How much would a daring art thief charge for the Mona Lisa? Well, about a century ago, a certain gentleman demanded about $100,000 for the painting, a sum way below the price tag estimates at the time. Stealing the painting was as easy as hiding in a closet for a night and walking out with the Mona Lisa the next day. Getting arrested was also a piece of cake: all it took was a single meeting with prospective buyers.
The Mona Lisa drama illustrates a problem that art thieves have long struggled with. Most museums hold dozens of valuable objects that tend to be relatively easy to move around or store. At the same time, these facilities often can’t afford top-notch security measures. In theory, this makes them a perfect target for thieves, but thieves who try it in practice often struggle to turn their loot into hard cash — unless they have an arrangement with a specific buyer ahead of the theft. Otherwise, the art they steal may end up stuck in the basement of their Evil Lair for years to come.
Just as an example, it took the Italian Cosa Nostra 14 years to get rid of two famous Van Gogh paintings they stole in 2002. And “get rid of” in this case means having them seized by anti-Mafia police, which is hardly the outcome they were hoping for in the first place. In a similar vein, a thief who stole a unique Picasso from Greece’s National Gallery in 2012 kept it stashed for about nine years before it was, again, seized by the police. And there are many more stories like that.
Still, thieves will never stop going after art because it is worth money — often big money. Come 2021, and a whole new art world emerges: auction houses are now dabbling in NFTs, and celebrities are flaunting their ape pics to one another. Non-fungible tokens made up a $25 billion market over the past year. And where the money goes, thieves follow.
A tale of nine stolen monkeys
As a matter of fact, cybercriminals are already exploring this novel space, stealing NFTs from collectors and enthusiasts through social engineering and vulnerabilities in marketplaces. One such theft saw three Bored Apes purportedly stolen from development coach Calvin Becerra, who had three major NFT marketplaces blacklist the stolen apes, making it impossible for the hackers to put them up for sale on those platforms. It didn’t take long for OpenSea to do the same for another batch of stolen apes.
Now, let’s do some quick blockchain sleuthing and take a look at a recent alleged NFT theft. On February 1, NFT collector Larry Lawliet reported losing several valuable NFTs, including Bored and Mutant Apes, in a suspected social engineering attack. A quick look at Larry’s wallet reveals a rapid sequence of NFT transfers to an address beginning with 0xd27 (the presumed hacker) late on January 31. Here is what happened with the apes next, as of this writing:
- Bored Ape #1606: sold by 0xd27 for 136 WETH (wrapped Ether) on OpenSea to an address beginning with 0x366. On February 5, the wallet sold the NFT back to Larry on the decentralized LooksRare NFT exchange for about the same amount in WETH.
- Bored Ape #4250: sold for 100 ETH on OpenSea to 0x1b5, who in about six hours sold it for 111 ETH to an address beginning with 0xa25 through LooksRare. As of this writing, the token still sits in that wallet.
- Bored Ape #9138: sold to 0x62b for 100 ETH through OpenSea. The new owner soon re-sold the token for 115 WETH to 0xecb, who quickly sold it to Larry for 115 ETH using the BatchSwap smart contract.
- Bored Ape #7985: sold to 0xc9d at 100 ETH through OpenSea. On February 4, 0xc9d sold it to 0x840 on LooksRare for more than 140 WETH, with no further activity as of right now.
- Mutant Ape #25971: sold to 0x3ea for 30.01 WETH on OpenSea. Not long after, 0x3ea re-sold the token back to Larry for just over 30 WETH through LooksRare.
- Mutant Ape #25970: sold to 0x43b for 25 ETH on OpenSea, then re-sold to 0xab5 for 28.5 WETH on LooksRare.
- Mutant Ape #8464: sold to 0x3ea for 30.1 WETH on OpenSea. On February 4, the address sold the token back to Larry for more than 33 WETH on LooksRare.
- Mutant Ape #3770: sold for 24 ETH to 0xf4f, who within minutes re-sold the token for 26.49 ETH to 0xe2b, both sales on OpenSea.
- Mutant Ape #2499: sold for 25 ETH to 0xa2a through LooksRare. Then, on February 2, the new owner re-sold the token to 0xd9c for 20.8 WETH on the same platform. A few hours later, the new owner sold the token to Larry for 20.9 ETH using BatchSwap.
Bear in mind that the hacker, 0xd27, sold off most of the tokens right on OpenSea, one of the biggest centralized NFT platforms, within minutes after the purported hack and before Larry posted his tweet. Even after the platform flagged the stolen tokens, they continued to change hands, mostly through the decentralized LooksRare marketplace.
But there is a caveat here. The blockchain doesn’t care whose hand holds the wallet, so it is possible to sell something to yourself if you have two or more wallets. Therefore, the entire situation may have been a case of wash trading, bouncing NFTs between wallets controlled by the same entity to amp up their perceived value. In this specific case, the presumed wash trader would have to hold enough coins on their multiple wallets to make the payments on every transfer. They would also incur hefty losses in platform and gas fees.
That said, unless proven otherwise, we can also take the situation at face value and assume that the addresses above were controlled by different people. In this case, the theft has clearly worked out in the attacker’s favor, as they were able to sell off the stolen goods within literal minutes of the scam. The victim, on the other hand, only managed to recover five of the missing apes, incurring massive extra losses to pay for their return.
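As an added illustration of the tracing done above (this script is not part of the original article), the following Python takes a constructed set of transfer records, modelled on the pattern described but using placeholder labels instead of real addresses, and reports per token whether it returned to the victim, what the buy-back cost, how many quick flips occurred, and which addresses held it more than once, which is the same footprint a wash trade between one entity's wallets would leave.

```python
from collections import defaultdict
from datetime import datetime, timedelta

VICTIM, THIEF = "victim", "thief"
# Constructed sample records (token, from, to, price in ETH/WETH, venue, time);
# labels stand in for real addresses, values are illustrative only.
TRANSFERS = [
    ("BAYC#1", VICTIM, THIEF, 0.0, "direct", datetime(2022, 1, 31, 23, 10)),
    ("BAYC#1", THIEF, "0xAAA", 136.0, "OpenSea", datetime(2022, 1, 31, 23, 25)),
    ("BAYC#1", "0xAAA", VICTIM, 136.0, "LooksRare", datetime(2022, 2, 5, 12, 0)),
    ("BAYC#2", VICTIM, THIEF, 0.0, "direct", datetime(2022, 1, 31, 23, 11)),
    ("BAYC#2", THIEF, "0xBBB", 100.0, "OpenSea", datetime(2022, 1, 31, 23, 30)),
    ("BAYC#2", "0xBBB", "0xCCC", 111.0, "LooksRare", datetime(2022, 2, 1, 5, 30)),
    ("MAYC#1", VICTIM, THIEF, 0.0, "direct", datetime(2022, 1, 31, 23, 12)),
    ("MAYC#1", THIEF, "0xDDD", 25.0, "OpenSea", datetime(2022, 1, 31, 23, 40)),
    ("MAYC#1", "0xDDD", "0xEEE", 20.8, "LooksRare", datetime(2022, 2, 2, 9, 0)),
    ("MAYC#1", "0xEEE", VICTIM, 20.9, "BatchSwap", datetime(2022, 2, 2, 13, 0)),
]

def custody_chains(transfers):
    """Group transfer records per token, ordered by timestamp."""
    chains = defaultdict(list)
    for rec in sorted(transfers, key=lambda r: r[5]):
        chains[rec[0]].append(rec)
    return chains

def analyse(transfers, victim=VICTIM, thief=THIEF, flip_window=timedelta(hours=6)):
    """Per token: came back to the victim? buy-back cost, number of resales that
    happened within flip_window of the previous hop, and repeat holders (the
    pattern a token bounced between one entity's wallets would also show)."""
    report = {}
    for token, chain in custody_chains(transfers).items():
        holders = [chain[0][1]] + [r[2] for r in chain]
        quick = sum(1 for a, b in zip(chain, chain[1:]) if b[5] - a[5] <= flip_window)
        report[token] = {
            "recovered": holders[-1] == victim and thief in holders,
            "buyback": sum(r[3] for r in chain if r[2] == victim),
            "quick_flips": quick,
            "repeat_holders": sorted({h for h in holders if holders.count(h) > 1}),
            "final_holder": holders[-1],
        }
    return report

def total_buyback(report):
    """Sum of what the victim paid to get recovered tokens back."""
    return sum(t["buyback"] for t in report.values() if t["recovered"])

if __name__ == "__main__":
    rep = analyse(TRANSFERS)
    print(rep, "\nvictim paid to recover:", total_buyback(rep))
```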
Too techie to catch
Whichever way you prefer to interpret the above example, it still highlights some of the features that differentiate NFT thefts from your regular art heists. First, the logistics are lightning-fast, and a savvy attacker may sell off the loot before the victim has even learned of the theft. Second, even if the major centralized exchanges ban listings for stolen assets, there’s always another platform to turn to. Third, even assuming every marketplace in existence red-flags the stolen NFT, you can still sell it peer-to-peer if you find a buyer.
Furthermore, a criminal looking to cash in on the stolen NFT art has more options than a simple sale. They can stake their NFTs into yield platforms, effectively handing them over to a smart contract in return for rewards based on the rarity. This removes the need for a buyer as such. Similarly, with gaming NFTs, such as Axies from Axie Infinity, they can opt to lease them out to new players looking to skip the investment needed to start playing, much like the regular “scholarship” programs.
There’s no seizing the stolen goods unless someone gets hold of the thief’s private keys. As NFTs sit on the blockchain, an immutable decentralized ledger, once the transaction moving ownership from one wallet to another is on the chain, you cannot revert it without forking the entire chain.
A mechanism propagating theft reports across marketplaces and yield platforms, both centralized and not, could help thwart thieves’ attempts to sell stolen NFTs. The marketplaces using it would red-flag the stolen NFTs, making it harder for a hacker to sell the loot. In practice, such a system would have challenges of its own to overcome, such as the prospect of malicious reports flagging legitimate transfers and transactions, and the need for timely probes into every alleged incident. Furthermore, good luck getting everyone on board, and don’t forget about the P2P sales.
With more and more hype around them, NFTs are shaping up into lucrative assets for hackers to go after. This means that collectors and marketplaces alike must pay more attention to their defenses, whether that means general vigilance, bolstering their backend, or developing their own custodial services on top of solid infrastructure. Security cannot be an afterthought, and every stakeholder in the NFT space must make sure to rely only on the best solutions and practices in the field.