More than $100m (£85m) worth of non-fungible tokens were stolen in the year to July, research shows, with criminals making off with an average of $300,000 per scam.
Criminals have stolen valuable NFTs – crypto assets that confer ownership of a unique digital item, often a piece of virtual art – in a variety of ways, according to a report by the cryptocurrency analyst Elliptic.
“The most valuable NFT ever stolen is CryptoPunk #4324, which was sold by scammers soon after the theft on 13 November 2021 for $490,000,” Elliptic reports. “Meanwhile, the largest single heist from an individual victim resulted in the loss of 16 blue-chip NFTs worth $2.1m on 28 December 2021.
“Emphasising the persisting problem of scams, assets #9650 and #5759 in the CloneX collection have been stolen twice in the space of three months – in two unrelated scam incidents – having been worth around $50,000 on both occasions.”
Phishing scams, the most common type, entice users to accidentally hand over the credentials to their cryptocurrency wallets, with which a fraudster can initiate an irreversible transaction.
Sometimes that can be done through a hacked social media account, as when $3m of NFTs from Yuga Labs’ Bored Ape Yacht Club collection were stolen after an Instagram hack, and sometimes it can be through domain squatting or impersonation.
“Scammers have also been known to pay to advertise their sites on search engines,” the Elliptic report notes, “meaning that unwitting individuals searching for the impersonated NFT platform will see a host of phishing links at the top of their search results.”
Other scams, however, are more specific to the NFT space. A Trojan horse NFT, for instance, uses the features of a “smart contract” to create a booby-trapped token: if the user accepts it, the contract can immediately drain their account.
NFT swap scams, meanwhile, abuse the fact that counterfeiting an NFT is trivial. Simply creating a new digital asset with the same name and image as a high-value NFT means some users can be fooled into accepting what looks like a “like-for-like” swap, only to find they have been left with nothing.
The $100m total does not even include the single largest NFT-related theft, of $500m of digital currency from NFT-based video game Axie Infinity. Those hackers, believed to be North Korean state actors, left the Pokemon-like NFTs alone, and instead stole the money that players had deposited in the system to power its in-game economy.
Those hackers – as well as 52% of the NFT scammers Elliptic tracked – turned to one service, Tornado Cash, to launder their proceeds.
The service, which was put on the US sanctions list this month, “was the source of $137.6m of cryptoassets processed by NFT marketplaces and the laundering tool of choice for 52% of NFT scam proceeds before being sanctioned by OFAC (US Office of Foreign Assets Control) in August 2022,” Elliptic says. “Its prolific use by threat actors engaging with NFTs further emphasises the need for effective sanctions screening by NFT platforms.”
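As an added illustration (not code from the Elliptic report or this article), the following Python script shows the defensive checks that the swap-scam and sanctions-screening passages above imply: a platform or wallet validating a swap offer by the token's contract address rather than its name or image, and screening the counterparty wallet against a sanctions list. The collection names are taken from the article; every address and the sanctions entry are constructed placeholders, not real on-chain values.

```python
from dataclasses import dataclass

# Constructed sample data: placeholder addresses, not the real collection
# contracts and not any real sanctioned wallet.
CANONICAL_COLLECTIONS = {
    "CloneX": "0xAAAA000000000000000000000000000000000001",
    "CryptoPunks": "0xAAAA000000000000000000000000000000000002",
}
SANCTIONED_ADDRESSES = {"0xDEAD000000000000000000000000000000000BAD"}


@dataclass(frozen=True)
class OfferedAsset:
    name: str      # display name supplied by the counterparty: untrusted
    contract: str  # address of the contract that minted the token: what matters
    token_id: int


def norm(addr: str) -> str:
    # Hex addresses are case-insensitive; compare them in one canonical form.
    return addr.strip().lower()


def collection_of(name: str) -> str:
    # "CloneX #9650" -> "CloneX"; a name without "#" is returned whole.
    return name.split("#", 1)[0].strip()


def is_counterfeit(asset: OfferedAsset) -> bool:
    """An asset that borrows a known collection's name but was minted by a
    different contract is a lookalike, however convincing its image."""
    canonical = CANONICAL_COLLECTIONS.get(collection_of(asset.name))
    return canonical is not None and norm(asset.contract) != norm(canonical)


def screen_swap(counterparty: str, offered: list[OfferedAsset]) -> list[str]:
    """Return findings for a proposed swap; an empty list means it passed."""
    findings = []
    if norm(counterparty) in {norm(a) for a in SANCTIONED_ADDRESSES}:
        findings.append(f"counterparty {counterparty} is on the sanctions list")
    for asset in offered:
        if is_counterfeit(asset):
            findings.append(f"'{asset.name}' is minted by {asset.contract}, "
                            f"not the canonical {collection_of(asset.name)} contract")
    return findings


if __name__ == "__main__":
    fake = OfferedAsset("CloneX #9650", "0xBBBB000000000000000000000000000000000099", 9650)
    for line in screen_swap("0xDEAD000000000000000000000000000000000BAD", [fake]):
        print("REJECT:", line)
```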