Like other digital solutions, an NFT (non-fungible token) is exposed to cyberthreats. As an NFT relies on blockchain technology, the cybersecurity problems that might affect an NFT are similar to those that affect the broad range of blockchain-based solutions. Equally, a token is only as (cyber)secure as the technology from which it is formed.

Although NFTs are still not common and are used little because the technology is relatively new, the associated cyberthreats are already apparent.

NFT security depends, among other things, on the technology used to create the token. One of the major security factors is the level of decentralization of the blockchain system from which the NFT is created. The more centralized the blockchain system, the greater the risk of an unauthorized person taking control. Although this is at odds with the very idea of distributed ledger technology, of which blockchain is a form, a blockchain may in practice be created by one or a small number of parties. The technology is intended to provide security through the participation of a large number of parties in its operation, because that participation minimizes the risk of an unauthorized person taking control. The smaller the number of parties managing an NFT production project, the easier it might be to gain control of all of the token resources created in the project. This might even result in those tokens being lost completely.
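The degree of concentration the paragraph above describes can be measured. The following Python snippet is an added example, not code from the article: it computes the "Nakamoto coefficient" (a metric the article does not name), i.e. the smallest number of parties whose combined share of control over a network (stake, hash power or validator slots) exceeds a chosen threshold. The validator sets and their shares are constructed sample data, and the name `risk_summary` is my own; a practitioner assessing the chain behind an NFT project would feed in the real distribution of control.

```python
from typing import Dict, List, Optional, Tuple


def nakamoto_coefficient(shares: Dict[str, float], threshold: float = 0.5) -> Optional[int]:
    """Minimum number of parties whose combined share strictly exceeds
    `threshold` of the total. Returns None if there is no share data at all.
    If no coalition ever exceeds the threshold (e.g. threshold >= 1.0), the
    answer is the full number of parties, since all of them would be needed."""
    total = sum(shares.values())
    if total <= 0:
        return None
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    cumulative = 0.0
    for count, (_, share) in enumerate(ranked, start=1):
        cumulative += share
        if cumulative / total > threshold:
            return count
    return len(shares)


def controlling_parties(shares: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """Names of the largest parties that together cross the threshold."""
    coefficient = nakamoto_coefficient(shares, threshold)
    if coefficient is None:
        return []
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    return [name for name, _ in ranked[:coefficient]]


def risk_summary(shares: Dict[str, float]) -> Dict[str, Optional[int]]:
    """Two thresholds commonly considered: one third (enough to halt many
    BFT-style consensus protocols) and one half (enough to rewrite history
    in majority-based protocols)."""
    return {
        "parties": len(shares),
        "min_parties_over_one_third": nakamoto_coefficient(shares, 1 / 3),
        "min_parties_over_one_half": nakamoto_coefficient(shares, 0.5),
    }


# Constructed sample data (not real networks): a consortium chain run by
# three operators, one of them dominant, versus a network of 100 equal validators.
CONSORTIUM_CHAIN = {"operator-A": 60.0, "operator-B": 25.0, "operator-C": 15.0}
WIDE_NETWORK = {f"validator-{i:03d}": 1.0 for i in range(100)}

if __name__ == "__main__":
    for label, shares in (("consortium", CONSORTIUM_CHAIN), ("wide", WIDE_NETWORK)):
        print(label, risk_summary(shares), controlling_parties(shares))
```

A coefficient of 1 at the one-half threshold means a single party can take control of the ledger on which the tokens live, which is exactly the centralization risk the article warns about; the larger the coefficient, the more parties would have to collude.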

Another serious risk that may affect all users of a particular solution from which an NFT is generated is vulnerabilities that might enable control to be gained over the tokens, or their integrity or authenticity to be compromised, in an unauthorized manner. The best example is an error in the Ethereum platform source code, which in June 2016 led to the theft of tokens worth approximately USD 50 m[1]. This is relevant above all to platforms that are just in the process of being launched. As they are start-ups, they may neglect the issue of security, and this may expose users to the risk of losing the funds they invest in NFTs.

In addition, there is a broad spectrum of now well-known NFT cyberthreats that might affect individual users. These threats will become increasingly common, and as NFTs come into wider use, new types of risk to token security will emerge. The major threats existing at the moment include:

  • sale of fake NFTs, for example of copies of artworks that do not have a token or have a counterfeit token;
  • gaining control of users’ accounts on NFT trading marketplaces, which could result in theft of the funds accrued on those accounts and unauthorized trade in NFTs held by users;
  • phishing, leading to unauthorized access to users’ bank accounts.

Although blockchain technology ensures greater technological security than “conventional” IT solutions, NFT security is not only a question of the technological resilience of NFTs to possible threats. NFT cybersecurity measures include a range of other factors, such as organizational matters concerning the use of NFTs, the development of appropriate processes within an organization that operates NFT-generating systems, or, as a minimum, a suitable policy for advising NFT users of the cyberthreats related to generating tokens or trading in products that contain NFTs. Only a multifaceted approach to cybersecurity can mitigate the risk of incidents that threaten the security of tokens, token producers, and buyers of tokens.

NFT (cyber)security is not only a question of the technical or technological security guaranteed by the systems used to create NFTs. There may also be legal aspects, due to the cybersecurity legislation that is being developed at EU and national level.

Both the current cybersecurity legislation (in the form of the NIS directive[2] and the National Cybersecurity System Act[3]) and the envisaged legislation (the NIS2 directive[4], the DORA regulation[5] and a bill amending the National Cybersecurity System Act) are intended to protect the most important areas of the national economy against cyberthreats and to ensure that they function smoothly. These laws will apply if entities that are operators of essential services, providers of digital services, or state entities required to comply with these laws use NFT technology when providing an essential service or digital service, or when performing public duties, as the case may be.

With regard to operators of essential services, the NIS directive requires member states to specify at national level the appropriate and proportionate technical and organizational measures to manage the risks posed to the security of the network and information systems they use[6]. Similar obligations are placed on digital service providers[7].

This means that both operators of essential services and digital service providers should, for instance, carry out an analysis of cybersecurity incident risk and of the management of that risk wherever NFT technology, or the systems in their business operations that enable them to make use of tokens, is used to perform their essential services or digital services, as the case may be. Operators of essential services and digital service providers need to take measures of a technical and organizational nature (such as managing continuity of operations, and monitoring or testing systems) that enable them to use those solutions in a secure and continuous manner and that keep the effects of incidents on the essential services and digital services they provide to a minimum.

Because NFT technology is relatively new, at the moment it will be used by operators of essential services and digital service providers to provide their services only on a limited scale, if at all. Nonetheless, essential sectors of the economy, such as banking, have already been identified on which NFTs could have a major impact[8].

This could change, however, as a result of ongoing legislative developments in cybersecurity that cover new areas of the economy in which NFT technology is used more frequently than in other sectors, of a particular practice becoming established through the application of soft law instruments and norms, or of the emergence of new services that use NFTs. It is possible that the obliged parties that make use of such services will have to conduct a security assessment of specific NFT solutions. This would be done in particular by analyzing the risks that may arise when using those solutions and by taking measures to mitigate the negative consequences of using NFT technology.

[1] What Was The DAO?, Gemini, 17.03.2022, https://www.gemini.com/cryptopedia/the-dao-hack-makerdao#section-the-dao-hack-remedy-forks-ethereum (accessed: 31.08.2022).

[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

[3] National Cybersecurity System Act of 5 July 2018 (consolidated text, Journal of Laws of 2020, item 1369).

[4] Proposal for a Directive of the European Parliament and of the Council on measures for a high common level of security across the Union, repealing Directive (EU) 2016/1148.

[5] Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulation (EC) no 1060/2009, (EU) no 648/2012, (EU) no 600/2014, and (EU) no 909/2014.

[6] Art. 14(1) of the National Cybersecurity System Act.

[7] Art. 16(1) of the National Cybersecurity System Act.

[8] B. Legters, Will The Growth In NFTs Change The Trajectory Of The Banking And Payments Industry?, Forbes, 23.06.2021, https://www.forbes.com/sites/boblegters/2021/06/23/will-the-growth-in-nfts-change-the-trajectory-of-the-banking-and-payments-industry/?sh=1771e0a554ad (accessed: 31.08.2022).