Digital risks in the Metaverse

By Jônadas Techio — Blockchain Solutions Architect & Web3 Evangelist @ Axur
Published in UX Collective, May 20, 2022 (16 min read)

2021 marked the re-emergence of interest in “the Metaverse”, with leading companies putting in efforts to build the next-generation platforms that will take us to our virtual future — a future which, according to Bloomberg Intelligence, could become a market worth $800 billion by 2024.

Concurrently, 2021 was also a banner year for online fraudsters — according to a recent report from cybersecurity company Arkose Labs, there was a massive spike of 85% in online fraud and attacks in 2021, compared to 2020. That increase affected nearly all industries but Metaverse companies were among the hottest targets, facing 80% more bot attacks and 40% more human attacks than other businesses. The report concludes that:

“With highly persistent attackers and high stakes, companies investing in the metaverse must put a premium value on trust & safety at login, registration, and in-platform actions to protect digital identities in their virtual worlds.”

Looking forward to 2022, Stu Sjouwerman, founder and CEO of KnowBe4 (a security awareness training platform) predicted that this trend would become a headline: “The Metaverse As The New Attack Vector.” That prediction was made on February 15. We may not be quite there yet, but we are certainly heading in that direction.

Case in point: on March 29, 2022, the operator of Axie Infinity — a popular game universe fueled by NFTs where players can own and trade digital assets — reported a loss of over $625 million USD caused by an attack on the Ronin network (a bridge between the video game and the Ethereum blockchain which allows crypto assets to be transferred in and out of the game). The attack has been referred to as “One of the Largest Crypto Hacks on Record,” and it showcases the level of risk, both financial and reputational, that this nascent industry will face as it grows.

But, you may be asking, what exactly is the Metaverse, and what does it have to do with games, blockchains, NFTs, and other crypto assets? I will answer these questions below, starting with a brief description of the evolution of the web from its humble beginnings (Web1) to its latest iteration (Web3). Having described the foundational role of the blockchain for Web3, I will venture a definition of the Metaverse as an intersection of technologies that include, among other elements, Web3, blockchain, and VR/AR. With that definition at hand we will be able to understand some of the main security risks that will be posed to users of the Metaverse, as well as some of the best practices for avoiding them.

From Web1 to Web3 to Metaverse

The first iteration of the internet — Web1 — began in earnest in the 1990s, as a decentralized network of computers hosting static web pages accessible via applications running inside the user’s own machine. Given its decentralized architecture, anybody with a computer connected to the network could become a producer of information as well as a consumer of it, at least in principle; but in practice, those roles were mostly kept apart, as creators also needed developer skills.

By the early 2000s, the internet was starting to change, becoming more interactive and dynamic, but also more centralized. Applications built “on the cloud” by big companies (such as Facebook, Google and Amazon) lowered the entry barriers for consumers to become producers of data. With unprecedented amounts of data being produced, said companies could then harvest it for profit — for example, by selling targeted ads. This, in a nutshell, is Web2, with which most of us are familiar.

With the advent of blockchain technology and its first popular application, Bitcoin, in 2009, a new way of storing and sharing data became available. At its core, a blockchain is a decentralized network that hosts copies of a distributed ledger containing immutable records of all the transactions made by its participants; by virtue of its underlying technology, the blockchain allows data to be stored in a very secure and easily verifiable manner, without the need for trusted third parties.

Blockchains are also programmable, allowing for the creation of automated transactions based on conditions codified into smart contracts. Besides cryptocurrencies, other kinds of tokens can be created and transacted on the blockchain, each representing a different kind of value. Among these are the non-fungible tokens, or NFTs, which were all the rage in recent months. What is special about these tokens is that they can be used to represent the ownership of unique, singular items (whether digital or physical).

The foundation provided by the blockchain gave rise to new kinds of decentralized applications (dApps) as well as to new infrastructure, such as distributed file systems (e.g., IPFS) and decentralized domains (e.g., ENS). Together, these advancements form the basis of what we are calling Web3 or “the internet of value.”

As with any nascent concept, the meaning of the term “Web3” is still nebulous at this point, and different definitions can be offered. Chris Dixon and Packy McCormick, who have written the canon on Web3, define it as “the internet owned by the builders and users, orchestrated with tokens.” The main insight underlying this definition is that, in contrast to the first two iterations of the internet, users of Web3 will be neither passive consumers of content nor will they give away their data to centralized platforms by default; rather, they will be able to actually own the data they create, choosing how much of it they are willing to share with each decentralized application, as well as the conditions under which said data could be used — all of this being enabled by tokens and smart contracts on the blockchain.

[Figure: The evolution of the web summarized in 3 steps — Web1, Web2, & Web3]

OK, but what does all this have to do with the Metaverse? As with “Web3”, the concept of “Metaverse” is still a moving target, and it can mean different things to different people — “It depends on what Hollywood movie you’ve seen,” as expressed by Daniel Cohen, vice president of cybersecurity company Radware. Most definitions would include at least the notion of having immersive experiences in a virtual reality environment by means of some specialized hardware.

Examples of such experiences would be shopping, playing games, meeting friends, going to shows, concerts or film screenings, as well as attending lectures or business meetings. The Metaverse can also be thought of as the next iteration of social media (that is precisely the thinking behind Mark Zuckerberg’s decision to rebrand Facebook as “Meta”, and to refocus the efforts of his company accordingly). Whatever the Metaverse turns out to be, it will most likely be built at least partially upon Web3 and blockchain foundations.

[Figure: The Metaverse as an intersection of VR/AR, Web3 and Blockchain — Source: Idea Usher]

This intersection is already at work in popular “metaverses” such as Decentraland, Roblox, and The Sandbox, which use NFTs to represent items inside their virtual worlds that can be owned and transacted by the players — for example, clothing or accessories for an avatar, event tickets, in-game assets, etc.

As an illustration, last year someone paid $650,000 for a yacht NFT in The Sandbox, and Ralph Lauren debuted The Ralph Lauren Winter Escape on Roblox to show off its holiday fashion themes. More recently, Adidas announced a partnership with Ready Player Me (a cross-app avatar platform for the metaverse) to create AI-generated avatars based on the Ozworld shoe collection to be used across a groundbreaking 1,500 metaverse worlds and apps.

[Figure: Digital avatars wearing Ralph Lauren clothing inside Roblox — Source: Roblox]

In this new virtual environment, identity and reputation will work much differently than what we are used to today. Most of the time in Web3 apps, identities are tied to the wallet address of the user interacting with the application. Unlike Web2 authentication methods, which almost always require users to hand over sensitive and personal information, wallet addresses are by default pseudonymous. If a user chooses to connect the same wallet with multiple dApps, her identity is also seamlessly transferable across them, which means that, over time, the user can build up a reputation that is equally portable.

(As an analogy, imagine how it would be if you could transfer all of your history — your connections, posts, “likes”, etc. — from one social network to another, say from Twitter to Facebook.)

As more and more aspects of our lives become experienceable in the Metaverse — communication, work, education, entertainment, finances, personal profiles, reputation, and so on — all “orchestrated with tokens”, to go back to Dixon and McCormick’s definition, our very identities will become more and more intertwined with the contents of our wallets (or whatever comes to replace them). For this reason, to have a portable and composable digital identity that preserves privacy and provides security will become of paramount importance in this emergent future.

Security concerns as we enter the Metaverse

As the transition from Web1 to Web2 led to an explosion in the amount of data created by users, the advent of Web3 and the Metaverse will make those numbers pale by comparison. With an attack surface bigger than ever before, cybercriminals will have even more opportunities to exploit users. According to cybersecurity specialist Daniel Cohen, that surface will expand even to our brains:

“At least in the physical world, there are signals that we are accustomed to […] — you walk into a bank, a building with a logo, and people working at their desks. […] As we moved to online banking, what are the sensory signals? It’s a logo. In the metaverse, it’s this mix — it is all digital, but you feel very physical. You walk into JPMorgan in the metaverse. How do you know that you are in the actual bank? If I manage to hack your device, I can show you something else. You can be seeing something that I intend you to see. Crazy. The attack service now expands to your brain as well.”

Right now the kind of attack described by Cohen is only hypothetical, but that can change very rapidly as technology catches up to our imagination. In fact, the technology already exists for anyone to create a hyperreal avatar of themselves, and it has been used to create viral deepfake videos of celebrities such as Tom Cruise. That technology has also been put to more disturbing ends: at the start of Russia’s invasion of Ukraine, a deepfake video of President Volodymyr Zelensky supposedly surrendering popped up, showing how this kind of media can be weaponized for political purposes.

Once synthetic media technology evolves and is more widely used inside the Metaverse, it will become very hard to tell whether we are interacting with bona fide avatars or deepfakes. As Microsoft’s head of security Charlie Bell recently suggested in a blog post, hackers equipped with those resources could easily impersonate users to steal credentials or launch ransomware attacks:

“In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face — literally — like an avatar who impersonates your coworker, instead of a misleading domain name or email address”

Hypotheticals aside, given the foundational role of blockchain and Web3 technology for the Metaverse, there are already very real attack vectors to be considered, and it is never too early to become familiar with them in order to avoid security risks. I have written more extensively about the risks associated with blockchain technology elsewhere, so in what follows I will briefly focus on some representative cases which are more closely related to the elements of the Metaverse highlighted in the previous section — namely NFTs, wallets, and identities.

Risks associated with NFTs

As one can attest by looking at virtual worlds already under development, NFTs (or whatever comes to replace them) are a central building block of the Metaverse. These tokens, as we saw, are powered by smart contracts, which are in turn deployed as compiled code inside of a transaction in the blockchain. Now, code is (mostly) written by humans, and humans are bound to make mistakes. This leads to bugs that can be exploited by hackers, often with the help of social engineering techniques, to carry out cyber attacks, stealing information or even the crypto assets managed by a contract.

The recent phishing wave experienced by OpenSea users, as well as this Twitter scam, in which victims were duped into signing off on malicious contract transactions and handing over their NFTs, may highlight the forms of attack we may see more commonly in the future.

It is also important to realize that however “non-fungible” the tokens themselves may be — meaning that their representation inside the blockchain is unique and cannot be duplicated — the metadata associated with NFTs is very fungible. Therefore, nothing prevents copycats from minting new NFTs (using different smart contracts, or even different blockchains) that point to a copy of the content associated with the original. Indeed, this type of NFT infringement is rampant, as more and more cybercriminals steal ideas, content, and artwork, clone projects and collections, and intentionally try to confuse consumers about the source of digital assets.
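To make the “fungible metadata” point concrete, here is an added example (not code from the article) that reduces the image URI of each NFT's metadata to the content it actually names, so that tokens minted under different contracts or chains but pointing at the same content can be grouped and the later mints flagged; the records, contract labels and CIDs are constructed for the demonstration.

```python
# Added example (not from the original article): group NFT metadata records by
# the content they actually point to, so copies minted under other contracts or
# on other chains are flagged. All records, contract labels and CIDs are constructed.
import re
from collections import defaultdict

# The same IPFS object can be referenced as ipfs://CID, https://gateway/ipfs/CID
# or https://CID.ipfs.gateway; all three forms are reduced to the same key.
_IPFS_FORMS = [
    re.compile(r"^ipfs://(?:ipfs/)?(?P<cid>[A-Za-z0-9]+)(?P<path>/.*)?$"),
    re.compile(r"^https?://[^/]+/ipfs/(?P<cid>[A-Za-z0-9]+)(?P<path>/.*)?$"),
    re.compile(r"^https?://(?P<cid>[A-Za-z0-9]+)\.ipfs\.[^/]+(?P<path>/.*)?$"),
]


def content_key(uri):
    """Reduce an image URI to the content it names: 'CID/path' for IPFS links,
    the URI itself otherwise (a plain URL is not content-addressed, so the host
    can silently change what it serves)."""
    for form in _IPFS_FORMS:
        m = form.match(uri)
        if m:
            return m.group("cid") + (m.group("path") or "")
    return uri


def find_copycats(records):
    """Return {content_key: {"original": rec, "copies": [rec, ...]}} for every
    piece of content referenced by more than one token; the earliest-minted
    record is treated as the original."""
    by_content = defaultdict(list)
    for rec in records:
        by_content[content_key(rec["image"])].append(rec)
    found = {}
    for key, recs in by_content.items():
        if len(recs) > 1:
            recs = sorted(recs, key=lambda r: r["minted_at"])
            found[key] = {"original": recs[0], "copies": recs[1:]}
    return found


# Constructed metadata records: one original, two copies under other contracts/chains, one unrelated
SAMPLE_RECORDS = [
    {"chain": "ethereum", "contract": "0xORIGINAL", "token_id": 1, "minted_at": 1_640_000_000,
     "image": "ipfs://bafybeiexamplecid/1.png"},
    {"chain": "polygon", "contract": "0xCOPY1", "token_id": 1, "minted_at": 1_650_000_000,
     "image": "https://ipfs.io/ipfs/bafybeiexamplecid/1.png"},
    {"chain": "ethereum", "contract": "0xCOPY2", "token_id": 42, "minted_at": 1_652_000_000,
     "image": "https://bafybeiexamplecid.ipfs.dweb.link/1.png"},
    {"chain": "ethereum", "contract": "0xOTHER", "token_id": 1, "minted_at": 1_645_000_000,
     "image": "ipfs://bafybeiothercid/1.png"},
]
```

Equal keys prove identical content; differing keys do not prove different content (the same bytes can be re-added under another CID, or served from a plain URL), so a definitive check fetches both images and compares a hash of the bytes.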

Another recent technique used by attackers is the offering of malicious tokens via so-called airdrops. Since wallet addresses are public, literally anyone can send NFTs to these addresses. Usually this is not a big problem, because a wallet owner can simply choose to ignore them; but some cybercriminals have developed ways to send tokens that can execute transactions on your account as soon as you interact with them. In this sense, you could liken these tokens to a trojan that allows hackers to access your computer as soon as you interact with a malicious file. (A more detailed analysis of this type of scam, including an explanatory video, can be found here.)

Risks associated with wallets

A primary target of Web3 and Metaverse cybercriminals are wallets, i.e., applications that store users’ addresses, payment information, and keys, and which can be used to sign transactions and authorize payments on other websites and dApps. One kind of attack that is already being applied but may become more popular in the future, as wallets become ubiquitous, is wallet cloning.

In this kind of attack a cybercriminal forces victims to give up their seed phrase (the secret recovery phrase from which a wallet’s private keys are derived), usually by means of social engineering techniques such as a request made by someone posing as customer support, or by tricking wallet holders into fake verification processes.

Case in point: a few days ago NFT collector Domenic Lacovone posted on Twitter that his wallet, containing $650,000 worth of digital assets and NFTs, was wiped out. According to Lacovone, he received multiple text messages asking to reset his Apple ID password and then got a phone call, supposedly from Apple (as the company’s number showed on his caller ID) asking for a code sent to his phone. When he provided the code, his entire MetaMask wallet was wiped out within two seconds.

[Figure: Tweet describing an attack in which all the NFTs were stolen from a user's wallet — Source: Twitter]

In a similar vein, discussing threats related to the metaverse, cybersecurity researchers from Cisco Talos pointed out that if today you tweet about having any kind of trouble with the popular wallet MetaMask, you will immediately receive replies from scammy support bots providing a link to a “MetaMask Support form” which asks you to provide your 12-word seed phrase:

[Figure: Screenshot of a tweet from a fake profile purporting to be MetaMask Support — Source: Cisco Talos]

Another recent and as yet little-known type of attack used to steal digital assets from wallets is blind signing. This attack takes advantage of the fact that users who employ their wallets to interact with dApps and NFTs often do not review the full code of the smart contracts underlying these applications, and therefore may end up signing and authorizing transactions without knowing exactly what they are signing and authorizing.

For example, sometimes it is necessary to grant a third party — say a crypto exchange or an NFT marketplace — permission to perform transactions involving tokens inside your wallet. Once the third-party access is approved, users of the application can swap tokens or list NFTs for sale without paying additional gas fees each time. Attackers have figured out ways of tricking victims into giving them third-party approval over the contents of their wallet, which can then be transferred to other wallet addresses controlled by the criminals.
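The remedy for blind signing is to decode what a signature prompt actually authorizes before approving it. As an added example (not code from the article or from any wallet vendor), the following decoder parses the calldata of the ERC-20/ERC-721 approval and transfer calls discussed above and states in plain language what signing it would do; the selectors are the standard ones (first four bytes of keccak256 over the function signature), while the sample requests and addresses are constructed.

```python
# Added example (not from the original article): decode a transaction's calldata
# before signing it, so an approval request is never signed blind. Selectors are the
# standard ERC-20/ERC-721 ones; the sample requests and addresses are constructed.

UNLIMITED = 2**256 - 1

# Calls that hand control of assets to a third party: selector -> (name, arg types)
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "42842e0e": ("safeTransferFrom", ("address", "address", "uint256")),
}


def _word(data, i):
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    w = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(w) != 32:
        raise ValueError("calldata truncated")
    return w


def decode_calldata(hexdata):
    """Decode a static-argument call into its function name and typed arguments."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": "0x" + selector, "args": []}
    name, types = SELECTORS[selector]
    args = []
    for i, t in enumerate(types):
        w = _word(data, i)
        if t == "address":
            args.append("0x" + w[12:].hex())  # address is right-aligned in the word
        elif t == "uint256":
            args.append(int.from_bytes(w, "big"))
        elif t == "bool":
            args.append(w[-1] == 1)
    return {"function": name, "selector": "0x" + selector, "args": args}


def explain(hexdata, signer):
    """Return (risk level, plain-language effect) of `signer` signing this call."""
    d = decode_calldata(hexdata)
    f, a = d["function"], d["args"]
    if f == "approve":
        spender, amount = a
        if amount == UNLIMITED:
            return "HIGH", f"grants {spender} an UNLIMITED allowance over this token"
        return "MEDIUM", f"grants {spender} an allowance of {amount} units"
    if f == "setApprovalForAll":
        operator, approved = a
        if approved:
            return "HIGH", f"makes {operator} operator of EVERY token you hold in this collection"
        return "LOW", f"revokes operator rights from {operator}"
    if f in ("transferFrom", "safeTransferFrom"):
        src, dst, token_id = a
        level = "HIGH" if src.lower() == signer.lower() else "MEDIUM"
        return level, f"moves token #{token_id} from {src} to {dst}"
    return "UNKNOWN", f"unrecognised selector {d['selector']}; do not sign until it is decoded"


# Constructed sample requests, as a wallet prompt might present them for signing
MY_WALLET = "0x" + "aa" * 20
APPROVE_UNLIMITED = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
APPROVE_ALL = "0xa22cb465" + "00" * 12 + "22" * 20 + "00" * 31 + "01"
DRAIN_TOKEN_7 = "0x23b872dd" + "00" * 12 + "aa" * 20 + "00" * 12 + "33" * 20 + "00" * 31 + "07"
```

Calling `explain(APPROVE_ALL, MY_WALLET)` yields a HIGH rating with the operator address spelled out, which is exactly the information a blind-signed prompt hides.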

Risks associated with decentralized domains and portable identities

Today the most promising candidates to supply a portable identity on Web3 are the services known as decentralized domains (such as the Ethereum Name Service — ENS), which allow wallet addresses to be associated with human-readable strings such as “businessname.eth” (analogously to what DNS does for IP addresses). Once you register a decentralized domain and associate your wallet, all sorts of additional data can be linked to the domain — for example, a traditional website URL, social network profiles and handles, email address, avatar, etc.

Being recorded on the blockchain in a permissionless and essentially immutable manner, these names can be registered by anyone, and once created they cannot easily be removed through trademark disputes. That makes them well suited for malicious actors who intend to use them as leverage in phishing attacks; as highlighted by Cisco Talos researchers:

“It may come as no surprise that ENS domains such as cisco.eth, wellsfargo.eth, foxnews.eth and so on are not actually owned by the respective companies who possess these trademarks. Rather, they’re owned by third parties who registered these names early on with unknown intentions. The risk here is obvious: Nothing prevents the owner of the ENS domain wellsfargo.eth from using that name to trick unsuspecting users into believing that they are dealing with the real bank.”

Moreover, some users choose to register an ENS domain in their own names, which implies that they are, in practice, deanonymizing their wallet address and thus allowing anyone to check its contents, which also increases the risk of their being selectively targeted by a threat actor.

A brief search by Cisco Talos on ENS domain holders who publicized their addresses on Twitter revealed a number of “whales” holding vast amounts of cryptocurrency and some expensive NFTs. To make things worse, some users also reveal additional information such as their home towns, full names, and social media profiles, giving attackers broad opportunities for targeted social engineering attacks.

[Figure: An example of a “whale” ENS domain containing various NFTs — Source: Cisco Talos]

Fraud Prevention in the Rising Metaverse

“The weakest point in any organization from a cybersecurity perspective is the user,” as explained by Gary Gardiner, head of security engineering for Asia-Pacific and Japan at Check Point Software Technologies. As users leave trails of data around the Metaverse, security problems already plaguing us in the current iterations of the internet will also cross into this new environment, and new ones will arise. Therefore, there is no better way of preventing vulnerabilities than educating users about security hygiene and best practices.

Chief among these practices are identity security and wallet security — specifically, securing and managing the way humans and machines connect and interact with the applications running in the all-encompassing virtual environment of the Metaverse. Without adequate identity and wallet security controls, bad actors will focus on compromising accounts with the goal of gaining access to and stealing valuable digital assets.

In particular, users and businesses should focus on protecting their seed phrases and private keys, never sharing them with anyone nor storing them with third-party services (unless they specialize in wallet custody). As wallets become more used for identification and personalization of Metaverse content, losing a seed phrase amounts to nothing short of losing control over one’s identity and personal digital belongings.

Moreover, cybersecurity is not a “once and done” activity; it requires ongoing attention and it works best if it becomes part of one’s habits. So users and businesses should learn to thoroughly research all their interactions with dApps and smart contracts. In particular, they should learn how to look up the addresses of the contracts with which they interact (for example, in order to buy or mint NFTs on marketplaces) using block explorers (such as Etherscan) and see whether their source code is published and verified. Unpublished source code is a red flag. Also, look up information regarding the developers of the projects you are interested in; be wary of anonymous developers with no track record. Consider using freshly generated wallet addresses holding just enough funds to cover the cost of a purchase so that, if anything bad happens, you won’t lose the entire contents of your main wallet. By the same token, consider keeping different wallets for different purposes, and do not deanonymize your main wallet.

Fraud prevention in the Metaverse will also need a fresh approach. What worked in the past may no longer suffice in this new digital order. Businesses must quickly adapt to the ever-evolving attack tactics for superior identity proofing and protecting multiple touchpoints.

Alexey Khitrov, CEO at ID R&D, argues that to protect consumers from account takeovers in the Metaverse, PINs, passwords and multi-step security checks will not be enough: “These are easily stolen by fraudsters, or picked up from data breaches, not to mention accidentally forgotten by those to whom they genuinely belong.” As an alternative he suggests the use of more advanced authentication methods such as face or voice biometrics, protected by liveness detection:

“A quick snap of the face and 1–2 seconds of speech is all that’s needed to check an avatar is still who they claim to be. It’s also a quick way to catch fraudsters; face and voice are almost completely impenetrable for fraudsters, with the combination one hundred times stronger than face alone.”

Besides individual actions, public pressure should be mounted for better laws and regulations, as well as for the implementation of better authentication processes by marketplaces and companies developing metaverse applications. Such processes should make full use of the opportunities offered by public blockchains, ensuring that users have access to creators and sellers’ reputations, so that, for example, if someone has been subject to an unusual amount of takedown or delisting requests that information would be easily available and verifiable. The same goes for information about creators and sellers with a positive track record, which could be easily stored on safelists containing their addresses and history of transactions.
