The term “metaverse” was first used by Neal Stephenson in his 1992 cyberpunk novel Snow Crash. It describes a virtual world that can be explored using avatars, offering players a completely immersive experience. Today, we see similar worlds in massively multiplayer online role-playing games (MMORPGs) such as Roblox, Minecraft, Fortnite, Second Life, and others, but these games are still nowhere close to the immersive experience described in Snow Crash.
The modern metaverse concept consists of multiple independent and connected virtual spaces. As such, it is impossible for a single company to build the entire metaverse on its own. An optimistic estimate would be that the full-fledged metaverse is five to ten years away from complete deployment. However, in the next three to five years, we expect the market to see more metaverse-like applications. Some, such as Decentraland and Crypto Voxels, as well as games like Minecraft and Second Life, already exist.
Current metaverse-like applications are designed primarily for gamers rather than the general populace. In the future, we expect that daily tasks like remote work, entertainment, education, and shopping will be done in next-generation metaverse-like applications. Many of these applications will naturally share cyberspace, and that will eventually transform into a single metaverse when the underlying technology (hardware, software, network infrastructure, and ubiquity) reaches maturity. In this shared space, users will be able to effortlessly switch between applications, and access the metaverse using a wide variety of hardware.
But the metaverse will also attract its own flavor of crime. We will explore this in the following blog and the accompanying research paper.
But first, what is the metaverse?
There are many differing opinions about what it is, and how it fits into the bigger picture of the internet. To aid in our research, we created a working definition for the metaverse:
The metaverse is a cloud distributed, multi-vendor, immersive-interactive operating environment that allows users to access it using different categories of connected devices (both static and mobile). It uses Web 2.0 and Web 3.0 technologies to provide an interactive layer on top of the existing internet. As proposed, it is an open platform for working and playing inside a virtual, augmented, mixed, or extended environment. This is comparable to existing MMORPG platforms, but while each MMPORG represents a proprietary single virtual world, the metaverse will allow players to seamlessly move between virtual spaces together with their virtual assets. The metaverse is not merely a platform for human users; it will also be a communications layer for smart city devices with which humans and AI can share information.
Essentially, it will be the Internet of Experiences (IoX.) However, we fully expect our definition to evolve as the metaverse concept evolves.
What are threats affecting the metaverse?
It is difficult to predict cyberthreats for a product space that doesn’t exist yet and may or may not exist in the form that we envision. With that in mind, we brainstormed ideas to refine our understanding of the metaverse and to identify threats against the metaverse and inside the metaverse.
Much has been made of the use of non-fungible tokens (NFTs) in the metaverse. NFTs are unique, blockchain-stored data units that can be sold and traded. NFT data can include hashes or links to digital files such as text, photos, videos, and audio in order to verify digital asset ownership. NFTs regulate asset ownership but don't store assets, leaving users open to ransoming or other threats. If the files are encrypted by ransomware, the owner of the NFT won’t be able to access the files. Worse, if the underlying blockchain is susceptible to Sybil attacks, the asset can effectively be stolen.
Scammers can also clone an NFT by subtly altering a few bits of data in the ‘protected’ file and selling essentially the same digital asset. The asset servers can also be manipulated, as Moxie Marlinspike showed, by changing the contents returned from the URL stored in the NFT.
Another security issue involves asset transfers. Moving digital assets between metaverse spaces can incur costs due to verification and also because incompatible assets must be "converted" for use on a technologically different platform. Asset brokers will be used for this, but scammers pretending to be asset brokers may defraud users.
Before best practices and rules are established, virtual trade routes could resemble the Wild West. If rooted strongly in blockchain technology, it will essentially be an unregulated market where no defined government or legal entity exists to help in the event of fraud. Existing attacks like phishing, drive-by-downloads, and others may also be more effective due to the sense of trust that this interactive space presents.
The darkverse, similar to the Dark Web, will be an anonymous space for malicious users to interact in. The pseudo-physical presence mimics real spaces used for clandestine meetings, making it suitable for criminals to facilitate their illegal activities. Conversely, it could also be a safe space for free speech against oppressive entities or governments.
Darkverse worlds could be set up so that they are only accessible if the user is in a designated physical location — this protects closed metaverse communities. Location-based and proximity messages will make it difficult for law enforcement agencies (LEA) to intercept metaverse data.
The darkverse is especially problematic because serious crimes such as child pornography are already a big problem on the internet. These offenses are badly defined in legal terms and extremely difficult to police by LEA in virtual spaces.
The high volume of e-commerce transactions in the metaverse will attract criminals who will try to steal money and digital assets. In the metaverse, a new digital economy (using Bitcoin, Ethereum, real money, PayPal, e-transfers, etc.) will operate, with exchange rates controlled by the free (and possibly deregulated) market. This will be a prime target for market manipulators. A metaverse-only company that is not covered by any jurisdiction could avoid income taxes. Ponzi schemes and securities fraud can victimize metaverse investors. Intertwined digital currency, digital assets, and fiat money systems can cause collapses like the Terra/LUNA cryptocurrencies in 2022.
Digital currencies are great for receiving funds, but if a user is defrauded or there are transaction issues, the publisher will face complex financial issues, possibly at the regulatory level. If a user is defrauded or robbed, getting help, filing complaints, or taking legal action will be nearly impossible if they use decentralized digital currencies.
In the metaverse, we can expect that fake recommendations, endorsements, and investments will artificially boost digital asset values. For example, the value of virtual "land" is highly dependent on perception, which can be manipulated by many factors.
Social engineering describes a range of malicious human interactions designed to trick users into making security mistakes and giving away sensitive information. Scams that use social engineering are more successful when malicious actors have detailed information about their targets. In the metaverse, operators can perform precise sentiment analysis with personal information such as eye, body, voice, movement tracking, etc. This data is all collected and can be stolen or misused.
Criminals or state actors will look for vulnerable groups of people who are sensitive to certain topics and then drop targeted narratives to influence them. The metaverse is ideal for criminal deep fakes, since combining speech and visuals becomes a powerful expression of opinions (and a tool for manipulation).
Metaverse operators also have to be wary of infiltrators who will try to impersonate official avatars to misdirect metaverse users. Deep fakes may not be needed as an avatar’s assets can be easily collected and cloned. If someone impersonates an official avatar skin, they can enter a metaverse space and cause mischief, reflecting poorly on the impersonated company.
Criminals can also impersonate doctors using the metaverse and give patients false medical advice for payment. In broader scams, fake news worlds can be created and used as intelligence-gathering VR honeypots and malicious advertisers can sell trojanized digital products.
The metaverse transcends physical boundaries so people will be exposed to global scammers easily and social engineering crimes will worsen.
The next evolution of augmented, mixed, and virtual reality is going to be the metaverse. Using new technologies, it will provide users with a complete immersive experience: the Internet of Experiences. The user will get the impression that they are participating in real-life events.
The metaverse is an additional internet layer that aims to provide a connection that is transparent for all devices. However, developers do not seem to be heeding advice from those with decades of experience and designing with security and privacy in mind. Everything should be done to prevent the metaverse from becoming an abusive, dangerous space infested with criminals. Developers should incorporate technical and social safeguards from the very start. Without these safeguards, the metaverse will potentially be a more dangerous space than the internet already is: it will be metaworse.