
The Modus Operandi of Successful NFT Heists


An opportunity for better security and revenue generation for NFT marketplaces

The NFT (non-fungible token) market ‘virtually’ exploded in 2021, and it’s not only the crypto-natives (‘degens’) showing interest. Auction houses are now dabbling in NFTs, corporations such as Adidas and Coca-Cola have taken the leap, and celebrities are flaunting their ape pics to one another. According to Reuters, non-fungible tokens made up a $25 billion market over the past year, while Bloomberg put the value at $40 billion. Chainalysis, for its part, says: “Some $37 billion have already been spent on NFTs in 2022 compared to the $40 billion total paid through 2021.”

As popularity skyrockets, the security infrastructure around blockchains has lagged behind. Cybercriminals are already exploring this novel space, stealing NFTs from collectors and enthusiasts through social engineering and through vulnerabilities in marketplaces. As reported on Coinmarketcap, the current value of stolen NFTs stands at 24,000 ETH – a whopping $29 million at current market prices.

An example crime scene 

On February 1, NFT collector Larry Lawliet reported losing several valuable NFTs, including Bored and Mutant Apes, in a suspected social engineering attack. A quick look at Larry’s wallet reveals a rapid sequence of NFT transfers to an address beginning with 0xd27 (the presumed hacker) late on January 31. Here is what happened to the apes next:

  • Bored Ape #1606 was sold by 0xd27 for 136 wETH (wrapped Ether) on OpenSea. On February 5, the Ape was sold back to Larry on the decentralized LooksRare NFT exchange.
  • Bored Ape #4250 was sold for 100 ETH on OpenSea, and was resold within about 6 hours for a profit of 11%.
  • Bored Ape #9138 was sold for 100 ETH through OpenSea. The new owner soon re-sold the token for a profit of 15%, and it was then sold back to Larry using the BatchSwap smart contract.
  • And the list goes on.

Bear in mind that the hackers sold off most of the tokens on OpenSea within minutes of the purported hack, before Larry had reported the theft. Even after the platform flagged the stolen tokens, they continued to change hands.

What makes it so difficult to catch the crypto ‘perps’?

Crypto heists differ significantly from ‘real world’ heists. Here are a few of the differences:

  • On-chain transactions settle in seconds, so a savvy attacker may sell off the loot before the victim has even learned of the theft.
  • Decentralization makes for an open marketplace. Even if the major centralized exchanges ban listings of stolen assets, there is always another platform to turn to, or a peer-to-peer buyer to sell to.
  • There are no take-backs. Once ownership of an NFT is transferred on-chain from one wallet to another, the transaction cannot be rolled back.
  • Selling the NFTs is not the only option. Stolen NFTs can be staked on yield platforms, effectively handing them over to a smart contract in return for rewards based on their rarity.
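The two patterns described above, a wallet emptied to one address within minutes and the loot sold on before anyone reacts, are exactly what a marketplace’s monitoring should be looking for. Below is an added example (not code from the original post, and not GK8’s software) of a small detector in Python. It runs over a constructed list of ERC-721-style Transfer events, using made-up addresses and token IDs, flags a ‘drain burst’ of several free transfers from one wallet to one recipient in a short window, measures how quickly the recipient liquidated, and follows every later hop of the flagged tokens, which is the trail a marketplace needs if it wants to keep refusing listings after the tokens change hands again.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int            # block timestamp (unix seconds)
    collection: str    # NFT contract address; hypothetical labels below
    token_id: int
    sender: str
    recipient: str
    price_eth: float   # 0.0 for a plain transfer, > 0 for a marketplace sale


# Constructed sample events (not real chain data): one wallet is emptied to a
# single recipient within two minutes, who then sells on a marketplace; a buyer flips.
VICTIM, THIEF = "0xVICTIM", "0xd27"
T0 = 1_643_670_000
SAMPLE = [
    Transfer(T0,            "0xBAYC", 1606, VICTIM, THIEF, 0.0),
    Transfer(T0 + 40,       "0xBAYC", 4250, VICTIM, THIEF, 0.0),
    Transfer(T0 + 75,       "0xBAYC", 9138, VICTIM, THIEF, 0.0),
    Transfer(T0 + 120,      "0xMAYC", 777,  VICTIM, THIEF, 0.0),
    Transfer(T0 + 300,      "0xBAYC", 1606, THIEF, "0xBUYER1", 136.0),       # sold 3 min later
    Transfer(T0 + 420,      "0xBAYC", 4250, THIEF, "0xBUYER2", 100.0),
    Transfer(T0 + 500,      "0xBAYC", 42,   "0xALICE", "0xBOB", 0.0),        # benign single gift
    Transfer(T0 + 6 * 3600, "0xBAYC", 4250, "0xBUYER2", "0xBUYER3", 111.0),  # flipped for +11%
]


def _bursts(events, window_s):
    """Split a time-sorted list of events into runs whose inter-event gap is <= window_s."""
    run = [events[0]]
    for prev, cur in zip(events, events[1:]):
        if cur.ts - prev.ts <= window_s:
            run.append(cur)
        else:
            yield run
            run = [cur]
    yield run


def find_drains(transfers, window_s=600, min_tokens=3):
    """Flag (sender, recipient) pairs that move >= min_tokens distinct NFTs for no price
    in a burst of transfers spaced <= window_s apart: the wallet-drain signature."""
    by_pair = defaultdict(list)
    for t in transfers:
        if t.price_eth == 0.0:
            by_pair[(t.sender, t.recipient)].append(t)
    alerts = []
    for (sender, recipient), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        for run in _bursts(evs, window_s):
            tokens = {(e.collection, e.token_id) for e in run}
            if len(tokens) >= min_tokens:
                alerts.append({"victim": sender, "recipient": recipient,
                               "tokens": tokens, "start": run[0].ts, "end": run[-1].ts})
    return alerts


def trace_flagged(transfers, flagged, since_ts):
    """Every later hop of a flagged token, in time order: the audit trail needed to keep
    refusing listings after the tokens have changed hands again."""
    hops = [t for t in transfers
            if (t.collection, t.token_id) in flagged and t.ts > since_ts]
    return sorted(hops, key=lambda t: t.ts)


def seconds_to_first_sale(transfers, alert):
    """Seconds between the end of the drain and the recipient's first marketplace sale
    of a drained token, or None if nothing has been sold yet."""
    sales = [t for t in trace_flagged(transfers, alert["tokens"], alert["end"])
             if t.sender == alert["recipient"] and t.price_eth > 0]
    return sales[0].ts - alert["end"] if sales else None


if __name__ == "__main__":
    for a in find_drains(SAMPLE):
        print(f"drain: {a['victim']} -> {a['recipient']}, {len(a['tokens'])} tokens "
              f"in {a['end'] - a['start']} s; first sale after {seconds_to_first_sale(SAMPLE, a)} s")
        for h in trace_flagged(SAMPLE, a["tokens"], a["end"]):
            print(f"  {h.collection}#{h.token_id}: {h.sender} -> {h.recipient} @ {h.price_eth} ETH")
```

The thresholds (three tokens within ten minutes) are assumptions chosen for the sample; in practice they would be tuned against a collection’s normal transfer rate, and a single gift transfer like the 0xALICE to 0xBOB one is deliberately not flagged. Note that the detector only tells a marketplace which tokens to refuse to list; as the bullets above point out, nothing here can reverse the transfers themselves.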

Safeguarding your NFT collection

NFT collections are increasingly being targeted, as the reports above show. This means that collectors and marketplaces alike must pay more attention to their defenses and keep their private keys safe. Until now, ‘retail’ (hot) wallets were considered decent, low-cost solutions. The increasing sophistication of attackers suggests that these may no longer be enough, and that NFT marketplaces, like other institutions, need an enterprise-grade custody solution to manage their NFTs.

Crypto hackers know how to map attack surfaces, inject malicious code and plant backdoors that expose private keys. Once they control a marketplace’s private keys, they can funnel NFTs directly into their own accounts. More importantly, where the marketplace has its own NFT collection and the smart contract’s business logic ties minting and burning to those same keys, the attackers may also be able to mint and burn tokens at will, which can mean the loss of the whole collection.

It might be time for NFT marketplaces to consider advanced enterprise-grade self-custody solutions, which enable them to manage and monetize their NFTs (just like any other blockchain-based digital assets) in a more secure fashion. As opposed to ‘outsourcing’ custody to a third-party custodian (which might seem like a quick and simple solution), self-custody solutions come with the benefits of lower costs, less risk, and more flexibility to offer new services as strategy evolves down the road.

Not just a marketplace anymore

Additional revenue-generating opportunities lie in offering custody as a service. Given the hacks described above, it is reasonable to assume that marketplace patrons would appreciate some help safeguarding their NFTs. With a self-custody solution, marketplaces can offer ‘custody-as-a-service’, helping patrons safeguard their NFTs until they are ready to part with them.

From here, the potential revenues are virtually unlimited. The custody solution becomes part of the company’s infrastructure ‘on top of which’ the marketplace can offer a wider variety of services according to the supported functionalities of the protocols. Security is not just a threat, it can also be an opportunity. 

To learn more about GK8’s innovative custody solutions, click here.