Avoiding the Bait: Phishing in Web3
Whilst investment has increased for Web3 projects, malicious actors are following the money. Venture capital firms invested over $30 billion in crypto start-ups in 2021, with over 65 companies in the sector valued at $1 billion or more. As Web3 continues to drum up support (and cash) via Web2, much of the groundwork still relies on traditional websites and social media. Traditional methods of brand protection therefore remain critical to protecting R&D and customer safety.
What is Web3?
The term ‘Web3’ refers to the decentralization of the internet through token-based economics, blockchain technology and cryptocurrency. Web3 promises to remove the requirement of third parties and central authorities to govern the internet.
Phishing is the fraudulent collection of sensitive data from users, often with the intent of gaining access to funds. It occurs in various formats, such as ‘smishing’ by SMS, and remains a continuous threat to a brand’s customers, regardless of industry.
Phishing misuses a brand’s intangible assets to mislead users by creating identical sites and highly similar domains. Bad faith use of domains is a common threat in Web2, accounting for 3,259 domain names in UDRP decisions for Q1 2022 alone. Web3 adds to the risk by removing the middleman and leaving the user without a central authority, like a credit card provider, to remedy the loss. Scams capturing higher-value assets like Bored Ape Yacht Club NFTs can create widespread reputational damage for brands within the space.
Adapting to Web3
OpenSea, the largest NFT marketplace, was targeted by the domain <opensea.co> when it was used for ‘smishing’ purposes. Crypto investors were contacted via their leaked phone numbers and encouraged to visit <opensea.co>, which advertised false NFT releases. Users new to Web3 and unfamiliar with OpenSea would be confused as to the authenticity of the site. The website included a function to link the user’s wallet – a process required for many Web3 services – and attempted to gain access to assets. The issue was reported, the domain was disabled and MetaMask, a highly popular digital wallet, flagged the domain as a phishing risk. All the while, OpenSea suffered reputational damage and committed to a PR drive to reassure its users.
Wallet companies – allowing users to traverse Web3 – have also been attacked through fake Google Ads appearing on top of search results for “MetaMask” and “Phantom”. Check Point Research found imitations of MetaMask and Phantom ads had captured over $500k in a matter of days.
A traditional domain watch programme would likely flag <opensea.co> once it went live, but brands should also be aware of additional intermediaries, such as MetaMask, that can assist with warning users and preventing irrevocable transfers. Brand alerts through Twitter and Discord may also go a long way towards de-escalating the risk if a similar situation occurs.
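A minimal version of the domain-watch check described above, written as an added example (not code from the article or from any monitoring vendor); the watched brand list, the substitution table and the sample domains are constructed assumptions. It flags TLD swaps such as <opensea.co>, digit-for-letter homoglyphs, brand keywords embedded in longer hostnames, and one-character typo-squats:

```python
import unicodedata

# Constructed watch list (assumption): brand keyword -> domains the brand really operates.
BRAND_DOMAINS = {"opensea": {"opensea.io"}, "metamask": {"metamask.io"}}

# Common digit/symbol substitutions folded back to letters before comparison.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalise(text: str) -> str:
    """Lower-case, strip accents and fold leet-style substitutions."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(SUBSTITUTIONS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches typo-squats like 'metamsk'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(domain: str):
    """Return (brand, reason) when a newly seen domain resembles a watched brand, else None."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    host = ".".join(labels)
    registrable = ".".join(labels[-2:])   # second-level label plus TLD
    sld = labels[-2]
    for brand, legitimate in BRAND_DOMAINS.items():
        if registrable in legitimate:
            return None                   # the brand's own domain: nothing to flag
        folded = normalise(sld)
        if folded == brand:               # opensea.co, 0pensea.xyz
            return brand, "tld-swap" if sld == brand else "homoglyph"
        if brand in normalise(host):      # opensea-mint.com, login.opensea.io.verify-wallet.com
            return brand, "keyword"
        if edit_distance(folded, brand) <= 1:   # metamsk.io
            return brand, "lookalike"
    return None
```

Such a check is a triage aid for a watch feed of newly registered domains; a hit should be reviewed and, where live, reported to the registrar and to wallet-side blocklists as in the OpenSea case above.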
The U.S. comedian Seth Green recently tweeted about the loss of four NFTs to phishing, one of which was a Bored Ape NFT that was then sold via OpenSea for $262,000. Crucially, the IP rights attached to a Bored Ape transfer to the new owner. As Seth Green was due to market a TV show centred upon the NFT, questions now arise surrounding the launch of his venture. Considering the recent decision to treat NFTs as legal property in England via Lavinia Deborah Osbourne v (1) Persons Unknown (2) Ozone Networks Inc Trading as Opensea, could there be additional recourse for similar cases under UK jurisdiction in the future?
Digital wallets loaded with decentralised assets add further dimensions to online brand enforcement. Phishers are getting creative with Web3, exploiting fake NFT releases and token drops, and current brand enforcement methods may miss these issues. Integrating Web3 intermediaries and Web3-specific keywords into monitoring can help remedy problems before damage ensues. For brands dipping their toes into Web3, committing budget to intensified enforcement before and during releases may prevent phishing horror stories from making the front page.