One of the aspects to keep in mind when working with crypto and blockchain is the security of our wallets.
Blockchain and cryptocurrencies only provide a certain level of protection and anonymity but as we will see in the below example, there are techniques that can be traced back to everything and fix a name behind an address and wallet.
Just as it is never wise to publish and disseminate your private crypto address to everyone, in the same way we must not publish the IDs of our NFTs that we have.
The reason for this is that they are in effect unique pieces of information that only we will have. The image is the same for the whole collection might be identical but the underlying identifier isn’t.
Today we are going to analyze and show a technique that is used by criminals and unscrupulous people to obtain private information about us and our wallets, putting us in awe and even blackmailing us in the most diverse ways.
The first step that the criminal takes is to scroll through various posts and stories of any social network, especially those with hashtags related to crypto and #NFT, to find the naive person who published the ID or even the link of the their brand new NFT just purchased or received.
In this example, a story about the recent purchase is shared showing different elements of the NFTs just purchased as the famous unique IDs (obviously for privacy names and IDs have been hidden and any addresses in this article are completely random to protect and protect this potential victim):
Now that we have recovered both the type of collection and the NFT ID, the criminal goes to the famous OpenSea platform.
The search field he enters what he found in the image to identify the correct collection, which in this case is the one belonging to "JR - Can Art Change the War?" that as we can see from the collection, it has all identical pieces and a total of 586 pieces at the moment, which allows us to narrow the search a lot:
At this point, after identifying the NFT with that ID, the criminal proceeds to open the related NFT and check more information, that is, the "Owned" field, as some people also put their name and surname or their nickname and then proceed to click on its name to find out its address.
In this case, we take a random NFT, and we see that in the owned field there is written Barcelona_Lakers, and that their address is 0xf545D18b3e17bc8d7D48D0f16c44441A88BC7705:
The next step, now that we have the victim's address, is to find out how many crypto there are in that address and to do so, simply enter that address in a suitable block explorer, in this case Etherscan:
What we see now is both the strength and the weakness of any public blockchain, i.e. the transparency of the operations and the balance that contains this address which is about 0.5 ETH, and from here we can also see how many tokens it has and what other NFTs and operations did:
The whole process is now set up and can start with one or more scams against the victim because if we know the email, we can send phishing or extortion emails for various reasons, as we can identify with extreme precision the various transactions that the victim has done which makes the attack extremely effective and dangerous against the victims.
The rule that must always be remembered is to never reveal sensitive information anywhere, just as you do not write your current account anywhere in the same way, the address number and even the ID of your NFTs should not be written.
Another strategy is to use different wallets to divide both crypto and NFT purchases, therefore 1 NFT 1 address in order to avoid and limit this type of phenomenon, which, however, not everyone does, but which is a good idea to do.
Trash any type of contact and email that comes to us from strangers, regarding our wallet or NFTs we hold, as most likely this information was recovered with one of these aforementioned methods.
Here is a video for readers who speak Italian.