NFT Theft: Here’s How the Dark Side of Web3 Gets Away With It
How do NFT thieves get away with heists in the millions (or even billions) of dollars, in plain sight? Crypto transactions happen on the public ledger, so finding the culprit should be simple. Despite this, NFT thieves are nearly impossible to catch.
Part of the problem comes with the territory, since successful NFT scammers and thieves live on the cutting edge of the space. But there are deeper reasons for this than simply being familiar with the space — and examining the deeper story could help all of us better shield ourselves from future onslaughts.
NFT theft, high art, and ‘celebrity victims’
The most expensive NFT thefts targeted high-profile NFTs like Bored Ape Yacht Club, Mutant Ape Yacht Club, and Moonbirds. The high prices and popularity of these NFTs have left many with crushing losses.
- Art gallery owner Todd Kramer lost roughly $2.2 million in NFTs.
- Cameo co-founder Steven Galanis lost more than $200,000 in NFTs and crypto.
- Actor Seth Green lost four NFTs and bought one back for $269,000 to secure rights to use it in his new TV show White Horse Tavern.
The list of stolen NFTs is far longer than these celebrity examples, but the consistent thread is that few get their NFT back.
How NFT thieves get away with it
The mechanics of pulling a heist are relatively straightforward. More often than not, a theft begins with a phishing attack and ends by mixing crypto and making a withdrawal. These are the main steps a thief is likely to take:
- Get access to (or power over) the victim’s online crypto wallet
- Transfer NFTs and crypto from victim’s wallet to own wallet
- Sell NFTs at a low price to ensure fast exchange
- Send cryptocurrency from the thief’s wallet through a crypto mixer
- Withdraw mixed crypto to a third wallet, blurring the tracks (more on this below)
Let’s take a deeper look at the first step in that process; then we’ll dive deeper into why the transparency of Web3 doesn’t help catch thieves.
How NFT thieves gain access to your crypto wallets
Trusted NFT marketplaces work hard to keep a high level of security and defend their customers against thieves. So far, they’ve mostly been able to keep hackers out. But thieves and hackers have successfully implemented other strategies via social media, emails, and fake websites.
These are the most common NFT theft strategies. We’ll unpack them next.
- Classic phishing attacks via email
- Phishing attacks via social media and forums
- Ice phishing – exploiting smart contracts
- Marketplace bugs and security flaws
The classic phishing attack via email
Most internet users know about phishing attacks — especially via email. They start with an email designed to look like it’s from a bank, postal service, or another service provider.
The message contains an urgent request to click a link, complete a payment, or reset a password. Clicking the link reroutes you to a site designed to look like the real deal and lures you into sharing your username and password. NFT phishing attacks have ranged from classic requests for password updates to exclusive and (of course) limited-time offers of free tokens — known as airdrops.
The fake site is often made to look as close to the official marketplace as possible. This includes the technique called typosquatting, where the URL is close to the targeted platform’s URL. This way, the thieves increase their chances of getting new victims via organic traffic that doesn’t notice the subtle typos. Like classic phishing attacks, this approach gives NFT thieves access to their victims’ wallets, which are then emptied out according to the approach above.
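A link check for the typosquatting described above, as an added example that is not part of the original article: it compares a link's domain against an allowlist and flags near-misses instead of relying on the eye to catch them. The `TRUSTED` list, the function names and the sample links in the usage note are assumptions made for illustration.

```javascript
// Added example. TRUSTED is an assumed allowlist you maintain yourself.
const TRUSTED = ["opensea.io", "metamask.io"];

// Fold common look-alike characters so "0pensea" compares equal to "opensea".
function fold(s) {
  return s.toLowerCase().replace(/rn/g, "m").replace(/vv/g, "w")
    .replace(/0/g, "o").replace(/1/g, "l");
}

// Edit distance counting insert, delete, substitute and adjacent swap as 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1])
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

function classifyLink(link) {
  const host = new URL(link).hostname.replace(/\.$/, "");
  // Naive registrable domain: last two labels (no public-suffix list here).
  const site = host.split(".").slice(-2).join(".");
  if (TRUSTED.includes(site)) return { verdict: "trusted", site };
  for (const good of TRUSTED) {
    const nearMiss = editDistance(fold(site), fold(good)) <= 2;
    // Brand name borrowed as a subdomain or prefix of an unrelated site.
    const borrowed = host.includes(good.split(".")[0]);
    if (nearMiss || borrowed) return { verdict: "lookalike", site, imitates: good };
  }
  return { verdict: "unknown", site };
}
```

With constructed sample links, `classifyLink("https://opensae.io/airdrop")` and `classifyLink("https://opensea.io.claim-drop.example/login")` both come back as `lookalike`, while a link on `www.opensea.io` is `trusted`.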
Phishing attacks via social media and forums
While casting a wide net works well for classic phishing emails, the number of potential victims drops dramatically for NFT thieves. That’s why they also exploit other channels for phishing attacks. This could be one reason why celebrities are among the targets of big NFT heists. In one case, hackers successfully gained access to Bored Ape Yacht Club’s Discord. From there, they spread malicious links to a highly engaged audience of NFT holders.
In less spectacular heists, NFT thieves have posed as support staff for wallet software on Twitter and sent direct messages to identified NFT holders.
Ice phishing for NFTs
As with most things Web3, the possible routes scammers take are as complicated as they are novel. Instead of luring passwords from their victims, sophisticated hackers have set up smart contracts allowing them to empty out the wallets of their victims. This lets hackers avoid security measures like two-factor authentication (more on that below).
In an ice phishing attack, the hacker sets up a smart contract interface to look like it came from a known platform. This could be for an automated liquidity protocol like the one running on Uniswap and SushiSwap. For these to work, users sign smart contracts that let the platforms execute trades on their behalf. Unless the victims are extremely cautious and thorough, they can easily overlook that smart contracts from hackers have an altered address.
An ice phishing attack was even carried out on the DeFi protocol Badger DAO in late 2021. By injecting a malicious script, hackers were able to steal $121 million in just 10 hours. The approach is described in-depth in this article on Ice Phishing attacks by Microsoft Security.
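The altered-address problem described above can be checked mechanically before signing. The following is an added example, not code from the article or from any wallet: it decodes the two standard token approval calls from raw transaction calldata and compares the full spender address against an allowlist, since a shortened address display can hide a substitution. The addresses and the `ExampleSwap` name are constructed, and `approve` is read with ERC-20 semantics.

```javascript
// Added example. Addresses below are constructed, not real contracts.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "a22cb465": "setApprovalForAll(address,bool)", // operator over a whole NFT collection
};
// Assumed allowlist of spender contracts the user has verified out of band.
const KNOWN_SPENDERS = {
  "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d": "ExampleSwap router (hypothetical)",
};
// Shortened form many interfaces display: first and last four hex digits.
const shortForm = (a) => a.slice(0, 6) + "..." + a.slice(-4);

// Build sample calldata: 4-byte selector followed by two 32-byte words.
function encodeApproval(selector, spender, valueHex) {
  return "0x" + selector + spender.slice(2).toLowerCase().padStart(64, "0") +
    valueHex.padStart(64, "0");
}

function reviewApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const signature = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!signature || hex.length < 8 + 128) return { verdict: "not-an-approval" };
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address = low 20 bytes of word 1
  const value = BigInt("0x" + hex.slice(72, 136));  // amount, or the bool flag
  // Zero amount / false flag withdraws permission instead of granting it.
  if (value === 0n) return { verdict: "revocation", signature, spender };
  const unlimited = signature.startsWith("setApprovalForAll") ||
    value === (1n << 256n) - 1n;
  let verdict = "unknown-spender";
  if (KNOWN_SPENDERS[spender]) verdict = "known-spender";
  else if (Object.keys(KNOWN_SPENDERS).some((k) => shortForm(k) === shortForm(spender)))
    verdict = "lookalike-spender"; // same shortened form, different contract
  return { verdict, signature, spender, unlimited };
}
```

A `lookalike-spender` or `unknown-spender` verdict combined with `unlimited: true` is the case to refuse: it hands an unverified contract control over the whole balance or collection.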
Marketplace bugs and security flaws
NFT thieves have also exploited bugs and flexibility in protocols used for NFT smart contracts. One approach similar to ice phishing saw the hackers leave fields of smart contracts empty and fill them out after victims had signed them.
Another approach aimed to exploit a bug in the OpenSea transfer history. While this was not a hack, it showed bad intent. Some users had transferred their NFTs from one wallet to another. According to the coverage by The Verge, users did this in order to avoid paying the gas fees needed to validate transactions on the blockchain.
Since these users hadn’t updated the smart contracts for their NFTs, they opened themselves up to a vulnerability on OpenSea. According to the user interface, the transaction history and gas fees were gone. But the old listing was still active on the blockchain for all to see.
When these users moved their NFTs back to their old wallets for listing, the NFTs were automatically listed at the last price verified on the blockchain.
This resulted in a quick profit of approximately $904,000 worth of ETH in a single day for one OpenSea user with bad intentions. They bought popular NFTs at old prices and sold them on for the current, staggering prices.
This rekindled debates about who’s responsible for what in the decentralized and ungoverned Web3. We’ll get back to that.
Why the transparency of Web3 hasn’t stopped NFT theft
No matter the approach, any thief in the Web3 space needs a solid exit plan. Since every blockchain transaction is publicly listed, getting away with NFT theft takes considerable effort.
Having sold a stolen NFT (collection) and gained cryptocurrency — mostly ETH — an NFT thief has several options:
- Sell crypto for fiat on an exchange as fast as possible
- Transfer ETH to wallets of co-conspirators in exchange for fiat
- Hide their tracks and wait a while
The trail gets harder to follow if NFT thieves successfully trade their crypto loot into fiat currency. From there, they can use the old-school criminal approach of money laundering. Put the dirty money into a legit business and blend it with clean money.
However, Web3 criminals can also mix crypto to make their activities look clean by exploiting Web3 privacy initiatives. Privacy is particularly important to many early Web3 adopters, but NFT thieves and other cybercriminals are known to use these options to cover their tracks. This has led to recent debate about crypto mixers like Blender.io, UniJoin, and in particular, Tornado Cash.
Crypto mixers provide smart contracts that let users deposit set amounts of ETH in pools of up to 60,000 transactions. After a period in escrow, the deposited ETH can be withdrawn to other wallets using a token from the smart contract. The pooling process makes it virtually impossible to track transactions.
Tornado Cash has been linked to staggering amounts of crypto laundering. This led to the United States Treasury Department banning domestic residents from using Tornado Cash and forcing the Tornado Cash website to shut down.
Tornado Cash co-founder Roman Semenov was also banned from GitHub. But the open source mixer protocol can still be run and was even re-uploaded to GitHub by a cryptography professor in order to test the level of free speech on the Microsoft-owned GitHub. So it remains to be seen whether regulation will have a real impact on crypto criminals or just hinder the privacy of everyday users.
How NFT theft challenges the essence of Web3
Until now, the tenet of Web3 has been “code is law.” When a transaction is verified on a blockchain, it’s a fact. This is the basis for Bitcoin, the original peer-to-peer cryptocurrency. And it’s the approach that made it possible to build out Web3 without centralization and regulators.
But with the influx of users with less technical backgrounds, Web3 could be challenged. In most cases of NFT theft and “unintended discounts,” the NFT holders made themselves vulnerable to it.
This might be a sign NFT holders aren’t motivated by a belief in self-determination, accountability, and reading up on the code as part of their research. As regulators and marketplaces try to fight NFT theft, a lack of adaptation among the NFT community could result in changes to the essence of Web3. The signs are already here:
- Celebrity NFT theft victims have pled for interventions
- Regulators have shut down websites and arrested open source developers
- Marketplaces like OpenSea froze accounts and NFTs, and urged victims to contact the police in its stolen item policy
- Popular crypto wallet MetaMask now directly asks users to read the fine print
This could be the beginning of a fork of Web3 as we know it. We might see a host of regulated and more user-friendly initiatives catering to less tech-savvy users. Whether this sounds good to you or not, let’s consider the best ways to avoid NFT theft.
Steps to avoid NFT theft
Most cases of NFT theft were made far more likely by the actions (or inactions) of the NFT holders themselves. This is how to avoid being that person.
Back up your recovery phrase on paper
Sure, you can etch it in stone, too. But make an analog, offline backup of your recovery phrase. Don’t ever put the recovery phrase for your crypto wallet online. Not even as a photo of your handwritten paper backup. Danish tech journalist Nikolaj Sonne had his Bitcoin wallet emptied after his cloud photo album was hacked.
Enable two-factor authentication (2FA)
Stealing your password is one thing. But it’s another kind of heist to secure access to the device you use for the second authentication step. So keep your NFTs safe with a 2FA app like Google Authenticator or a hardware 2FA key like Google’s Titan Security Key.
Store your NFTs offline in cold wallets
Online crypto wallets are called hot wallets. Since they’re connected to the internet, they can be hacked or disappear along with the company behind them. When you move your NFTs and crypto to an offline hardware wallet, they can’t be hacked. Popular cold wallets include Trezor, Ledger, and Ellipal.
Secure your community with Web3 authentication
Gating content is becoming increasingly important as the NFT community evolves. Secure multi-tier access is essential for ensuring that only the right people can access content around your NFT. Over at SlashAuth, we can easily secure this aspect of NFT ownership from would-be thieves.
Thieves are likely to keep getting away with it
The sad truth is that NFT theft is likely to remain a phenomenon for some time to come. Some developments offer hope for greater security, but the likelihood of the community rejecting them or thieves overcoming them is also great. We’re likely to see more regulation and governance introduced to the space in the future, but it’s expected to come at the cost of privacy. For many, it may not be worth the price.
New initiatives like an NFT authenticator from Verasity are also being created. These may prove to be a big step forward for user security, but may simply force thieves to find new ways to exploit owners.
Ultimately, protecting assets comes down to the individual. We all need to do our best to protect our own stuff, which is a sentiment broadly true across all of Web3. The best you can do is stay alert, aware, and on top of the Web3 security measures discussed above.
Editor’s note: This article was written by Nic Salhuana, co-founder of SlashAuth.