The continued growth of the market for nonfungible tokens (NFTs)
in 2022 has helped shape the zeitgeist of what has been referenced
colloquially by some as the “fourth industrial
revolution,”1 defined largely by network effect
(e.g., virality); rapid innovation; social, creative and civic
engagement; and evolved perspectives with regard to how rights and
obligations between and among parties to automated agreements are
defined and enforced.
Commonly used to identify and affix identifiable rights to
otherwise fungible digital media files, NFTs, along with other
cryptographic assets and blockchain technology generally, compose
the infrastructure required to facilitate transactions between and
among anonymous or pseudonymous counterparties without involvement
by third-party intermediaries, such as banks. As a result, the
nonfungible (unique) nature of NFTs has revolutionized conceptions
of digital property ownership by demonstrating that digital
property is not only real but has intrinsic value, similar to real
property.
Consumers spent up to $44 billion on NFTs in 20212
and are on track to spend at least as much, if not double, in
2022.3 But while demand for NFTs continues to grow,
unsuspecting consumers risk being exposed to a variety of novel
security risks associated with the burgeoning digital asset
technology and ecosystem. For example, between 2021 and 2022, such
risks have manifested in the theft of over $100 million in NFTs
through scams – with 4,600 NFTs stolen in July 2022
alone4 – demonstrating that security and other
risks associated with NFTs remain prevalent, even in the wake of
the recent digital asset market downturn. This alert will explore
some of the more common security incident typologies and other
illicit activities involving NFTs and propose strategies for
mitigating these risks.
Phishing Scams and Hacks
Phishing unsuspecting NFT enthusiasts and newcomers continues to
be a popular fraud scheme deployed by online hackers and
fraudsters, who have successfully robbed thousands of consumers by
imitating or hacking digital forums, websites and social media
accounts of well-known NFT projects to lure unsuspecting victims
into purchasing counterfeit NFTs.5 In one instance,
hackers breached an immensely popular NFT collection’s official
social media page and shared links to a fake airdrop. Followers who
clicked on the fraudulent links were lured into connecting and
authorizing access to their digital wallets, unknowingly allowing
the hackers to siphon all funds therein.6 Fraudsters
targeted another highly anticipated NFT launch by using fake
websites and usernames on a popular social messaging platform to
communicate fraudulently with unsuspecting enthusiasts and induce
them into purchasing counterfeit NFTs.7 Confusing
purchasers by making them believe they are communicating with the
brand is a dangerously simple and effective way to deceive victims.
Such transactions, once effectuated, cannot be undone. NFT
purchasers should remain vigilant and take precautions, such as
double-checking marketplace URLs and other brand social media
channels for relevant updates before finalizing any purchases.
Likewise, brands and digital asset marketplaces can publish notices
and disclosures warning consumers of such risks and preparing them
on how to respond to the same.
Insider Trading
NFT marketplaces are also vulnerable to insider trading, where
employees use insider information to purchase exclusive NFTs before
they are available to the public and then sell them for a profit
once prices spike.8 The U.S. Department of Justice (DOJ)
recently indicted a former NFT marketplace employee and his
associates on charges of wire fraud and money laundering “in
connection with a scheme to commit insider
trading.”9 The DOJ alleged that the former employee
used confidential information about certain NFTs selected for
promotion by the NFT marketplace in order to purchase them in
advance and benefit from the corresponding increase in value of the
NFTs post-promotion.10
To prevent insider trading, NFT marketplaces can implement
formal policies that articulate prohibited conduct, provide
training for employees, monitor purchases and sales, require
periodic reporting, create blackout periods for employee
transactions, provide anonymous reporting hotlines, and create
firewalls.11 Such policies should be created in advance
to educate employees about the legal risks associated with insider
trading activities and prevent insider trading from occurring.
Money Laundering and Financing Illicit Activities
“The NFT market is a prime target for financial crimes,
including money laundering, terrorist financing and
scams,”12 according to blockchain analytics firm
Elliptic, which recently reported that over $8 million in illicit
funds has been laundered through NFT marketplaces since
2017.13 One method of laundering –
“self-laundering” – is particularly prevalent and
involves individuals purchasing NFTs with illicit funds then
generating subsequent repeated transactions with themselves or
related parties through numerous unique public keys to
“clean” the funds by obfuscating the flow of
transactions, and thus their association with criminal activity, by
the end of the cycle.
NFTs may also be associated with corrupt financing activities
because of characteristics inherent in NFTs that can be leveraged
to facilitate crimes. Such characteristics include varying levels
of anonymity available to blockchain transactors and the ability to
instantaneously settle transactions worldwide.14 For
example, blockchain analysts and intelligence officials noticed
that the Islamic State of Iraq and Syria (ISIS) used NFTs for
recruiting and funding,15 and that the ISIS-themed NFT
was visible on at least one NFT trading website.16 This
recent finding illustrates the viability of using NFTs to fund
illicit activities, not only because of their fundraising
capabilities but also because their indelible nature makes them
nearly impossible to remove or censor, unlike other online
recruiting and messaging tools.17
Exchanges and NFT marketplaces can take actions to prevent money
laundering, such as implementing adequate know-your-customer and
anti-money-laundering procedures, monitoring trading and
Internet-protocol activity among users, and prohibiting and
removing content associated with illicit activity. However, since
NFTs are recorded on an immutable blockchain, they will be
difficult (if not impossible) to eliminate
entirely.18
Market Manipulation
As they done with self-laundering, bad actors have found ways to
manipulate NFT marketplaces by artificially increasing the value of
certain NFTs through “wash trading” – the practice
of creating high trading volume to manipulate market prices in
one’s favor. Wash trading creates the illusion that an NFT is
in high demand, when in reality the transactions all emanate from
one individual, or among related individuals, using different
wallets to obscure the fact that such transactions are related.
This type of fabricated demand can lead unsuspecting buyers to
believe an NFT is more valuable than it actually is and can be
highly lucrative for those who engage in such unlawful acts. For
example, one report found that wash trading netted dozens of
traders approximately $8.9 million combined.19
Although such practices can be difficult to ascertain, consumers
should be wary of them before purchasing NFTs. NFT purchasers
should pay close attention to social media activity and engage in
other diligence activities to determine whether a particular NFT is
indeed highly valued. Marketplaces and brands can also take
measures to protect consumers by engaging blockchain analytics
tools to monitor NFT transaction activity to identify and block
efforts by bad actors attempting to engage in wash trading.
Platform Exploits
Platform vulnerabilities and exploits can cause significant
financial loss to platform users. A recent example of this occurred
when a large global NFT platform unwittingly facilitated sales of
“inactive” NFT listings to savvy buyers who realized that
sophisticated NFT holders frequently transfer blue-chip NFTs to
other wallets they control instead of de-listing them (which would
require manual cancellation for a fee). By transferring the NFT
between wallets, the NFT holders were able to remove the public
listing and avoid the fee associated with its cancellation.
However, this process merely updated the listing from
“active” to “inactive,” allowing knowledgeable
buyers to purchase the inactive NFTs via the smart contract instead
of the exchange platform’s user interface. According to
reports, one popular NFT platform had to reimburse up to $1.8
million to users who unknowingly sold their NFTs at prices far
below market value because of the platform’s user interface
issue.20
Security flaws can also be found within the back-end
architecture of NFT marketplaces, which, if left unaddressed, can
lead to significant losses to marketplace users. For example, one
popular NFT marketplace was recently prompted to update its
back-end coding to fix a security flaw identified by a third-party
security firm.21 Had malicious actors observed and
exploited the back-end vulnerability, they would have been able to
send NFT owners malicious links that, when clicked, would
potentially grant full access to users’ wallets and the NFTs or
other digital assets located therein.22
While these particular exploits were addressed in one instance
after the fact, and in another instance before any exploit
occurred, NFT marketplaces are on notice of the need to plan and
design products and user interfaces that shield consumers from
inadvertent risk exposure.
Conclusion
Billions of dollars’ worth of fungible and nonfungible
digital asset transactions occur daily.23 As such, users
and platforms must remain vigilant to protect themselves from
scams, hacks and other unlawful activity and implement measures to
minimize these risks.
Footnotes
1. Darryn Pollock, The Fourth Industrial Revolution
Built On Blockchain And Advanced With AI, Forbes (Nov. 30,
2018),https://www.forbes.com/sites/darrynpollock/2018/11/30/the-fourth-industrial-revolution-built-on-blockchain-and-advanced-with-ai/?sh=6b90751f4242.
2. Report Preview: The 2021 NFT Market
Explained, Chainalysis (Jan. 13, 2022),
https://blog.chainalysis.com/reports/nft-market-report-preview-2021/.
.
3. Tom Mitchelhill, NFT Collectors Sent $37B to
Marketplaces in 2022, Nearly Equaling 2021 Already,
Cointelegraph (May 6, 2022), https://cointelegraph.com/news/nft-collectors-sent-37b-to-marketplaces-in-2022-nearly-equaling-2021-already.
4. More Than $100 Million Worth of NFTs Have Been
Stolen in the Past Year as Crypto Scams Continue to Rise,
Artnet News (Aug. 25, 2022), https://news.artnet.com/market/rise-of-nft-thefts-report-2165338;
George Stamboulidis, Christina Gotsis, Jordan Silversmith and
Robert Musiala, Combatting Fraud and Corruption in the NFT
Market, BakerHostetler (Aug. 30, 2022), https://www.bakerlaw.com/files/blockchain/6-Combatting%20Fraud_p06.pdf.
5. More Than $100 Million Worth of NFTs Have Been
Stolen in the Past Year as Crypto Scams Continue to Rise,
supra note 4;Stamboulidis et al., supra note
4.
6. Zhiyuan Sun, Bored Ape Yacht Club NFTs Stolen in
Instagram Phishing Attack, Cointelegraph (Apr. 25, 2022), https://cointelegraph.com/news/bored-ape-yacht-club-nfts-stolen-in-instagram-phishing-attack.
7. Playboy Enters. Int’l v.
www.playboyrabbitars.app, 21 Civ. 08932 (VM) (S.D.N.Y. Nov.
13, 2021),
8. Stamboulidis et al., supra note
4.
9. Former Employee of NFT Marketplace Charged In
First Ever Digital Asset Insider Trading Scheme, The United
States Attorney’s Office Southern District of New York (June 1,
2022), https://www.justice.gov/usao-sdny/pr/former-employee-nft-marketplace-charged-first-ever-digital-asset-insider-trading-scheme.
10. Id.
11. Stamboulidis et al., supra note
4.
12. Lauren Bass & Lynn Tang, Fashion Brands Score
with NFTs, But Market Trends Show Threats Abound, JDSUPRA
(Aug. 29, 2022), https://www.jdsupra.com/legalnews/nft-market-research-published-crypto-9792339/
(Citing to NFTs and Financial Crime, Elliptic (Aug. 24,
2022), https://www.elliptic.co/resources/nfts-financial-crime?utm_campaign=NFT%20Report%202022&utm_content=218984818&utm_medium=social&utm_source=twitter&hss_channel=tw-1344645140).
13. NFTs and Financial Crime, supra
note 12.
14. NFTs and Financial Crime, supra
note 12; Ian Talley, Islamic State Turns to NFTs to Spread
Terror Message, Wall Street Journal (Sept. 6, 2022), https://www.wsj.com/articles/islamic-state-turns-to-nfts-to-spread-terror-message-11662292800.
15. Talley, supra note 14.
16. Id.
17. Id.
18. Id.
19. Crime and NFTs: Chainalysis Detects Significant
Wash Trading and Some NFT Money Laundering In this Emerging Asset
Class, Chainalysis (Feb. 2, 2022), https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-nft-wash-trading-money-laundering/.
20. Misyrlena Egkolfopoulou and Bloomberg, OpenSea
reimburses users $1.8 million after bug led them to accidentally
sell their NFTs at deep discounts, Fortune (Jan. 28, 2022), https://fortune.com/2022/01/28/opensea-reimburses-users-1-8-million-bug-sell-nfts-bored-ape-yacht-club/.
21. Brian Quarmby, Researchers find security flaw in
Rarible: Users could have lost all their NFTs, COINTELEGRAPH
(April 14, 2022), https://cointelegraph.com/news/researchers-find-security-flaw-in-rarible-users-could-have-lost-all-their-nfts.
22. Id.
23. Today’s Cryptocurrency Prices by Market
Cap, COINMARKETCAP (last visited Oct. 25, 2022), https://coinmarketcap.com/.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
