Art heists may be coming to a metaverse near you.
When Sotheby’s Metaverse launched last month, giving the auction house a sales platform for high-end nonfungible tokens (NFTs), Cisco Talos Head of Outreach Nick Biasini realized that the shared virtual reality had become a legitimate marketplace — and he says cybercriminals are taking note, too.
“Because [the metaverse] is tied to this largely unregulated, quasi new era of cryptocurrency, there’s a huge potential for scams,” Biasini said. “It’s something where some organizations are spending a huge amount of resources, so there’s the potential for this to become a very big part of the internet. You have a place with low regulation and low legal recourse for victims — it’s extremely attractive to criminals.”
Cybercriminals have always been quick to spot opportunity in new or of-the-moment technologies such as collaboration tools and virtual private networks. Both of these, along with cyberattacks, surged during the COVID-19 pandemic that forced companies around the world to send their employees home to work remotely. The metaverse “is just the next medium,” Biasini said. It gives cybercriminals a new place to use their old scams.
Triple Threat: Blockchain, Crypto, and NFTs
However, some cyberthreats are specific to the metaverse and the technologies that make it work, namely blockchain, cryptocurrencies, and NFTs.
“One of the challenges that I see coming up is going to be related to defending your intellectual property and branding,” Talos Technical Leader Jaeson Schultz said.
Sotheby’s Metaverse, for example, sells a curated selection of NFTs. Each piece is created by minting, the process of recording a digital item, in this case a work of art, on the Ethereum blockchain, which serves as a public ledger. The digital artwork, now represented as an NFT, can be bought or traded, and its ownership can be tracked digitally as it is resold in the future.
However, legitimate businesses aren’t the only ones minting these virtual products, and Schultz said he’s seen an uptick of fake NFTs being bought and sold. “Once that gets put into the public blockchain, it lives there, and there’s no way to get it out,” he said, adding that in addition to scamming buyers out of potentially thousands of dollars, these fake NFTs can also damage a company’s brand reputation.
Buying and selling NFTs also requires an Ethereum wallet, so in addition to opening the door for cryptocurrency scams and theft, there are also risks related to smart contracts and malicious Ethereum Name Service (ENS) “.eth” domain names. “I’ve already seen people squatting the names and taking over major brands,” Schultz said. “WellsFargo.eth is not necessarily owned by Wells Fargo.”
Similarly, smart contracts, which manage the ownership and transferability of NFTs, can be malicious. And they are only as secure as the entity enforcing them, Schultz added.
Cisco Talos has documented cybercriminals abusing smart contract functions in the metaverse. “One of the functions in a smart contract might be the approve function,” Schultz said. This allows the online swap services to move tokens out of a buyer’s Ethereum wallet after certain conditions are met. “So we’ve seen cybercriminals abusing that approve function so that they can get approval to move all of the Ethereum, all of the NFTs out of users’ wallets.”
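The approve-function abuse Schultz describes leaves a trace on-chain: every allowance change emits an Approval (ERC-20) or ApprovalForAll (ERC-721/1155) event. As an added example, not code from Talos or the article, this Python script reads such event logs in the shape an Ethereum node returns from eth_getLogs and flags approvals that hand a spender the whole balance; the addresses, the trusted-spender set and the sample logs are constructed.

```python
# Added example (not from the article): flag ERC-20 / NFT approvals that hand a
# spender a whole wallet balance. Log shape follows eth_getLogs; all constructed.

# keccak256 of the standard event signatures; indexed args fill topics[1..]
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
UNLIMITED = 2**256 - 1  # the "infinite" allowance many dApps ask for

def topic_address(topic):  # indexed addresses are left-padded to 32 bytes
    return "0x" + topic[-40:].lower()
def pad(addr):  # inverse of topic_address, used to build the sample logs
    return "0x" + addr[2:].lower().rjust(64, "0")

def classify_approval(log, trusted_spenders):
    """Verdict for one Approval/ApprovalForAll log; None for other events."""
    topics = log["topics"]
    if topics[0] == APPROVAL:            # ERC-20: allowance amount in data
        amount = int(log["data"], 16)
        whole_balance, revoked, kind = amount == UNLIMITED, amount == 0, "erc20"
    elif topics[0] == APPROVAL_FOR_ALL:  # ERC-721/1155: operator over all tokens
        approved = int(log["data"], 16) != 0
        whole_balance, revoked, kind = approved, not approved, "nft"
    else:
        return None
    spender = topic_address(topics[2])
    if revoked:
        risk = "revoked"
    elif whole_balance and spender not in trusted_spenders:
        risk = "high"    # an unknown contract can now drain everything
    elif whole_balance:
        risk = "medium"  # trusted today; a compromise of it still drains you
    else:
        risk = "low"     # bounded allowance
    return {"kind": kind, "token": log["address"].lower(),
            "owner": topic_address(topics[1]), "spender": spender, "risk": risk}

def scan_logs(logs, trusted_spenders):
    return [v for v in (classify_approval(l, trusted_spenders) for l in logs) if v]

# Constructed sample addresses (not real contracts) and logs.
WALLET, MARKET, DRAINER, TOKEN, NFT = ("0x" + d * 20 for d in ("11", "22", "33", "44", "55"))
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [APPROVAL, pad(WALLET), pad(DRAINER)],
     "data": "0x" + "f" * 64},                      # unlimited, unknown spender
    {"address": NFT, "topics": [APPROVAL_FOR_ALL, pad(WALLET), pad(MARKET)],
     "data": "0x" + "1".rjust(64, "0")},            # every NFT, known marketplace
    {"address": TOKEN, "topics": [APPROVAL, pad(WALLET), pad(MARKET)],
     "data": "0x" + hex(1000)[2:].rjust(64, "0")},  # bounded allowance
    {"address": TOKEN, "topics": [APPROVAL, pad(WALLET), pad(DRAINER)],
     "data": "0x" + "0" * 64},                      # revocation
]
```

Running `scan_logs(SAMPLE_LOGS, {MARKET})` yields verdicts high, medium, low and revoked for the four logs in order; against a real node, feed it the logs filtered by your wallet address in topics[1].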
How to Regulate the Metaverse?
Additionally, the metaverse promises to let businesses and consumers work, play, and buy and sell goods and services across platforms. This means multiple metaverses will be in play. “And there’s a ton of ways that you could abuse that,” Biasini said. “You could build a storefront that looks like you are a reputable retailer or a branch from a major store like we see with Sotheby’s. But there’s no guarantee that what you’re dealing with is the actual organization because there is no regulation in this space.”
While regulation and laws pertaining to cryptocurrencies are part of the solution, neither presents an immediate fix. This technology is relatively new, and lawmakers are still struggling with how to regulate cryptocurrency and related businesses.
In addition to waiting for government regulations, private-sector companies need to get more involved in enforcing certain standards of conduct in the metaverse, Biasini and Schultz said. “You may have industries that start to take more of a look at how do we regulate the transactions that are occurring on the blockchain with cryptocurrency,” Biasini said. “Is there a way for us to do an additional layer of validation of some sort?”
Meanwhile, businesses should take measures to protect their brands and not make themselves attractive targets for metaverse criminals.
“A lot of it is about being careful,” Biasini said. “If you’re advertising your wallet has millions of dollars in cryptocurrency in it, that can make you a target, and there’s not really a lot of recourse for you — even as a business. If someone scams you and gets you to give up the password that protects your wallet, there’s nothing you can do. I can’t think of another space where you can be robbed of $5 million and just say, ‘Oh, that sucks, and there’s really nothing else I can do about it.’”
This is why Schultz describes the metaverse as the Wild West. “And unfortunately, there’s not a lot of protection for users. It’s kind of live and learn.”
With many emerging technologies, security is an afterthought. “First, it’s let’s implement some cool features,” Schultz said. “And unfortunately, security is bolted on afterwards. I think we have a real opportunity here to hopefully integrate more security into this.”