The FBI Las Vegas Field Office wants to ensure community standards for buying, selling, and trading NFTs are followed by interested parties. By following common-sense community standards, you can help the NFT community thrive and keep participants free from life-altering financial losses or worse.

NFT theft

Even in down traditional and crypto markets, NFT theft has increasingly become a community targeted by criminals of all stripes. Some NFT collections have become valuable and the darling of high-tech theft. NFT collections such as Bored Ape Yacht Club, Mutant Ape Yacht Club, Cyber Punks, Azuki, and Cool Cats have elevated floor valuations and contain individual NFTs that are highly valuable. It shouldn’t be any surprise these are being targeted by thieves.

How they do it

Typically, it’s social engineering coupled with some technical know-how. Criminal adversaries will find NFTs they’re interested in on social media or on exchanges and target them. Social media platforms are popular for chatting about buying, selling, and trading NFTs, amongst many other NFT topics. Owners of valuable NFTs can be lured into using a social media site rather than the exchanges to complete a transaction by attempting to avoid commissions, higher prices, and/or unbalanced trades (in favor of the legitimate owner). Once a trade agreement has been reached between the legitimate owner and the criminal, the criminal sets up the trade and returns with a link in a direct message. Upon clicking the link the legitimate owner will see exactly what they expect to see. What the legitimate owner is really seeing, however, is a fake (phishing) site styled to look exactly like a legitimate site. It all looks good to the legitimate owner, and he/she links his/her digital wallet to the site and executes the trade. Upon doing so the legitimate owner has granted full access to his/her digital wallet and will quickly notice all his/her NFTs have been stolen. The stolen NFTs are listed on an exchange at a discounted price and quickly sold. The funds from the resulting sale are run through several wallets and/or mixers to “wash” it. Viola, a new victim is born.

How to defend against it

Since NFT theft can take place as a “drive-by” theft or over a period using social engineering tactics, it’s important to adhere to community standards to protect yourself.

1. Do your due diligence. Check multiple NFT exchange sites to see if the NFT(s) you’re interested in have been flagged for suspicious activity.
2. Check social media sites for chatter related to NFT(s) you’re interested in.
3. Be suspicious of deeply discounted NFTs. For example, if you know the floor price of a collection is 100 ETH, be suspicious if you can buy into the collection for 50 ETH.
4. Don’t be afraid to contact current or previous owners. There are a myriad of ways to contact owners—even anonymously—either via blockchain explorer or the applications you use.
5. Transactions are written permanently to a public blockchain. To add an extra layer of protection, you can view anyone’s wallet activity on a blockchain explorer such as Etherscan. You can also view a specific NFT’s activity on NFT exchange websites and/or the blockchain. Blockchain explorers can provide a wealth of useful information.
6. Store your NFTs and other digital assets in a hard-wallet as opposed to software wallets or on an exchange. As the old saying in crypto goes “not your keys not your crypto". The same can be applied to NFTs.
7. If you are going to execute a trade, initiate it from a trusted trading website or exchange and not from a social media DM containing a link. If you see one of these, chances are good you're being phished.
   Adhering to these community standards will keep the NFT markets fun and more importantly, safe.
   What to do if you become a victim
8. First thing to do is report it. You can report it to your local FBI Field Office or report it to IC3.gov. Have as much detail as possible ready for the complaint and for when an FBI agent reaches out to you.
   Important reminder
   If you knowingly buy, sell or trade an NFT you know or suspect is stolen, you could be committing a crime.