No room for compromise: marketplaces must do more to tackle stolen NFTs

Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news’ editorial.

The non-fungible token (NFT) space spares no one, not even those who call themselves NFT God. An experienced investor like Kevin Rose also got duped in early 2023, losing NFTs worth $1 million or more. Cracks like these betray the troubled state of NFT security across platforms. Over 13,650 NFTs have been stolen since mid-2021, amounting to over $29.5 million.

Leading NFT marketplaces are adopting and implementing processes to mitigate thefts and scams, or at least minimize their impact, but with very limited scope. It mostly involves some compromise, either on the part of creators or victims. 

There’s much debate around whether creators must compensate users who suffer NFT thefts. But one considerable aspect is that the stakes of swiping and flipping NFTs — especially the big, “blue chip” ones — are pretty high. So phishers constantly up their game and stopping them is a tough challenge. 

It’s thus high time to revisit a very basic question — why does someone steal NFTs? To sell them for profit. And that’s also a soft spot for malicious actors. Their efforts are futile if not profitable. Most scammers will change their livelihood if they’re unable to sell stolen NFTs easily for good prices and without accountability.

This’ll be possible only with collective effort, though. No single marketplace, security company, or developer can stop NFT scams and thefts on its own. Industry stakeholders must collaborate to block the thieves’ profit-making pathways, much like stopping viruses in the human body.

Behind the scenes of NFT thefts

Robbie Acres’s case is an eye-opening example of what happens when NFTs are stolen, even on leading marketplaces like OpenSea. It was most likely a phishing attack, targeting two NFTs from the HAPE PRIME and Karafufu collections.

Though Robbie and his lawyers believe there was enough scope to stop the stolen NFTs from being resold, the marketplace sent a “delayed response” conveying their inability to recover the lost assets. 

The situation escalated into a full-on legal battle, even with allegations about OpenSea freezing Robbie’s account for several months. But what’s more prominent here is how marketplaces as big as OpenSea can’t stop: one, NFT thefts, and two, the sale of stolen NFTs. 

One shouldn’t completely blame them either. Given the current security models, there’s only so much a marketplace can do in the fight against attackers. OpenSea, for one, has put in the effort to devise a comprehensive anti-theft policy for NFTs. They’ve even implemented systems to automatically detect and block stolen NFTs, as well as to disable scam links. Yet it’s clearly not working.

Finding a needle in the haystack

OpenSea, or any individual marketplace for that matter, isn’t the only place where NFT thieves can sell off their loot. There are many ways out. And there are even more unwitting buyers who ultimately end up holding the stolen NFTs.

The unaware buyer is also at the receiving end of increasing NFT scams — i.e., the second key victim after the original owner. Scammers are often smart enough to offer irresistible deals on stolen NFTs because whatever they get is currently more than their cost of attack, and hence profitable. But the buyer essentially receives zero value and can also land in trouble for no fault of theirs. 

At the same time, constantly monitoring and tracing NFT transactions isn’t a viable option as it conflicts with decentralized principles like autonomy, privacy, etc. That’s partly why relying solely on marketplaces to tackle NFT thefts is a naive over-expectation. They can offer a bunch of compromises and consolations at best. 

On a very practical level, catching stolen NFTs once they start moving across brimming terrains is like finding a needle in the haystack. Simply asking users to exercise caution or avoid getting phished isn’t enough either. Especially when industry experts like Robbie, Kevin, and NFT God are on the victim list.

Focusing on the “unwitting” part

So much for pinpointing the problem. As for the solution, it’s important to see that stopping NFT thefts requires a two-tier effort. First, promptly identifying stolen NFTs. Second, stopping their post-theft resale.

Security innovators like Zengo and Forta, among others, have built robust preventive analysis and threat detection models that can identify NFT attacks in real time. For instance, Forta’s NFT Threat Detection Kit has multiple detector bots to analyze anomalous transfers, abnormal transaction volumes, ice phishing incidents, exploiter address interactions, and so on. 

They can also send real-time alerts to subscribing end-users and marketplaces. But when it comes to acting on these alerts, the current framework is still too slow and sloppy. Now imagine a scenario where stolen NFTs are promptly and clearly earmarked as such, letting everyone know their nature. Who would still buy them, except perhaps some darknet participants willing to pay a premium for ‘stolen’ NFTs?

An NFT scammer’s business model collapses the moment we introduce accountability into the picture, because it primarily leverages the buyer’s lack of knowledge that a particular NFT is stolen or otherwise compromised. As defenders of NFT value, we must therefore focus on the “unwitting” part — that’s a key to solving the crisis at hand.

Putting a persistent ‘stolen’ tag on such NFTs hampers the profitability of scams by making the cost of attack more than flipping returns. Ideally, reselling stolen NFTs must fetch less than the gas fees for scam transactions — that’ll completely tip the odds against scammers. And as the time-tested resilience of, say, the Bitcoin network proves, economic disincentive is ultimately the best deterrent for attackers. 
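As an added illustration of the two-tier approach described above (this is constructed example code, not Forta’s detector bots or any marketplace’s implementation), the sketch below runs two of the detector signals the text lists, exploiter-address interaction and abnormal outflow volume, over constructed transfer events, then feeds the hits into a persistent ‘stolen’ registry that a listing gate consults before a resale. All addresses, collection names, and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Transfer:
    block: int
    collection: str
    token_id: int
    sender: str
    recipient: str

# Constructed label set standing in for an exploiter-address feed (assumption).
KNOWN_EXPLOITERS = {"0xbad0"}

def detect_anomalous_transfers(transfers, window_blocks=10, max_outflow=3):
    """Flag tokens sent to a known exploiter, plus wallet-drain bursts: more than
    max_outflow NFTs from one sender to one recipient within window_blocks."""
    flagged = set()
    by_pair = defaultdict(list)
    for t in transfers:
        if t.recipient in KNOWN_EXPLOITERS:
            flagged.add((t.collection, t.token_id))
        by_pair[(t.sender, t.recipient)].append(t)
    for group in by_pair.values():
        group.sort(key=lambda t: t.block)
        for i, first in enumerate(group):
            window = [t for t in group[i:] if t.block - first.block <= window_blocks]
            if len(window) > max_outflow:  # abnormal outflow volume
                flagged.update((t.collection, t.token_id) for t in window)
    return flagged

class StolenRegistry:
    """Persistent 'stolen' tag that every marketplace consults before listing."""
    def __init__(self, tagged):
        self._tags = set(tagged)
    def can_list(self, collection, token_id):
        return (collection, token_id) not in self._tags

# Constructed sample transfers: a four-token drain, one normal sale, one exploiter deposit.
SAMPLE_TRANSFERS = [
    Transfer(100, "ColA", 1, "0xa11ce", "0xeve1"),
    Transfer(101, "ColA", 2, "0xa11ce", "0xeve1"),
    Transfer(101, "ColA", 3, "0xa11ce", "0xeve1"),
    Transfer(103, "ColA", 4, "0xa11ce", "0xeve1"),
    Transfer(200, "ColC", 7, "0xb0b", "0xcar01"),
    Transfer(300, "ColB", 9, "0xdan", "0xbad0"),
]

def run_pipeline(transfers=SAMPLE_TRANSFERS):
    # Detect, tag, then report which tokens a marketplace listing gate would admit.
    registry = StolenRegistry(detect_anomalous_transfers(transfers))
    return {(t.collection, t.token_id): registry.can_list(t.collection, t.token_id) for t in transfers}
```

The drained tokens and the one deposited to the exploiter address come back unlistable, while the single ordinary sale passes the gate.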

The call for industry-wide collaboration

Coupled with smart attack detectors, effective flagging mechanisms for stolen NFTs will make scams less common. They’ll enable the holistic defense mechanism necessary in this regard. But while such innovations lay the technical foundation, there’s a crucial social factor at work. 

Marketplaces especially, but also other industry participants, must adopt and implement these capabilities in unison. There can’t be any gaps for thieves to slip through — stopping them for good requires a complete lockdown.

That’s when the profit from NFT scams will be the lowest, i.e., the point where we can safely call NFTs safe, at least from a specific point of view.

Christian Seifert

Christian Seifert is the researcher-in-residence at Forta. Prior to joining Forta, Christian spent 14 years at Microsoft leading security research and applied research teams supporting Microsoft Defender security offerings. Christian also led The Honeynet Project, a global non-profit security research organization bringing passionate security researchers together working on open-source honeypot tool development and threat intelligence.
