Over $100 million in NFTs have been stolen in the last year, according to a new report by blockchain analysis firm Elliptic. The report released on Wednesday, "NFTs and Financial Crime," covers nefarious crypto activity between July 2021 to July 2022.
🚨Over $100 million worth of NFTs were publicly reported as stolen through scams between July 2021 and July 2022, netting perpetrators $300,000 per scam on average.
Head to https://t.co/u6iPLjXgpR to read our NFTs and Financial Crime Report.#nft #crypto #aml— elliptic (@elliptic) August 24, 2022
In addition to stolen NFTs, over $8 million in illicit funds has been laundered using NFTs since 2017, according to Elliptic. Non-fungible tokens, better known as NFTs, are cryptographically unique tokens linked to digital and physical content that provide proof of ownership.
Elliptic says cybercriminals netted an average of $300,000 per scam. Its report notes that $24 million in NFTs were stolen through scams in May 2022 alone, with July 2022 being the highest month on record for the number of NFTs stolen at 4,600.
“Actual numbers are likely to be higher, as thefts are not always publicly reported,” Elliptic says. These unreported thefts, the firm says, are typically lower-priced NFTs.
According to the report, 23% of all NFTs stolen in 2022 came from compromised social media platforms like Discord and phishing messages sent to members.
Other attack methods tracked by Elliptic include phishing emails, malicious websites, and—as in the case of the Solana hack, earlier this month—an exploit in a mobile wallet.
According to the firm, the most valuable NFT ever stolen was CryptoPunk #4324, which netted the thieves $490,000 in November 2021. (The collectible has since been "reported for suspicious activity" on OpenSea.) The most significant theft, Elliptic says, resulted in the loss of 16 “blue chip” NFTs worth $2.1 million in December 2021.
Elliptic says the bulk of NFTs lost to scams include Bored Apes, Mutant Apes, Azuki, Otherside, and CloneX.
“Together, these five collections constitute over two-thirds of the stolen NFT value since July 2021,” Elliptic says.
Unsurprisingly, Bored Ape Yacht Club NFTs are the most sought after by cybercriminals. According to Elliptic, the theft of Bored Apes accounts for $43.6 million in stolen NFTs.
In June, Family Guy star Seth Green paid $300,000 to recover his stolen Bored Ape NFT after being the victim of a phishing attack.
The report also cites the March 2022 hack of Axie Infinity’s Ronin Ethereum sidechain bridge by the North Korean Lazarus Group. Also mentioned, the more recently sanctioned Tornando Cash mixing service, saying that digital assets worth more than $160,000 originating from sanctioned entities have been used to purchase NFTs.
“Although crime represents a small proportion of overall NFT trading, it has a disproportionate impact on the industry’s reputation and undermines the quality of experience of legitimate users,” Elliptic says.
Adding to this impact on reputation, Elliptic says that cybercriminals are becoming more sophisticated and circumventing verification protocols like decentralized identity verification company Civic’s now-defunct “Verified by Civic Pass” program. In January, scammers made off with 9136 SOL, around $1.3 million at the time, despite being “verified.”
Counterfeit NFTs are also a major concern. Elliptic noted that in January, OpenSea reported that more than 80% of the NFTs that it removed from its platform for violations—including “plagiarized works, fake collections, and spam"—were created with its lazy-minting tool.
Editor's note: this article was updated to clarify that fake NFTs were removed by OpenSea.