Non-fungible tokens (NFTs) offer massive revenue potential for brands, and opportunities for cybercriminals to exploit if security isn’t considered from the start.
These days, bots are cybercriminals’ secret weapon, and they are increasingly used to manipulate prices, defraud customers, and undermine the NFT ecosystem.
This means NFT marketplaces need to do everything they can to offer dynamic security defenses against bot and other cyberattacks to safeguard their NFT investments, marketplace reputation, and customer experience.
Why are hackers focusing their bots on NFT sales? Quite simply, it’s where the money is. The market for NFTs grew to $41 billion by the end of 2021, according to Chainalysis. NFT marketplace ecosystems are relatively new, and the technology and processes are not always understood—which makes them a perfect target.
The e-commerce industry has been heavily hit by bots, especially with limited edition product releases like sneakers targeted by inventory hoarding bots. While blockchain, cryptocurrencies, and decentralized finance are recent innovations, they are emerging in a mature, battle-tested cybercrime environment.
Bots to watch out for
Malicious bots can manipulate NFT prices and product availability, or offer fake products for sale. Bots can also be part of larger schemes that involve taking down entire websites, as well as stealing identities and other personal financial information. Here are some types of bots you should protect against:
Purchasing bots. These are designed to buy online goods or services in bulk the moment they go on sale and to complete the checkout process instantaneously. The goal is to gain mass control of valuable inventory, which is usually resold on secondary markets at a significant markup. They impede purchasing by real human shoppers, resulting in consumer frustration and denial of inventory as the NFTs become unavailable.
Bidding bots. These bots make fake bids to manipulate NFT prices. By placing large numbers of lowball bids for NFTs well below the asking price, decrease price bots drive down the value of an NFT without actually making a purchase. Increase price bots purchase low price NFTs, artificially creating scarcity and boosting popularity to force buyers to pay more for remaining inventory, often on secondary markets. And bidding bots can artificially drive up the price of NFTs through automated bidding wars.
Counterfeit NFT bots. Bots can be used to sell non-authentic NFT projects that don’t match policy IDs. When a consumer mistakenly buys a fake NFT, there’s little chance of a refund, and without proper authentication, no chance of legal resale.
Fake promo bots. Bots can also masquerade as phishing schemes, enticing users to click on links to take advantage of very limited offers, such as a fake YouTube Genesis Mint Pass.
Rampant bot activity on NFT marketplaces sows doubt and suspicion and affects potential buyers, legitimate sellers, artists, athletes, and creatives whose products are sold on online marketplaces. Malicious bots can also potentially sidetrack the growth of blockchain-based markets, and if NFT exchanges gain the reputation of being bot hotbeds, it can threaten one of the most dynamic facets of the new digital economy.
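The decrease price bidding pattern described above (large numbers of bids well below the asking price, with no purchase) can be checked for in a marketplace's bid log. The following is an added example, not code from the article or from F5; the event fields, account names, and thresholds are assumptions chosen for illustration, and the sample data is constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_ts, account, nft_id, bid, asking_price)
SAMPLE_BIDS = (
    [(1000 + i * 4, "acct_bot", f"nft_{i % 3}", 0.05, 1.0) for i in range(12)]
    + [
        (1003, "acct_alice", "nft_0", 0.92, 1.0),   # near-ask bid
        (1030, "acct_bob", "nft_1", 0.30, 1.0),     # one-off low offer
        (1500, "acct_bob", "nft_2", 0.35, 1.0),     # second one, far apart in time
        (1040, "acct_carol", "nft_2", 1.00, 1.0),   # bid at the asking price
    ]
)
SAMPLE_PURCHASES = {"acct_carol"}  # accounts that completed a purchase


def flag_lowball_bidders(bids, purchasers, max_ratio=0.5, min_bids=5, window_s=60):
    """Return {account: peak lowball bids in any window} for accounts that
    placed >= min_bids bids below max_ratio * asking price within window_s
    seconds and never completed a purchase. Thresholds are assumptions."""
    recent = defaultdict(deque)   # account -> timestamps of recent lowball bids
    peak = defaultdict(int)       # account -> largest burst seen so far
    for ts, account, _nft, bid, ask in sorted(bids):
        if ask <= 0 or bid >= max_ratio * ask:
            continue              # not a lowball bid
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()           # drop bids that fell out of the window
        peak[account] = max(peak[account], len(q))
    return {
        acct: n for acct, n in peak.items()
        if n >= min_bids and acct not in purchasers
    }


if __name__ == "__main__":
    for acct, n in flag_lowball_bidders(SAMPLE_BIDS, SAMPLE_PURCHASES).items():
        print(f"{acct}: {n} lowball bids within 60s, no purchase")
```

A single low offer (acct_bob in the sample) is not flagged; only a burst of lowball bids from an account with no completed purchase is.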
Protecting your marketplace against bots
We’ve learned a lot from our work with many of the top NFT marketplaces and exchanges, helping them to implement sophisticated security and safeguards. This includes protecting against bot attacks that target login, stopping fake account creation, and preventing inventory hoarding bots that buy up inventory and drive up NFT prices. Here are a few key points to consider:
- Understand patterns for fraudulent new account openings and validate their enrollment.
- Evaluate your bot defense strategy to prevent sophisticated, human-emulating automation and retooling.
- Avoid account takeover by monitoring transactions for signs of fraud or risky behavior and strengthen login systems against credential stuffing.
- Leverage authentication intelligence to improve the customer experience.
- Manage users to identify whether they are customers or bots.
- Augment your security and fraud teams with new tools and intelligence support.
- Expect criminals to continue to retool their attacks—and be able to quickly retool your defenses.
Help your customers protect themselves against cybercriminals
It is important to protect and gain customer trust, and this starts with education. Here are some tips you can share with your customers:
Consider hardware wallets. If using cryptocurrency to purchase NFTs, consider using a hardware wallet to make the purchase. Hardware wallets, which are external physical devices with specialized firmware to prevent private keys from being accessed, can significantly improve the security of cryptocurrency and NFT purchases by protecting them from bots and other cyberattacks.
Always review contracts. Purchasing an NFT nearly always entails engaging in a ‘smart contract’ with the seller. Carefully review these contracts, which are issued on the blockchain, prior to approval because they detail the unique information that is associated with your NFT, including ownership and transaction details. Know what you are agreeing to, as smart contracts can specify rules about trading the NFTs and other ownership rights.
Be aware of fake marketplaces. Only consider purchasing NFTs from reputable organizations that take security seriously and keep transactions bot-free.
Understand how your NFT marketplace communicates and what your options are if your NFTs are stolen. Knowing in advance how your marketplace will contact you and what your recourse is if your NFTs are stolen can help you deflect phishing attacks, spoofing, and other fraud.
About the Author
Angel Grant is VP for Security at F5 and writes here on why Web3 companies need to defend their customers against malicious bots. F5 is a multi-cloud application services and security company committed to bringing a better digital world to life. F5 partners with the world’s largest, most advanced organizations to optimize and secure every app and API anywhere, including on-premises, in the cloud, or at the edge. F5 enables organizations to provide exceptional, secure digital experiences for their customers and continuously stay ahead of threats. For more information, go to f5.com.
Featured image: ©Dmitry