NFT artists have to be constantly alert to the threat of scams and hacks. How can cybersecurity approaches be adjusted to protect the most vulnerable?

In the cryptosphere, scams and hacks are an expected, if unwelcome, part of the game. As Molly White’s Web 3 is Going Just Great blog meticulously documents, a whopping 12 billion USD has been lost to such malicious events, with the ticker going up by the hour. Much reporting has focused on the victims of these scams, conjuring an invariable stereotype: the get-rich-quick dreamer, often a tech newbie, captivated by the Wild West of crypto, and dumbfounded by the complexity and self-discipline required of keys, wallets, and IPFS. But this prefigured chump is a simplification of the average crypto user and tells us little about the experience of artists working with NFTs—even as the creative economy accounts for a significant portion of revenue in web3, not to mention the positive effect on its image.

The NFT artist occupies a singular position: expressly conspicuous, radically untethered, yet amenable to network-building. This role has been a boon to many artists, but in the precarious, unregulated ecosystem of web3, it also places them at risk. As a result, cybersecurity concerns are placed squarely in the artist’s purview. This raises the question: What impact does such constant attentiveness have on the production of NFT art? And whose work and perspectives might we unknowingly be missing out on due to the cybersecurity risks in web3? As one artist put it to me when recounting a hack they’d experienced: “I was suddenly asking myself, should I not be engaged in the space?”

It’s important to consider what we mean by cybersecurity—and what values are embedded within its tactics and strategies. The foundations of cybersecurity derive from the threat modeling of information systems in the 1970s, back when computers were hulking, institutional machines designed for specific computational tasks. Present-day cybersecurity directives still prioritize the safety of systems and assets, rather than people. In literature and training materials, the prevailing adage that “humans are the weakest link” inadvertently inculpates the user. From this perspective, were it not for human fallibility, computer systems would be able to operate and respond to threats seamlessly. This logic of placing individuated blame on the user likewise underpins cybersecurity discussions in web3, where the solution is always to upskill and improve one’s own tech literacy.

Present-day cybersecurity directives still prioritize the safety of systems and assets, rather than people.

Such austere recommendations elide the differing entry points, identities, and behaviors that artists bring to the blockchain. As the Reconfigure Network of feminist cybersecurity practitioners and researchers highlights in its 2021 report, traditional cybersecurity has long been guilty of the “exclusion of certain groups from its research, industry, and mythologies.” The concerns of these users, the report states, are made invisible by the prioritization of “more powerful actors” such as governments and corporations. The authors recommend a more inclusive model of cybersecurity, rooted in the experiences of individuals. To ensure that mainstream voices are not privileged over those at the margins, they also advocate for a consideration of how “intersecting identities shape individual attitudes to technology.”

Through a (still ongoing) series of interviews, I have attempted to elucidate some of the most pressing cybersecurity concerns from the perspective of NFT artists. By taking “cybersecurity” at its broadest of possible definitions, we can begin to uncover experiences that are traditionally overlooked, such as an unsolicited Discord message, or an airdrop of abusive NFTs: experiences that are clearly detrimental to providing an accessible and inclusive online environment. For the same reason, I have purposely tried to recruit artists working in a range of media and from varying geographies, although this research is not comprehensive or conclusive—and I would certainly welcome further responses. From these interviews, I have identified three primary considerations around cybersecurity for artists in web3, which make clear that a one-size-fits-all approach will inevitably leave the most vulnerable at the greatest risk. I have also identified some possible approaches that could help level the playing field. For the sake of security, names and other identifying information for most respondents have been obscured.

Firstly—and this applies across the board—the public-facing role of NFT artists has made them attractive targets for scams and hacks. This publicity is a necessity for anyone wishing to compete in an oversaturated and undifferentiated market. One artist told me of a scam they had encountered in which an attacker posed as a gallery, offering to display their work. The attacker engaged in a lengthy dialogue through multiple emails and even phone calls. They eventually sent a malicious link for the artist to upload their work that would surreptitiously ask them to reveal their private keys. These phishing scams employ social engineering, a sophisticated form of tailored coercion that plays on the specific precarity of the artist’s condition. Without a gallery serving as intermediary, most NFT artists are required to self-promote and manage their own engagements. It is up to the artist to decide which sales enquiries or exhibition invitations are phony and potentially harmful. Meanwhile, NFT platforms that spotlight certain artists or show a leadership count of highest-grossing artists may unwittingly be creating a hit-list for hackers and scammers.

The second issue is rooted in gendered inequality. Further research remains to be done to investigate whether scammers target specific subgroups of NFT artists (as well as collectors) based on their gender or other identity-based attributes, but there are striking correlations to be found. According to ProPrivacy’s 2022 study, women are still more at risk of becoming victims of fraud than other genders: they are 50 percent more likely than men to report identity theft. There are several high-profile cases in which the rampant unregulated minting of NFTs has affected work by women artists. In February of this year, CryptoChicks, a PFP project with a trading volume of 12,900 ETH, was shown to have plagiarized Brazilian illustrator Amanda Costa. The illicit minting of work by Qinni, a Chinese-Canadian digital artist who died at the start of 2020, is another example of NFT scammers profiting from the work of women artists.

One NFT artist spoke of an early attack she had experienced: “I’m an emotional person and some of this tech, this cybersecurity, requires you to be very rational about every decision that you make. There’s certainly a personality type that does much better.” The connotations of the emotional versus rational divide expressed in this artist’s account are strongly gendered. With only 26 percent of the global tech workforce identifying as women, and only 24 percent for the cybersecurity industry, tech and security are still predominantly coded as masculine, despite the leaps made by STEM inclusion in the past decade. We ought to not deduce from such incidents that women-identifying artists are less tech savvy or more susceptible to scams—rather, they are more likely to be targeted based on the group’s perceived tech literacy. Scammers may assume that women have a less robust support system, with fewer resources available for recourse, and are less likely to be believed.

Lastly, there is the question of the ethics of NFT expansion in the Global South. The opportunity for NFTs to open up markets to a diverse body of artists has been touted by platforms and investors alike. Success stories such as Nigerian artist Osinachi’s 68,000 USD sale at Christie’s exemplify how NFTs might tip the scales for certain creators. Amid the Russo-Ukrainian war, blockchain technology has also provided an intermediary solution for displaced or refugee artists. Crypto is more stable than their local currencies, and easier to access when moving across borders. But what about the insecure conditions that NFTs also impose?

Patricia Echeverria, an artist based in Los Angeles who is involved in arts-for-development projects with Palestinian women’s craft communities, told me she was torn over whether to try to integrate NFTs into this work. On the one hand, she described the benefits as “revolutionary for anyone who’s living in a country that has limited access to culture funds.” But she also harbored a concern for the unrestricted and uncritical diffusion of NFT to these communities: “I didn’t feel comfortable going into this community of women artists, giving a workshop on how to open up a crypto wallet, which ends up getting hacked—that would then be my responsibility.” There is no mandate for artists to use NFTs. But as the traditional art market expands into NFTs, and emerging platform actors begin to cast their attention to a more globalized market of potential users, the blockchain can no longer be sidelined as a fringe choice for artists that requires no security apparatus, particularly in communities where digital penetration rates are lower than in the Global North.

We should be mindful that cybersecurity risks, as explored here, are not shared equally among artists. Early adopters of NFTs are more likely to have a higher level of tech literacy than artists previously working in more traditional mediums. Not all artists are in favor of more robust cybersecurity support and accountability. Some believe their peers should “put the work in.” Artists who have been embedded in the culture for years (rather than months) perceive these sunken costs—the trial-and-error process of learning and sometimes failing—as crucial to binding the community. From this perspective, the trade-off on ease and usability is better than the compromises of privacy and freedom that Web 2.0 platforms oblige.

Cybersecurity risks are not shared equally among artists.

And yet, a cybersecurity that is not just responsive but also humane, intersectional and empathic to emergent threats is essential if web3 is to “onboard” a broader cohort of artists into NFTs. What specific mechanisms must be put in place to protect those with the most to lose, or the fewest resources? The mutual support systems powered by decentralization offer one possible way forward. We can already observe responsive threat-tracking in Discord servers, with artists highlighting spam and malicious messages and users to their community. We might also extend the responsibility to NFT sales platforms, which act as intermediaries between artists and the blockchain, and whose systems for recourse and reconstitution are often playing catch-up with nefarious actors. Investment in preventative, robust cybersecurity infrastructure ought to become a priority.

Another possible avenue is the design and deployment of a cybersecurity toolkit specifically tailored for NFT artists. Such a document would ideally be collaborative, open-source, fluid, and designed to encompass the full spectrum of technical literacies—as well as the different software and tools artists may have access to on either side of the digital divide. By acknowledging and integrating learnings from NFT artists, who are most often positioned on the frontlines of cybersecurity threats in web3, we can pull together to forge a safer, more diverse ecosystem.

Fattori McKenna is a researcher and PhD student at the Oxford Internet Institute. Her ethnographic fieldwork focuses on the materiality and lived experience of art worlds the blockchain. 

@fmckenna__

Thanks to Brendan Dawes for granting permission to illustrate this article with images from The Art of Cybersecurity (2019), a series of images and an animation visualizing data about cybersecurity threats to various industries.

@brendandawes