More than $100 million in NFTs stolen since July 2021, data shows
More than $100m (£85m) worth of non-fungible tokens were stolen in the year to July, research shows, with criminals making off with an average of $300,000 per scam.
Criminals have been stealing valuable NFTs — cryptoassets that provide ownership of a unique digital object, often a piece of virtual art — in a variety of ways, according to a report by cryptocurrency analyst Elliptic.
“The most valuable NFT ever stolen is CryptoPunk #4324, which was sold by fraudsters shortly after the theft on November 13, 2021 for $490,000,” reports Elliptic. “Meanwhile, the largest single heist from a single victim resulted in the loss of 16 blue-chip NFTs worth $2.1 million on December 28, 2021.
“Underscoring the ongoing problem of fraud, assets #9650 and #5759 in the CloneX collection have been stolen twice in three months – in two unrelated fraud incidents – after being worth around $50,000 on both occasions.”
Phishing scams, the most common type, lure users into accidentally handing over their cryptocurrency wallet credentials, with which a fraudster can initiate an irreversible transaction.
Sometimes it can be done through a hacked social media account, like when $3 million of NFTs from Yuga Labs’ Bored Ape Yacht Club collection were stolen after an Instagram hack, and sometimes it can be through domain squatting or impersonation.
“Fraudsters have also been known to pay to advertise their sites on search engines,” notes the Elliptic report, “meaning unwitting individuals searching for the impersonated NFT platform will see a series of phishing links at the top of search results.”
However, other scams are more unique to the NFT space. A Trojan horse NFT, for example, uses the unique properties of a “smart contract” to create a booby-trapped token: if the user accepts it, it can immediately drain their account.
NFT exchange scams, meanwhile, work by abusing the fact that forging an NFT is trivial. Simply creating a new digital asset with the same name and image as a high-value NFT means that someone can be tricked into accepting what looks like a “like-for-like” exchange, only to discover that they have been left with nothing.
The $100 million total does not even include the largest single NFT-related theft, of $500 million in digital currency from the NFT-based video game Axie Infinity. These hackers, believed to be North Korean state actors, left the Pokemon-like NFTs alone, instead stealing the money that players had deposited into the system to power the in-game economy.
These hackers—as well as 52% of the NFT fraudsters Elliptic tracked—turned to one service, Tornado Cash, to launder their proceeds.
The service, which was placed on the US sanctions list this month, “was the source of $137.6 million of crypto-assets processed by NFT marketplaces and the laundering tool of choice for 52% of NFT fraud proceeds before being sanctioned by OFAC (US Office of Foreign Assets Control) in August 2022,” says Elliptic. “The prolific use of threat actors engaging in NFTs further underscores the need for effective sanctions screening of NFT platforms.”