The story of an art gallery owner who had $2.2 million worth of Bored Ape Yacht Club and other NFTs stolen is just the latest example of crypto theft, illustrating the vulnerability of buyers as a broader set of consumers venture into the field.
With NFTs, the issue has grown in importance as the market has transformed from a niche hobby to an active market filled with speculators and investors.
Todd Kramer of New York’s Ross+Kramer gallery fell victim to a phishing scam in late December, according to a now-deleted tweet. He stored his NFTs using an internet-connected hot wallet — a less secure method — and a thief made off with 15 digital tokens worth $2.2 million.
Hot or cold
Phishing scams are common across the internet, targeting everything from work credentials to credit-card numbers, but they are especially popular in crypto because once a user's crypto is stolen, the transactions are nearly impossible to reverse.
OpenSea, the most popular NFT marketplace by far, doesn’t keep custody of tokens for users. Consumers are responsible for storing their own NFTs.
Many crypto developers and enthusiasts see self-custody as part of the technology’s ethos. A crypto buyer has total control of their assets. That also makes them easier to steal.
After a user clicks on a phishing link, how NFTs are stored becomes a critical question. If they’re kept in an internet-connected hot wallet, an option many prefer for its simplicity and the ease of trading assets kept online, the hacker can easily get access. Hot wallets can be standalone software applications, online accounts maintained by an exchange or even simple browser extensions like the popular MetaMask.
There are typically few ways to remedy a breach or insure against losses, though Lloyd’s offers a crypto wallet policy. Coinbase insures its accounts for up to $250,000, but it doesn’t cover a breach of users’ account credentials. OpenSea blocked the sale of the stolen NFTs, but acknowledged that it couldn’t prevent the NFTs from being transferred off of its marketplace.
Phishing the crypto sea
There are many variations on the phishing scam. One used Google Ads to get access to people’s crypto through MetaMask. In May, MetaMask warned of a phishing scam that looks like a Google Docs form from MetaMask support and asks for a user’s wallet recovery phrase, which can grant a hacker full access to the wallet.
Hardware wallets, also known as cold storage, are one way that crypto holders attempt to protect themselves from hackers. These involve a hardware device that holds the user’s private key offline so that it can’t be accessed even if a hacker gets access to a browser or other device.
But as the Kramer case shows, many users, even those with millions of dollars worth of NFTs, don’t bother with hardware wallets. They’re more complicated and can slow things down when trading.
Discord in the ranks
An emerging vector for crypto attacks is through the Discord app. Many crypto projects use Discord for discussion and organizing work, and some are designed to build community among owners of NFTs. These groups are often open for anyone to join.
Hackers often go into these Discord groups trying to get people to click links or give up private keys or other information. Justin Kan’s new project Fractal was the victim of this kind of attack, in which almost 400 people were scammed.
The growth in the NFT market seems to guarantee more incidents of theft and scams. A recent report from Chainalysis found $14 billion in criminal crypto transactions in 2021, up from $7.8 billion in 2020. That’s a very small slice of the overall market, which saw $15.8 trillion in crypto transactions last year, Chainalysis researchers pointed out, but it’s still a huge opportunity for hackers.
Besides better insurance policies and improved security, one market opportunity that’s emerging is hardware wallets. Ledger, a maker of hardware wallets, raised $380 million in June, valuing the company at $1.5 billion. And Block, Square’s parent company, has announced plans to make hardware wallets among its other crypto initiatives.