Business

Cybercriminals Target Metaverse Investors With Phishing Scams

Source: CNBC
  • The metaverse, the new digital frontier where users can attend virtual concerts or purchase digital assets like land, has been hit with fraud.
  • Cybercriminals use phishing links that imitate the legitimate metaverse platforms to drain investors' digital wallets of assets.
  • While metaverse platforms are increasing their security measures and educating consumers about fraud prevention, they say they're not responsible for refunding money to phishing scam victims.

A nurse in rural Maine. A fitness instructor in Colorado. A venture capitalist in Florida. All three invested in the metaverse, buying land they say they thought was a solid investment. 

"I was really excited about it," said Kasha Desrosiers, a long-term care nurse. "And hopeful for, you know, whatever projects that would come out of it."

But in just days or months, all their virtual land was gone. And each of them says that there was simply no way to get it back.

Investors across the country told CNBC that hackers stole their land in the metaverse by tricking them into clicking on links they believed were genuine portals to the virtual universe, but which turned out to be phishing sites designed to steal user credentials. What they wanted was a piece of the metaverse — a new, blockchain-based virtual set of platforms that has recently come to prominence because of significant involvement from celebrities, fashion shows and investors. 

Instead, they say they got a lesson in the dangers of high-risk investing.

The rising popularity of investing in the metaverse – in which users purchase virtual "land" on various platforms with an expectation that it will increase in value – has also ushered in a new wave of high-tech fraud, according to authorities, interviews with victims and cybersecurity experts.

Defining the metaverse

The metaverse is not one single place. From virtual reality headsets to digital worlds that you can explore as an avatar, the term "metaverse" refers to a series of virtual reality platforms that immerse users in an interactive online experience. 

With cryptocurrency, users can buy and develop virtual land or attend fashion shows and concerts — all within the confines of their computer screens.  

The concept is not new. For centuries, authors and inventors have fantasized about a novel, interactive 3D reality. The term "metaverse" was first coined by author Neil Stephenson in his 1982 science fiction novel, "Snow Crash," in which the metaverse was a virtual reality used as a means of escape from a totalitarian world. 

And in the decades since Stephenson's novel, interactive online video games like Minecraft, Roblox and Fortnite have set the groundwork for blockchain-based games that have captivated the internet. 

Buying virtual property

While some companies have adopted virtual reality technology with which users can enter into a metaverse with a headset, the platforms in which users buy and sell virtual property can only be accessed through a computer. 

The three most popular platforms for purchasing metaverse real estate are The Sandbox, Decentraland and SuperWorld. While the three platforms have existed for years, they only started selling blockchain-based plots of land during the past year. 

Users in the metaverse make bids on virtual plots of land through NFT marketplaces, like OpenSea, in a process that works much like buying real estate in the real world. 

To purchase land in the metaverse, users typically need a cryptocurrency wallet — MetaMask is the most common.

Once an investor buys virtual land, the property is transferred to his or her digital wallet and the purchase becomes encoded on the blockchain — which essentially serves as the equivalent of a deed of purchase. The owner can then develop anything from a residential home to a decked-out concert venue on the land. Since many of these virtual worlds only have a scarce number of land plots, investors said they believe as the platforms rise in popularity, so will the value of their properties.

Phishing scams

Desrosiers said the metaverse piqued her interest because the nurse hoped to use the virtual platform to develop an educational game on human anatomy and physiology. So, she invested $16,000 in plots of land in The Sandbox and SuperWorld.

"It was kind of like a new frontier," said Dick Desrosiers, Kasha's husband, who was also involved in the purchases.

But her dreams of a virtual medical education game were quickly dashed. About three months after buying the land, Kasha said she typed in the name of the virtual platform Decentraland on a Google search bar — the first link that popped up was a phishing link. After she clicked on the link, it wiped out her MetaMask wallet.

"I was really sad," she said. "I went to work the next day, and I was just, like, 'My metaverse lands got stolen.' And everybody's, like, 'What?'"

Tracy Carlinsky, an online fitness instructor based in Boulder, Colorado, had a similar experience. Carlinsky spent about $20,000 on land in The Sandbox after hearing the hype about the metaverse. 

Her Sandbox property bordered rapper Snoop Dogg's virtual mansion — Snoop Dogg was one of the first celebrities to enter the metaverse and has recently shot a music video in the virtual space. 

"I thought it could be a fun area to be around," Carlinsky said. "You know, he talked about having private parties, interacting with his fans, holding concerts."

But like Kasha Desrosiers, Carlinsky said she mistakenly clicked on a phishing link and lost all her land, only days after using the faulty link. The phishing link looked nearly identical to The Sandbox's login page. 

Since the metaverse is so new, law enforcement officials don't keep stats on how much investors have lost to scams. But according to Chainalysis, a blockchain data platform, phishing scams are on the rise. For example, Decentraland was the victim of a phishing attack that targeted MailChimp, and as a result, had hundreds of email accounts leaked to the hacker, according to Chainalysis. The data platform also says cybercriminals posted fake minting sites on Twitter that resulted in lost Sandbox tokens.

Major investors

While hackers drain consumers' savings, investor funds have poured into these metaverse platforms.

The Sandbox, which is owned by a major blockchain venture capital firm called Animoca Brands, has a $4 billion valuation. 

Decentraland skyrocketed in popularity after the announcement of Facebook's name change to Meta, which put a spotlight on Silicon Valley's faith in the metaverse as an emerging technology. The start-up saw parcels of land sell for as much as $100,000. The platform has since attracted major brands like Estee Lauder, Samsung and Sotheby's as participants. In addition to these big-name backers, Decentraland has received $25 million in funding from investors like Animoca Brands. 

Animoca Brands has also invested $2.1 million into the online marketplace OpenSea. That blockchain start-up is reported to have a $13.3 billion valuation and has attracted celebrities like Mark Cuban and Ashton Kutcher.  

Tech giants like Microsoft and SoftBank are major investors in MetaMask.

CNBC reached out to these investors for comment. Cuban was the only one to respond and said that these phishing scams aren't unique to the crypto space — they affect big companies, too.

Phishing pages for sale

But there's a huge illegitimate business as well. 

The phishing pages responsible for emptying investors' wallets are for sale on the dark web and popular chat platforms such as Telegram. Some cybercriminals advertise these impostor sites for just $400, while others sell for as much as $5,000 on a Russian-language underground forum.

When landowners type their MetaMask credentials into one of these phishing pages, their username and password are sent to the cybercriminal, allowing the scammer to extract all the digital assets contained in the wallet.

The cybercriminal may then resell the stolen land on an online marketplace like OpenSea.

The prevalence of these hacks doesn't surprise Mason Wilder, research manager at the Association of Certified Fraud Examiners.

"There are a lot of legitimate use cases for these technologies that will cause it to stick around," Wilder said. "But until it matures more, a lot of people are going to lose a lot of money."

Mason Wilder, who is a research manager at the Association of Certified Fraud Examiners.
CNBC
Mason Wilder, who is a research manager at the Association of Certified Fraud Examiners.

Limited recourse

Many investors flock to the metaverse because it operates in a decentralized manner, meaning there is no central authority, such as a bank, providing oversight of the transactions.

That's because the buying and selling of metaverse property all occurs on the blockchain, which is a transparent ledger showing all transactions that take place. But once these transactions occur, they can't be changed. 

Due to the permanent nature of blockchain transactions, local, state and federal authorities have limited ability to protect these retail investors.

Adam Lowe, creator of the cold storage wallet Arculus, recommends investors use multifactor authentication as an added measure of protection. 

"If your only line of security is a username and password, you're doing it wrong," he said. 

As the metaverse has become more popular, platforms are having trouble fielding phishing and hacking complaints, with most saying that once an asset is stolen, it cannot be retrieved due to the decentralized nature of the blockchain. 

"All of these platforms have just exploded in growth and popularity, and I'm sure they're having trouble keeping up with employing enough people to answer questions," Lowe said.

Every victim CNBC interviewed said they were unable to retrieve their lost funds after losing their land to phishing scams.

Carlinsky said The Sandbox and MetaMask responded to her inquiries but said they weren't responsible for any stolen land or funds, recommending that she take more precautions in the future. OpenSea, that platform she used to buy land in The Sandbox, still has not responded to her. 

"My biggest issue with the whole thing is that — what I noticed is all three entities: Sandbox, MetaMask, OpenSea, they're all very much aware that these hacks exist," Carlinsky said.

"Sadly there is nothing we can do to retrieve the lost tokens/funds as this is a decentralized ecosystem, transactions are final and user-managed," read The Sandbox's response to Carlinsky.

In an email, MetaMask listed the reasons for the hacking, and offered solutions like discontinuing her account and reporting the incident to the authorities. OpenSea wrote in an email to Kasha Desrosiers that it had been "actively investigating" the issue for weeks, but it then never followed up with a solution. And SuperWorld said that there was "nothing we can do about it for now."

Response from metaverse platforms

Taylor Monahan, MetaMask's product lead, said the company is working to provide victims with better services for recovering their funds. MetaMask was the only platform that agreed to an interview with CNBC.

"Ultimately, what we want the outcome to be is, if you lose your funds, there's a path forward where you can recover those funds," Monahan said. 

To make this goal tangible, MetaMask announced a new partnership on Thursday with Asset Reality, which will be the case handler for consumer complaints and then investigate the scams on behalf of victims.

To date, Monahan said investor losses caused by fraud are not the company's responsibility. MetaMask has not refunded any victims' digital assets — it will only assist consumers with recovering the funds from scammers.

"In an ideal world, we would like to see nobody ever lose funds. And in the worst-case scenario, where they do, they have the ability to recover those funds, right? That's where we're aiming to be," she said. "And MetaMask is not the only one in the space that's being hit by this, any big product is."

She said the company is well aware of the phishing sites, noting that it's seen sites impersonating MetaMask and other crypto-related products on the dark web.

There's also been a rise in scammers impersonating more traditional sites with login pages, Monahan said.

"We call them phish kits, right? It's sort of like a package of things to try to trick people. And in the last couple years, they've become increasingly sophisticated," she said.

Monahan acknowledged that the metaverse was "definitely a work in progress" and urged people who've been ripped off to share their stories on social media or other mediums to alert people of scams.

In a statement to CNBC, an OpenSea spokesperson said it had disabled the ability to buy or sell NFTs that are reported stolen and has even banned accounts involved in theft in an effort to combat scam listings that can lead to phishing websites

OpenSea also said its platform works to identify and delist any items using phishing links. Additionally, the company said it has introduced a reporting mechanism that allows users to flag a compromised wallet, and it will then disable items being bought or sold from it. 

A Decentraland spokesperson told CNBC in a statement that it has a legal team working to prevent impersonators from fraudulently using its trademark and logo. The team is also working to remove any malicious Decentraland imposter sites and has hired firms in intellectual property research and enforcement to assist with this effort, according to the platform.

The spokesperson also said that in the last few months, two websites, 24 domains and five social media accounts posing as the official platform have been taken down. 

The Sandbox similarly said that it has contracted with companies that can detect and take down phishing sites to better protect consumers. 

"We take security very seriously. Unfortunately, these fake sites are a typical phishing scam that affects all industries. To combat these scammers, we have constant monitoring, using Brandshield and other providers to take proper legal actions and remove these sites," the company said in an email.

While SuperWorld did not point to any efforts to take down these impostor sites, like all the other platforms, the company said in a statement that it has made efforts to increase consumer education regarding best practices for theft prevention. 

CNBC also asked the three metaverse platforms whether they could quantify how much land has been stolen as well as the financial loss to investors from these phishing scams. The platforms did not provide figures.

The Wild West

And even though the technology's security has not fully matured yet, some investors say that hasn't deterred them from putting money into these metaverse platforms.

Kerry Leigh Miller, a Miami-based investor and venture capitalist by profession, owned a slice of the virtual universe for a grand total of 24 hours. Then, she said she clicked on a phishing link in a messaging platform called Discord, which allowed a hacker to steal her property in the Sandbox. 

"You feel violated … I had something stolen from me," Miller said. 

But she said having her virtual property stolen hasn't deterred her from participating in the early stages of the metaverse. Although she lost her personal property, Miller and a group of investors are developing a virtual campus in The Sandbox.

"Anyone investing in this space — it's the Wild West," Miller said. "Do your own research … and know that the platforms behind these infrastructures haven't figured out everything."

Please email tips to investigations@cnbc.com.

Disclosure: CNBC owns the exclusive off-network cable rights to "Shark Tank," which features Mark Cuban as a panelist.

Copyright CNBC
Contact Us