$100M in NFT Theft Last Year Despite Crypto Winter: Elliptic
Crypto “winter” or not, non-fungible token (NFT) scams are on the rise.
Investors reported over $100 million worth of NFTs stolen due to fraud between July 2021 and July 2022, according to a new report from top blockchain analytics firm Elliptic.
Scammers raked in $300,000 on average as several shady records were broken in the past year. In July 2022 — mid-crypto bear market, when NFT prices fell sharply — over 4,600 NFTs were reported stolen, the “highest month ever” for such fraud, according to Elliptic.
Additionally, in May, just under $24 million in NFTs were stolen through fraud. That’s the “highest confirmed value” to date, Elliptic wrote, noting that the actual number is likely even higher because victims don’t always publicly report being scammed.
Among the most common methods used were phishing scams, often where fake pop-ups encourage users to log into their wallet or log into malicious transactions. Sometimes, for example, bad actors pose as the website of a well-known NFT platform or wallet, or hack into the social media account of a popular NFT project, spreading malicious links that give fraudsters access when clicked.
Social media-based phishing scams have also increased, according to Elliptic, with around $20 million worth of NFTs stolen in 2022. Elliptic concludes that this is due to the increased use of malware that can bypass two-factor authentication.
Aside from fraud, NFTs are often criticized as vehicles that can be used for money laundering. However, in its investigation, Elliptic found that although illicit funds have been used to purchase NFTs, this amount is relatively small.
Elliptic analyzed 17 million Ethereum transactions between Q4 2017 and Q1 2022 from 22 NFT marketplaces, four NFT games or metaverse platforms and two NFT exchanges.
In its breakdown, Elliptic reported that funds from legal activity accounted for about $40 billion, or 99%, of the total used for NFT services. Under $329 million, or 0.81%, of the funds on NFT services come from “obfuscators” such as so-called crypto “mixers”, which allow users to hide the trace of transactions. And illegal means, such as theft, phishing or Ponzi schemes, account for $8 million, or 0.02%.
Nonetheless, Elliptic sees an “increasing threat to NFT-based services from sanctioned entities and state-sponsored exploits,” it wrote, citing among other things the $540 million Axie Infinity Ronin Bridge exploit by the notorious North Korean hacking outfit known as the Lazarus Group.
For example, Tornado Cash, a notable crypto mixer now sanctioned by the United States, “was the source of $137.6 million of cryptoassets processed by NFT marketplaces and the laundering tool of choice for 52% of NFT fraud proceeds before being sanctioned,” Elliptic wrote. “The prolific use of threat actors engaging in NFTs further underscores the need for effective sanctions screening of NFT platforms.”
Overall, Elliptic concluded that while the “perceived chances of NFT-based crime occurring are higher than they actually are”, there is still a need for improvement in the space.