Do You Really Know Who’s Bidding on Your NFTs?

Why Web3 Companies Need to Defend their Customers against Malicious Bots

Non-fungible tokens, or NFTs, offer massive revenue potential for brands, and opportunities for cybercriminals to exploit if security isn’t thought of from the start. Adidas scored more than $20 million with its first NFT drop, and many major sports leagues have now embraced these modern collectible memorabilia. A perfect example of this is NBA Top Shot, an online marketplace that offers digital basketball collectibles in the form of NFTs that is seeing great traction with the NBA playoffs and the hype of the initial NFT drop of former Los Angeles Lakers star Magic Johnson.   

With the NBA Finals, Father's Day upcoming, and graduations in full swing, this is a great time for NFT marketplaces to promote limited-release NFTs as the perfect gift for dads and grads. However, bad actors have also taken notice of the recent high-dollar success of NFTs. Bots are cybercriminals’ secret weapon, and they use them to wreak havoc, manipulate prices, defraud customers, and undermine the NFT ecosystem. How can collectors and investors know the true value of their NFTs if the marketplace is infiltrated with bots?

NFT marketplaces, and organizations considering other Web3 business models, need to understand and address the fast-changing security requirements of doing business in the metaverse. To be successful, these new digital exchanges will need to offer dynamic security defenses against bot and other cyberattacks to safeguard their NFT investments, marketplace reputation, and the activities and experiences of customers.

Why are hackers focusing their bots on NFT sales? Quite simply, it’s where the money is. The market for NFTs grew to $41 billion by the end of 2021, according to Chainalysis. NFT marketplace ecosystems are relatively young, and the technology and processes are not really understood by many—which makes them a perfect target. Cybercrime organizations use bots to cause disruption and are well established, bringing years of experience to the task.

Traditional financial services, such as banks, brokerages, and insurance companies have contended with increasingly sophisticated bot attacks for years. The e-commerce industry has also been heavily hit by bots, especially with limited edition product releases like sneakers targeted by inventory hoarding bots. While blockchain, cryptocurrencies, and decentralized finance are recent innovations, they are emerging into an already mature, battle-tested cybercrime environment.

Bots to Watch Out for

Bots are a fact of life for NFT marketplaces. NFT drops are highly susceptible to exploitation by malicious bots, which manipulate prices and product availability, or offer fake products for sale. Bots can also be part of larger and more nefarious schemes that can involve taking down entire websites, stealing identities, and acquiring other personal financial information. Here are some types of bots you should protect against:  

• Purchasing bots. Automated purchasing bots are designed to buy online goods or services in bulk, the moment they go on sale. These bots complete the checkout process instantaneously. The goal is to gain mass control of valuable inventory, which is usually resold on secondary markets at a significant markup. Because these bots impede purchasing from real human shoppers, they result in consumer frustration and denial of inventory as virtual goods like NFTs become unavailable.
• Bidding bots. These bots employ fake bids to manipulate NFT prices, raising or lowering the price, depending on the underlying resale strategy. By placing large numbers of lowball bids for NFTs well below the asking price, decrease price bots can drive down the value of an NFT without ever actually making a purchase. Increase price bots purchase low price NFTs, artificially creating scarcity and boosting popularity to force buyers to pay more for remaining inventory, often on secondary markets. At their worst, bidding bots can artificially drive up the price of NFTs through automated bidding wars.
• Counterfeit NFT bots. Similar to fake Rolex watches sold on street corners, bots can be used to sell non-authentic NFT projects that don’t match policy IDs. When a consumer mistakenly buys a fake NFT from a fraudster, there’s little chance of a refund, and without proper authentication, no chance of legal resale.
• Fake promo bots. Bots can also masquerade as phishing schemes, enticing users to click on links to take advantage of very limited offers, such as a fake YouTube Genesis Mint Pass.

Rampant bot activity on NFT marketplaces sows doubt and suspicion and affects not only potential buyers, but also the legitimate sellers, artists, athletes, and creatives whose products are sold on online marketplaces. Malicious bots have the potential to sidetrack the growth of blockchain-based markets, and if NFT exchanges gain the reputation of bot hotbeds, bots can threaten one of the most dynamic expressions of the new digital economy.

Protecting Your Marketplace Against Bots

If you operate an NFT marketplace or other Web3 operation, the bottom line is that your customers expect a safe, fast, and seamless experience, and there are things you can do to ensure this happens.

F5 has worked closely with many of the top NFT marketplaces and exchanges, helping them to implement sophisticated security and safeguards from the start, protecting against bot attacks that target login, stopping fake account creation, and preventing inventory hoarding bots that buy up inventory and drive up the prices of NFTs.

If you’re considering promoting your NFTs for Father’s Day or graduation gift-giving, here are a few tips to keep in mind:

• Understand patterns for fraudulent new account openings and validate new account enrollment
• Evaluate your bot defense strategy to prevent sophisticated, human-emulating automation and retooling
• Avoid account takeover by monitoring every transaction for signs of fraud or risky behavior and harden login systems against credential stuffing
• Leverage authentication intelligence to reduce user friction and improve customer experience
• Manage users on your platform to identify if they are customers or bots; blocking bot attacks upstream helps your company reduce fraud downstream
• Explore ways to augment your security and fraud teams with new tools and external intelligence support to help stay ahead of fraud
• Expect criminals to continue to retool their attacks—so you must also be able to quickly retool your defenses

Help Your Customers Protect Themselves Against Cybercriminals

It is important to protect and gain customer trust, and this starts with education. Here are some tips you can share with your customers:

• Consider hardware wallets. If using cryptocurrency to purchase NFTs, consider using a hardware wallet instead of software wallet to make the purchase and store the NFT. Hardware wallets, which are external physical devices with specialized firmware to prevent private keys from being accessed, can significantly improve security of both cryptocurrency and NFT purchases by protecting them from bots and other cyberattacks.
• Always review contracts. Purchasing an NFT nearly always entails engaging in a “smart contract” with the seller. Carefully review these contracts, which are issued on blockchain, prior to approval because they detail the unique information that is associated with your NFT, including ownership and transaction details. Know what you are agreeing to, as smart contracts can specify rules about trading the NFTs and other ownership rights.
• Be aware of fake marketplaces. Only consider purchasing NFTs from reputable organizations that take security seriously and keep transactions bot-free.
• Understand how your NFT marketplace communicates and what your options are if your NFTs are stolen. Knowing in advance how your marketplace will contact you, and what your recourse is if your NFTs are stolen, can help you deflect phishing attacks, spoofing, and other fraud.

Want to learn how other organizations successfully protected their customers and company against bots? Read this F5 Bot Defense Total Economic Impact Report by Forrester.

If you’d like to see F5 Distributed Cloud Bot Defense in action, visit F5’s DevCentral to watch the demo.

And for information on what to look for in a bot defense solution, here are 10 questions to ask a bot mitigation vendor.