Security Breaches in the Metaverse

Rob Cataldo, Managing Director, North America

More and more brands are striving to embrace the metaverse. Gucci is creating its own world in the Sandbox metaverse, buying virtual land to start building a new empire. Warner Music Group also announced a Sandbox integration that will include a theme park and a concert venue. And the first NFT restaurant, the Flyfish Club, opened recently in New York. A permanent NFT membership card costs 2.5 Ethereum, or a little over $8,000.

There will be a real-world economic effect. According to PWC’s VR and AR forecasts, these technologies could impact 23 million jobs by 2030. This, in turn, could lead to economic growth of $1.92 trillion.

Metaverses aren’t just for consumers. One of the most obvious business applications is to improve the training and education experience for employees.

New interactive learning experiences in VR, AR and mixed reality can enable people to learn faster, retain information better and enjoy the process. A recent PWC study found employees who trained in virtual reality simulations learned four times faster than in-class learners and twice as fast as online learners. The sessions were also shorter: only 20 minutes compared to one hour.


It is often not completely clear what people mean when they use the term metaverse. Are they referring to a particular virtual world, like Fortnite, or a VR ecosystem, like Oculus? Other hot technologies like NFTs and blockchain are often involved. One startup promises a solution to create AI-enabled digital avatars that can be minted and sold as NFTs to be used in the metaverse – basically all the buzzwords in one.

All this complexity introduces cybersecurity and privacy implications, but many of the fundamentals remain the same. We still have the problem of possible account takeover, which can lead to identity theft and fraud. In the same way that adversaries can get access to your personal or corporate correspondence if they hack your email accounts via phishing, malware or credential stuffing, they can also gain access to your personal data stored on your preferred metaverse platform. From a corporate perspective, it still means that humans are the weakest link when it comes to cybersecurity.

Some things might turn out to be different, so let’s try to imagine where things might be in a few years. One of the promises of the metaverse is interoperability. For example, a house you bought on Decentraland and a pair of luxury virtual sneakers from OpenSea would be accessible on all platforms, including the one you use to go to work at your virtual office. This scenario would create a single point of failure and put greater stress on the need to protect your accounts.

Another issue would arise if this interoperability is based on a blockchain, such as Ethereum. This puts more responsibility on the end user to keep their identity and digital property safe, since current blockchains, by definition, lack a central authority. This means if your fancy NFT avatar is stolen, the platform cannot help you, as demonstrated by the high-profile NFT-ape stealing cases. Also, tying identity (and access to personal data) to a blockchain wallet, which also stores your money and digital property, means cybercriminals will be more eager to gain access to it.

Finally, the question of trust in the platform will be important. Many companies are already using the cloud as their primary infrastructure and have distributed their workforce accordingly, so moving the office to a VR world would be a logical next step (even though the tech still needs to evolve considerably to make the idea of being in VR for 8 hours a day appealing). Those whose operations involve handling personal data or classified information might want to continue relying on on-premises solutions and not expose the identities of their employees on a blockchain.

Should the metaverse actually become a new paradigm (which is still an if), the basics of threat mitigation will be the same: protect consumer accounts with password managers and multi-factor authentication, use a reliable cybersecurity solution to prevent malware and phishing attacks, and educate yourself and your employees on best cybersecurity practices. If you already use cryptocurrency, invest in a hardware wallet and please read these cybersecurity tips on how to keep your crypto safe.

Of course, the metaverse is still in its early stages, but when it does become part of our daily lives, not every brand will be able to grow in these competitive markets. Like the people who control them, avatars will have limited time, opportunity and energy to interact with companies. Brands that hope to thrive in the metaverse tomorrow need to explore its boundaries and possibilities today, address the security risks, and stake their bets before there are no more virtual worlds left to conquer.

About the Author
Rob Cataldo, Managing Director, North America, Kaspersky
As managing director of the region, Rob is responsible for the company’s sales, business development and marketing functions as well as achieving the company’s objectives for growth in market shares and profitability. Rob shares management oversight and responsibility for the public relations, customer support, finance, human resources and information technology departments.
