Only the most ardent believer in NFTs would argue that the concept of non-fungible tokens hadn’t done more harm than good thus far in 2022. The general public was approaching the point of becoming open to cryptocurrencies and blockchain technology, but NFTs have driven them backwards again. The average person in the street doesn’t understand what they are or how they work, but they read plenty of news stories about NFT-related scams and thefts. Every time that happens, the whole idea of Web3 takes a hit. Unfortunately, it’s recently started to feel like it happens every week.
The most recent incident of theft and scandal to blight the NFT landscape happened on May 6th, when hackers targeted OpenSea’s official Discord with a phishing attack. Victims of the fraud are still adding up the cost of what was taken, but it’s currently believed that around £15,000 worth of NFTs were stolen. Any theft of this magnitude is cause for concern, but there are two reasons why anyone interested in NFTs should be worried about this latest incident. The first is that OpenSea is the biggest NFT marketplace on the internet, and should be the safest place to buy, sell, and trade NFTs. The second is that the phishing attack wasn’t even particularly sophisticated. A rogue bot posted a fake announcement inside the channel about OpenSea forming a commercial partnership with YouTube and invited members to click a link and claim a free “YouTube Genesis Mint Pass” NFT. The link was to a phishing site, and at least thirteen NFTs were stolen. Their estimated value comes from records of their last sale on the blockchain.
The theft might turn out to have been a redundant exercise for the scammers because the NFTs are unlikely to have any subsequent value. This is a problem for NFTs across the board, which tend to depreciate as soon as they’re sold or shortly afterwards. There are precious few examples of NFTs that have increased in value after being sold for high prices. Just as investing in cryptocurrency has always been a form of gambling, so is investing in NFTs. The difference is that cryptocurrency investments pay off more regularly, and performance can be more predictable. It’s like the difference between betting on sports and betting on slots at a casino website. Your knowledge and experience might help you return a profit with sports betting as the outcome isn’t random. The games at online slots casinos are random, so no amount of knowledge or experience can help you. A decent casino comparison website might help you identify the fairer casino sister sites and avoid rogue operators, but you’re still at the mercy of fate. All too often, that’s exactly what investing in NFTs feels like.
The attack on the OpenSea Discord channel is alarming, but it falls a long way short of being the most expensive NFT heist on record. It’s not even the biggest to happen in the past few weeks. That dubious honour goes to the Bored Ape Instagram account. It was reported at the end of April that hackers had targeted the official Instagram account of Bored Ape Yacht Club and stolen 134 NFTs from the wallets of multiple users, making off with art worth an estimated £2m. There’s been some discussion on the OpenSea Discord account that this attack may have been carried out by the same hackers. While the Instagram attack did most of the damage, there was also an attack on the Bored Ape Yacht Club Discord server that worked in a near-identical way to the OpenSea attack. A supposed “mint link” was posted to the channel offering a free allotment of digital land within the Otherwise metaverse project to all Bored Ape NFT holders. Rather than delivering on that promise, the link gave control of the crypto wallets of anybody who clicked the link to the hackers. The link was the same one that was posted on the Instagram account. Ironically, many of the stolen Bored Ape NFTs were later sold on OpenSea.
The lack of legal recourse for thefts like this is an increasingly serious problem for NFT holders and investors. Even OpenSea can’t prevent stolen art or NFTs from being sold on its channels. It can mark certain posts as “suspicious,” but it can’t prevent users from interacting with them. The law has not yet progressed to the point where there’s the legislature in place to deal with thefts of this kind, and even if it had, many of the thefts are international. The people stealing the NFTs are outside the legal jurisdictions of the countries where the victims of the thefts live. It shouldn’t be a perfect crime, and yet it is. The risks of being caught are incredibly low, and the gullibility of NFT holders appears to be incredibly high. For a criminal, that’s the perfect combination.
Scams like this work on NFT enthusiasts because of the fear of missing out on limited edition or short-run mints. Genuine NFT mints are often announced suddenly via a post in a Discord group, so it’s sometimes difficult to know the difference between what’s genuine and what isn’t. Waiting until later can mean missing out on an NFT altogether. The minting process is slower and more expensive, and it’s possible to run out of funds before it is completed. That’s why it’s necessary to have a “hot wallet” connected when clicking on such a link, but if the link goes to a phishing website, the “hot wallet” is left wide open to be exploited. Going back to the gambling metaphor we used earlier, it’s a classic case of risk versus reward for the people who choose to click the links. Most of them know that they should do more research before clicking, but if they do so, they could find themselves too far back in the queue to end up with their limited-edition prize. For all of those reasons, attacks like this are likely to continue happening. Until provisions are made in national and international laws, the victims of those attacks are very unlikely to see their money or their NFTs again.
