NFT trading involves serious amounts of money. With Bored Ape tokens raking in millions of dollars and lesser-known projects still bringing in thousands, it’s no surprise that the NFT space has attracted thieves. While blockchain technology makes property bulletproof, creative NFT thieves are still finding ways to get their hands on your treasured collectibles.
To help keep your tokens safe, we describe below how thieves steal NFTs. If you’re unlucky enough to become a victim of theft, we’ve also explained how to report a stolen NFT on OpenSea and Rarible.
How are NFTs stolen?
While blockchains such as Ethereum are virtually impossible to hack thanks to cryptography, attackers exploit weaknesses elsewhere in the chain of custody. NFT theft is therefore usually the result of human error in one form or another.
Phishing is a method that hackers and scammers use to steal your NFTs. It usually involves a fake message about NFTs that tries to get you to click on a particular link.
This link may lead to malware or a virus that could compromise your computer. More commonly nowadays, however, clicking on such a link takes you to another website that asks you to enter the secret recovery phrase for your NFT or crypto wallet.
There are many cases of people who are unfamiliar with these tactics falling for such attacks and having their NFTs and crypto stolen.
While the blockchain itself is very difficult to hack, hackers can steal NFTs using phishing attacks. This is dangerous and common on social media apps like Discord, where hackers create identical copies of the profiles of various blue-chip NFT projects and notify users about a fake giveaway or mint release. People who fall for this are asked to enter their secret recovery phrase. If the victim does so, they will lose their NFT and crypto assets completely.
So, never give your secret recovery phrase to any website, not even OpenSea, Rarible or any other NFT platform.
If you ever come across such a website, or someone asks you for your secret recovery phrase, you can be 110% sure that it is a scam or a phishing attack aimed at you.
Finally, beware of any links, especially spam links, that you click on in your email and especially on Discord, as these links can sometimes contain malware or viruses that can attack your computer.
The more sophisticated form of theft involves hackers identifying exploitable code in websites and smart contracts. These holes in the code’s logic allow attackers to run unintended code or gain permission to do things they wouldn’t otherwise do. Recently, for example, the Treasure Marketplace (https://twitter.com/Treasure_DAO/status/1499386558230769664) was hit by a wave of thefts where a hacker discovered an exploit and was able to mine hundreds of NFTs for free.
These kinds of exploits are hard to avoid because they depend on the quality of the underlying website and smart contract code, something that is out of the hands of the typical collector. Fortunately, in the case of the Treasure marketplace, the NFTs were quickly returned and the situation was resolved. As the nascent NFT space takes shape, these bugs and vulnerabilities are likely to become less common.
Falling victim to a phishing scam is a common occurrence in the NFT space. With so much money involved in NFTs and trading happening at breakneck speed, phishing is commonplace right now. Recently, for example, scammers used OpenSea’s migration of old listings to trick people out of NFT ownership. Ingenious yet devious scammers used phishing links that looked and sounded official to make off with over a million dollars’ worth of NFTs, including Bored Apes, Mutant Apes and Azuki tokens.
Hackers also search for information through communication channels such as Discord, Twitter and YouTube comments. Presenting themselves as well-known investment gurus, these fake accounts are simply looking for wallet information such as seed phrases and passwords. Give these scammers enough information and they will drain your wallet of your NFTs and crypto.
Another growing form of scam in the NFT space is art theft: collections of tokens made from artwork whose artists are completely unaware that their work is being used for this purpose. These often include fan art from popular games and shows or conceptual art from places like DeviantArt (https://www.deviantart.com/). A good source of information on how to deal with this form of theft is the Twitter account NFT theft (https://twitter.com/NFTtheft), which specializes in helping artists get NFTs that use their work removed.
NFTs are safe. Exploits are extremely rare and phishing scams can be easily avoided. With the NFT space still in its infancy, the ecosystem’s security is surprisingly robust, despite some exploits being identified. Phishing will forever remain a problem as people try to separate investors from their valuable NFTs, but as the space evolves, these types of attacks will be easier to spot.
Ways to prevent phishing attacks include:
- Do not click on links: hover over links and carefully inspect the URL before continuing.
- Never disclose personal information: this can be used to access accounts and possibly crypto wallets.
- Change your passwords regularly: hackers are ingenious and can find passwords in all sorts of ways. Changing them regularly will help you avoid losing your Marketplace account.
- Never give your secret recovery phrase to anyone or any site: this is the most important one. Your secret recovery phrase is like the master key to your NFT and crypto assets, so never give it to anyone. It should only be used to recover a crypto wallet. Once you lose it, you will lose all your NFT and crypto assets.
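To illustrate the "inspect the URL" advice above, here is an added example (not from the original article or from any marketplace's code) that applies the same inspection in JavaScript, judging a link by the host the browser would actually contact. The allowlist of official domains and the sample links are assumptions constructed for the example.

```javascript
// Added example: judge a link by the host the browser would actually contact.
// OFFICIAL_DOMAINS is an assumption taken from the marketplaces this article names.
const OFFICIAL_DOMAINS = ["opensea.io", "rarible.com"];

function inspectLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG URL parser, the same rules browsers apply
  } catch {
    return { verdict: "reject", reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // In "https://opensea.io@other.example/" the real host is other.example.
    return { verdict: "reject", reason: "userinfo hides the real host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    // Non-ASCII hosts are serialized as punycode; none of the listed domains need it.
    return { verdict: "reject", reason: "punycode host, possible look-alike letters" };
  }
  const match = OFFICIAL_DOMAINS.find((d) => host === d || host.endsWith("." + d));
  if (match) {
    return { verdict: "official", reason: "host belongs to " + match };
  }
  // A brand name inside some other registrable domain is the classic lure.
  const brand = OFFICIAL_DOMAINS.map((d) => d.split(".")[0]).find((b) => host.includes(b));
  if (brand) {
    return { verdict: "reject", reason: "mentions " + brand + " but is a different domain" };
  }
  return { verdict: "unknown", reason: "host is not on the allowlist" };
}

// Constructed sample links (not real phishing URLs).
const SAMPLE_LINKS = [
  "https://opensea.io/collection/example",
  "https://opensea.io.listing-migration.example/login",
  "https://opensea.io@wallet-check.example/",
  "https://opens\u0435a.io/", // \u0435 is Cyrillic, not the Latin letter "e"
  "https://rarible.com.example/claim",
];
for (const link of SAMPLE_LINKS) {
  console.log(inspectLink(link).verdict.padEnd(8), link);
}
```

An "official" verdict only tells you where the link goes; no site, official or not, should ever be given your secret recovery phrase.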
If you’ve discovered that your NFT has been stolen, deleted, or frozen on OpenSea, here’s what you’ll want to do:
- Email [email protected]
- Use the term “Stolen NFT” in your subject line
- In the body detail the token ID, URL, collection and leave a contact address.
- You should also include as much information as possible about how the NFT was obtained illegally.
Reporting a stolen or fraudulent NFT to Rarible is also relatively easy:
- Go to Rarible.com (https://www.rarible.com)
- Find the search button and type the name of your NFT collection and the ID of the token
- Once you have found the listing for your stolen NFT, look for the “…” button next to the title of the NFT
- Scroll down this list and click on “report”
- A pop-up will appear where you can describe the problem.
- After reporting the NFT, proceed with an email to [email protected] describing the situation with as much information as possible.
While you will hopefully never need to know how to report a stolen NFT on OpenSea and Rarible, with this knowledge you at least know the best way to quickly resolve the situation should the worst happen.