Why NFTs need a cold wallet even more than coins
Here is an uncomfortable fact: NFTs get stolen more often than fungible tokens of equivalent value. Three reasons: (1) NFT value is concentrated — one Bored Ape is worth tens of ETH, so attackers only need a single token to cash out; (2) NFT holders constantly interact with smart contracts — minting, claiming airdrops, staking, listing — and every interaction is another signing risk; (3) the NFT ecosystem is flooded with phishing: fake mint pages, fake airdrop claims, lookalike OpenSea domains.
Keeping NFTs in a browser hot wallet like MetaMask exposes you to all of those attack surfaces. Moving them into a USB cold wallet like ArcSign means your private key never leaves the device and, for day-to-day browsing of your collection, you don’t even need to connect to anything.
Real caseIn 2022 a Bored Ape holder clicked a fake “Otherside land allowlist” link and lost an NFT collection worth over USD 2.4M in a single day. The post-mortem revealed the entire collection was held in a hot wallet and had granted setApprovalForAll to the phishing contract. A cold wallet with periodic approval cleanup would have prevented the loss entirely.
The 5 most common NFT attacks in 2026
Understanding the threat landscape is the first step to defending against it. Here are the top 2026 NFT threats tracked by the ArcSign security team:
1. Approval phishing
The most common vector. Attackers spin up a fake mint or marketplace page and trick you into signing setApprovalForAll. Once granted, they can drain your entire collection any time they choose — often weeks later, once you’ve forgotten about it.
2. Fake mint / airdrop pages
Lookalike URLs posted in Discord, X and Telegram that differ by a single character from the real project. They push “free mints” or “claim your airdrop” flows that either drain ETH directly or harvest malicious approvals.
3. Seed phrase phishing
Attackers impersonate “OpenSea support” or “MetaMask helpdesk” and tell you your account was compromised and needs to be “verified” by entering your seed phrase. Any link asking for a seed phrase is a scam — ArcSign users don’t even have a UI to enter one.
4. Zero-value order exploits
Older marketplace APIs had bugs that let attackers fill stale orders for almost nothing. If you don’t periodically clean up expired listings and approvals, you might wake up one day to find your Apes gone for 0.0001 ETH.
5. Clipboard hijacking
Clipboard-watching malware silently replaces any wallet address you copy with the attacker’s address. Always verify the full destination address before transferring a valuable NFT, or better yet verify it on your cold wallet screen.
ArcSign NFT Gallery: one UI for every chain
The NFT Gallery is one of ArcSign’s flagship features for collectors. No matter which chains your NFTs live on, the dashboard fetches and displays them in a single unified view — no network switching, no juggling six browser extensions.
1
Six chains in one viewSupports Ethereum, Polygon, Arbitrum, Optimism, Base and BSC. BSC uses NodeReal’s enhanced nr_getNFTHoldings API while the other chains use Alchemy’s NFT API for complete metadata.
2
ERC-721 and ERC-1155Whether you collect 1/1 PFP art or stackable game items (ERC-1155), counts, collections and rarity traits are displayed correctly.
3
Lazy loading and privacy modeMedia is fetched through a built-in image proxy to avoid leaking your IP to third-party IPFS gateways. You can enable “view-only mode” to display an address’s holdings without connecting to any dApp.
4
No third-party cloudAll data is pulled live from chains and official APIs. ArcSign never uploads your holdings to any server. Your collection privacy belongs to you alone.
5 steps to move your NFTs into ArcSign
Here’s the full hot-to-cold migration flow, roughly 15 minutes end to end:
1
Prepare a USB and install ArcSignDownload the latest build from arcsign.io and install it to a USB stick (16 GB or larger is recommended). ArcSign is free software. Create a new wallet and set a strong password.
2
Configure an Alchemy API keyEnter a free Alchemy API key on the Provider settings page to enable the NFT Gallery and cross-chain balances. If you hold NFTs on BSC, add a NodeReal key too for the best metadata coverage.
3
Export your .arcsign encrypted backup firstBefore transferring in anything of value, export the AES-256-GCM encrypted .arcsign backup file. It’s fully encrypted the moment it hits disk, so you can safely store it in the cloud or on a second USB.
4
Migrate in batches (cheapest first)Never move an entire collection in one go. Transfer one low-value NFT first, confirm it arrives and renders in the Gallery, then move the valuable items in batches. This is the golden rule of any cold wallet migration.
5
Clean up approvals on the old hot walletOnce the migration is done, return to the old wallet and use ArcSign Token Approvals to revoke every lingering setApprovalForAll. Otherwise, if any asset ever returns to the old wallet, those dangling approvals remain a live attack vector.
Safety reminderWhen transferring a valuable NFT, always verify the full destination address — the first 6 and last 4 characters are not enough. ArcSign displays the full address and tokenId on the signing screen for you to double-check. See our phishing prevention guide for clipboard-hijack examples.
Approval management: don’t let old approvals become bombs
This is the most overlooked part of NFT security. Every order you’ve ever listed on OpenSea, Blur, LooksRare or X2Y2 granted the corresponding contract permission to transfer your NFTs. Those approvals don’t expire automatically — some are literally infinite.
The risk scenario: if any marketplace contract is later found to have a vulnerability (as happened with OpenSea’s legacy Wyvern contract in 2022), attackers can drain every NFT still approved to that contract — even if you stopped using the marketplace years ago.
| Approval type | Risk level | Recommendation |
|---|---|---|
| setApprovalForAll (collection-wide) | Critical | Keep only your current marketplace, revoke the rest |
| approve (single tokenId) | Medium | Revoke immediately after the trade completes |
| Legacy Wyvern / sunset contracts | Critical | Revoke all, no exceptions |
| ERC-20 approvals (WETH etc.) | Medium | Prefer limited to infinite; revoke after use |
ArcSign’s token approvals feature lists every approval you’ve granted across 6 EVM chains and lets you revoke them in one click. Pro users (ArcSign Pro NFT membership) can batch-revoke multiple approvals in a single transaction, saving significant gas. Review at least once per quarter.
Trading safely via WalletConnect
Putting NFTs into cold storage doesn’t mean you can’t trade. ArcSign supports WalletConnect v2 and pairs with OpenSea, Blur, Magic Eden and other major marketplaces. The flow:
1
Pick WalletConnect on the marketplaceGo to OpenSea or any marketplace, click “Connect Wallet”, choose WalletConnect, and you’ll get a QR code or a connection URI.
2
Scan or paste into ArcSignOpen the WalletConnect tab in ArcSign, scan the QR or paste the URI, and approve the pairing. ArcSign will display the requesting domain — double-check it.
3
Review every signing request carefullyFor listings, bids and trades, ArcSign parses and displays the full EIP-712 structured data. Verify the target contract, the expiry, and which tokenIds are involved before approving.
Pro tipWalletConnect v2 supports short-lived sessions. Grant one-time or hours-long sessions instead of indefinite ones — so even if a dApp turns malicious later, the window of impact is limited.
ArcSign vs other NFT storage options
| Solution | Keys offline | Cross-chain Gallery | Approval mgmt | Price |
|---|---|---|---|---|
| MetaMask | No | Partial | Needs extensions | Free |
| Ledger + Ledger Live | Yes | Limited | Not built in | $149+ hardware |
| Trezor + Suite | Yes | Not native | Not built in | $169+ hardware |
| ArcSign | Yes (USB) | 6 chains native | One-click revoke | Free |
Related reading: Ledger vs Trezor vs ArcSign full comparison and our BTC + ETH + BSC multi-chain management tutorial.
FAQ
Q: Do NFTs really need a cold wallet?
Any valuable NFT belongs in a cold wallet. Hot wallets are convenient but constantly exposed to browser extensions, malicious sites, approval scams and clipboard hijackers. Most high-profile NFT thefts originated from a phished hot wallet. Moving NFTs into a USB cold wallet like ArcSign means the private key never leaves the device, so an attacker cannot transfer them even with full control of your computer.
Q: Which NFT standards and chains does ArcSign support?
ArcSign supports both ERC-721 (unique NFTs) and ERC-1155 (semi-fungible tokens), across 6 EVM chains: Ethereum, Polygon, Arbitrum, Optimism, Base and BSC. Most chains are powered by Alchemy’s NFT API, while BSC uses NodeReal’s nr_getNFTHoldings enhanced endpoint for full metadata.
Q: Is it hard to manage NFTs from a cold wallet?
Not at all. ArcSign Provides a full NFT Gallery UI where you can browse images, descriptions and collection info. When you need to list on OpenSea or accept offers, you connect via WalletConnect v2 — every transaction is still signed by the cold wallet, but the experience is similar to a hot wallet. If you only want to view your collection, you don’t need to sign anything.
Q: What about existing approvals I granted to NFT marketplaces?
This is the most overlooked risk. Every time you list on OpenSea, Blur or similar marketplaces, you grant setApprovalForAll to their contracts, letting them move your entire collection. ArcSign’s token approvals feature lists all approvals (ERC-20 and NFT contracts) across 6 EVM chains and lets you revoke dangerous ones in one click. Pro users can batch-revoke multiple approvals at once.