The continued growth of the market for nonfungible tokens (NFTs) in 2022 has helped shape the zeitgeist of what has been referenced colloquially by some as the “fourth industrial revolution,” defined largely by network effect (e.g., virality); rapid innovation; social, creative and civic engagement; and evolved perspectives with regard to how rights and obligations between and among parties to automated agreements are defined and enforced.
Commonly used to identify and affix identifiable rights to otherwise fungible digital media files, NFTs, along with other cryptographic assets and blockchain technology generally, compose the infrastructure required to facilitate transactions between and among anonymous or pseudonymous counterparties without involvement by third-party intermediaries, such as banks. As a result, the nonfungible (unique) nature of NFTs has revolutionized conceptions of digital property ownership by demonstrating that digital property is not only real but has intrinsic value, similar to real property.
Consumers spent up to $44 billion on NFTs in 2021 and are on track to spend at least as much, if not double, in 2022. But while demand for NFTs continues to grow, unsuspecting consumers risk being exposed to a variety of novel security risks associated with the burgeoning digital asset technology and ecosystem. For example, between 2021 and 2022, such risks have manifested in the theft of over $100 million in NFTs through scams – with 4,600 NFTs stolen in July 2022 alone – demonstrating that security and other risks associated with NFTs remain prevalent, even in the wake of the recent digital asset market downturn. This alert will explore some of the more common security incident typologies and other illicit activities involving NFTs and propose strategies for mitigating these risks.
Phishing Scams and Hacks
Phishing unsuspecting NFT enthusiasts and newcomers continues to be a popular fraud scheme deployed by online hackers and fraudsters, who have successfully robbed thousands of consumers by imitating or hacking digital forums, websites and social media accounts of well-known NFT projects to lure unsuspecting victims into purchasing counterfeit NFTs. In one instance, hackers breached an immensely popular NFT collection’s official social media page and shared links to a fake airdrop. Followers who clicked on the fraudulent links were lured into connecting and authorizing access to their digital wallets, unknowingly allowing the hackers to siphon all funds therein. Fraudsters targeted another highly anticipated NFT launch by using fake websites and usernames on a popular social messaging platform to communicate fraudulently with unsuspecting enthusiasts and induce them into purchasing counterfeit NFTs. Confusing purchasers by making them believe they are communicating with the brand is a dangerously simple and effective way to deceive victims. Such transactions, once effectuated, cannot be undone. NFT purchasers should remain vigilant and take precautions, such as double-checking marketplace URLs and other brand social media channels for relevant updates before finalizing any purchases. Likewise, brands and digital asset marketplaces can publish notices and disclosures warning consumers of such risks and preparing them on how to respond to the same.
NFT marketplaces are also vulnerable to insider trading, where employees use insider information to purchase exclusive NFTs before they are available to the public and then sell them for a profit once prices spike. The U.S. Department of Justice (DOJ) recently indicted a former NFT marketplace employee and his associates on charges of wire fraud and money laundering “in connection with a scheme to commit insider trading.” The DOJ alleged that the former employee used confidential information about certain NFTs selected for promotion by the NFT marketplace in order to purchase them in advance and benefit from the corresponding increase in value of the NFTs post-promotion.
To prevent insider trading, NFT marketplaces can implement formal policies that articulate prohibited conduct, provide training for employees, monitor purchases and sales, require periodic reporting, create blackout periods for employee transactions, provide anonymous reporting hotlines, and create firewalls. Such policies should be created in advance to educate employees about the legal risks associated with insider trading activities and prevent insider trading from occurring.
Money Laundering and Financing Illicit Activities
“The NFT market is a prime target for financial crimes, including money laundering, terrorist financing and scams,” according to blockchain analytics firm Elliptic, which recently reported that over $8 million in illicit funds has been laundered through NFT marketplaces since 2017. One method of laundering – “self-laundering” – is particularly prevalent and involves individuals purchasing NFTs with illicit funds then generating subsequent repeated transactions with themselves or related parties through numerous unique public keys to “clean” the funds by obfuscating the flow of transactions, and thus their association with criminal activity, by the end of the cycle.
NFTs may also be associated with corrupt financing activities because of characteristics inherent in NFTs that can be leveraged to facilitate crimes. Such characteristics include varying levels of anonymity available to blockchain transactors and the ability to instantaneously settle transactions worldwide. For example, blockchain analysts and intelligence officials noticed that the Islamic State of Iraq and Syria (ISIS) used NFTs for recruiting and funding, and that the ISIS-themed NFT was visible on at least one NFT trading website. This recent finding illustrates the viability of using NFTs to fund illicit activities, not only because of their fundraising capabilities but also because their indelible nature makes them nearly impossible to remove or censor, unlike other online recruiting and messaging tools.
Exchanges and NFT marketplaces can take actions to prevent money laundering, such as implementing adequate know-your-customer and anti-money-laundering procedures, monitoring trading and Internet-protocol activity among users, and prohibiting and removing content associated with illicit activity. However, since NFTs are recorded on an immutable blockchain, they will be difficult (if not impossible) to eliminate entirely.
As they have done with self-laundering, bad actors have found ways to manipulate NFT marketplaces by artificially increasing the value of certain NFTs through “wash trading” – the practice of creating high trading volume to manipulate market prices in one’s favor. Wash trading creates the illusion that an NFT is in high demand, when in reality the transactions all emanate from one individual, or among related individuals, using different wallets to obscure the fact that such transactions are related. This type of fabricated demand can lead unsuspecting buyers to believe an NFT is more valuable than it actually is and can be highly lucrative for those who engage in such unlawful acts. For example, one report found that wash trading netted dozens of traders approximately $8.9 million combined.
Although such practices can be difficult to ascertain, consumers should be wary of them before purchasing NFTs. NFT purchasers should pay close attention to social media activity and engage in other diligence activities to determine whether a particular NFT is indeed highly valued. Marketplaces and brands can also take measures to protect consumers by engaging blockchain analytics tools to monitor NFT transaction activity to identify and block efforts by bad actors attempting to engage in wash trading.
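The kind of transaction monitoring described above for wash trading, which applies equally to the self-laundering pattern described earlier, is shown in the following added example (it is not part of the original alert and is not any analytics vendor's method). The wallet addresses, token names, sale records and the funding map used to link wallets are constructed, and the two heuristics (a shared funding source, and a token returning to a prior holder) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real on-chain records).
# FUNDING: wallet -> wallet that first funded it (an assumed linkage signal).
FUNDING = {"0xA1": "0xF0", "0xA2": "0xF0", "0xA3": "0xA2",
           "0xB1": "0xE9", "0xC1": "0xD7"}
# SALES: (token_id, seller, buyer, price_eth), in chronological order.
SALES = [
    ("nft-7", "0xA1", "0xA2", 1.0),
    ("nft-7", "0xA2", "0xA3", 4.0),
    ("nft-7", "0xA3", "0xA1", 9.0),
    ("nft-7", "0xA1", "0xB1", 12.0),
    ("nft-3", "0xB1", "0xC1", 2.0),
]

def cluster_wallets(funding):
    """Union-find: wallets joined by a funding link share one cluster root."""
    parent = {}
    def find(w):
        parent.setdefault(w, w)
        while parent[w] != w:
            parent[w] = parent[parent[w]]  # path halving
            w = parent[w]
        return w
    for wallet, funder in funding.items():
        parent[find(wallet)] = find(funder)
    return find

def flag_wash_trades(sales, funding):
    """Return {token_id: report} for tokens with related-party or round-trip sales."""
    find = cluster_wallets(funding)
    seen_holders = defaultdict(set)
    stats = defaultdict(lambda: {"suspect": [], "suspect_volume": 0.0,
                                 "total_volume": 0.0})
    for token, seller, buyer, price in sales:
        s = stats[token]
        s["total_volume"] += price
        seen_holders[token].add(seller)
        related = find(seller) == find(buyer)       # same funding cluster
        round_trip = buyer in seen_holders[token]   # token goes back to a prior holder
        if related or round_trip:
            reason = "related wallets" if related else "returns to prior holder"
            s["suspect"].append((seller, buyer, price, reason))
            s["suspect_volume"] += price
    return {t: s for t, s in stats.items() if s["suspect"]}

if __name__ == "__main__":
    for token, s in flag_wash_trades(SALES, FUNDING).items():
        share = s["suspect_volume"] / s["total_volume"]
        print(f"{token}: {len(s['suspect'])} suspect sales, {share:.0%} of volume")
```

A flag from either heuristic is a lead for review rather than proof, since unrelated wallets can share a funding source such as an exchange withdrawal address.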
Platform vulnerabilities and exploits can cause significant financial loss to platform users. A recent example of this occurred when a large global NFT platform unwittingly facilitated sales of “inactive” NFT listings to savvy buyers who realized that sophisticated NFT holders frequently transfer blue-chip NFTs to other wallets they control instead of de-listing them (which would require manual cancellation for a fee). By transferring the NFT between wallets, the NFT holders were able to remove the public listing and avoid the fee associated with its cancellation.
However, this process merely updated the listing from “active” to “inactive,” allowing knowledgeable buyers to purchase the inactive NFTs via the smart contract instead of the exchange platform’s user interface. According to reports, one popular NFT platform had to reimburse up to $1.8 million to users who unknowingly sold their NFTs at prices far below market value because of the platform’s user interface issue.
Security flaws can also be found within the back-end architecture of NFT marketplaces, which, if left unaddressed, can lead to significant losses to marketplace users. For example, one popular NFT marketplace was recently prompted to update its back-end coding to fix a security flaw identified by a third-party security firm. Had malicious actors observed and exploited the back-end vulnerability, they would have been able to send NFT owners malicious links that, when clicked, would potentially grant full access to users’ wallets and the NFTs or other digital assets located therein.
While these particular exploits were addressed in one instance after the fact, and in another instance before any exploit occurred, NFT marketplaces are on notice of the need to plan and design products and user interfaces that shield consumers from inadvertent risk exposure.
Billions of dollars’ worth of fungible and nonfungible digital asset transactions occur daily. As such, users and platforms must remain vigilant to protect themselves from scams, hacks and other unlawful activity and implement measures to minimize these risks. BakerHostetler’s Blockchain Technologies and Digital Assets and Data Security Incident Response teams are composed of dozens of experienced individuals – including attorneys who have served in the DOJ and numerous others – with extensive experience across all sectors of the blockchain and cryptocurrency markets, from investigations, incident response and cybersecurity, Bank Secrecy Act/anti-money laundering compliance, tax, privacy, transactions, intellectual property, and media and technology design to federal legislation, congressional oversight, investigations and public policy. Please feel free to contact any of our experienced professionals if you have questions about this alert.
By Veronica Reynolds, Robert A. Musiala Jr., Sally Kim, and Reem Chehade.
Darryn Pollock, The Fourth Industrial Revolution Built On Blockchain And Advanced With AI, Forbes (Nov. 30, 2018), https://www.forbes.com/sites/darrynpollock/2018/11/30/the-fourth-industrial-revolution-built-on-blockchain-and-advanced-with-ai/?sh=6b90751f4242.
Report Preview: The 2021 NFT Market Explained, Chainalysis (Jan. 13, 2022), https://blog.chainalysis.com/reports/nft-market-report-preview-2021/.
 Tom Mitchelhill, NFT Collectors Sent $37B to Marketplaces in 2022, Nearly Equaling 2021 Already, Cointelegraph (May 6, 2022), https://cointelegraph.com/news/nft-collectors-sent-37b-to-marketplaces-in-2022-nearly-equaling-2021-already.
 More Than $100 Million Worth of NFTs Have Been Stolen in the Past Year as Crypto Scams Continue to Rise, Artnet News (Aug. 25, 2022), https://news.artnet.com/market/rise-of-nft-thefts-report-2165338; George Stamboulidis, Christina Gotsis, Jordan Silversmith and Robert Musiala, Combatting Fraud and Corruption in the NFT Market, BakerHostetler (Aug. 30, 2022), https://www.bakerlaw.com/files/blockchain/6-Combatting%20Fraud_p06.pdf.
 More Than $100 Million Worth of NFTs Have Been Stolen in the Past Year as Crypto Scams Continue to Rise, supra note 4; Stamboulidis et al., supra note 4.
 Zhiyuan Sun, Bored Ape Yacht Club NFTs Stolen in Instagram Phishing Attack, Cointelegraph (Apr. 25, 2022), https://cointelegraph.com/news/bored-ape-yacht-club-nfts-stolen-in-instagram-phishing-attack.
 Playboy Enters. Int’l v. www.playboyrabbitars.app, 21 Civ. 08932 (VM) (S.D.N.Y. Nov. 13, 2021),
 Stamboulidis et al., supra note 4.
 Former Employee of NFT Marketplace Charged In First Ever Digital Asset Insider Trading Scheme, The United States Attorney’s Office Southern District of New York (June 1, 2022), https://www.justice.gov/usao-sdny/pr/former-employee-nft-marketplace-charged-first-ever-digital-asset-insider-trading-scheme.
 Stamboulidis et al., supra note 4.
 Lauren Bass & Lynn Tang, Fashion Brands Score with NFTs, But Market Trends Show Threats Abound, JDSUPRA (Aug. 29, 2022), https://www.jdsupra.com/legalnews/nft-market-research-published-crypto-9792339/ (Citing to NFTs and Financial Crime, Elliptic (Aug. 24, 2022), https://www.elliptic.co/resources/nfts-financial-crime?utm_campaign=NFT%20Report%202022&utm_content=218984818&utm_medium=social&utm_source=twitter&hss_channel=tw-1344645140).
 NFTs and Financial Crime, supra note 12.
NFTs and Financial Crime, supra note 12; Ian Talley, Islamic State Turns to NFTs to Spread Terror Message, Wall Street Journal (Sept. 6, 2022), https://www.wsj.com/articles/islamic-state-turns-to-nfts-to-spread-terror-message-11662292800.
 Talley, supra note 14.
 Crime and NFTs: Chainalysis Detects Significant Wash Trading and Some NFT Money Laundering In this Emerging Asset Class, Chainalysis (Feb. 2, 2022), https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-nft-wash-trading-money-laundering/.
 Misyrlena Egkolfopoulou and Bloomberg, OpenSea reimburses users $1.8 million after bug led them to accidentally sell their NFTs at deep discounts, Fortune (Jan. 28, 2022), https://fortune.com/2022/01/28/opensea-reimburses-users-1-8-million-bug-sell-nfts-bored-ape-yacht-club/.
 Brian Quarmby, Researchers find security flaw in Rarible: Users could have lost all their NFTs, COINTELEGRAPH (April 14, 2022), https://cointelegraph.com/news/researchers-find-security-flaw-in-rarible-users-could-have-lost-all-their-nfts.