How Do People Steal NFTs?
And Why Does It Seem To Be So Easy?
In May 2022, the NFT Bored Ape #8398 was famously stolen from Seth Green, an actor who planned to use the NFT in an upcoming TV series. A hacker, using the pseudonym Mr. Cheese, transferred the NFT from Green’s wallet after Green fell for a phishing scam.
Green’s story has a happy ending (depending on how you look at it). He recovered Bored Ape #8398 but at the steep price tag of 165 Ether, which amounted to roughly $297,000 at the time. (Green originally paid $200,000 to purchase the NFT.)
This well-publicized theft has people wondering: if blockchain technology is supposedly so secure, how do scams like this happen? Why does it feel like we regularly read about cryptocurrency and NFT theft? In this article, we'll explain how NFTs work and some of the common ways hackers get their hands on them.
The Short Version
- Non-fungible tokens (NFTs) are stored on a blockchain in digital wallets. Whoever owns the digital wallet has access to the NFT.
- Despite the overall security of blockchain technology, NFTs are vulnerable to scams through deception, exploitation, and user error.
- Investors can keep their NFTs safe by keeping their private keys secure and avoiding opening or responding to suspicious messages.
NFTs 101: What They Are and How They’re Stored
An NFT — short for non-fungible token — is a unit of data that represents a digital asset and tracks the ownership of that asset. NFTs are stored on a blockchain and can represent various assets, including music, artwork, images, videos, and more.
Unlike other digital assets, such as cryptocurrencies, NFTs are unique and can’t be replicated. Think of it this way: millions of people can own Bitcoins that are virtually identical and interchangeable with one another, while only one person can own a specific piece of art.
Like cryptocurrency and other digital assets, NFTs are stored on a blockchain, usually the Ethereum blockchain. The blockchain records ownership of the NFT and any transactions as the NFT changes hands. The blockchain is mainly anonymous, meaning it doesn’t record the person who owns the NFT. Instead, it records the wallet the NFT belongs to, and the owner has the private key to access that wallet.
How Do People Steal NFTs Anyway?
If you’ve read about blockchains, you’ve probably heard they are incredibly secure. But if that’s the case, why do we continue to hear stories about NFTs and cryptocurrency theft, like in the case of Seth Green?
As we mentioned, a blockchain doesn’t attribute ownership of an NFT to a specific person. Instead, it attributes ownership to a digital wallet. The wallet's owner has the information and private key to access it. For a hacker to steal an NFT, they would have to gain access to a wallet, usually by getting their hands on the private key.
So how do hackers get their hands on other people’s private keys? There are a few different ways this can happen.
- Deception: One common way hackers steal NFTs is through deception; they trick an NFT holder into transferring their assets to them or sharing access to their digital wallet. This often happens in emails or direct messages. Someone with a fake profile might convince the holder to transfer assets into a different digital wallet. Or they might send a phishing link; the NFT owner clicks on it and then shares their private key.
- Exploitation: With this strategy, rather than targeting the NFT holder, the hacker targets the NFT platform itself. The hacker finds a weak point in the platform’s security or contracts to steal someone’s NFT or “sell” it to themselves for nothing.
- User Error: Unfortunately, many cases of NFT theft are simply a result of user error. It could be that the NFT owner didn’t adequately protect their private key, didn’t secure their online account with two-factor authentication, or failed to take other precautions to protect their NFTs.
Gone Phishin’: NFT Thefts and Scams
Green’s story may be just the latest to garner public attention, but it’s far from the only high-profile NFT theft. There are plenty of other examples of people falling victim to these scams.
For example, in 2021, cryptocurrency and NFT investor Chris Chapman listed his Bored Ape NFT for sale on OpenSea with an asking price of about $1 million. But just two months later, a scammer exploited a weakness in OpenSea’s system to buy the asset for 70% less than its selling price.
Another well-known theft happened in early 2022 when former tech executive Eli Shapira had an NFT stolen. Rather than targeting the NFT platform, the hacker targeted him directly, similar to Green's situation. The hacker sent Shapira a link that, when clicked, shared access to his digital wallet. The hacker made off with more than $100,000 of stolen NFTs, which Shapira couldn’t recover.
Finally, in one of the largest well-known NFT heists, art gallery owner Todd Kramer lost more than $2 million of NFTs stolen from his personal collection on OpenSea. The collection included Bored Apes and Mutant Apes, some of the most valuable NFTs on the market.
How To Make Sure Digital Assets Are Secure
Sometimes it seems like we’re constantly reading about high-profile thefts of NFTs and other digital assets. So how can you prevent yourself from falling victim to one of these hackers? Here are a few tips:
- Keep your private key private. The most important step you can take to secure your NFT is to keep the private key to your digital wallet private. Avoid sharing it with anyone and avoid leaving it somewhere that someone else could find it.
- Don’t respond to messages from people you don't know. Many hackers gain access to other people’s NFTs by messaging them from a fake social media account. Avoid responding to messages from anyone you don’t know. And remember that hackers may try to impersonate someone you know or a public figure. Before answering, make sure the person you’re responding to is really who you think it is.
- Avoid clicking on untrustworthy links. Phishing scams are a common way that hackers gain access to the information and private keys needed to steal someone’s NFTs. A good rule of thumb is to avoid clicking on links altogether. For example, if you receive an email you believe to be from an NFT platform, rather than clicking on the link, type the platform’s URL into the browser directly.
- Enable two-factor authentication. By enabling two-factor authentication on your accounts, you ensure that someone can't use your password alone to access your account without your permission. The extra layer of security prevents hackers from getting into your account and could alert you if someone makes an attempt to log in.
- Store your digital assets in a cold wallet. Hot wallets — wallets connected to the internet — are far easier for hackers to access because they can do it from anywhere. But if you keep your assets in a cold wallet, a hacker must actually get their hands on your hardware wallet to steal your NFTs.
How To Avoid Buying Fake or Stolen NFTs
One of the best ways to ensure the NFTs you’re buying are legitimate is by researching the seller. Check their marketplace account to ensure their account is verified. You can also check their social media accounts, other listings, or online reviews from other buyers. If someone is selling fake or stolen NFTs, someone may have already discovered what they’re up to, and you could find out about it on Twitter or Reddit.
Another way to ensure the legitimacy of the NFT you’re buying is to ensure its originality. NFTs are supposed to be unique, so if you find an NFT for sale but then find an identical one for sale on another platform, there’s a good chance it’s not the real deal.
Another thing to remember is that blockchains store the transaction history of each digital asset. As a result, you may be able to see previous transactions involving an NFT you’re considering buying. If someone is selling an NFT the same day they purchased or acquired it, that could be a bad sign.
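The transaction-history check described above can be automated. The following is an added example, not code from the original article: it takes a token's transfer history and flags a listing when the seller's wallet is not the current holder or acquired the token less than 24 hours before listing. The record layout, the `review_listing` name, the 24-hour threshold, and the placeholder wallet addresses are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: transfer history for one token, oldest first.
# Each entry mirrors an ERC-721 Transfer event (from, to) plus block time.
# The wallet addresses are shortened placeholders, not real accounts.
SAMPLE_HISTORY = [
    {"from": "0x0000", "to": "0xAAA1", "time": "2022-01-10T12:00:00+00:00"},  # mint
    {"from": "0xAAA1", "to": "0xBBB2", "time": "2022-03-02T09:30:00+00:00"},
    {"from": "0xBBB2", "to": "0xCCC3", "time": "2022-05-17T14:05:00+00:00"},
]


def review_listing(history, seller, listed_at, min_hold=timedelta(hours=24)):
    """Return a list of warning strings for a listing; empty means no flags."""
    if not history:
        return ["no transfer history found for this token"]

    # Sort defensively: indexers do not always return events in order.
    events = sorted(history, key=lambda e: datetime.fromisoformat(e["time"]))
    last = events[-1]

    # The chain attributes the token to a wallet, so the seller must be the
    # recipient of the most recent transfer.
    if last["to"].lower() != seller.lower():
        return [f"seller {seller} is not the current holder ({last['to']})"]

    # Same-day flip: the seller listed the token shortly after acquiring it.
    warnings = []
    held = listed_at - datetime.fromisoformat(last["time"])
    if held < min_hold:
        warnings.append(f"seller acquired the token only {held} before listing")
    return warnings


if __name__ == "__main__":
    listed = datetime(2022, 5, 17, 18, 0, tzinfo=timezone.utc)
    for line in review_listing(SAMPLE_HISTORY, "0xCCC3", listed):
        print("WARNING:", line)
```

A flag here is a reason to look closer at the seller, not proof of theft; a clean result does not rule out a stolen token that was held for longer before being listed.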
Finally, make sure you’re always using a reputable NFT marketplace. While these exchanges aren’t always 100% safe and scam-free, they are more legitimate than buying an NFT from an individual without a marketplace or exchange there to act as the middleman.
The Bottom Line: Are Anyone’s NFTs Safe?
The more you read about scams where cryptocurrency or NFTs are stolen, the more hesitant you may be about buying these assets in the first place. Yes, there are some risks to owning these assets (just as there are with any others).
But you might be surprised to learn that you have much more control than you think to protect your NFTs from hackers. By taking common-sense precautions, you can keep your digital assets safe and avoid falling prey to the most common NFT theft schemes.