Top NFT-related cyber security, phishing, hacking and other risks in 2022

The continued growth of the non-fungible token (NFT) market in 2022 has helped shape the zeitgeist of what has been colloquially referred to as the “Fourth Industrial Revolution,”[1] defined largely by network effect (e.g., virality); rapid innovation; social, creative and community involvement; and developed perspectives with respect to how rights and obligations between and among the parties in automated agreements are defined and enforced.

Commonly used to identify and attach identifiable rights to otherwise fungible digital media files, NFTs, along with other cryptographic assets and blockchain technology in general, constitute the infrastructure required to facilitate transactions between and among anonymous or pseudonymous counterparties without the involvement of third-party intermediaries. As a result, the non-fungible (unique) nature of NFTs has revolutionized notions of digital property ownership by demonstrating that digital property is not only real, but has intrinsic value, equal to property.

Consumers spent up to $44 billion on NFTs in 2021[2] and are on track to spend at least as much, if not twice as much, in 2022.[3] But as the demand for NFTs continues to grow, unsuspecting consumers are at risk of being exposed to a host of new security risks associated with the burgeoning digital asset technology and ecosystem. For example, between 2021 and 2022, such risks have manifested in the theft of over $100 million in NFTs through fraud – with 4,600 NFTs stolen in July 2022 alone[4] – demonstrating that security and other risks associated with NFTs remain prevalent, even in the wake of the recent downturn in the digital asset market. This alert will explore some of the more common security incident typologies and other illegal activities involving NFTs and suggest strategies to mitigate these risks.

Phishing scams and hacks

Phishing unsuspecting NFT enthusiasts and newcomers continues to be a popular scam used by online hackers and fraudsters, who have ripped off thousands of consumers by impersonating or hacking digital forums, websites and social media accounts of well-known NFT projects to lure unsuspecting victims into buying fake NFTs.[5] In one case, hackers breached a hugely popular NFT collection’s official social media page and shared links to a fake airdrop. Followers who clicked on the fraudulent links were lured into connecting and authorizing access to their digital wallets, unknowingly allowing the hackers to siphon all the funds held in them.[6] Fraudsters targeted yet another long-awaited NFT launch by using fake websites and usernames on a popular social messaging platform to fraudulently communicate with unsuspecting enthusiasts and get them to buy fake NFTs.[7] Confusing buyers into thinking they are communicating with the brand is a dangerously simple and effective way to trick victims. Such transactions cannot be reversed once they have been completed. NFT buyers should be vigilant and take precautions such as double-checking URLs of marketplaces and other brand social media channels for relevant updates before completing purchases. Likewise, brands and digital asset marketplaces may publish notices and disclosures that warn consumers of such risks and prepare them on how to respond to the same.

Insider trading

NFT marketplaces are also vulnerable to insider trading, where employees use inside information to buy exclusive NFTs before they are available to the public, then sell them at a profit when prices rise.[8] The US Department of Justice (DOJ) recently indicted a former NFT marketplace employee and his associates on charges of wire fraud and money laundering “in connection with a scheme to commit insider trading.”[9] The DOJ alleged that the former employee used confidential information about certain NFTs selected for promotion by the NFT Marketplace to purchase them in advance and benefit from the corresponding increase in value of the NFTs after the promotion.[10]

To prevent insider trading, NFT marketplaces can implement formal policies that articulate prohibited conduct, provide training to employees, monitor purchases and sales, require periodic reporting, create blackout periods for employee transactions, provide anonymous reporting hotlines, and create firewalls.[11] Such policies should be established in advance to educate employees about the legal risks associated with insider trading and to prevent insider trading.

Money laundering and financing of illegal activities

“The NFT market is a prime target for financial crime, including money laundering, terrorist financing and fraud,”[12] according to blockchain analytics firm Elliptic, which recently reported that over $8 million in illicit funds have been laundered through NFT marketplaces since 2017.[13] One method of money laundering – “self-laundering” – is particularly widespread and involves individuals purchasing NFTs with illicit funds and then generating subsequent repeated transactions with themselves or related parties through a series of unique public keys to “clean” the funds by concealing the flow of transactions, and thus their association with criminal activity, at the end of the cycle.

NFTs may also be associated with corrupt financing activities due to characteristics inherent in NFTs that can be exploited to facilitate crimes. Such features include varying levels of anonymity available to blockchain transactors and the ability to settle transactions worldwide instantly.[14] For example, blockchain analysts and intelligence officials noticed that the Islamic State of Iraq and Syria (ISIS) used NFTs for recruitment and financing,[15] and that ISIS-themed NFTs were visible on at least one NFT trading website.[16] This recent finding illustrates the viability of using NFTs to finance illegal activities, not only because of their fundraising capabilities, but also because their indelible nature makes them nearly impossible to remove or censor, unlike other online recruitment and messaging tools.[17]

Exchanges and NFT marketplaces can take measures to prevent money laundering, such as implementing adequate know-your-customer and anti-money laundering procedures, monitoring trading and Internet Protocol activity among users, and banning and removing content associated with illegal activity. However, since NFTs are recorded on an immutable blockchain, they will be difficult (if not impossible) to eliminate completely.[18]

Market manipulation

As with self-laundering, bad actors have found ways to manipulate NFT marketplaces by artificially increasing the value of certain NFTs through “wash trading” – the practice of creating high trading volume to manipulate market prices to one’s advantage. Wash trading creates the illusion that an NFT is in high demand, when in reality the transactions all originate from one individual, or among related individuals, using different wallets to hide the fact that such transactions are related. This type of fabricated demand can lead unsuspecting buyers to believe that an NFT is more valuable than it actually is, and can be very lucrative for those who engage in such illegal practices. For example, one report found that wash trading netted dozens of traders roughly $8.9 million combined.[19]

Although such practices may be difficult to detect, consumers should be wary of them before purchasing NFTs. NFT buyers should closely monitor social media activity and engage in other due diligence activities to determine whether a particular NFT is truly highly valued. Marketplaces and brands can also take steps to protect consumers by using blockchain analytics tools to monitor NFT transaction activity to identify and block efforts by bad actors attempting to engage in laundering.
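As an added illustration (not from the original alert or from any analytics vendor), the sketch below shows the kind of check a marketplace could run over sales records to surface the related-wallet trading described above, which also applies to the repeated related-party transfers used in self-laundering. The sales, wallet labels and funding links are constructed sample data, and treating a shared funding source as evidence of relatedness is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample sales (not real chain data): (token, seller, buyer, price_eth)
SALES = [
    ("nft-1", "0xA", "0xB", 1.0),
    ("nft-1", "0xB", "0xC", 2.5),
    ("nft-1", "0xC", "0xA", 6.0),  # token returns to an earlier holder
    ("nft-1", "0xA", "0xD", 9.0),  # unrelated buyer pays the inflated price
    ("nft-2", "0xE", "0xF", 3.0),
    ("nft-2", "0xF", "0xG", 3.2),
]
# Constructed funding edges (assumption): wallet -> wallet that first funded it.
FUNDED_BY = {"0xB": "0xA", "0xC": "0xB", "0xF": "0xX", "0xG": "0xY"}


def make_cluster_lookup(funded_by):
    """Union-find over funding edges; returns find(wallet) -> cluster root."""
    parent = {}

    def find(w):
        parent.setdefault(w, w)
        while parent[w] != w:
            parent[w] = parent[parent[w]]  # path halving
            w = parent[w]
        return w

    for wallet, funder in funded_by.items():
        parent[find(wallet)] = find(funder)
    return find


def flag_wash_trades(sales, funded_by):
    """Per token, count sales between related wallets or back to a prior holder."""
    find = make_cluster_lookup(funded_by)
    holders = defaultdict(set)  # token -> wallets that have held it so far
    stats = defaultdict(
        lambda: {"suspect_sales": 0, "total_sales": 0, "suspect_volume": 0.0})
    for token, seller, buyer, price in sales:
        holders[token].add(seller)
        entry = stats[token]
        entry["total_sales"] += 1
        if find(seller) == find(buyer) or buyer in holders[token]:
            entry["suspect_sales"] += 1
            entry["suspect_volume"] += price
    return {t: s for t, s in stats.items() if s["suspect_sales"]}


if __name__ == "__main__":
    for token, s in flag_wash_trades(SALES, FUNDED_BY).items():
        print(token, s)
```

A high share of suspect sales on a token is a signal for manual review rather than proof of manipulation, since legitimate holders also move assets between their own wallets.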

Platform Exploits

Platform vulnerabilities and exploits can cause significant financial losses to platform users. A recent example of this occurred when a major global NFT platform unwittingly facilitated the sale of “inactive” NFT listings to savvy buyers who realized that sophisticated NFT holders often transfer blue-chip NFTs to other wallets they control instead of delisting them (which would require manual cancellation for a fee). By transferring an NFT between wallets, the NFT holders could remove the public listing and avoid the fee associated with the cancellation.

However, this process only updated the listing from “active” to “inactive”, allowing savvy buyers to purchase the inactive NFTs via the smart contract rather than the exchange platform’s user interface. According to reports, a popular NFT platform had to refund up to $1.8 million to users who unknowingly sold their NFTs at prices well below market value due to the platform’s user interface issue.[20]

Security flaws can also exist within the back-end architecture of NFT marketplaces, which, if not addressed, could result in significant losses for marketplace users. For example, a popular NFT marketplace was recently asked to update its back-end coding to fix a security flaw identified by a third-party security firm.[21] Had malicious actors observed and exploited the back-end vulnerability, they would have been able to send NFT owners malicious links that, when clicked, would potentially grant full access to users’ wallets and NFTs or other digital assets held there.[22]

While these particular exploits were addressed in one case after the fact, and in another case before any exploitation occurred, NFT marketplaces are mindful of the need to plan and design products and user interfaces that protect consumers from unintended risk exposure.

Conclusion

Billions of dollars worth of fungible and non-fungible digital asset transactions occur daily.[23] As such, users and platforms must be vigilant to protect themselves from fraud, hacks and other illegal activity and take measures to minimize these risks. BakerHostetler’s Blockchain Technologies and Digital Assets and Data Security Incident Response teams are composed of dozens of experienced individuals—including attorneys who have served in the DOJ and many others—with extensive experience across all sectors of the blockchain and cryptocurrency markets, from investigations, incident response and cybersecurity, bank secrecy/anti-money laundering, tax, privacy, transactional, intellectual property, and media and technology design for federal legislation, congressional oversight, investigations, and public policy. Please feel free to contact one of our experienced professionals if you have any questions about this notice.
