A report from Elliptic, an organization that focuses on blockchain analytics, shows that cybercriminals stole non-fungible tokens for more than $100 million, which makes $300,000 per taken digital asset. Hackers target their victims on social media platforms such as the Bored Ape Yacht Club, OpenSea, and Twitter. Over 23% of the incidents occurred in these communities.
Most of the NFTs that was stolen came in the form of unique digital art pieces generated by its creator. Since July 2021 – when NFTs started gaining popularity among the mainstream crowd – malicious attacks have become rampant, extracting millions of dollars and plunging the NFT community into the fear that the protocols for the assets may not be as secure as the developers say. Other reports speculate that some NFTs could be worth more than what Elliptic stated in their criminal study.
“Over $100 million worth of NFTs were publicly reported as stolen through scams between July 2021 and July 2022, netting perpetrators $300,000 per scam on average,” Elliptic’s key findings said. “July 2022 saw over 4,600 NFTs stolen – the highest month on record – indicating that scams have not abated despite the crypto bear market.”
While NFTs may have had their share of hacking incidents, companies still stand firm about the future value of unique, exclusive tokens. For example, Meta gave the green light to allow users to post their NFTs on Facebook and Instagram, while the US military now has Devil Dogs NFTs for sale to fund the veterans directly.
The Root of the Hacks
Based on Elliptic’s findings, most of the attacks stem from Tornado Cash: a crypto mixer sanctioned in the US. Here, over “$137.6 million of crypto assets processed by NFT marketplaces and the laundering tool of choice for 52% of NFT scam proceeds before being sanctioned by OFAC in August 2022.”
Hackers use a method called threat actors to engage with NFT holders, which fool users into transacting with them. Since its multiple incidents, Tornado Cash was marked as one of the most significant catalysts for consecutive protocol breaches and unregulated suspicious payments. The crypto mixing platform filed for bankruptcy in July 2022 and has since been blacklisted by the US treasury.
Some of the Worst Digital Heists in Blockchain
Axie Infinity
Furthermore, Lazarus Group, a North Korean organization of hackers, was the main culprit in the March 2022 hack of Axie Infinity which caused one of the worst breaches in blockchain history, with $625 million stolen. Lazarus Group used Tornado Cash as the tool for stealing the money via Axie Infinity’s Ronin Network. From Ronin Network, the North Korean group flowed millions of dollars to Tornado Cash and got away.
Bored Ape Yacht Club
The following month, the multi-billion dollar collection Bored Ape Yacht Club was the primary target for hackers. Yuga Labs, the creator of BAYC, suffered a $3 million loss when an attacker took over the official BAYC Instagram account and shared a phishing post with a fake link. This allowed the victims’ crypto wallets to link to the attacker’s makeshift smart contract. The attacker took four Bored Apes along with other unspecified NFTs.
Meanwhile, an Ape owner under the name “s27” was also a victim who singlehandedly lost $500,000. He was fooled in a trade where the scammer used fake NFTs that was deceivingly identical to the BAYC collection, which even had the green “verified” tick on them.
Similarly, another BAYC member, Todd Kramer, lost $2.2 million to a phishing scam. He may have recovered a fraction through OpenSea, an NFT marketplace, but his infamous tweet “All my apes are gone” went viral and became a meme for the NFT skeptics.
Beanstalk Stablecoin
Crypto project Beanstalk was supposed to be pegged for $1 until it fell victim to an attacker who used a get-rich-quick method as an instant loan. In just 13 seconds, the hacker stole $180 million, recorded as one of the fastest malicious attacks ever.
Developers Acting Quickly to Prevent Future Breaches
Theft has become more prominent in cryptocurrency, be it on direct exchanges or social media. Developers continue to partner with veteran cybersecurity groups and bluechip companies to enhance the defenses of platforms against malicious attackers.
The real value of NFTs is still debatable, although several corporations like Meta, Microsoft, and the NBA have pushed through with this technology.
