The prevalence of scammers in online NFT communities remains a key issue for traders and marketplaces, and can result in millions of dollars’ worth of asset losses with a few seconds of complacency or accidental clicks. Ethereum – the most popular blockchain for non-fungible tokens – constitutes most of the cases and data presented in this section, though examples from other blockchains are also considered.
According to Elliptic, it is difficult to find an NFT server on Discord that does not display a “beware of scammers” message on its introductory channel. The NFT marketplace OpenSea has advised its Discord community to switch off direct messaging due to an “overabundance of scammers”.
Users may find a direct message from a scam bot with a phishing link sent to them mere seconds after joining an NFT-related Discord server.
Most mainstream NFT projects also have “report scams” channels within their servers. These channels have registered over 75,000 messages across select NFT platforms since July 2021, of which 76% were sent in 2022.
Activity across Discord scam report sections across selected NFT-related servers
The Cost of NFT Scams
Elliptic has analyzed over 80 high profile NFT scams reported on social media since July 2021. At least 4,650 NFTs – worth over $50.6 million based on average collection prices on the day of theft – have been stolen in that time period.
14 July 2022 saw over 4,600 NFTs stolen – the highest month on record – indicating that scams have not abated despite the crypto bear market, which has seen the value of NFTs decrease significantly.
According to NFT Market Size Report, the most valuable NFT ever stolen is CryptoPunk #4324, which was sold by scammers soon after the theft on November 13th 2021 for $490,000. Meanwhile, the largest single heist from an individual victim resulted in the loss of 16 blue chip NFTs worth $2.1 million on December 28th 2021.
Emphasizing the persisting problem of scams, Assets #9650 and #5759 in the CloneX collection have been stolen twice in the space of three months – in two unrelated scam incidents – having been worth around $50,000 on both occasions.
Typically, when a scammer drains a victim’s wallet, they will take all assets — including NFTs, ERC-20 tokens and Ether (ETH) – beginning with the most valuable ones.
Although the crypto bear market caused the value of stolen NFTs in June and July 2022 to slump, the number of NFTs stolen reached a new record in July, standing at over 4,600.
These trends emphasize that scams continue to be a growing problem despite market conditions. Prominent collections such as Bored Apes, Mutant Apes, Azuki, Otherside and CloneX constitute the bulk of value lost to scams. Together, these five collections constitute over two-thirds of the stolen NFT value since July 2021.
However, scams of lower-priced NFTs are more likely to go unreported. As hype around the metaverse and virtual real estate continues, prominent virtual land NFT collections such as NFT Worlds and The Sandbox’s LANDs are being increasingly targeted.
Yuga Labs’ Otherside metaverse project – released on May 1st 2024 – already saw NFTs from its collection being stolen just two days after launch.
Value (bars) and number (line) of NFTs stolen by month based on scam type
NFT thefts by collection to July 2022
Elliptic has identified 167 confirmed and publicly reported instances of a theft of Bored Apes — one of the most prized ‘blue chip’ projects — affecting 1.7% of NFTs within this collection.
Across June and July 2022, thefts of valuable NFTs decreased while those affecting lower value early-stage projects rose.
This trend likely partially reflects valuable NFT owners ‘hodling’ their assets throughout the bear market and not engaging as actively with new projects vulnerable to scammer activity.
Phishing scams account for the majority of instances observed. However, more sophisticated variants – such as phishing links deployed through compromised administrator accounts on social media platforms – are increasingly on the rise.
The following sections explore the different types of scams typically affecting the NFT community.
Breakdown of $69.5 million of identified losses based on scam type
NFT Phishing Scams
Phishing scams are possibly the most common scam observed in the NFT community, and perhaps across the wider crypto community as a whole.
They involve fake malicious sites that compromise victims’ cryptoassets in one of two main ways:
- Through a fake pop-up – posing as the login panel of a reputable custodial wallet provider – that steals victims’ wallet information once it is entered.
- Through encouraging victims to inadvertently sign malicious transactions so that scammers, posing as a legitimate NFT project, can steal their NFTs. This makes use of the setApprovalForAll() function in the ERC721 and ERC1155 standards, which allows – with the wallet owner’s approval – others to manage their assets.
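The second route can be caught before signing by decoding the transaction calldata. The sketch below is an added example, not code from Elliptic's report: it recognises a setApprovalForAll(address,bool) call by its 4-byte selector and checks the operator against an allowlist. The allowlist, the sample addresses and the function names are constructed for illustration.

```python
# Added example: pre-signing check for setApprovalForAll(address,bool) calldata.

# First four bytes of keccak256("setApprovalForAll(address,bool)").
SELECTOR = bytes.fromhex("a22cb465")

# Hypothetical allowlist of operator contracts the user has verified, stored
# lowercase (constructed placeholder address, not a real marketplace contract).
VERIFIED_OPERATORS = {"0x" + "11" * 20}


def build_calldata(operator, approved):
    """Build constructed sample calldata the way a dapp would ABI-encode it."""
    addr = bytes.fromhex(operator[2:]).rjust(32, b"\x00")
    flag = int(approved).to_bytes(32, "big")
    return "0x" + (SELECTOR + addr + flag).hex()


def decode(calldata_hex):
    """Return (operator, approved), or None if this is some other call."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)  # raises ValueError on non-hex input
    if data[:4] != SELECTOR:
        return None
    args = data[4:]
    if len(args) != 64:
        raise ValueError("expected two 32-byte arguments")
    if any(args[:12]):
        raise ValueError("address argument has non-zero padding")
    flag = int.from_bytes(args[32:], "big")
    if flag > 1:
        raise ValueError("bool argument is not 0 or 1")
    return "0x" + args[12:32].hex(), flag == 1


def assess(calldata_hex, verified=VERIFIED_OPERATORS):
    """Return (verdict, reason) for a transaction the wallet is asked to sign."""
    try:
        decoded = decode(calldata_hex)
    except ValueError as exc:
        return "block", f"malformed calldata: {exc}"
    if decoded is None:
        return "not-applicable", "not a setApprovalForAll call"
    operator, approved = decoded
    if not approved:
        # approved == false removes an operator, so it reduces exposure.
        return "allow", f"revokes operator {operator}"
    if operator in verified:
        return "warn", f"grants full collection access to verified operator {operator}"
    return "block", f"grants full collection access to unverified operator {operator}"
```

A grant to a verified operator still returns "warn" rather than "allow", because the approval covers every token the wallet holds in that collection until it is revoked.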
To induce clicks, scammers typically play on “fear of missing out” (FOMO). This is particularly prominent among NFT traders due to the rapid appreciation in value of numerous collections throughout 2021. As traders seek to seize opportunities at lower prices, scammers have exploited the frenzy to incite fast and careless purchases.
Phishing links can and have been deployed in numerous ways. As the community at large has become wise to typical direct messaging scams and other generic low-effort attempts, scammers’ methods have gradually become more sophisticated and ingenious.
New developments in the NFT space have also increased the opportunities for how scams can be deployed.
Domain Squatting and Impersonation
One of the most typical phishing methods – prevalent across cyberspace – involves mimicking the site of a well-known NFT platform or market.
These typically use very similar domain names where the difference from the legitimate site is difficult to notice. Scammers have also been known to pay to advertise their sites on search engines, meaning that unwitting individuals searching for the impersonated NFT platform will see a host of phishing links at the top of their search results.
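A link can be screened against a project's verified domain before it is opened or allowed into a chat channel. The following is an added example, not taken from the report: the verified domain sits on a reserved test TLD, the character map is a small illustrative subset, and the two-label registrable-domain rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist on a reserved TLD; in practice this is the project's
# verified domain taken from its official channels.
VERIFIED_DOMAINS = {"coolapes.example"}

# Small illustrative map of digit-for-letter swaps (not a full confusables table).
CONFUSABLES = str.maketrans("0135", "oles")


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels. This is an assumption;
    use the Public Suffix List for multi-part suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def classify(url, verified=VERIFIED_DOMAINS, max_distance=2):
    """Return 'verified', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    reg = registrable(host)
    if reg in verified:
        return "verified"
    # Undo digit-for-letter swaps before comparing against the brand name.
    skeleton_host = host.translate(CONFUSABLES)
    skeleton_label = reg.split(".")[0].translate(CONFUSABLES)
    for good in verified:
        brand = good.split(".")[0]
        # Brand appears anywhere in the host: TLD swap, added suffix, or the
        # verified domain used as a subdomain of an unrelated site.
        if brand in skeleton_host:
            return "lookalike"
        # Near miss on the registrable label: typo or transposed letters.
        if edit_distance(skeleton_label, brand) <= max_distance:
            return "lookalike"
    return "unrelated"
```

The distance threshold suits brand names of roughly eight characters or more; short names need a tighter threshold to avoid false positives.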
Social Media Compromises
Scammers have managed to gain control of social media accounts of popular NFT projects to post phishing links. Vectors for doing so range from technical infiltration techniques to inadvertent mistakes by NFT project admins. Some compromise techniques include:
- Squatting expired invite links of Discord servers
- Exploiting faulty tools used by servers to manage support tickets, verify new joiners or other such processes
- Socially engineering developers to unintentionally hand over their admin credentials
Close to 5,000 NFTs have been stolen through social media compromises, with the practice remaining highly profitable. Between the first and second quarters of 2022, the value of NFTs stolen through such compromises jumped by 386% – from $3.2 million to $15.4 million. NFT security analyst OkHotShot calculated that 71 Discord servers were compromised in May 2022, 99 in June and 101 in July.
Social media compromises are particularly attractive to scammers, as they lend phishing links an appearance of legitimacy. During the compromise, phishing links can be deployed from the NFT project’s official admin account – leading victims to assume that the link is legitimate.
Elliptic has identified a possible link between the surge in NFT social media compromises and the increasing prevalence of available malware-as-a-service (MaaS) designed to compromise social media account login credentials – including multi-factor authentication. Potentially related to this or similar security threats, Yuga Labs – creator of Bored Ape Yacht Club, Otherside Metaverse and other well-known NFT projects – issued a tweet on July 18th, 2022.
More granular and temporal analyses of incidents throughout 2022 further support the possibility of ‘batch’ compromises, where sophisticated malware or exploits are deployed across several servers at the same time – and likely by the same threat actor. For example, on June 10th 2022, 10 Discord servers were compromised on the same day. In contrast, there remain times across mid-2022 when there were no or comparatively fewer incidents.
Percentage of NFTs stolen each week through social media compromises, compared to other scams
Airdrop Phishing Scams
An “airdrop” involves a certain amount of unsolicited new tokens being dropped into a user’s wallet. They may be a legitimate advertisement campaign for new token projects attempting to generate interest. These campaigns are usually frowned upon and viewed either as spam or with suspicion.
Airdrops may also target known celebrity or influencer wallets to generate the illusion that they have the backing of prominent individuals.
NFT scammers have utilized airdrops and the hype surrounding them in two main ways. Firstly, like many other fake social media-based scams, scammers have created malicious websites impersonating legitimate airdrops or entirely fake airdrops of their own. Upon clicking the “claim airdrop” button and connecting their wallet, victims give scammers access to their assets.
A second strategy involves scammers minting worthless NFTs and airdropping them into the wallets of potential victims. The NFT collection will claim that they can be redeemed for money, causing victims to navigate to the scammers’ phishing site and inadvertently sign transactions leading to the draining of their assets. Airdrop scams are not only specific to NFTs and have also been used to deliver phishing links in the wider DeFi community using scam tokens.
Red Flags & Warning Signals
- The site’s URL does not match the verified URL of the NFT marketplace or project.
- The site, social media account or Discord server has spelling or grammatical errors.
- The site’s name resembles a known crypto business, NFT project or financial service.
- The accessed site is slower, looks different or is of lower quality than the original site.
- The accessed site has no SSL certificate.
- A proposed or advertised trade, listing or swap is valued at significantly below the NFT floor price or is too good to be true.
- A communication calls on users to interact with a new minting or airdrop campaign and incites a sense of urgency.
- The contract or wallet seeking access permissions is not the verified address of the NFT project being interacted with.
- A communication has been received through a format that the alleged sender should not have access to (for example an email from an NFT platform to which an email address was never provided).
- There is significant online chatter on social media calling out a certain communication, account or Discord server as a scam.
- There is no online chatter pertaining to or confirming a call to action by an unsolicited message/email that urges users to access a site or change contract permissions.
- An identical email is sent out soon after one has been received by a verified NFT marketplace or platform.
- Sites where internal links – to “terms and conditions”, “contact us”, “documentation” or “roadmap”, for instance – do not link to any pages.
- Contract being granted permissions does not have the trading volume that would typically be expected from an NFT project of its size.
- Twitter accounts or Discord servers do not have the number of followers typically expected for the NFT collection or platform.
- An unsolicited NFT has been airdropped into a wallet, claiming that it can be redeemed for rewards on a certain site.
- Apparent prominent celebrities or known influencers – with little previous engagement in crypto – promoting airdrops or new NFT projects.
- Several tweets from numerous different individuals repeating the same or similar advertisement for a certain site.
- Sites offer very detailed instructions on how to connect wallets but little other information about their alleged project or other details.
- A Discord server has suddenly brought in a new verification service or tool fulfilling a basic function without any particular explanation or obvious reason.
“Trojan Horse” NFTs
In September 2021, one victim tweeted that their assets had been possibly stolen after interacting with maliciously-airdropped NFTs.
The prospect of scammers being able to steal victims’ assets by sending them malicious NFTs caused concern across the NFT community. After analyzing the victim’s blockchain activity, however, analysts suggested that it was more likely that the true culprit was a typical phishing link.
In the same month, cybersecurity firm Check Point identified a vulnerability that allowed NFTs to trigger a malicious pop-up upon interaction, causing the victim to inadvertently give scammers access to other NFTs stored in their wallet.
This scam – facilitated through a vulnerability on NFT marketplace OpenSea – was patched before its exploitation became mainstream. A similar vulnerability on the Rarible marketplace involving scammers’ ability to embed malicious pop-ups within .SVG images – also identified by Check Point – was patched in April 2022.
Trojan NFTs indicate the wider potential for NFTs to contain potentially malicious data or commands. In January 2022, Nick Bax from Convex Labs revealed a proof-of-concept NFT that can log a viewer’s IP address by encoding additional metadata into its animation URL. This is one (arguably harmless) demonstration of how an NFT is not only limited to simple JPEGs – and can potentially facilitate malicious intent.
Impersonation Scams
Impersonation scams involve criminals pretending to be support staff of NFT marketplaces or custodial wallet services. Active on social media, scammers prey on individuals publicly complaining about bugs and technical difficulties, encouraging them to make contact via direct message so that their issues can be resolved.
Scammers then ask users to provide their wallet seeds, a request with which victims – believing them to be genuine support staff – will comply.
The year 2022 has also seen the rise of phone scams in the NFT space. Scammers will typically attempt to obtain victims’ one-time passwords to access their password repository, which may contain their wallet seed.
Scammers may use phone spoofing services to make the entity they are impersonating – such as “Apple Support” – appear on victims’ phones when they call. Elliptic’s internal analysis has found that one such service has made over $93,000 in Bitcoin.
NFT Swap Scams
Besides NFT marketplaces, another way to trade NFTs is through “swap” services, where participants trade their NFTs rather than buy or sell them for cryptoassets. Since May 2021, swap protocols have facilitated over 20,000 NFT trades – worth over $490 million.
Typical scams involve perpetrators pretending to be traders on NFT-related Discord servers. Proposing an often highly-favorable deal to gauge interest, scammers then invite victims to facilitate the swap using their scam site that seizes their victims’ NFTs.
However, deficiencies in such services have resulted in an increase of related theft incidents in 2022.
In April 2022, a user agreed to swap one Bored Ape and two Mutant Apes for three Bored Apes in return. The victim used a reputable swapping service, which checks to ensure whether a collection is verified during the swap by visually assigning it a green check mark. The malicious user minted three fake Bored Ape Yacht Club NFTs with a “verified” mark embedded within the image, ensuring that they looked legitimate during the swapping process. Believing that they were legitimate NFTs, the victim approved the swap and lost NFTs worth $575,000 to the scammer.
Recovery Scams
Almost all publicly-reported NFT (or other) scams on social media automatically trigger numerous bots that urge the victim to contact some form of entity that can supposedly recover stolen assets. Some scammers may not be bots and instead engage in conversation before inviting the victim to contact a fake recovery expert.
All such messages are scams – and seek to defraud the victim further by inciting a ‘pre-payment’ for ‘recovery services’ that are never rendered.
Marketplace Invite Scams
NFT marketplaces have different rules on accepting sellers to host art on their platforms. Some are invite-only, while others require a certain amount of prior engagement on the platform before being provided with a redeemable “invite code” to sell NFTs.
Scammers have typically exploited such rules to defraud victims. The scammer usually reaches out to individuals on Discord servers or Twitter – offering a code in return for a payment. Once the payment arrives, the scammer disappears. Most marketplaces have a policy of banning any user who advertises an invite-for-crypto deal. Typical offenders on Discord offer to sell invite codes for around $300-$500.
The Stolen NFT Market
Many seasoned NFT traders utilize bots to detect and automatically purchase any NFTs being listed at competitive prices – typically those at or near floor values. In an attempt to cash-out their stolen assets as quickly as possible, scammers will typically list their stolen NFTs at near floor prices – ensuring their quick purchase by bots. This allows perpetrators to cash out their stolen assets by the time victims have raised the incident with NFT marketplaces and caused the NFTs to be flagged, frozen or delisted.
Stolen NFTs have emerged as a relatively distinct economy of their own. For some NFT traders, they are attractive assets as they can be purchased at low prices and flipped reasonably quickly for profit.
However, holding stolen assets runs the risk of restrictions being imposed by NFT marketplaces, vocal social media backlash or legal action. This can, in turn, reduce the demand and ability to trade stolen assets.
There are also indications that unwitting buyers of stolen assets have the tendency to sell them at a loss after becoming aware of their stolen nature. Motivations behind this may include a desire to avoid negative publicity on the vocal online NFT community or dispose of stolen assets as quickly as possible to minimize any inadvertent complicity. Online communities – particularly those of Bored Apes and Mutant Apes – actively observe and call out users interacting with stolen NFTs, urging them to return or sell them back to the victims.
Laundering the Proceeds of Stolen NFTs
The majority of scammers prefer using mixers to obfuscate their proceeds. Based on $67.1 million of ETH originating from 323 scammer wallets, 52.4% ($35.2 million) was laundered through Tornado Cash.
Despite this, 22.5% ($15.1 million) was laundered through further interactions with cryptoasset exchanges or NFT marketplaces.
Other high-risk obfuscation services such as no-KYC exchanges, bridges and gambling services accounted for 2.5% ($1.7 million) of preferred laundering destinations.
The exposure of centralized exchanges and marketplaces to scammers’ wallets indicates that these criminals still utilize direct non-obfuscated cash-outs. Blockchain analytics tools can assist such entities in managing their risk and exposure to scam proceeds.
The preferred laundering destination of a sample of 323 scammers attempting to cash out $67.1 million (ETH) worth of illicit proceeds
Different marketplaces will have varying policies for dealing with compromised assets. Most platforms have a “report” function that allows users to notify administrators of thefts. If a report is deemed credible, NFTs will often be flagged, delisted or have their sales or transfers restricted. However, unless an NFT marketplace is highly centralized and takes custody of listed NFTs, the flagging of an NFT by one marketplace will not prevent its sale on another.
The Implications of the NFT Scam Wave
Most scam attempts are easily identifiable and do not claim any victims. However, the abundance of scams across NFT communities has contributed to paranoia, hysteria and extreme caution – known as “fear, uncertainty and doubt” (FUD) – to a level that has the potential to significantly affect traders’ NFT experiences. Users are now almost forced to close their direct messages to protect from spam or even place notices such as “WILL NEVER DM YOU” in their usernames to prevent being impersonated by scammers.
All these precautions have the potential to reduce the accessibility or enjoyment of engaging with NFTs for both new and existing traders. Therefore, user experiences and potential future investment appear to be key casualties of the NFT scam wave. Through effective wallet screening and transaction monitoring solutions, NFT marketplaces can reduce their risk – and users’ perception of risk – of inadvertently processing stolen assets.
AUTHORS: Eray Arda Akartuna – analyst Elliptic, Matthieu Nadini – data scientist Elliptic, Chris DePow – Senior Advisor for Financial Institution Regulation & Compliance at Elliptic, Tara Annison – Head of Technical Crypto Advisory Elliptic