You’d have to have been living under a rock to have avoided the excitement surrounding Non-Fungible-Tokens (NFTs) in the last year, which have taken both the cryptocurrency and art world by storm. NFTs have been in existence since 2014, existing as a digital receipt recording ownership of digital and physical assets; this includes art, videos, wearables, or objects on a blockchain. Many have suggested NFTs have allowed regular people to enter the world of art ownership, a space traditionally reserved for the wealthy. Others are more critical, having suggested that many NFTs are low in quality and ultimately are being sold for a ridiculous price given their actual use case (I tend to agree with many of these sentiments). NFTs also have a more cynical role within the world of cybercrime. In this blog, we’ll explore NFTs and how cybercriminal actors use them.
The rise of the NFT
The last 12 months will likely be remembered for several reasons. Euro2021 (still feeling the hurt from that one), the Winter Olympics in China, the Netflix series Squid Games, and of course, that infamous Oscars incident. One other thing that may also crop up is the introduction of NFTs and cryptocurrencies into mainstream culture. The hype around NFTs has been generated through so many recent events. There was the sale of an NFT produced by digital artist Mike Beeple for $69m, the introduction of play-as-you-earn games—which heavily use NFTs for in-game content—and fervor surrounding the “Bored Ape” series and several spinoffs. Generally, while NFTs have entered the realm of public discussion, the general sentiment appears to be that the use of digital assets in this fashion is a bubble or a result of “crypto bros” hyping to an extraordinary level.
While the current sale of NFTs may raise a few eyebrows, there is a use case for online ownership of items in an increasingly digital world. Why do people buy fancy cars with a particular brand, or clothes with an expensive label? NFTs at this time likely represent prestige, or in other words, a way to show off in the digital world. Their increased use in the future will coincide with the development and adoption of the so-called “MetaVerse”, which is difficult to define but perhaps best described as the move toward a greater online digital environment where users can make sales, explore, and converse with other users. If you haven’t seen the official Meta advertisement for the Metaverse from February 2022, you can check it out here (which was a little tragic, if you ask me).
NFTs may be used to identify ownership or customization of items within the MetaVerse, which will be accompanied by a greater role to play for virtual reality (VR), augmented reality (AR), and cryptocurrencies. For example, Alfa Romeo are providing NFTs with newly purchased sports utility vehicles, which contain the car’s service history. This likely has the use case of being useful from a service perspective whilst also giving owners an additional limited item that could potentially generate value in the future. Think of it like a limited edition sporting card or old currency no longer in circulation. As with anything, scarcity can drive value. While the sale of some NFTs may seem preposterous, we’re likely at just the beginning of identifying the various use cases for this emerging technology.
Tax avoidance, wash trading, money laundering
We previously reported the link between ransomware activity and money laundering through cryptocurrency. Unsurprisingly, NFTs have also been linked with facilitating payments for several crimes.
Crime, in general, has long been synonymous with art, which if you listen to many NFT enthusiasts, that’s what many NFTs should be viewed as. This association is due to the ease with which art is moved, the subjective prices, and to permit allowances on certain taxes. The association between NFTs and crime is exacerbated by the increased anonymity that cryptocurrency can provide users. The UK’s tax watchdog HMRC (Her Majesty’s Revenue and Customs) also recently identified this link between tax fraud and NFTs, with three individuals arrested as part of an investigation into a suspected VAT fraud scheme involving 250 fake companies. HMRC seized the NFTs, with the three individuals detained attempting to defraud HMRC out of £1.4m.
Some NFT sellers have also been linked with “wash trading”, which refers to a transaction in which the seller is on both sides of the transaction; i.e. they own both the selling cryptocurrency account and buyer account. In the case of NFT wash trading, the goal would be to make one’s NFT appear more valuable than it is by selling it to a new wallet the original owner also controls. Wash trading is achievable because many NFTs trading platforms fail to require identification to process a transaction.
While many wash traders actually could lose money through the gas fees needed to process the transaction, it does open an opportunity for money laundering or otherwise processing funds taken from other avenues into what appears to the naked eye as a legitimate transaction. Other methods of gaining money from wash trading result from selling the artificially inflated NFT onto unsuspecting buyers who believe the NFT they’re purchasing has been growing in value.
Malware, social engineering, and fraud
The world of NFTs is also rife with fake and inflated products and out and out fraud. One of the most common scams facing investors in NFTs and the crypto space is the “rug pull” in which a startup or influencer promotes a crypto token, NFT, or a Decentralised Autonomous Organization (DAO) project, solicits public investment, then vanishes with the cash or stops updating the project.
NFTs are also prone to the usual deluge of social engineering attacks, which is commonplace with every emerging technology. Many of these attacks work in the same old manner we’ve reported time and time again, by using phishing or other common tricks to con users into handing over their credentials. Many of these attacks originated on social media like Twitter, in which users were contacted about opportunities to buy owners’ NFTs through dedicated marketplaces. Users were presented with a malicious Google Document containing a screen saver file (SCR file). When downloaded by the unsuspecting NFT owner, it would result in the propagation of malware and their credentials being harvested. The attacker could then access accounts for financial theft or otherwise hold sensitive data for ransom.
With the crypto world rapidly developing and being adopted by many enterprise companies, threat actors will undoubtedly continue to adapt their social engineering campaigns to include crypto-related scams. Due to the quickly changing nature of the crypto industry, these scams can be challenging to spot and leaves enthusiastic but naïve investors at significant risk.
What can be done to stop the abuse of NFTs?
Much of the activity related to NFTs and money laundering exists due to a lack of identification used across many crypto and NFT platforms. Introducing a greater level of regulation—gulp, please don’t all come for me at the same time—may assist in reducing the likelihood of such technology being abused to facilitate financial crime. In particular, the introduction of Know Your Customer (KYC) processes will greatly impact money laundering activities. These should include establishing the customers’ identity and monitoring to understand the nature of their activity—including whether the sources of any transactions are from a legitimate place. Many crypto exchanges have already signed up to KYC processes to aid in the transparency of their services.
In addition to greater identification of marketplaces, efforts need to be made to ensure safety and trust across NFT marketplaces. The average consumer will be largely ignorant of the risks associated with NFTs and put their faith that transactions are safe. Ensuring that guidance is provided on safe usage—including methods to secure accounts and spot suspicious requests—will allow the NFT marketplace to grow.
Do you have a curiosity for the intricacies of the cybercriminal world? Do you have a passion for everything ongoing in the world of cyber threat intelligence? If so, Digital Shadows is the best place for you to keep abreast of the latest developments. Why not take a seven-day test drive of our SearchLight service, or sign up for a live demo.