NFTs, the new playground for cybercriminals

Cybercriminals are actually « quite predictable. » After cryptocurrencies, they have made NFTs their new playground. The incredible craze surrounding non-fungible tokens could not fail to arouse their interest. These certificates of ownership of digital objects—photos, drawings, videos, etc.—registered in a blockchain and exchangeable for virtual currencies are the subject of a true speculative bubble.

According to Chainalysis, a minimum of $44.2 billion was spent on NFTs last year, compared to just $106 million in 2020. While NFTs were originally designed to allow creators to make a living from their art without going through intermediaries, their popularity has quickly spread beyond the artistic sphere to a wider audience.

All content is now NFT-able: from the virtual Easter egg hunt at the Cité des Sciences et de l’Industrie to Will Smith’s slap in the face to Chris Rock at the last Oscars. In Japan, e-tailer Rakuten has created its NFT marketplace and the CEO of Amazon recently said he was open to selling NFTs. The profile of the NFT owner has also changed. Young geeks are giving way to investors attracted by the lure of money.

New technology but traditional threats

Although NFT technology is supposed to offer an unfalsifiable certificate of authenticity, it is still vulnerable to commonplace threats, as a blog post by Tehtris reminds us. Nathalie Granier, a cyber content specialist for this French cybersecurity company, observes that « hackers use several techniques that they tend to combine. »

First of all, they exploit the vulnerabilities of NFT platforms. « They have been created recently and present themselves as online shopping platforms without necessarily having taken security into account when designing them, » continues Nathalie Granier. In January, a listing bug on the OpenSea marketplace led to the theft of NFTs worth at least $1.3 million. In the same month, Lympo, an NFT sports platform, was hacked for $18.7 million.

More typically, account spoofing allows cybercriminals to take possession of and resell certificates of authenticity that do not belong to them. In March 2021, Nifty Gateway users reported that their accounts had been compromised and their NFT collections stolen. Another common technique is typosquatting, which involves creating fake sites that look exactly like legitimate ones. Users of the Rarible platform have been victims of this.

Holders are also subject to phishing campaigns. « They are invited by the technical support of an NFT platform to change their password or to connect to their account to confirm a transaction or sign a contract, » illustrates Nathalie Granier. Smartphone hacking, also called SIM swapping, is used to take control of social media profiles.

Price manipulation and money laundering

There are risks to the authenticity of NFTs. Fake advertisements are circulating on instant messengers and social media such as Discord, Instagram or Twitter, or sometimes even fake tokens. An investor thought he was getting a good deal on the first NFT signed by the famous creator Banksy, but was scammed out of more than $300,000.

In the so-called « rug pull » technique, a malicious person creates an NFT project out of thin air with the sole purpose of defrauding unwary investors. In March, the U.S. Department of Justice charged the creators of the « Frosties » NFT collection with fraud and money laundering.

Cybercriminals can be both buyers and sellers to up the bidding and artificially increase the price of NFTs. Bots—known as scalpers—are used to automate this price manipulation. In its study, Chainalysis observes a growing trend in this « wash trading, » i.e. « the execution of a trade in which the seller is on both sides of the transaction in order to paint a misleading picture of the value and liquidity of a crypto asset. »

Chainalysis points to another drift: money laundering. According to the company specialising in blockchain analysis, this scourge skyrocketed in the third quarter of 2021, exceeding $1 million. However, it remains an epiphenomenon when compared to the $8.6 billion laundered in cryptocurrencies last year.

Hygiene rules and points to watch out for

How should NFT owners protect themselves in the face of increasing threats? According to Nathalie Granier, they must follow hygiene rules such as not opening a malicious link or a suspicious attachment in an email, a social network message, or an SMS. They should choose a strong password (12 characters) or, better still, use multi-factor authentication. They are advised not to store cryptoassets on a computer or a memory stick and to rather use dedicated cloud spaces or secure physical wallets such as those offered by Ledger.

For Kim Grauer, Director of Research at Chainalysis, it is also important to check the legitimacy of the selling platform and to ensure the identity of the seller. « Users should never deal with NFTs that are not verified and thus do not have a blue checkmark. » On a more basic level, an image recognition tool can detect crude fakes. There are also sites—such as BitDegree, Moby, or Rarity.Tools—that track NFT collections.

Lastly, the NFT market will be cleaned up by regulation, as pirates are currently taking advantage of a certain regulatory loophole. « For example, law governing intellectual property or gambling could be applied, » says Nathalie Granier. Similarly, Kim Grauer believes that the future of the NFT market will depend on institutional regulation of the market. She notes that things are moving in that direction. The Financial Action Task Force (FATF)—an intergovernmental body that fights money laundering and the financing of terrorism—has recently published its guidelines. In the U.S., the Financial Crimes Enforcement Network (FinCEN) may consider treating some NFTs as « currency substitutes. » « This would make the technology subject to anti-money laundering and anti-terrorist financing laws, » says Kim Grauer. For its part, the European Union is making progress on its draft regulation entitled « Markets in Crypto-Assets », also known as MiCA, which aims to regulate the crypto-asset markets.