- What threats could metaverse users face?
- Why cybercriminals will target metaverse companies
- Blockchain and crypto – great for security or opportunities for criminals?
- How will law enforcement agencies tackle metaverse cybercrime?
According to predictions from technology research company Gartner, a quarter of people will spend at least an hour each day in the metaverse by the year 2026. More and more industries are embracing and investing in the metaverse by setting up virtual operations there. However, wherever there is money to be made, there is money to be stolen, swindled, and embezzled – and this is as true in the virtual world as in the physical one. While many metaverse services and platforms deal only in virtual currencies that have no value outside of the virtual space, others involve cryptocurrencies which have real world value as well, or are linked to real world funds such as those in users’ bank accounts. As more and more services central to our daily lives move to the metaverse, the dangers will increase as well. Awareness of the potential for criminal activity in the metaverse is growing, and metaverse users and organisations must be aware of the risks if they are to use it safely.
What threats could metaverse users face?
Cybercrime, in all its forms, is on the rise. Interpol’s 2022 Global Crime Trend report names money laundering – which has become easier due to the advent of digital money laundering tools – and ransomware as the two biggest cybercrime threats. Fraud and hacking are also extremely common and are particularly likely criminal activities to thrive in the metaverse. Just like how social media accounts and email addresses can be hacked, so can metaverse avatars. Deepfakes are also a huge potential threat in the metaverse. Hacked avatars and deepfakes could enable cybercriminals to fraudulently pose as others, accessing funds or digital goods – or sabotaging business operations – through deception. Even more concerning is the possibility of VR headsets or full physical bodysuits – of which many are in development – being hacked from a distance and used to monitor activity, steal biometric data, or caused to malfunction in ways that put wearers in real physical danger. With more and more organisations likely to integrate the metaverse with their physical operations – such as through the use of IoT devices – hackers could gain access to computers and other devices from a distance. Even industrial equipment could be fraudulently operated, potentially causing serious safety issues and disastrous sabotage. Research from Rutgers University-New Brunswick found that using voice commands to hack VR and AR headsets and stealing data, such as passwords and credit card information, is surprisingly – and disconcertingly – easy.
Although the metaverse has not yet become a central feature of most business operations, some industries have been quick to adopt it. For example, the trade of digital art such as NFTs has already become widespread and involves huge sums of money. This trade is a prime target for criminals, from hackers stealing art to sell or use as leverage for ransomware attacks, to the selling of counterfeit works. The art trade has been a common channel for money laundering, even before the advent of the metaverse, and the comparative lack of checks and balances in virtual marketplaces could increase this. Virtual spaces on the dark web – which are known as ‘the darkverse’ – can be used to trade stolen art and various other criminal activities.
Why cybercriminals will target metaverse companies
Companies interested in investing in the metaverse should be particularly aware of the potential threats. Organisations – more so than individual users – are attractive targets for cybercriminals, just as they are outside of the metaverse. Not only do organisations typically have more money than individuals, but they also tend to hold a lot of sensitive data, such as the personal information of customers. The potential reward of successfully attacking an organisation’s infrastructure can be many times higher than that of attacking casual users such as those using virtual spaces for socialising or gaming. And it is not only large corporations that are at risk. In fact, small businesses are targeted more frequently using traditional cybercrime methods. Whether this will remain the case in the metaverse is yet to be seen, but it is essential for organisations of all sizes to learn about the potential threats and implement adequate security measures.
Blockchain and crypto – great for security or opportunities for criminals?
With more and more integration between blockchain, cryptocurrencies, and the metaverse, Meta (formerly Facebook) is relaunching its Diem (formally Libra) coin alongside a new cryptocurrency wallet called Novi. As a ‘stablecoin’, Diem’s value is matched to cash and government securities, making it theoretically less volatile than other cryptocurrencies. However, Diem may still operate outside of financial regulations as other cryptocurrencies do. While cryptocurrencies do have notable benefits, the lack of regulations also makes them attractive for cybercriminals. Blockchain-based marketplaces, where crypto is usually traded, are often similarly difficult to regulate. These markets can be used for fraudulent activities, such as the sale of fake goods. More disturbingly, they can also be used for such severe crimes as human trafficking, and the metaverse could further facilitate this type of crime. Ron Teicher, founder of EverC, a firm that detects money laundering in e-commerce, believes that in Meta’s version of the metaverse, “sex slaves could potentially be sold surreptitiously via e-commerce avatars involving NFTs for virtual merchandise or other fake postings for marketplace products.” Teicher has also warned of the possibility of terrorist groups using the metaverse – as they previously have done with online gaming – for communication, recruitment, and the transfer of funds. To prevent this, Teicher explains how “AI-driven content moderation, user authentication, and transaction monitoring will be essential.” There may even be existing solutions for this. Technology firm Shyft Network has launched a decentralised data exchange system called Veriscope that could “help VASPS (virtual asset service providers) comply with global anti-money laundering regulations”, according to its chief executive Joseph Weinberg. However, companies like Meta still have a role to play in preventing crime on their platforms.
“Decentralised data-exchange systems like Veriscope can also promote trust in the metaverse by facilitating the transfer of attributable identity elements from Oculus users transacting across Meta’s anticipated crypto-gaming and other decentralised marketplace applications. But the effectiveness of any KYC [know your customer] transmission system hinges on how consistently and robustly Meta implements a virtual economy throughout its platform.”
Joseph Weinberg, chief executive, Shyft Network
How will law enforcement agencies tackle metaverse cybercrime?
With growing awareness of the likelihood of metaverse cybercrime, there is talk of how these crimes could be prevented through technological features, and also how they could be tackled by the law. Omar Sultan Al Olama, minister of artificial intelligence of the United Arab Emirates, has expressed hopes that metaverse crime will be prosecuted in the same way as crime in the physical world. Interpol is already taking steps to prepare for the criminal threats that may take place in the metaverse, and has even created a metaverse space designed for international law enforcement. The Interpol metaverse will allow users to explore a virtual representation of Interpol’s General Secretariat headquarters and take part in police training courses. The virtual training course involves students learning how to verify travel documents, and then being ‘teleported’ to a virtual airport where these skills are put into practice in training games. Interpol’s Executive Director of Technology and Innovation, Madan Oberoi, believes that the risks of the metaverse must first be identified so that law enforcement can “work with stakeholders to shape the necessary governance frameworks and cut off future criminal markets before they are fully formed.” Interpol’s training programme is only one example of law enforcement using virtual spaces. Dutch police have created a virtual educational tool for officers that aims to reduce racial profiling, Norwegian police have carried out online ‘patrols’ on gaming and streaming platforms, and French police have launched an initiative to create a space within online game Fortnite where children can report abuse and receive support. These initiatives show how the metaverse can create opportunities for tackling crime and other challenges.
“The Metaverse has the potential to transform every aspect of our daily lives with enormous implications for law enforcement… But in order for police to understand the Metaverse, we need to experience it.”
Madan Oberoi, Executive Director of Technology and Innovation, Interpol
Law enforcement agencies are also developing practical methods of tackling metaverse crime. For example, officers are starting to ‘patrol’ spaces where NFTs and other digital goods are traded. These officers will be assisted by AI algorithms designed to detect suspicious behaviour so that it can be dealt with. There are notable challenges that law enforcement agencies will have to solve in order to police the metaverse effectively. Not all real-world criminal acts are considered crimes in the virtual world – and perhaps not all should be. For example, can one avatar ‘assaulting’ another avatar be compared to assaulting a person in the physical world? These are the type of questions that law enforcement will have to grapple with over the coming years.
When it comes to prosecuting crimes and punishing metaverse criminals, it gets a little complicated. One potential solution could be taken from a model developed by cybercriminals themselves and carried out on the dark web – a virtual ‘court’ built to adjudicate disputes between cybercriminals themselves, overseen by an impartial judge that issued fines for breaking marketplace ‘rules’. A similar model could be used by law enforcement to hold criminal trials in the metaverse itself. These virtual courts could be used not only to adjudicate on crimes committed (or accused) in the metaverse itself, but also to enable judges, juries, defendants, and legal professionals to attend ‘court’ remotely to adjudicate on real-world crimes. Punishment of crimes may be more complex – it is not yet clear what a method of penalising the person behind the avatar may look like. Identifying these people may be very difficult, and preventing them from simply creating new avatars and credentials if their accounts are banned may be virtually impossible. This is already an existing problem with the internet, with no real solutions in sight.
Closing thoughts
Preventing the metaverse from becoming a playground for cybercriminals will require considered action and innovation from metaverse companies, software developers, regulators, law enforcement, and many more actors – including end users themselves. It is likely to require a combination of technological security measures, methods of prevention, and a culture that treats virtual spaces with as much importance as physical ones. Individuals and organisations using the metaverse – whether for business, leisure, or any other purpose – must be aware of the potential threats, much as they should be when using the traditional internet.