Non-fungible tokens (NFTs) worth more than $100m were stolen in the past year, new research says. The report from crypto compliance company Elliptic also highlights other NFT crime trends, with the digital assets being widely used by money launderers.
NFTs, digital tokens representing a unique asset such as a photo or video, have enjoyed a boom in popularity among consumers and businesses over the past two years. Yesterday, ticketing giant Ticketmaster said it would allow event organisers to issue NFTs linked to tickets using the Flow blockchain. These could be made available before or after events, and possibly be linked to special experiences for customers.
However, the report from Elliptic lifts the lid on some of the problems associated with the tokens.
The cost of non-fungible token crime in 2021
The Elliptic research says more than $100m worth of NFTs were publicly reported as stolen through scams between July 2021 and July 2022, netting the perpetrators $300,000 per scam on average.
The most valuable NFT ever stolen is CryptoPunk #4324, which was sold by scammers soon after the theft
in November 2021 for $490,000. The largest single heist from an individual victim occurred in December and resulted in the loss of 16 so-called “blue chip” NFTs worth $2.1m.
July 2022 was the most prolific month for this kind of crime, the report says, with more than 4,600 NFTs stolen. This indicates that scams have not abated despite the well-publicised problems in the cryptocurrency market, which have seen the value of digital currencies such as Bitcoin and Ethereum tumble.
In terms of value, May 2022 recorded the highest cost of thefts, at just under $24m. The authors believe the true number is likely much higher, with crimes often going unreported.
NFTs are also being used by criminals, as the authors found evidence of more than $8m of illicit funds being laundered through NFT-based platforms since 2017. Again the true figure is likely to be a lot higher, with a further $328m spent on NFTs emanating from what the report describes as “obfuscation services” like crypto mixers, where crypto assets from different sources are mixed to disguise their origins. “A proportion of this may reflect proceeds from illicit activity,” the report says.
How are cybercriminals stealing NFTs?
NFT platforms compromised in the past year include OpenSea, the world’s biggest NFT marketplace, which reported a data breach in June which saw user information stolen. It has not disclosed whether this led to any NFTs being pilfered.
The report says that social media compromises – particularly of NFT project Discord servers – have surged in 2022, accounting for 23% of all NFTs stolen this year: just under 5,000 NFTs with a value of $20m were taken in such breaches. The authors say: “The growing availability of tailored malware that can bypass multi-factor authentication is likely to be partially responsible.”
Phishing scams remain the most popular attack vector, accounting for 51.5% of all reported losses in the last year, the Elliptic report says.