NFTs (non-fungible tokens) seem to be everywhere these days. Even Gamestop entered the NFT marketplace, allowing gamers to buy and sell these digital tokens. Some even get a celebrity endorsement, like Brie Larson. So let's first discuss the basics of NFTs.
What is an NFT?
An NFT, or non-fungible token, is a blockchain-minted digital asset class unique enough to be considered a genuinely individual item in all but the physical capacity. Meta has its own NFT beginner's guide and uses the example of the Mona Lisa to describe an NFT. Of course, there's only one Mona Lisa in the world. Similarly, with NFTs, there's one of each, even if it's digital.
How is an NFT created?
NFTs are created through a process called "minting." This process is done so that a unique signature makes it one-of-a-kind and unable to be replicated. (As in, if someone took a screenshot of it, it wouldn't be authentic because it's missing its unique signature.) Once created, the NFT is stored on a blockchain. From there, creators or owners of each NFT can sell, trade, or purchase these unique tokens through marketplaces using one of the forms of cryptocurrencies.
The emerging risks of NFT fraud
With this high-profile billion-dollar industry, there comes the opportunity for fraudsters to enter marketplaces and take advantage of a growing market of consumers. Many consumers are purchasing NFTs for the first time. As a result, they may not be aware of the fraud risks associated with these marketplaces. Many known scams to watch out for depend on end-users not knowing the true capabilities of blockchain technology or being unaware of the legalities or lack thereof associated with these transactions.
Especially in the cryptocurrency world, where the culture of anonymity is paramount, it's increasingly tricky to deduce genuine NFTs from counterfeit ones.
Now, let’s discuss the most common types of NFT scams, how consumers can protect themselves, and how business can defend their sites against fraud.
Common Types of NFT Fraud
Generally, phishing relies on convincing even tech-savvy users that an email or web address link is legitimate. In July 2022, news broke of a spear-phishing attack on a popular NFT marketplace, Axie Infinity, where a reported $540 million was lost. How did this happen undetected before scammers stole hundreds of millions of dollars? This case is a consequence when one of these marketplaces lacks an anti-phishing strategy as part of its security methods.
The bad actors utilized sophisticated social engineering via email. One person had received an email from an organization they knew and were in previous contact with, and to some extent, trusted the sender or domain of the email. It contained a malicious PDF attachment that once downloaded, installed spyware on the company. They could then access private keys (private keys act as passwords to blockchain nodes) to four nodes within Axie Infinity. Once they had access, they could pay themselves in Ethereum and US currency.
Spear-phishing specific owners/users
Spear-phishing attempts most certainly do not stop at targeting only the marketplaces. Fraudsters are creating highly sophisticated phishing scams targeting even high-profile NFT owners. Including celebrity Seth Green, who was recently the target of a sophisticated phishing scam.
Green, the owner of several "Bored Ape Yacht Club" NFTs, fell victim to a phishing site. Fraudsters created a clone site of another NFT collection site and obtained the four NFTs in question by tricking Green into filling in his account credentials. It wasn't until the fraudsters resold them did he make progress on uncovering the missing NFTs.
Privacy standards differ depending on the cryptocurrency used. In this particular example, Ethereum was the cryptocurrency exchange. Since identities are anonymous in Ethereum transactions, Green could not see who stole them. However, the good news here is while Ethereum transaction participants are anonymous, the transaction action itself is public for anyone to see. So he was able to see they were purchased from the scammers by an unsuspecting third party. (If you want to understand the technical details of these transactions, I highly recommend Ethereum's official documentation.)
From there, they were able to confirm the art in question was the stolen NFTs, and with the help of a third-party NFT researcher, Seth Green ultimately was able to track down the third-party purchaser, reclaim the NFTs, and resolve the theft.
Counterfeit & Non-Existent NFTs
Even with unique signatures for each digital token, counterfeit NFTs have started taking over legitimate marketplaces. A fake non-fungible token is commonly when someone sells an art piece that is not the artist's original creator. Most of the time, the artist doesn't offer NFTs of their work, making it somewhat easier to impersonate the artist on marketplaces. One extreme, yet becoming an all too common example, is the story of one artist who has had over 86,000 counterfeit NFTs created of her artwork so far.
Counterfeit NFTs happen in a few different ways. The most notable is a method of minting called "lazy minting," allowed in some marketplaces such as OpenSea. Lazy minting is explained much more in-depth (complete with code examples!) on NFT School, which you can find here. So, from a high-level, instead of minting the NFT before purchase, on some marketplaces, you can list and sell an unminted NFT and roll the minting fees into the transaction cost. But, of course, this means the NFT isn't minted until the time of purchase. By lazy minting, scammers avoid the financial burden of minting fees for counterfeit NFTs and can list as many counterfeit items as they want.
To combat counterfeits, some NFT marketplaces have enacted new user verification policies, like Rarible, where they process thousands of manual verification requests daily.
This NFT scam has a few names, including AirDrop and Giveaway Scam. Still, it is essential when a fraudulent person claims to own an NFT and wants to give it away.
Here's how it generally works: They'll run a giveaway on social media, often through an impersonation account. Then, when it's time to deliver the NFT to the winning individual, they'll ask the winner to connect their cryptocurrency account, including their secret key or seed phrase. Now that the scammer has access, they can take over the account and transfer the cryptocurrency balance out of the account.
Reminder: In many cases, cryptocurrency is some combination of anonymous and untraceable, so the giveaway winner-now-victim can lose their entire wallet without any way of finding the perpetrator.
Other types of NFT fraud
We've covered only a few of all the possible types of NFT fraud - there are many other methods including bidding, investor, pump and dump scams, and most recently, phishing using highly sophisticated fake Discord servers. And unfortunately, more are emerging every month—all novel attempts to defraud users and marketplaces out of their cryptocurrency.
However, we do want to offer a few prevention and detection strategies to both those looking to purchase, trade, or sell NFTs, as well as businesses providing a safe, legitimate marketplace.
How consumers can protect against NFT fraud
Our top tips may not seem that far off from tips you might see for online transactions and email phishing scams. Bidding on andpurchasingNFTs may seem daunting and unsafe, but taking a few actions to keep your information safe and secure, can go a long way.
Keep your secret keys private.
Just like passwords, only you and your secure password manager should know your cryptocurrency secret keys and passwords to related services. We recommend turning on multi-factor authentication since these cases highly warrant an extra layer of security.
Be aware of suspicious links and messages.
Only click links and converse with verified users when discussing NFTs anywhere. That includes email, social media, and file transfers. Any link that takes you to an unknown website or requires you to download a file or PDF could contain malicious software, like spyware, giving scammers access to your devices and files. As mentioned above, scammers go to great lengths to be successful at their scams, including entire clone sites to capture NFTs or cryptocurrency wallet information.
A few things to look out for in a phishing email include incorrectly spelled email domains and poorly formatted email copy. There are a few more things you can keep an eye out for when opening unknown emails.
Verify NFT ownership before purchase
Make sure that you purchase NFTs, lazy or fully minted, from marketplace-verified sellers. Check the owner's transaction history, cross-check the prices of the NFTs, and search the NFT on a search engine before purchase to ensure you are getting the real deal.
Only shop on reputable marketplaces
There are many NFT marketplaces; do your research before joining one. Look at reviews and previous sales before joining and especially before giving them any of your information.
Marketplaces and Collection Sites: Adopt a device identification solution
Accurately identifying users is key to detecting and preventing NFT fraud. Manual user verification is time-consuming, inaccurate, and prone to costly errors.
By adopting a passive device identification solution, such as Fingerprint Pro, you can verify unique users with 99.5% accuracy. This is done without compromising a user's anonymity either. Our VisitorID allows teams to implement additional authentication for only the most suspicious logins, purchases, and transfers - and requires no further information from your users.
In the emerging world of blockchain, cryptocurrency, and NFTs, having a basic understanding of the associated risks can help save time and money and preserve hope that one day you will become the owner of one of the most valuable NFTs like Doge.