Recent months have seen an explosion in consumers’ interest and investment in non-fungible tokens (“NFTs”). March 2021 has already seen the sale of some of these NFTs for tens of millions of dollars. The proliferation of these tokens and sites dedicated to the sale and custody of these tokens has, however, also led to increased criminal activity. Investors and buyers can take certain basic steps to protect themselves from these attacks.

What are NFTs?

NFTs refer to unique bits of code (hashed “smart contracts”) that are typically (though not always) stored on the publicly-accessible Ethereum blockchain. These “smart contracts” in turn point to content (e.g., an artist’s digital painting, a sports highlight) that resides at a location on the internet (and which can be viewed).

The provenance of these NFTs can then be tracked across the public blockchain, providing end-purchasers with a built-in chain of authenticity.

However, because of the nature of blockchain transactions, if an NFT is compromised or stolen, it may not be recoverable by the rightful owner. It is therefore important to take even greater caution with these assets than with traditional online accounts. It is best to view NFTs as more closely akin to a physical piece of artwork than to an online bank account.

What are scams and risks to know about concerning NFTs?

• NFTs that resemble a reputable source’s content and that purport to have been created by reputable sources can be faked. These counterfeits may be passed off as the real thing and sold.
• Given that any piece of content can be tokenized, NFTs that purport to have been created by a reputable source can be passed off as a real, new creation, and sold.
• Phishing sites that mimic reputable NFT exchanges can steal log-in credentials, leading to the theft of a collector’s NFTs.
• Scammers have set up unauthorized customer support channels and social media accounts that pretend to be affiliated with NFT exchanges in an effort to steal customer information and compromise accounts.
• Owners of an NFT may unscrupulously hype an asset in order to inflate the value, only to cash out leaving others to suffer from the subsequent decline in value.

What steps can I take to protect myself?

• Where possible, implement two-factor authentication protocols for account access. Physical token generators, device-based authenticator apps, and push authentication are more secure than text message or email-based two-factor.
• Protect username/password – don’t hand it out to anyone; no one legitimate would ask for it. As with any online account, it is important to change passwords regularly, and refrain from using the same password across multiple accounts.
• Ensure that the site on which you’re purchasing the NFT is legitimate. Don’t click on links sent to you via email or social media from a person you don’t know; when in doubt, don’t follow links and enter the known URL into the browser yourself.
• Conduct due diligence on the NFT you’re buying: perform a reverse image search on what you’re buying, andif it appears on a number of NFT exchanges/markets, it may not be legitimate; make sure that the release comes from an expected source, i.e., the artist’s own social media/website.

As a technology and a medium, NFTs are still in their infancy, so it’s important to keep informed of new developments in the industry, and new precautions that you should take to secure what could be valuable assets.

If you believe you have been a victim of a scam involving NFTs, please call our Cybercrime and Identity Theft Bureau at 212-335-9600. You can also submit tips anonymously to our Office through Signal, Wickr, Telegram, or WhatsApp at (347) 463-2198.