Crime in the metaverse is very real. But how do we police a world with no borders or bodies?

The concept of a metaverse is, in many ways, not new. Online, multi-player worlds like Second Life have been around for nearly 20 years. Modern equivalents like Minecraft and Fortnite boast hundreds of millions of users and huge supporting economies.

At its most basic, the metaverse describes the concept of a shared, persistent virtual space for meetings, games and socializing. Gartner estimates that 25% of people will spend at least one hour per day in the Metaverse by 2026.

Powered by innovations in virtual reality, AI, digital currencies, NFTs and blockchain, the proponents of the metaverse see us moving across different and interoperable virtual worlds, taking our avatars and digital assets with us.

Whether blockchain-based technology is going to form an integral component of the metaverse infrastructure remains to be seen — critics of blockchain and Web 3.0 have openly voiced their concerns, and even giants like Microsoft-owned game Minecraft announced that it does not support non-fungible tokens (NFTs) nor the adoption of Blockchain technology. Minecraft cited the non-alignment with the company’s values of creative inclusion, as well as the threat of fraud and other security risks associated with the metaverse.

Regardless of what the underlying infrastructure will look like, the metaverse will be a myriad of technologies coming together as building blocks, and each of these brings with it its own risks. Security problems that already exist — scams, impersonation, credential theft, technological debt, social engineering, espionage, vulnerabilities, misinformation, to name a few — will follow us into the metaverse. They could even be more damaging.

As digital commerce in the metaverse grows in scope and scale — by some estimates up to $1 trillion in yearly revenues — financially motivated attacks will grow in frequency and aggression.

These are some of the most obvious security concerns we need to be aware of right now.

Social engineering techniques such as phishing scams are some of the most successful initial attack vectors used by cybercriminals today. Because exploiting individuals’ psychological vulnerabilities is so effective, social engineering will be a major challenge in the metaverse.

People are already being duped by phishing scams peddling fraudulent NFTs, metaverse land sales and other dubious Web 3.0 projects. A recent phishing scam impersonated Decentraland, a popular Ethereum-based virtual world, and tricked users into inputting their private wallet keys, allowing the scammers to steal users’ cryptocurrency.

In the metaverse, imagine phishing attacks using deep fake technology impersonating trusted institutions or avatars.

We need standards that allow users to verify the authenticity of the organisations and avatars they engage with, without compromising people’s privacy. Organizations need to consider how to ensure verification of avatar-identities and protect against digital identity theft. Users need to be sensitized on how to identify social engineering attacks and how to protect their avatar’s identities.

Malware targeting crypto wallets is already being used to steal people’s cryptocurrencies, tokens or NFTs. Cyber extortion and ransomware are some of the most notorious and lucrative cybercrime threats. They may take on different shapes in the metaverse, but will remain a serious risk.

A high percentage of attacks against current Web 3.0 platforms and DeFi protocols are made possible due to vulnerabilities in the underlying software or smart contracts used. For DeFi protocols, in particular, the largest thefts, according to Chainalysis' 2022 Crypto Crime report, are usually the result of code exploits.

Apart from vulnerabilities in the metaverse platforms, we must also be mindful of the fact that virtual reality (VR) and augmented reality (AR) wearables are essentially small computers, with a lot of software and memory making them potential targets of attacks.

Research by Rutgers University-New Brunswick for example showed that they could hack VR and AR headsets to steal sensitive information communicated via voice command, including credit card data and passwords.

Patching bugs and vulnerabilities in platforms, smart contracts, and VR and AR headsets to protect against attacks and malicious software is an important security consideration.

Trolling, and sexual and racial harassment are problems right now on all digital and virtual reality gaming platforms.

This kind of behaviour has a long history in digital spaces — but the immersiveness of VR means it can be devastating to a victim’s psychological well-being. According to Common Sense Media, the risks for children are especially high. Children are likely to explore the metaverse before their parents, potentially exposing them to sexual and violent content without their caregivers’ knowledge.

VR worlds offer a number of tools to combat this, such as personal spaces and muting, blocking and reporting bad behaviour. Educating new users and vulnerable groups, like children, on how to use these tools is key.

Organisations working in the metaverse must collaborate with their security and risk teams early on to identify what could be at stake and where possible vulnerabilities are.

They must also adequately train their developers in these risks, and test apps thoroughly before they go live.

End-users should be made aware that participating in any new technology makes them a potential target. People need to familiarize themselves with the threat of social engineering and common scams, as well as best practices on how to safeguard themselves, their digital assets, wallets and identities.

Policy makers also have a key role to play in protecting individuals from metaverse crime. They must introduce regulations that will protect vulnerable groups and consumers without stifling innovation.

We need to define how to enforce ethics, consumer protection and governance and define “virtual law enforcement”. Who can victims call? Which jurisdiction applies? What’s the recourse?

These questions are complex, and they are pressing. The only way we can answer them is by adopting a multi-stakeholder approach and forward-thinking, innovative policy measures that put safety first.