Cybercriminals Set Their Eyes on the Metaverse

The modern metaverse concept consists of multiple independent and connected virtual spaces. As such, it is impossible for a single company to build the entire metaverse on its own. An optimistic estimate would be that the full-fledged metaverse is five to ten years away from complete deployment.

According to McKinsey & Company's study “Value Creation in the Metaverse”, the metaverse has the potential to grow to US$5 trillion by 2030. Last year alone, private capital for this technology reached US$13 billion, and in 2022 it is already at US$120 billion. The research also shows that consumers are so eager for the transition from physical life to the metaverse that nearly six in ten (59%) prefer at least one metaverse experience over its physical alternative.

Today's metaverse-like applications are designed primarily for gamers rather than the general public. In the future, everyday tasks such as remote work, entertainment, education and shopping are expected to be performed in next-generation metaverse-like applications.

But given this scenario, the metaverse will also attract its own flavor of cybercrime.

What are threats affecting the metaverse?

It is difficult to predict cyberthreats for a product space that doesn’t exist yet and may or may not exist in the form that we envision. With that in mind, we brainstormed ideas to refine our understanding of the metaverse and to identify threats against the metaverse and inside the metaverse.


Much has been made of the use of non-fungible tokens (NFTs) in the metaverse. NFTs are unique, blockchain-stored data units that can be sold and traded. NFT data can include hashes or links to digital files such as text, photos, videos, and audio in order to verify digital asset ownership. NFTs regulate asset ownership but don’t store assets, leaving users open to ransoming or other threats. If the files are encrypted by ransomware, the owner of the NFT won’t be able to access the files. Worse, if the underlying blockchain is susceptible to Sybil attacks, the asset can effectively be stolen.

Scammers can also clone an NFT by subtly altering a few bits of data in the ‘protected’ file and selling essentially the same digital asset. The asset servers can also be manipulated, as Moxie Marlinspike showed, by changing the contents returned from the URL stored in the NFT.
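As an added illustration (not code from the original article), the following Python check shows why a token that stores only a mutable URL gives its holder nothing to verify: it compares a fetched file against a hash recorded in the token's metadata and flags references that are neither hashed nor content-addressed. The metadata layout, hostnames, CID and payload bytes are all constructed samples.

```python
import hashlib
import json

# Constructed sample asset bytes and token metadata (typical NFT metadata JSON
# with name/image fields); none of these are real tokens, files or hosts.
ASSET_BYTES = b"constructed image payload for the sample token"
TAMPERED_BYTES = b"constructed image payload, swapped by the asset server"

METADATA_WITH_HASH = json.dumps({
    "name": "Sample asset 1",
    "image": "https://assets.example/item/1.png",  # mutable URL (assumed host)
    "sha256": hashlib.sha256(ASSET_BYTES).hexdigest(),  # recorded with the token
})
METADATA_URL_ONLY = json.dumps({
    "name": "Sample asset 2",
    "image": "https://assets.example/item/2.png",  # URL only, no hash at all
})
METADATA_CID = json.dumps({
    "name": "Sample asset 3",
    "image": "ipfs://bafyconstructedcid",  # content-addressed: the CID pins bytes
})

def reference_kind(uri: str) -> str:
    """'content-addressed' when the reference itself commits to the bytes
    (an ipfs:// CID); 'mutable' when a server decides what the URL returns."""
    return "content-addressed" if uri.startswith("ipfs://") else "mutable"

def verify_asset(metadata_json: str, fetched: bytes) -> str:
    """Classify what a fetched file proves about the asset a token describes.

    verified / mismatch : metadata carries a sha256 and the bytes match / differ
    pinned              : ipfs:// reference; a CID-aware client would recompute
                          the CID (not done here) to get the same binding
    unverifiable        : mutable URL and no hash, so the holder cannot detect
                          a swapped file (the Marlinspike case above)
    """
    meta = json.loads(metadata_json)
    expected = meta.get("sha256")
    if expected:
        actual = hashlib.sha256(fetched).hexdigest()
        return "verified" if actual == expected else "mismatch"
    if reference_kind(meta.get("image", "")) == "content-addressed":
        return "pinned"
    return "unverifiable"

if __name__ == "__main__":
    print(verify_asset(METADATA_WITH_HASH, ASSET_BYTES))     # verified
    print(verify_asset(METADATA_WITH_HASH, TAMPERED_BYTES))  # mismatch
    print(verify_asset(METADATA_URL_ONLY, ASSET_BYTES))      # unverifiable
    print(verify_asset(METADATA_CID, ASSET_BYTES))           # pinned
```

A marketplace or wallet that applies this check before displaying an asset can at least warn the holder that a URL-only token binds to a server, not to a file.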

Another security issue involves asset transfers. Moving digital assets between metaverse spaces can incur costs due to verification and also because incompatible assets must be “converted” for use on a technologically different platform. Asset brokers will be used for this, but scammers pretending to be asset brokers may defraud users.

Before best practices and rules are established, virtual trade routes could resemble the Wild West. If virtual trade is rooted strongly in blockchain technology, it will essentially be an unregulated market where no defined government or legal entity exists to help in the event of fraud. Existing attacks like phishing, drive-by downloads, and others may also be more effective due to the sense of trust that this interactive space creates.

The Darkverse

The darkverse, similar to the Dark Web, will be an anonymous space for malicious users to interact in. The pseudo-physical presence mimics real spaces used for clandestine meetings, making it suitable for criminals to facilitate their illegal activities. Conversely, it could also be a safe space for free speech against oppressive entities or governments.

Darkverse worlds could be set up so that they are only accessible if the user is in a designated physical location — this protects closed metaverse communities. Location-based and proximity messages will make it difficult for law enforcement agencies (LEA) to intercept metaverse data.

The darkverse is especially problematic because serious crimes such as child pornography are already a big problem on the internet. In virtual spaces, these offenses are poorly defined in legal terms and extremely difficult for LEA to police.

Financial Fraud

The high volume of e-commerce transactions in the metaverse will attract criminals who will try to steal money and digital assets. In the metaverse, a new digital economy (using Bitcoin, Ethereum, real money, PayPal, e-transfers, etc.) will operate, with exchange rates controlled by the free (and possibly deregulated) market. This will be a prime target for market manipulators. A metaverse-only company that is not covered by any jurisdiction could avoid income taxes. Ponzi schemes and securities fraud can victimize metaverse investors. Intertwined digital currency, digital asset, and fiat money systems can cause collapses like that of the Terra/LUNA cryptocurrencies in 2022.

Digital currencies are great for receiving funds, but if a user is defrauded or there are transaction issues, the publisher will face complex financial issues, possibly at the regulatory level. If a user is defrauded or robbed, getting help, filing complaints, or taking legal action will be nearly impossible if they use decentralized digital currencies.

In the metaverse, we can expect that fake recommendations, endorsements, and investments will artificially boost digital asset values. For example, the value of virtual “land” is highly dependent on perception, which can be manipulated by many factors.

Social Engineering

Social engineering describes a range of malicious human interactions designed to trick users into making security mistakes and giving away sensitive information. Scams that use social engineering are more successful when malicious actors have detailed information about their targets. In the metaverse, operators can perform precise sentiment analysis using personal data such as eye, body, voice and movement tracking. All of this data is collected and can be stolen or misused.

Criminals or state actors will look for vulnerable groups of people who are sensitive to certain topics and then drop targeted narratives to influence them. The metaverse is ideal for criminal deep fakes, since combining speech and visuals becomes a powerful expression of opinions (and a tool for manipulation).

Metaverse operators also have to be wary of infiltrators who will try to impersonate official avatars to misdirect metaverse users. Deep fakes may not be needed as an avatar’s assets can be easily collected and cloned. If someone impersonates an official avatar skin, they can enter a metaverse space and cause mischief, reflecting poorly on the impersonated company.

Criminals can also impersonate doctors in the metaverse and give patients false medical advice for payment. In broader scams, fake news worlds can be created and used as intelligence-gathering VR honeypots, and malicious advertisers can sell trojanized digital products.

The metaverse transcends physical boundaries, so people will be easily exposed to scammers worldwide and social engineering crimes will worsen.


The next evolution of augmented, mixed, and virtual reality is going to be the metaverse. Using new technologies, it will provide users with a complete immersive experience: the Internet of Experiences. The user will get the impression that they are participating in real-life events.

The metaverse is an additional internet layer that aims to provide a connection that is transparent for all devices. However, developers do not seem to be heeding advice from those with decades of experience and designing with security and privacy in mind. Everything should be done to prevent the metaverse from becoming an abusive, dangerous space infested with criminals. Developers should incorporate technical and social safeguards from the very start. Without these safeguards, the metaverse will potentially be a more dangerous space than the internet already is: it will be metaworse.