The metaverse brings new cyber risks

Tom Tuunainen

The gap between the physical and the cyber world is narrowing down, and we are spending more and more time in the artificial universe. One of the most exciting new hypes is the metaverse. It is a term that is used to describe a combination of the virtual reality and mixed reality worlds, that is accessed through a browser or headset. It raises the virtual reality experience to a whole new level both quantitatively and qualitatively, and provides a truly immersive experience to its users.

Web 3.0 is at the forefront of bringing metaverse into life, and it has similar cybersecurity risks as most Web 3.0 projects. These include e.g. hacks, exploits, and scams. Metaverse creates however additional risks because it bridges the gap between the real and digital worlds more deeply. Unless cybersecurity risks in the metaverse are addressed, we might not see the success we hope for.

J. P. Morgan (2022) released a white paper which recognized user identification and privacy safeguards as important elements for interacting and transacting in the metaverse. The paper raised key issues that should be addressed to improve the security of metaverse. According to the paper, verifiable credentials should be structured to enable easier identification of fellow community or team members, or to enable configurable access to varying virtual world locations and experiences. The paper said that a similar mindset that is already in use for internet security should also be applied to the metaverse. (Morgan 2022.)

As users leave trails of data around the metaverse, one major problem in the real world may also cross into the virtual reality world – the invasion of user privacy by high technology companies. The 2018 Facebook and Cambridge Analytica scandal (CNBC 2018) saw millions of users’ data harvested and used without consent. In the metaverse, there may be even more data available for questionable companies to feed on, if strict regulations are not put in place to protect the users. When users are wearing devices such as virtual reality headsets, data about e.g. head and eye movement, or the voice, can be collected. That means that the user of the virtual reality headset can be identified almost instantly.

In order to safely operate in the metaverse, it is important to understand the potential risks, and if necessary, get cybersecurity training. The weakest point from a cybersecurity perspective is often the user. If an cyberattack hits the metaverse, users will be in a much stronger position if they understand the dangers. Companies involved in designing the metaverse will also have to work together in order to establish a common standard that will enable security improving protocols to be deployed effectively – and it has to be done well. If it is not, people will lose confidence in the platform, and stop using it.


Morgan, J. P. 2022. Opportunities in the metaverse – How businesses can explore the metaverse and navigate the hype vs. reality. J.P. Morgan, New York, USA. Published February 2022. Available at: Referenced 31st August 2022.

CNBC 2018. Here’s everything you need to know about the Cambridge Analytica scandal. CNBC, New Jersey, USA. Published 21st March 2018. Available at: Referenced 1st September 2022.

Tom Tuunainen
R&D Developer
Centria University of Applied Sciences
Tel. +358 40 681 7207