$100 million in NFT thefts over last year jumped mid–‘crypto winter’ – Fortune
“Crypto winter” or not, non-fungible token (NFT) scams are on the rise.
Investors reported over $100 million worth of NFTs as stolen—the result of scams between July 2021 and July 2022, according to a new report by top blockchain analytics firm Elliptic.
Scammers netted $300,000 on average as several shady records were broken over the past year. In July 2022—mid–crypto bear market, when NFT prices steeply declined—over 4,600 NFTs were reported stolen, the “highest month on record” for such scams, according to Elliptic.
Additionally, in May, just under $24 million in NFTs was stolen through scams. That’s the “highest confirmed value” to date, Elliptic wrote, noting that the actual number is likely even higher because victims don’t always publicly report being scammed.
Among the most common methods used were phishing scams, often where fake pop-ups encourage users to log in to their wallets or sign on to malicious transactions. Sometimes, for example, bad actors impersonate the site of a well-known NFT platform or wallet, or hack into the social media account of a popular NFT project, spreading malicious links that give scammers access when clicked.
Social media–based phishing scams have also surged, according to Elliptic, with about $20 million worth of NFTs stolen in 2022. Elliptic concludes this is due to an increased use of malware that can bypass two-factor authentication.
Scams aside, NFTs are often criticized as vehicles that can be used for money laundering. But in its investigation, Elliptic found that while illicit funds have been used to buy NFTs, that amount is comparatively small.
Elliptic analyzed 17 million Ethereum transactions between the fourth quarter of 2017 and the first quarter of 2022 from 22 NFT marketplaces, four NFT games or metaverse platforms, and two NFT swap services.
In its breakdown, Elliptic reported that funds from licit activity accounted for about $40 billion, or 99%, of the total used for NFT services. Under $329 million, or 0.81%, of funds on NFT services come from “obfuscators” like so-called crypto mixers, which allow users to hide the trail of transactions. And illicit funds, like those from theft, phishing, or Ponzi schemes, account for $8 million, or 0.02%.
Nonetheless, Elliptic sees a “growing threat to NFT-based services from sanctioned entities and state-sponsored exploits,” it wrote, citing the $540 million Axie Infinity Ronin bridge exploit by the infamous North Korean hacking outfit known as the Lazarus Group, among others.
For example, Tornado Cash, a notable crypto mixer now sanctioned by the U.S., was “the source of $137.6 million of crypto assets processed by NFT marketplaces and the laundering tool of choice for 52% of NFT scam proceeds before being sanctioned,” Elliptic wrote. “Its prolific use by threat actors engaging with NFTs further emphasizes the need for effective sanctions screening by NFT platforms.”
All in all, Elliptic concluded that although the “perceived chances of NFT-based crime occurring is higher than it actually is,” improvements still are required within the space.
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.
S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions.