Crime in the metaverse is very real. But how do we police a world with no borders or bodies?

Virtual reality headsets can be used to access the metaverse, but may pose cybersecurity risks.

Virtual reality headsets can be used to access the metaverse, but may pose cybersecurity risks. Image: REUTERS/Temilade Adelaja

Anna Maria Collard
Senior Vice-President, Content Strategy, KnowBe4, Inc.
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how The Metaverse is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:

The Metaverse

Listen to the article

  • 25% of people are expected to spend at least an hour a day in the metaverse by 2026 — but this opens them up to a myriad of crimes.
  • Children could be particularly vulnerable to crime, including theft of virtual assets or sexual and racial harassment.
  • The nature of the metaverse means regulatory attention and a multi-stakeholder approach must be adopted now, as the technology rapidly advances.

The concept of a metaverse is, in many ways, not new. Online, multi-player worlds like Second Life have been around for nearly 20 years. Modern equivalents like Minecraft and Fortnite boast hundreds of millions of users and huge supporting economies.

At its most basic, the metaverse describes the concept of a shared, persistent virtual space for meetings, games and socializing. Gartner estimates that 25% of people will spend at least one hour per day in the Metaverse by 2026.

Powered by innovations in virtual reality, AI, digital currencies, NFTs and blockchain, the proponents of the metaverse see us moving across different and interoperable virtual worlds, taking our avatars and digital assets with us.

Whether blockchain-based technology is going to form an integral component of the metaverse infrastructure remains to be seen — critics of blockchain and Web 3.0 have openly voiced their concerns, and even giants like Microsoft-owned game Minecraft announced that it does not support non-fungible tokens (NFTs) nor the adoption of Blockchain technology. Minecraft cited the non-alignment with the company’s values of creative inclusion, as well as the threat of fraud and other security risks associated with the metaverse.

Have you read?

Regardless of what the underlying infrastructure will look like, the metaverse will be a myriad of technologies coming together as building blocks, and each of these brings with it its own risks. Security problems that already exist — scams, impersonation, credential theft, technological debt, social engineering, espionage, vulnerabilities, misinformation, to name a few — will follow us into the metaverse. They could even be more damaging.

Crimes in the metaverse

As digital commerce in the metaverse grows in scope and scale — by some estimates up to $1 trillion in yearly revenues — financially motivated attacks will grow in frequency and aggression.

These are some of the most obvious security concerns we need to be aware of right now.

Social engineering

Social engineering techniques such as phishing scams are some of the most successful initial attack vectors used by cybercriminals today. Because exploiting individuals’ psychological vulnerabilities is so effective, social engineering will be a major challenge in the metaverse.

People are already being duped by phishing scams peddling fraudulent NFTs, metaverse land sales and other dubious Web 3.0 projects. A recent phishing scam impersonated Decentraland, a popular Ethereum-based virtual world, and tricked users into inputting their private wallet keys, allowing the scammers to steal users’ cryptocurrency.

In the metaverse, imagine phishing attacks using deep fake technology impersonating trusted institutions or avatars.

We need standards that allow users to verify the authenticity of the organisations and avatars they engage with, without compromising people’s privacy. Organizations need to consider how to ensure verification of avatar-identities and protect against digital identity theft. Users need to be sensitized on how to identify social engineering attacks and how to protect their avatar’s identities.

Software vulnerabilities and malware

Malware targeting crypto wallets is already being used to steal people’s cryptocurrencies, tokens or NFTs. Cyber extortion and ransomware are some of the most notorious and lucrative cybercrime threats. They may take on different shapes in the metaverse, but will remain a serious risk.

A high percentage of attacks against current Web 3.0 platforms and DeFi protocols are made possible due to vulnerabilities in the underlying software or smart contracts used. For DeFi protocols, in particular, the largest thefts, according to Chainalysis' 2022 Crypto Crime report, are usually the result of code exploits.

Security breaches are a major threat to peoples' virtual assets in the metaverse.
Security breaches are a major threat to peoples' virtual assets in the metaverse. Image: Chainalysis

Apart from vulnerabilities in the metaverse platforms, we must also be mindful of the fact that virtual reality (VR) and augmented reality (AR) wearables are essentially small computers, with a lot of software and memory making them potential targets of attacks.

Research by Rutgers University-New Brunswick for example showed that they could hack VR and AR headsets to steal sensitive information communicated via voice command, including credit card data and passwords.

Patching bugs and vulnerabilities in platforms, smart contracts, and VR and AR headsets to protect against attacks and malicious software is an important security consideration.

Immersive content risks

Trolling, and sexual and racial harassment are problems right now on all digital and virtual reality gaming platforms.

This kind of behaviour has a long history in digital spaces — but the immersiveness of VR means it can be devastating to a victim’s psychological well-being. According to Common Sense Media, the risks for children are especially high. Children are likely to explore the metaverse before their parents, potentially exposing them to sexual and violent content without their caregivers’ knowledge.

VR worlds offer a number of tools to combat this, such as personal spaces and muting, blocking and reporting bad behaviour. Educating new users and vulnerable groups, like children, on how to use these tools is key.

Preparing for the future of cybercrime

Organisations working in the metaverse must collaborate with their security and risk teams early on to identify what could be at stake and where possible vulnerabilities are.

They must also adequately train their developers in these risks, and test apps thoroughly before they go live.

End-users should be made aware that participating in any new technology makes them a potential target. People need to familiarize themselves with the threat of social engineering and common scams, as well as best practices on how to safeguard themselves, their digital assets, wallets and identities.

Policy makers also have a key role to play in protecting individuals from metaverse crime. They must introduce regulations that will protect vulnerable groups and consumers without stifling innovation.

We need to define how to enforce ethics, consumer protection and governance and define “virtual law enforcement”. Who can victims call? Which jurisdiction applies? What’s the recourse?

These questions are complex, and they are pressing. The only way we can answer them is by adopting a multi-stakeholder approach and forward-thinking, innovative policy measures that put safety first.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Safeguarding central bank digital currency systems in the post-quantum computing age

Cameron Nili, Tom Patterson and Carl Dukatz

May 21, 2024


About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum