If you guessed these two things—a 10-kilo bar of gold and this image from the Bored Ape Yacht Club (BAYC)—cost about the same, roughly $600,000, you’d be right. And if it’s hard to believe this is true, you’d be like almost everyone else in the world. Basically, a one-of-a-kind cartoon in a type of video game is a similar cost to the greatest store of value in the history of humankind—gold.
There have been some astronomical overvaluations in the digital age, from pets.com and the dot-com bubble in general, to the seemingly never-ending supply of altcoins and the bubble of money that is still emerging. Still, this seems crazy, even by those standards. However, while there are ‘legitimate’ reasons for this exorbitant cost, non-fungible tokens (NFTs) are also being escalated to transfer money, and potential nefarious plans and activities, to criminals and terror cells. One of these threats has just been illustrated by the announcement of the recent BAYC NFT theft.
What’s an NFT?
First, the obligatory definition from dummies.com: “A non-fungible (meaning unique, non-replaceable) token is a unique digital code that represents some kind of digital item. It could be digital art or music, for example. An NFT is secured and stored on a public blockchain (like Bitcoin and Ethereum).” One token is not interchangeable for another, and a token cannot be further divided. Essentially, NFTs are like a “hyperlink” on the blockchain.
There are many purported uses of this new asset class because NFTs not only show ownership but also allow the owners to create features and expand the purpose through the programmable blockchain. NFTs can be used to gain access to chat rooms, a store, a game, or embed coded functions with a sort of pre-approved and validated ticket. The BAYC NFT (shown in the picture above) denotes membership in an online community that includes high-end merchandise, social events, and even an actual yacht party.
In 2021 alone, around $44 billion worth of cryptocurrency was sent to NFT-related smart contracts, up from just $106 million in 2020, according to blockchain analytics firm Chainalysis.
NFTs can also be used to identify physical items or to ensure traceability and origin of a product in the supply chain. However, for this blog, we’ll stick with what can be done from a criminal standpoint through NFTs.
Security Concerns for the Average Joe
Rug Pull Scams
NFTs provide ample opportunity for nefarious scams on the unsuspecting. Rug pull scams refer to criminals knowingly making false promises to buyers who are frenzied to get rich quickly. The GameStop stock hype and altcoin-craze of 2021 have plagued folks with a severe case of FOMO, and where there is money to be made, fraudsters are not far behind. It’s a bit like a Ponzi scheme: Convince people to convince their friends to buy into this once-in-a-lifetime opportunity. Then, once the price is artificially inflated, pull the rug out and vanish with the victims’ money. Anyone can pay for a social media influencer or some celebrity to hype up their subsequent big “world-changing” NFT project, making it seem like a “Get in on the ground floor!” opportunity. The designers of the scheme get the cash, and the rest of the folks are left with an essentially worthless picture or token that has no value because the project is defunct. A recent example of a rug pull scheme in the Southern District of New York demonstrates the ease with which this can happen.
Stealing Goods Through Social Engineering
Ah, phishing—it seems that no matter how much social engineering awareness training we all take, a good phishing pretext can still fool folks. It’s simple: Stand up a domain, or even just a document, and add some verbiage to make it appear legitimate. Then persuasive imposters entice folks to click on malicious links, hand over their private keys, or share their screen with a QR code on it that they can copy and use to transfer the NFT into their own account.
Discord is another excellent medium that fraudsters can use for social engineering. A good amount of NFT communities use Discord as a primary means of communication. You can program Discord bots to appear to be legitimate humans from an organization, ask an unsuspecting user to “check their security settings” or “verify their account,” and you’ve got a nice set of Bored Apes, all for a few hours spent coding.
Another FOMO swindle is wash trading. With any wash trading scam, the goal is to make an asset appear more valuable than it is. It’s an old con whereby two people (or the same person with multiple accounts) will bid up an asset by buying and selling it to each other at increasingly higher prices. Once the victim has seen the astronomical rise in price, they want to take part in the gains and buy it up. The scammer has created a fake demand for the asset. Since many cryptocurrency wallets don’t require identity verification, it’s simple to stand up multiple accounts and trade the NFT back and forth without really knowing if it’s the same people doing the transactions. One interesting point is that although many wash trading scams have been tracked, there has yet to be a case of legal enforcement for this type of scam. Wash trading is strictly prohibited in most financial sectors, although not so much in the NFT space.
Criminal Terrorist Concerns
Criminal exploitation of NFTs can go beyond mere theft. “There are a lot of concerns, particularly on the terror financing piece,” said Eric Smith of the Cleveland FBI. “A domestic terror cell creates an NFT, and a foreign terror group or nation-state actor buys the NFT at an inflated value and funds the cell. The end-to-end encryption in the NFT makes tracking the fund transfer almost impossible, along with the steganography involved. The NFTs can embed pics and messages that only the seller and the purchaser can see—attack plans, targets, you name it—can all be discussed without fear of disclosure.
“It’s ingeniously simple. A domestic group spends two hours to open an account and upload a pic of Yosemite Sam with a blue mustache. A foreign terror organization buys it for whatever the cost of financing the plot is, plus a little walking-around money. They embed the plans and boom—untraceable financing and planning. No more cloak and dagger meetings, drop phones, or brush passes.”
New Technology Enables Old Motives
New technology can often enable new avenues for crime and terrorism. Despite the commonly held belief that NFT or cryptocurrency hacks require a high level of technical sophistication, some of the cons used are very low tech and have been around for centuries. Others are using these technologies to mask communications with the same goal as cyphers or encryptions in times of wars to subvert the laws of the land. A tool is neither good nor bad—it depends on if the person leveraging the tool uses it to improve society or to destroy it.
In the security space, we are always trying to use the concepts, policies, and components to minimize risk while gaining the maximum reward. Unfortunately, we must always be on the lookout and be prepared when responding to potential threats. Still, it’s entirely possible a multi-colored tooth ape is worth a bar of gold.