More than $100m (£85m) of non-fungible tokens were stolen in the year to July, research shows, with criminals getting away with an average of $300,000 per scam.
According to a report by cryptocurrency analyst Elliptic, criminals have stolen valuable NFTs – crypto assets that confer ownership of a unique digital item, often a virtual work of art – in a variety of ways.
“The most valuable NFT ever stolen is CryptoPunk #4324, which was sold by scammers shortly after the theft on November 13, 2021 for $490,000,” Elliptic reports. “Meanwhile, the largest heist by an individual victim resulted in the loss of 16 prime NFTs worth $2.1 million on December 28, 2021.
“Underlining the ongoing problem with scams, CloneX Collection assets #9650 and #5759 were stolen twice in the space of three months – in two unrelated scam incidents – worth approximately $50,000 each time.”
Phishing scams, the most common type, trick users into accidentally handing over credentials to their cryptocurrency wallets, with which a fraudster can initiate an irreversible transaction.
Sometimes this is done through a hacked social media account, as when $3 million of NFTs from Yuga Labs’ Bored Ape Yacht Club collection were stolen after an Instagram hack, and sometimes through domain squatting or identity theft.
“Scammers have also been known to pay to advertise their sites on search engines,” the Elliptic report notes, “meaning that unwitting people searching for the spoofed NFT platform will see a slew of phishing links at the top of their search results”.
However, other scams are more specific to the NFT space. An NFT Trojan, for example, uses the unique characteristics of a “smart contract” to create a booby-trapped token: if the user accepts it, their account can be drained immediately.
NFT trading scams, on the other hand, work by abusing the fact that counterfeiting an NFT is meaningless. Simply creating a new digital asset with the same name and image as a high-value NFT means that some users may be tricked into accepting what looks like a “like-for-like” exchange, only to find that they have nothing left.
The $100 million total doesn’t even include the largest NFT-related theft, of $500 million in digital currency from the NFT-based video game Axie Infinity. These hackers, believed to be North Korean state actors, left Pokémon-like NFTs alone and instead stole the money players had deposited into the system to fuel its in-game economy.
These hackers – along with 52% of NFT scammers tracked by Elliptic – turned to a service, Tornado Cash, to launder their profits.
The service, which was placed on the US sanctions list this month, “was the source of $137.6 million in crypto-assets processed by NFT markets and the laundering tool of choice for 52% of proceeds from NFT scams before being sanctioned by the US Office of Foreign Assets Control (OFAC) in August 2022,” says Elliptic. “Its prolific use by threat actors who engage with NFTs further underscores the need for effective sanctions screening by NFT platforms.”