Over $100 million worth of non-fungible tokens were stolen in various scams between January and July this year, according to a new report from blockchain analytics firm Elliptic. The thieves got away with an average of $300,000 per scam.
“The most valuable NFT ever stolen is CryptoPunk #4324, which was sold by scammers shortly after the theft on November 13, 2021 for $490,000,” Elliptic reports. “Meanwhile, the single largest heist of an individual victim resulted in the loss of 16 prime NFTs worth $2.1 million on December 28, 2021,” the report said.
Elliptic collected the data on NFT scams through open source research on major social media sites. All thefts included in the report were (a) reported stolen on social media, (b) showed a clear pattern of theft based on Ethereum transactions, and (c) occurred between July 2021 and July 2022.
The report describes the various scams tricking crypto art collectors. Phishing scams, in which users accidentally share their cryptocurrency wallet credentials, are the most common. Fraudsters can achieve this by squatting domains on similar website names or hacking the owner’s social media accounts. In one of the most high-profile cases, $3 million worth of NFTs were stolen from Yuga Labs’ Bored Ape Yacht Club after an Instagram hack.
“Scammers have also been known to pay to advertise their sites on search engines,” the Elliptic report states, “meaning that unwitting people searching for the spoofed NFT platform will see a slew of phishing links at the top of their search results”.
In more elaborate scams, a “Trojan” NFT will lure the potential buyer with a “smart contract” or token that will drain their account after being accepted. Elsewhere, a counterfeit NFT that has the same name and image as the unique digital asset can trick someone into a “like-for-like” exchange, in which the scammer receives a valuable NFT but leaves a fake without value.
Elliptic notes that 52% of the NFT scammers it tracked used the Tornado Cash service to launder their loot. The service, which was on a US sanctions list this month, “was the source of $137.6 million in crypto-assets processed by NFT markets,” the report notes, adding, “Its prolific use by Threat actors engaging with NFTs further highlights the need for effective sanction screening by NFT platforms.