More than $100m worth of non-fungible tokens were stolen in a variety of scams between January and July of this year, according to a new report by the blockchain analysis firm Elliptic. The thieves made off with an average of $300,000 per scam.
“The most valuable NFT ever stolen is CryptoPunk #4324, which was sold by scammers soon after the theft on 13 November 2021 for $490,000,” Elliptic reports. “Meanwhile, the largest single heist from an individual victim resulted in the loss of 16 blue-chip NFTs worth $2.1m on 28 December 2021,” the report says.
Elliptic collected the data on NFT scams through open-source research across major social media sites. All thefts included in the report (a) were reported stolen on social media, (b) showed a clear pattern of theft based on Ethereum transactions, and (c) occurred between July 2021 and July 2022.
The report outlines the different scams duping crypto art collectors. Phishing scams, in which users accidentally share the credentials to their cryptocurrency wallet, are the most common. Fraudsters can accomplish this by domain squatting on similar website names or hacking the owner’s social media accounts. In one of the highest-profile cases, $3 million worth of NFTs were stolen from Yuga Labs’ Bored Ape Yacht Club after an Instagram hack.
“Scammers have also been known to pay to advertise their sites on search engines,” the Elliptic report says, “meaning that unwitting individuals searching for the impersonated NFT platform will see a host of phishing links at the top of their search results.”
In more elaborate scams, a “Trojan horse” NFT will bait the prospective buyer with a “smart contract” or token that will drain their account after being accepted. Elsewhere, a counterfeit NFT that has the same name and image as the unique digital asset can trick someone into a “like-for-like” swap, in which the scammer receives a valuable NFT but leaves a worthless forgery.
Elliptic notes that 52% of the NFT scammers it tracked used the service Tornado Cash to launder their loot. The service, which was included on a US sanctions list this month, “was the source of $137.6m of cryptoassets processed by NFT marketplaces,” the report notes, adding, “Its prolific use by threat actors engaging with NFTs further emphasizes the need for effective sanctions screening by NFT platforms.”