The emergence of non-fungible tokens and their subsequent meteoric rise has attracted a host of NFT scammers out searching for the next meal ticket.
And while the NFT bubble of 2021 has well and truly popped – with the speculative hype train gone (for the time being) – NFT thefts and hacks are happening at a record pace, despite NFT prices and sales currently at record 12-month lows.
Follow along as we discuss the most common schemes scammers use to steal NFTs in this article.
NFT Theft At Record Highs
One of the most persistent problems blockchain ecosystems face is the rising incidence of NFT theft.
According to London-based blockchain analytics and risk management firm Elliptic, over $100 million worth of NFTs were reported stolen from July 2021 to July 2022.
Elliptic reports that over 4,650 NFTs have been stolen from an analysis of 80 high-profile NFT scams circulating on social media since July 2021.
On the other hand, July 2022 alone saw 4,600 NFTs stolen, recording the highest per-month incidence of NFT thefts thus far, even as NFT sales are down by 80%. in the same time period.
It’s clear that NFT scams aren’t going away anytime soon, despite the crypto winter of 2022 obliterating NFT values across the board.
Elliptic gathered the data on NFT scams using open research from social media. The report includes NFT thievery reported as stolen on social media, as well as tangible patterns of thievery using on-chain data.
According to Elliptic, their study uncovered trends involving NFT-related scams, such as the use of digital asset mixers used to obfuscate on-chain activity related to theft. This includes US-sanctioned Tornado Cash, which enjoys prolific use as the laundering tool of choice by cybercriminals to hide the proceeds of ill-gotten gains.
Tornado Cash was identified as the source of approximately $138 million worth of digital assets handled by NFT platforms, making it the preferred money laundering solution for as much as 52% of NFT scam proceeds prior to its OFAC sanctioning last August 2022. Moreover, Elliptic reports that the latter’s prevalent use among cybercriminals engaging with NFTs greatly underlines the need for NFT platforms to implement effective sanctions screening processes.
Another trend is the rising prevalence of security breaches of NFT communities on social media such as Discord and Telegram, leading to cryptocurrency and NFT theft.
Another notable stolen NFT includes include CryptoPunk #4324, stolen in November 2021 before being resold for a cool $490,000, making it the most valuable NFT ever stolen on record.
Not too long after, in December 2021, cybercriminals stole 16 top-notch NFTs worth $2.1 million from a collector in one fell swoop, making it the biggest single instance of theft recorded thus far.
Moreover, according to the Elliptic report, NFT-based services need to look out for another emerging threat besides crypto scammers: threat actors from state-sponsored and sanctioned entities, particularly North Korea’s notorious Lazarus Group, which was linked by United States government officials as being responsible for an April 2022 theft which cost a staggering $540 million.
8 Types Of NFT Hacks You Should Know About
NFT hacks have been constantly on the rise, leaving collectors vulnerable to the growing threat of thieves and scammers. The next victim could be you.
While Sending.me can keep your assets secure from these scams, it is better to know what to look out for! That’s why we’ve put together a list of the eight most common types of NFT hacks – so you can avoid them.
These are undoubtedly the most prevalent scam in the crypto and NFT community. These involve establishing fake sites designed to compromise their victims’ wallets and crypto assets through 1) fake popups that poise as a window or login screen of a reputable custodial wallet like MetaMask to steal their information once unsuspecting users enter their credentials, and 2) encouraging unwitting individuals to sign malicious transactions that allow others to manage their crypto assets (read: steal them).
Scammers attract clicks by stirring up FOMO, or “fear of missing out,” among NFT collectors due to the rapid increase in value of certain NFT collections during the peak of speculation and hype in 2021. Cybercriminals have exploited this mania to incite careless buys and fast transactions.
Cybercriminals deploy phishing links in various ways. Since the broader NFT community has become aware of the most common scams, criminals have evolved to use more sophisticated, less obvious ways to steal millions worth of NFTs from collectors.
Direct Message & Email Phishing
Hackers use direct messages and email phishing tactics to access your account details. Like phishing scams, hackers send out fake links through email or social media channels such as Discord, Twitter, or Telegram. Once you click the link and enter your personal details or connect your wallet, thieves will use malicious software to compromise your account and cryptoassets.
Direct message and email phishing emails usually impersonate an NFT marketplace or a purported customer service representative to hoodwink victims into clicking links to enable a trade or to verify their personal information. Cybercriminals employ FOMO tactics like sending out fake email notifications of NFTs from popular collections being listed below their floor prices, linking the victim to fake malicious sites posing as legitimate NFT marketplaces.
Last February 2022, cybercriminals stole almost $1.7 million worth of NFTs from NFT marketplace OpenSea after copying emails from the company and sending phishing links to unwitting individuals.
More recently, scammers have been paying to get their malicious sites advertised on search engines, leading to unsuspecting individuals clicking on a Google link at the top of the search results to a fake NFT platform used for phishing.
Often, these fake, impersonated sites look just perfect replicas of established NFT trading platforms while surreptitiously using a URL that adds an additional keystroke to trick users into handing over their personal information or credentials. This is another typical phishing technique cybercriminals use to mimic an established NFT platform or marketplace wherein they use very similar domain names as the platforms they wish to impersonate, called domain squatting.
Once the user is inside the impersonated NFT platform, users might be coerced into creating a new wallet and setting up passphrases for it, not knowing that they were setting up wallets for the cybercriminals. Once users fund their “new” wallet, any digital assets that they transfer can easily be stolen by scammers.
Another common way cybercriminals use to steal NFTs is by hacking – involving unauthorized persons exploiting a computer, mobile device, social media, or private network to access its contents.
For instance, last April 2022, four Bored Ape Yacht Club NFTs were stolen after hackers broke into the official BAYC Instagram account. The hacker posted a phishing link to a purported airdrop that would ostensibly give BAYC holders free metaverse real estate. Not surprisingly, BAYC holders who opened the link and connected their crypto wallets had their Apes and other Yuga Labs collectibles stolen. All in all, the April 2022 Bored Ape Instagram hack cost victims $2.5 million worth in NFTs.
Once Yuga Labs regained control of the compromised account, they ordered an investigation into how the hackers were able to gain access.
A common NFT scam is through swapping services. These services allow users to trade their NFTs for another as opposed to buying or selling them using cryptocurrencies. Since May 2021, over $490 million worth of non-fungible token swaps has been done on swap protocols.
Swap scams happen when scammers trick NFT holders into swapping a valuable NFT in exchange for a fake one or a worthless forgery.
Other threat actors use trojan NFTs, which they send to collectors. If the collectors accept the NFT trojan, they end up losing theirs.
Trojan horse NFTs work with criminals baiting unsuspecting collectors with a token or smart contract that would drain their crypto wallets after being accepted. In addition, scammers have inserted malware in NFT-related spreadsheets or files purporting to contain information but whose real purpose is to deliver trojan malware.
Social Media & Discord Hacks
Over 5,000 NFTs have been stolen through social media hacks. On the other hand, OkHotShot, an NFT expert and Twitter user wrote that a total of 271 Discord servers had been compromised from May to July 2022.
Social media hacks are very attractive to criminals as they provide another layer of social proof that unsuspecting collectors believe is genuine. Once a social media or messaging account gets compromised, phishing links can be deployed from the official accounts of the NFT projects.
Social Engineering Tactics
Impersonation scams involve bad characters impersonating tech support representatives, as moderators of Discord servers, or as members preying on individuals asking questions about technical difficulties or bugs – in the hope that they can connect with unsuspecting victims by DM and get them to disclose their wallet seed phrases. The victims, believing them to be legitimate staff members, comply.
For instance, members from NFT projects like Bored Ape Yacht Club and Azukis have been impersonated on Twitter to steal victims’ digital assets.
5 Tips To Keep Your NFT And Crypto Investments Safe
That said, what steps can you take to ensure the safety of your crypto assets? Here are five pointers you could put to use:
- Use Sending.me. The platforms provide full security, a reputation system prevents bad elements from infiltrating the community, and in-app trading makes NFT trading safe.
- Never share your private key with anyone. One of the first things you need to do to secure your crypto and NFTs is to keep your private keys private. Never share it with anyone nor leave it somewhere else someone could find it and compromise your crypto wallet.
- Don’t answer to messages from unknown contacts. Plenty of NFTs have been stolen from scammers impersonating social media accounts. Refrain from answering messages from any unknown senders and don’t click on any links without first checking if it’s legitimate. Hackers employ convincing strategies using social engineering to scam others – make sure the person you’re responding to is genuine.
- Don’t click on sketchy links. Phishing is the most common way thieves steal NFTs. A good rule of thumb to avoid getting victimized by scammers is to refrain from clicking on any unverified links. For instance, if you receive a notification from a sender posing as a NFT exchange, hover over the link and examine the link if it comes from the company’s legitimate website or communication channels.
- Enable two-factor authentication. By enabling two-factor authentication on your accounts, you ensure that someone can’t use your password alone to access your account without your permission. The extra layer of security prevents hackers from getting into your account and could alert you if someone makes an attempt to log in.
- Keep your digital assets in a cold wallet. Crypto wallets connected to the internet are called “hot” wallets. Hot wallets are easy targets for hackers to compromise. On the other hand, “cold” wallets — wallets not connected to the internet — would require physical access to your wallet for them to hack into.
While criminal activity constitutes a fraction of all NFT activity, as the Elliptic stated, the prevalence of scams has besmirched the industry’s reputation and affected the user experience of legitimate collectors.
Nevertheless, scams are indeed rife and increasing in number even as the broader market is down – and crypto thieves are ramping up efforts with various scam tactics to part you from your assets. Likewise, NFT marketplaces and regulatory authorities should take steps to eradicate criminal activity in the marketplace.