Digital assets/copyright certificates (NFTs), which are popular in the Internet, finance and blockchain fields, are facing a series of cybersecurity crises.

Last Thursday, a self-taught artist, Mike Winkelmann, sold a digital image online at Christie’s for $69.3 million, fetching far more than even Salvador Dali or Paolo. Gauguin’s artwork, which is also the most expensive digital asset ever sold, comes with a digital certificate of authenticity known as a non-fungible token (or NFT).

Additionally, musician Grimes also recently sold 10 NFT-based digital artworks for about $6 million, according to the Wall Street Journal.

Even Twitter founders have joined the NFT “carrying goods” craze, with five words (the genesis tweet) auctioned for $2.5 million…

　What is NFT?

Simply put, NFT is a certificate of ownership created for any type of digital goods/assets using (Ethereum) blockchain distributed database technology, and the certificate is unique.

The reason why NFT makes the Internet and financial circles crazy is because NFT solves the two major pain points of digital copyright: uniqueness and authenticity verification and de-intermediary (heart) transactions.

The key innovation of NFTs is to provide a way to mark the ownership of native digital assets (that is, assets that exist in the digital world, or originate in the digital world), and that ownership can exist outside of centralized services or centralized libraries.

At the same time, due to its non-homogeneous and inseparable characteristics, NFT can be bound to some commodities in the real world. In other words, it is actually a digital asset issued on the blockchain. This asset can be game props, digital artwork, tickets, etc., and is unique and non-reproducible. Since NFTs have natural collectible properties and are easy to trade, crypto artists can use NFTs to create unique digital artworks.

　　Hacker attacks are coming

But while NFT subverts and opens up the huge potential digital asset/copyright trading market, it also attracts the attention of hackers. In less than a week after the sky-high price paintings based on NFTs were sold, hacker attacks came one after another.

Users of Nifty Gateway, a marketplace for digital art rights, have reported that hackers took over their accounts over the weekend and stole thousands of dollars worth of art.

Some users even said that after changing their passwords, they still failed to drive the hackers out of their accounts. Some found the stolen digital assets then sold on chat apps Discord or Twitter.

Other users also reported that the intruders also stole their credit card information and started using it to buy other artworks, pilfering up to $20,000.

In a statement, Nifty Gateway said it encouraged users to use two-factor authentication (2FA) to prevent account hacking and takeover, noting that none of the affected accounts had 2FA enabled. “There is no indication that the Nifty Gateway platform was compromised,” the company said.

Questions remain as to whether the value of NFT-backed digital art will disappear over time, and whether its value stems from its innovative nature. But for now, driven by huge profits, hackers are keen to steal and transfer high-value digital assets through NFTs.

In the past, state hackers working for the North Korean government were keen to acquire cryptocurrencies such as Bitcoin, but NFTs are unique in that they cannot be exchanged for other NFT tokens like Bitcoin.

　　Are bugs also works of art?

Not only black hat hackers, but also white hat hackers can’t stand the temptation of NFTs. In recent weeks, the cybersecurity community has also started to dabble in NFTs. A user of NFT marketplace OpenSea posted an NFT-based exploit earlier this month, which sparked scoping and auditing about the content of NFT transactions and whether malicious hackers could potentially buy and sell exploits or other hacking tools through NFTs. Moral issue.

“As an exploit engineer, I see certain vulnerabilities as works of art, for example: this is an interesting computer security bug that can cause a denial of service in the most popular online game engine today,” said the user who posted the exploit, co-founder Matthew Hickey, head of security firm Hacker House, said in a tweet. “Assets/IP will be fully transferred and buyers can dispose of them as needed.”

The vulnerability is a post-authentication memory corruption vulnerability in the ioquake3 engine, a classic first-person shooter engine, and anyone who purchases it could launch an effective denial-of-service attack on the game engine. But OpenSea rejected Hickey’s listing request, CoinDesk reported.

Hickey revealed that he has yet to hear back from OpenSea, adding that while he believes there should be no restrictions on the kinds of digital assets that someone can sell through NFTs, he believes that NFTs are still in their early stages of development, and the application of NFTs in the information security community Still to be explored.

“We’re still working on NFTs, and the technology seems to be in its infancy, but we do see it as a disruptive technology, but the relationship to the cybersecurity space is yet to be studied further,” Hickey said. “I think people should be able to There should be no restrictions on the type of digital assets sold, I think the current NFT centralized exchange model should become decentralized to allow direct peer-to-peer transfers of such assets. Really change copyright, DRM and other digital rights related concept.”

Hickey warned that NFTs have the potential to be misused if they fall into the wrong hands.

Like any technology, NFTs can lead to new crimes and abuses, and just as the Internet has facilitated new commerce, NFTs will also lead to new cybercriminals.