Connect with us

Hi, what are you looking for?



Protecting Cryptocurrencies and NFTs – What’s Old is New

Five steps that end-users can take to protect themselves against cryptocurrency losses

Five steps that end-users can take to protect themselves against cryptocurrency losses

There has been quite a bit of chatter around cryptocurrencies and non-fungible tokens (NFTs) of late. As with most topics these days, some of that chatter has been around the topic of security. Specifically, there seems to be quite a bit of interest around how attackers and fraudsters can compromise cryptocurrencies and NFTs. In particular, one topic of keen interest is how attackers and fraudsters can profit from illicit or fraudulent activities around cryptocurrencies. I would like to take a look at that along with the security of cryptocurrencies in this piece.

I should preface all of this by noting the obvious – I am no expert in cryptocurrencies. That being said, when I look at threats to cryptocurrencies, I see a case of what’s old is new again. What do I mean by that?  While there is always the possibility that a cryptocurrency itself will be compromised, that is not likely to be where we will see the vast majority of fraud loss and theft. Why is that? Attackers and fraudsters are opportunistic and coin-operated. If they can easily make money targeting weaker links than the cryptocurrencies themselves, they will do so.

To understand this concept a bit better, let’s draw a lesson from the traditional financial world. Most of us are customers of one or more credit card issuers. While card issuers themselves are compromised from time to time, the vast majority of fraud loss comes from compromising end-user devices (e.g., with banking trojans) used to make purchases, compromising card processors, and/or compromising Point-of-Sale terminals (e.g., cash registers). In other words, attackers and fraudsters know that they can make far more money in far less time by going after the end-user, the intermediary, and/or the merchant than they can going after the card issuers.

So how does this translate to the cryptocurrency world? Well, rather than go after the cryptocurrencies themselves, attackers and fraudsters have gone after and will likely continue to go after the end-users and the intermediaries just as they do in the traditional financial world. For cryptocurrencies, this means digital wallets (the end-users’ means of accessing their cryptocurrencies) and exchanges (where cryptocurrencies are bought and sold). To put it another way, although the medium is different, the strategy remains the same. Go after the weakest links – not the cryptocurrencies themselves.

What’s old is indeed new again. If we look over cryptocurrency thefts that have occurred in the recent past, we see that the end-users (specifically their access to the digital wallet) and the intermediaries (the exchanges) are by and large the targets of attackers and fraudsters. Not surprising in the least.

Given this, what are some steps that end-users can take to protect themselves against cryptocurrency losses? While not an exhaustive list, here are five steps end-users can take to protect themselves:

Advertisement. Scroll to continue reading.

1. Use MFA: Wherever possible, enable multi-factor authentication (MFA). Stolen credentials abound on the darkweb, and some of those credentials likely belong to you. Requiring one or more factors in addition to a username and password can help reduce the risk of attackers and fraudsters gaining unauthorized access to your accounts.

2. Use known, reputable exchanges: Cryptocurrencies are not regulated like national currencies.  This includes the exchanges used to buy and sell cryptocurrencies.  Thus, it is best to be cautious when choosing an exchange.  Choose a reputable, reliable, and respected exchange, preferably one that clearly and openly outlines its security measures.

3. Choose your cryptocurrency wisely: There are many different types of cryptocurrencies, and not all cryptocurrencies are created equal. Each has differing levels of security. Should you choose to purchase cryptocurrency, be sure to invest in one that is reputable.

4. Beware of social engineering: Phishing and other scams are a great way for attackers and fraudsters to steal credentials. Those credentials give them access to what they are after. The easiest way to gain access to the cryptocurrencies of others is to flat out ask them for the usernames and passwords to the resources that hold those assets. Don’t fall victim to it.

5. Guard your wallet: The end-user is likely the weakest link in the cryptocurrency chain. As such, access to the end-user digital wallet is exactly the type of target attackers and fraudsters eagerly pursue. Take steps with your digital wallet provider to ensure that you’ve leveraged their ability to help you lock down your account.

Although cryptocurrencies are relatively new, the strategies used by attackers and fraudsters to profit from them don’t appear to be. By understanding that end-users and intermediaries, rather than the cryptocurrencies themselves are the most likely targets for theft and fraud, end-users can take steps to protect themselves. The time invested in considering the points above and others is sure to pay dividends and help avoid fraud loss.

RelatedNorth Korean Hackers Stole $400 Million Worth of Cryptocurrency in 2021

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...