Virtual reality technology has been adopted by some companies. Users can use a headset to access a metaverse, however the platform where users sell and buy virtual property cannot be accessed without a computer. 

The Sandbox (Decentraland), SuperWorld and SuperWorld are three of the most popular places to buy metaverse real property. These platforms are not new, but they have only been selling land plots that use blockchain technology in the past year. 

In the metaverse, users can bid on land plots through NFT markets like OpenSea. This process is similar to buying property in real life. 

To purchase land in the metaverse, users typically need a cryptocurrency wallet — MetaMask is the most common.

Once an investor buys virtual land, the property is transferred to his or her digital wallet and the purchase becomes encoded on the blockchain — which essentially serves as the equivalent of a deed of purchase. From a residence to an extravagant concert venue, the owner has unlimited options. Investors believe that the platform’s popularity will increase the property value, as there are very few land plots available.

However, there is also an enormous illegitimate company. 

These phishing sites are available for purchase on the dark internet and other chat platforms like Telegram. These impostor websites are advertised by cybercriminals for $400 while some others can be purchased for up to $5,000 via underground Russian forums.

If landowners enter their MetaMask credentials on one of these pages, their usernames and passwords are transmitted to the cybercriminal allowing them to obtain all digital assets in the wallet.

Cybercriminals may then try to resell stolen land via an internet marketplace such as OpenSea.

Mason Wilder is the research manager for the Association of Certified Fraud Examiners and this hacking doesn’t surprise him.

Wilder explained that “there are plenty of legitimate applications for these technologies which will cause it to stay around.” But until the technology matures, many people will lose a lot.

Many investors flock to the metaverse because it operates in a decentralized manner, meaning there is no central authority, such as a bank, providing oversight of the transactions.

This is because all the transactions occurring on the blockchain (which is transparent and shows all the transactions) allow for the selling or buying of metaverse properties. These transactions can never be reversed once they have occurred. 

The permanent nature of cryptocurrency transactions means that local, state, or federal authorities do not have the ability to protect them.

Adam Lowe (creator of cold storage wallet Arculus) recommends that investors utilize multifactor authentication for added protection. 

He stated, “If you think your only security line is a password and username, then it’s wrong.” 

With the popularity of the metaverse increasing, many platforms have difficulty fielding hacking and phishing complaints. Many say once assets are stolen it can not be recovered due to its decentralized nature. 

Lowe explained that “all of these platforms” have seen a rapid growth in popularity and growth. He also said that it is difficult for them to keep up with the demand for people who can answer questions.

CNBC interviewed every victim who said that they could not retrieve lost funds due to losing their land in phishing schemes.

Carlinsky stated that MetaMask and The Sandbox responded to her queries but they didn’t take responsibility for stolen funds or land. She recommends she be more vigilant in the future. OpenSea (the platform where she bought land in The Sandbox) has yet to respond to her. 

“My biggest issue with the whole thing is that — what I noticed is all three entities: Sandbox, MetaMask, OpenSea, they’re all very much aware that these hacks exist,” Carlinsky said.

The Sandbox replied to Carlinsky, “Sadly we cannot retrieve the tokens/funds lost as this decentralized ecosystem transactions are finalized and user-managed.”

MetaMask sent an email to Kasha Desrosiers, listing the causes of the hacking and suggesting solutions such as discontinuing the account or reporting it to authorities. OpenSea sent Kasha Desrosiers an email stating that it was “actively investigating” this issue over several weeks. However, it never provided a resolution. SuperWorld also stated that they could do nothing about it.

MetaMask product leader Taylor Monahan said that the company was working with victims to offer better services in recovering funds. MetaMask is the only platform who agreed to an interview for CNBC.

Monahan explained that, ultimately, Monahan wants the result to be: “If you lose your money, there are steps you can take so you can get those funds back.” 

MetaMask and Asset Reality have announced on Thursday a partnership to make that goal real. Asset Reality will act as the case manager for consumer complaints. Then, they’ll investigate any scams on victims’ behalf.

Monahan stated to date that any investor losses due fraud is not under the company’s control. MetaMask has not refunded any victims’ digital assets — it will only assist consumers with recovering the funds from scammers.

In an ideal world we’d like for no one to ever lose money. Even in the most dire scenario they might lose funds they can still recover the money. “That’s what we want to do,” she stated. MetaMask doesn’t have to be the only product in this space. Any big product can.

She stated that the company was aware of the dangers of phishing sites and pointed out it has seen websites impersonating MetaMask or other crypto-related products.

Monahan also stated that there has been an increase in fraudsters impersonating sites with login pages.

They are called phishkits, correct? They are a set of items that you use to fool people. They’ve become sophisticated in recent years,” she stated.

Monahan admitted that the metaverse is still a work-in-progress and encouraged people to tell others about their experiences on social media.

In a statement to CNBC, an OpenSea spokesperson said it had disabled the ability to buy or sell NFTs that are reported stolen and has even banned accounts involved in theft in an effort to combat scam listings that can lead to phishing websites

OpenSea stated that its platform can identify and remove items from phishing sites. OpenSea also announced that it now has a report mechanism which allows customers to flag compromised wallets and will disable any items bought or sold. 

CNBC received a statement from Decentraland stating that they have a legal department working to protect its trademarks and logo from fraudsters. According to the platform, they are also trying to eliminate any imposter websites that may be associated with Decentraland. They have hired firms to conduct intellectual property research and enforce to aid them in this endeavor.

A spokesperson stated that two websites, 24 domains, and five social media accounts pretending to be the official platform had been removed in recent months. 

Sandbox also stated that it had contracted companies to detect and remove phishing websites in order to protect customers. 

Security is something we take very seriously. Unfortunately, these fake sites are a typical phishing scam that affects all industries. “To combat these scammers we use constant monitoring using Brandshield, and other providers, to take the proper legal actions and eliminate these sites,” stated the company in an email.

SuperWorld, while not pointing out any effort to eliminate these impostor websites, stated in a statement, that the company had made attempts to improve consumer education about best practices to prevent theft. 

CNBC also asked these metaverse platforms to estimate the land stolen, as well as how much money investors have lost due to these phishing frauds. However, the platforms didn’t provide any figures.