Non-fungible tokens (NFTs) are perhaps best known as a way to assign digital “ownership” to pictures of cartoon monkeys. But a new report from Elliptic claims that NFT-based platforms are being used to launder millions of dollars of illicit funds.
And money-laundering isn’t the only issue identified by the researchers, who describe an NFT landscape beset by phishing scams, “rug pulls” and theft.
But the picture is complex, with much of the financial activity associated with NFT being reportedly legitimate.
Industries from finance to media and payment services are purchasing millions of dollars worth of NFTs. These findings suggest that buyers should proceed with caution in this under-regulated market.
A Brief Explanation of NFTs
Like cryptocurrencies such as Bitcoin, NFTs are essentially entries on a blockchain—a digital ledger that links its records using cryptography.
But unlike Bitcoin, NFTs are non-fungible, meaning that each blockchain entry points to a specific, non-interchangeable digital asset.
So while you can exchange a Bitcoin with another Bitcoin (or a dollar bill with another dollar bill) and receive something of identical value, the same does not apply to NFTs. Much like a trading card or an oil painting, some NFTs are worth more than others.
NFTs are normally works of digital art, but be used to imply ownership of any sort of digital asset.
Unlike physical goods, digital goods are, in theory, reproducible at effectively zero cost.
If you like someone’s profile picture of a monkey smoking a cigar, you can download it and make a thousand copies—even if the person using the image paid an artist to create it.
But when a person purchases an NFT—for example, a digital picture of a monkey smoking a cigar—the transaction is recorded on the blockchain (or “minted” via a “smart contract”), and the person receives a certificate of authenticity.
There are other uses of NFTs (some theoretical) besides cigar-smoking monkey pictures, including proving membership of paid groups or providing a digital identity in gaming and the metaverse.
The Ukrainian government also briefly,ran a scheme to secure donations of NFTs to fund its military defence programme.
Purchasing an NFT does not inherently confer ownership in a traditional legal sense and has no established impact on copyright or intellectual property.
However, many people—and companies—have invested in NFTs in the hope that the value will rise if the model of digital ownership becomes better established.
NFT sales surged in 2021, but the value of NFTs has fluctuated with the rest of the crypto market. As of midday Thursday, though, the value of the most popular NFT collection, Bored Ape Yacht Club, stands at over $1.9 billion.
NFT Thefts
Blockchain analytics firm Elliptic’s report looked at around 80 NFT scams reported since July last year. The report found evidence that over $50.6 million in NFTs has been stolen—at least 4,650 NFTs.
Five popular NFT collections—Bored Apes, Mutant Apes, Azuki, Otherside and CloneX—constituted over two-thirds of the value of stolen assets, partly because these collections contain some of the most highly-valued NFTs on the market.
The report estimates that 1.7% of Bored Ape NFTs have been stolen since the collection began.
The majority of NFT thefts are achieved via phishing. This should not be surprising, as phishing also represents one of the most common and successful methods of cybercrime in general.
The researchers note, however, that attackers tend to leverage a “fear of missing out” mentality that is common in a community of people hoping to invest early in strongly-appreciating assets.
Messages including phrases such as “act fast” were commonly used to encourage victims to click phishing links.
The report cites evidence of other common forms of phishing, including account recovery scams and impersonation scams via social media and email.
The researchers also describe how proceeds from stolen NFTs are laundered via “crypto mixers”, such as the recently-sanctioned Tornado Cash platform, or through exchanges that do not conduct know-your-customer (KYC) checks.
Rug Pulls
A “rug pull” is a scam whereby the developer of an NFT builds up funds from investors and then steals them. While NFTs and other crypto assets have become notorious for rug pulls, they occur in traditional finance and retail settings, too.
The largest NFT rug pull on record involved the “Evolved Ape” collection and cost victims around $2.5 million.
Elliptic’s report offers case studies of two rug pulls perpetrated by the same group of scammers.
The first incident involved a project called “Doodled Dragons” in January. The founders encouraged investors to buy into their collection of NFTs and promised the profits would go to charity.
But moments after announcing a $30,000 donation to World Wildlife Fund (WWF), a scammer tweeted that they were changing their chosen charity to their own bank account.
The following month, the same group launched the “Balloonsvillle” project with help from “paid promotions from known influencers”. After stealing investors’ funds, the scammers tweeted that their victims were at fault for being “too stupid” to ask for ID.
Money-Laundering
Another type of NFT-related criminal activity cited in the report is money laundering.
The authors note that while money laundering via NFTs does occur, the practice is “by no means occurring at an endemic level”. NFTs’ volatile pricing also means they are supposedly unsuitable for most types of money laundering.
Gauging the source of NFT funding can be difficult. The researchers estimate that over 99% of funds used to purchase NFTs are from legitimate sources, with 0.02% ($8 million) from illicit sources.
However, around $329 million in NFT funds was reportedly processed by an obfuscator, such as a crypto mixer.
Crypto mixers allow crypto holders to pool their funds before mixing them and redistributing at random intervals, thus obscuring the source of funds.
The use of crypto mixers is highly controversial, and critics say the main purpose of such platforms is money laundering.
Regulators have shut down crypto mixers before, including, as mentioned above, Tornado Cash, which was sanctioned by the US Treasury Department last month after having been used to launder money from ransomware attacks.
This is perhaps another sign that regulators are slowly beginning to catch up with developments in crypto trade and assets.
21 Readers' comments