Many people have never even heard of non-fungible tokens. And yet, they’ve become such a hot trend that scammers have taken notice and are attempting to lure current and prospective traders onto NFT-themed phishing and fraud websites.
For the uninitiated, NFTs are unique tokens that accompany original and collectible digital artwork or videos that can be sold or traded as a form of cryptocurrency, with transactions registered on the blockchain. Many of the earlier NFTs involved illustrations of kittens, but they can take the form of just about anything.
For instance, a collage created by digital artist Mike Winkelmann, aka Beeple, recently earned $69.4 million in an auction, while the first-ever tweet from Twitter CEO Jack Dorsey was digitally pawned for $2.9 million. Meanwhile, it was also just announced that NFL quarterback Tom Brady is forming his own NFT company, Autograph.
No wonder scam artists are taking notice and jumping on the bandwagon. Online fraud and phishing company Bolster recently reported that criminals are starting to stand up fraudulent, imitation NFT websites that impersonate actual digital marketplaces such as OpenSea and Rarible, and are then using fake tweets and other social engineering tactics to lure victims to these phishing pages.
For a quick cash-grab, these fake sites can sell counterfeit artwork or products that don’t even exist. But in other cases they are attempting to trick users into inputting their account credentials or credit card data, allowing the perpetrators to steal their valuable information.
The report notes that the number of suspicious-looking domain registrations copycatting the names of genuine NFT stores jumped nearly 300% in March 2021 compared to February.
Shashi Prakash, chief technology officer and chief scientist at Bolster, told SC Media that NFTs are especially ripe for scamming right now because of the very fact that some people are chasing this fad without really understanding how the process works.
“These days, people who may not be technically savvy are getting into this,” said Prakash. “And just by not understanding [what] is legitimate and which is fake, people can fall for these scams.” And “because of how many people are falling for these attacks, the scammers are now incentivized to create more of these scams.”
Indeed, right now “there is a fervor created by FOMO [fear of missing out]… that bad actors can use to entice victims into partaking in scams,” said Dave Jevans, CEO of CipherTrace.
Prakash also said NFTs are an alluring opportunity for cybercriminals because the law hasn’t caught up to the concept yet, and because fraudulent or counterfeit transactions are hard to trace.
“Criminals are often at the forefront of adopting new technologies, and cryptocurrencies are no exception,” said Jesse Spiro, chief of government affairs at Chainalysis, noting that scams were the most lucrative form of crypto-crime in 2020, earning almost $2.7 billion. “We saw this with the early success of the darknet market Silk Road, which accounted for a huge part of the early crypto economy.”
There are also notable parallels with the initial coin offering (ICO) craze of 2017, “as regulators are only just starting to catch up, and scammers are using the momentum and hype to lure people into participating in fraudulent schemes,” noted Jevans.
Another form of scam listed in the Bolster report consisted of fake giveaways in which scammers “target crypto enthusiasts by offering them free crypto/NFTs/tokens related to NFT marketplaces,” sometimes posing as famous brands and personalities.
And it’s not hard to speculate where scams could go from here.
For example, “Scammers could build fake NFT user interfaces that steal cryptocurrency without providing the value they claim,” said Spiro.
Or cybercriminals could try to compromise the marketplace or NFT exchange platform itself, so that users performing a transaction are actually sending funds to a malicious actor’s cryptowallet. “I think if you look at the previous history of how cryptocurrency exchanges were targeted, it makes sense that that’s possible… that that may be the next thing that we’ll see,” said Prakash.
It’s also very possible that we will soon be hit with phishing campaigns built around NFT lures.
“As we see with any trending topic, threat actors will find ways to leverage the theme in their phishing campaigns,” said Tonia Dudley, strategic advisor at Cofense. “By leveraging a trending theme, the likelihood of a recipient engaging with the email is increased. We saw this same trend last year when COVID-19 began to spike across the globe.”
There are also non-cyber crimes that bear watching with NFTs.
“Just as money laundering can be conducted through purchases of high-value art, so too can money laundering leverage the digital NFT art market for their own ends,” noted Jevans. In fact, “The global Anti-Money Laundering (AML) watchdog, The Financial Action Task Force (FATF), recently updated their proposed cryptocurrency guidelines to suggest NFTs that can facilitate money laundering and terrorism financing should be subject to these new guidelines.”
Spiro similarly pointed out that money launderers could “take advantage of some of the NFT marketplaces that sell NFTs at subjective prices – in other words, in marketplaces where NFTs are worth whatever someone is willing to pay – similar to the art market.”
Due to their potential for abuse and fraud, Jevans suspects that NFTs will eventually “fall under the securities definition as characterized by the SEC,” especially considering that “the provenance of many NFT assets is unclear and can be leveraged by bad actors to defraud investors.”