Nonfungible tokens (NFT) are virtual records of ownership of either physical assets or digital assets, such as digital artwork, concert tickets, or access to games. The value of NFTs differs based on the unique characteristics of the underlying asset. Their nonfungible characteristic differentiates them from fungible crypto assets (such as bitcoin), which are interchangeable with other units of the same asset. NFTs have existed since 2014, and their market value increased substantially as of 2021, when the NFT market was valued at several billion U.S. dollars. Daily average online NFT sales now equal over $50 million. The highest price for an NFT recorded so far was $69.3 million for a series of digital artwork by the artist Beeple, which was sold at Christie’s. Global participation in the NFT market is expected to further increase from 5 million users in 2021 to 20 million users in 2027 as more buyers and sellers become aware of NFTs (Statista, Market Insight, 2023, https://tinyurl.com/y949cdth). This article explains how NFT technology works and explores several types of NFT frauds and how the risks therein can be reduced.
NFTs are included on a blockchain by a smart contract, which is self-executing code that creates (mints) the virtual record of ownership (a token), assigns a unique ID (hash value) to the underlying asset, and creates metadata about the unique properties of the underlying asset. The smart contract containing the NFT’s virtual record of ownership is kept on a blockchain, which is a cryptographically secure transactional singleton machine with a shared state. This facilitates verifying the existence of the NFT and the rights of the NFT owner, as everyone can consult historical ownership information on the Ethereum blockchain based on the 42-digit address (S. Ferris and P. Rehm, “What CPAs Need to Know About NFTs,” Journal of Accountancy, October 2022). Ethereum is the most popular blockchain for NFTs, followed by alternative blockchains such as Solana and Polygon.
The minting process takes place on an online platform that collects a minting fee for the creation of the NFT. After being minted, an NFT is stored in an online account (hot wallet) and can be listed for sale on an online marketplace. When an NFT is listed for sale, the value of the NFT is determined by the owner. NFTs can also be listed for auction. When an NFT is sold, there will be an NFT transfer from the seller’s wallet to the buyer’s wallet in exchange for crypto assets, and the new record of ownership is stored on the blockchain. Rather than being sold for crypto assets, NFTs can also be traded (swapped) between NFT owners. Since May 2021, over 20,000 NFT trades have taken place with a total value exceeding $490 million (Elliptic, NFTs and Financial Crime. https://www.elliptic.co/resources/nfts-financial-crime, 2022).
An NFT’s value is subjective and depends on the type of underlying asset, its scarcity, and its marketability (M. L. Murphey, “NFTs Come with Big Valuation Challenges,” Journal of Accountancy, July 2021). Single-use NFTs, such as virtual concert tickets, can decrease significantly in value. Reusable NFTs, such as digital art or music, can retain, appreciate, or decrease in value when they are resold on online marketplaces. Given that digital images can often also be copies from websites, the value of the NFT seems mainly driven by having unique rights to the asset. These rights are not necessarily full ownership, as it is possible that ownership rights remain with the artist who created the NFT. It is therefore important for investors to verify which specific rights are linked with individual NFTs by carefully reading the smart contract associated with the NFT.
Although the prevalence of crimes related to NFT purchases currently accounts for a relatively small proportion of total NFT transactions (Elliptic, 2022), the impact of NFT fraud for individual buyers can be significant, as criminals take an average of $300,000 per fraud event. These fraud instances also cause reputational damage to the NFT industry. Therefore, it is important for NFT buyers to have an understanding of fraud schemes that are prevalent in the NFT market.
The value of an NFT is based upon its unique properties and its popularity, which can be boosted by fraudulent means. Wash trading is a fraud technique that involves creating an illusion of high demand for an NFT through artificial NFT sales volumes (A. Jayant, “The Economics of Wash Trading,” Working paper, 2023, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4610162). This happens when fraudsters create seemingly unrelated wallets and sell NFTs to themselves to inflate their price. As the historical record of ownership is stored on the blockchain, interested buyers may incorrectly believe that these historical sales are a valid indication of price increases for the NFT. Price manipulations of digital assets are currently insufficiently monitored by any regulatory body (D. Dupuis, D. Smith, and K. Gleason, “Old Frauds with a New Sauce: Digital Assets and Space Transition,” Journal of Financial Crime, vol. 30, no. 1, 2023, 205–220).
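The self-dealing pattern described above can be screened for in a token's sale history. The following is an added example, not code from the article: it flags tokens that return to an earlier owner or whose trading wallets all share one funding source. The sale records, wallet names, and the `FUNDED_BY` map are constructed, hypothetical inputs.

```python
from collections import defaultdict

# Constructed sample sales: (token_id, seller, buyer, price_eth). Not real data.
SALES = [
    (1, "0xA1", "0xB2", 1.0),
    (1, "0xB2", "0xC3", 2.5),
    (1, "0xC3", "0xA1", 6.0),   # token returns to its first seller
    (2, "0xD4", "0xE5", 1.2),
    (2, "0xE5", "0xF6", 1.3),
]
# Constructed map of wallet -> address that first funded it (a hypothetical field
# an analyst would derive from each wallet's earliest incoming transfer).
FUNDED_BY = {"0xA1": "0xFEED", "0xB2": "0xFEED", "0xC3": "0xFEED",
             "0xD4": "0x1111", "0xE5": "0x2222", "0xF6": "0x3333"}

def wash_trade_flags(sales, funded_by):
    """Return {token_id: [reasons]} for tokens whose sale history looks self-dealt."""
    by_token = defaultdict(list)
    for token_id, seller, buyer, price in sales:
        by_token[token_id].append((seller, buyer, price))

    flags = {}
    for token_id, trades in by_token.items():
        reasons = []
        past_owners = set()
        for seller, buyer, _ in trades:
            past_owners.add(seller)
            # Round trip: the buyer already held this token earlier in its history.
            if buyer in past_owners:
                reasons.append(f"round-trip to {buyer}")
        # Common funder: every wallet in the chain was funded from one source.
        wallets = {w for s, b, _ in trades for w in (s, b)}
        funders = {funded_by.get(w) for w in wallets}
        if len(wallets) > 1 and len(funders) == 1 and None not in funders:
            reasons.append(f"all wallets funded by {funders.pop()}")
        if reasons:
            flags[token_id] = reasons
    return flags
```

A flag is a prompt for closer review of the price history, not proof of fraud; legitimate owners do sometimes buy a token back.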
Pump-and-dump schemes are another means to inflate the value of an NFT by using social media and celebrity endorsements to create an illusion of marketability. After its sale, the NFT does not sustain its value when the social media promotion or endorsement halts. For example, in 2021, Rapper Lil Uzi promoted Eternal Beings NFTs on his social media accounts. The NFT collection contained over 11,111 computer-generated avatars that looked like the rapper. The NFTs were sold for $335 per NFT. After the sale, the rapper deleted the social media posts that related to the NFT collection. It was unclear for buyers whether the rapper was on the actual team at Eternal Beings or if he was paid for the promotion. The price of the NFTs subsequently dropped to $225 each (M. Elibert, “Did Lil Uzi Vert Sabotage Eternal Beings NFT for Album Studio Time?” https://tinyurl.com/sdmfjw5f, 2021).
A second type of fraud scheme on NFT markets is the “pull-the-rug” scam. These involve larger NFT projects where developers outline future plans, such as game development, and then raise funds via presales or auctions to achieve milestones for further development of the project. After buy-in from investors, scammers transfer the cryptocurrency collected from investors, shut down the project, and delete all online traces of it. Fraudsters prey on a fear of missing out, which is more prevalent when general market prices of NFTs are rising, allowing fraudsters to collect cryptocurrency from investors believing they are investing in legitimate NFT projects. In 2022, a pair of 20-year-olds were arrested in Los Angeles and charged with scamming buyers of NFTs for a total of $1.1 million (J. Godoy, “Two U.S. Men Arrested for $1 mln Non-Fungible Token ‘Rug Pull’ Scheme,” Reuters, 2022, https://tinyurl.com/a7r7s2at). Their NFT project, “Frosties,” depicted snowman-like characters, and NFT buyers were promised access to a metaverse game. However, the pair never developed the game and abandoned the project after transferring the cryptocurrency proceeds of the project to other accounts under their control. In total, over 250 NFT projects have so far been labeled as pull-the-rug scams (J. Huang, N. He, K. Ma, J. Xiao, and H. Wang, “A Deep Dive into NFT Rug Pulls,” Working paper, 2023, https://arxiv.org/pdf/2305.06108.pdf).
Between July 2021 and July 2022, over $100 million worth of NFTs were publicly reported as stolen through scams (Elliptic, 2022). The actual numbers are likely to be higher, as thefts are not always publicly reported. The largest NFT theft to date—since the first recorded NFT theft in the spring of 2020—concerns the Lympo theft. Hackers stole tokens with a total value of $18.7 million from Lympo’s hot wallet in January 2022 (S. Mashchenko, “From Inception Till Today: The Biggest NFT Heists,” https://tinyurl.com/4943wtsb, 2022).
NFT theft often involves gaining access to victims’ wallet login information to steal digital assets. Frequently, login information is stolen by impersonating NFT marketplace staff and compromising their accounts. Login information can also be accessed through phishing links posted to the social media accounts of NFT projects.
Another technique involves tricking wallet owners into providing approval for others to manage their assets. This happens when scammers pretend to start a legitimate NFT project and ask victims to digitally sign false transactions to gain access to the wallet.
A last NFT theft technique involves “airdropping” NFTs into a user’s wallet. Receiving unsolicited NFTs in a wallet can be part of a legitimate advertising campaign to generate interest for a new token. However, scammers can also gain access to the victim’s wallet when the victim tries to claim the airdrop. Specifically, a victim may redeem the airdropped NFTs for cryptocurrency via a link to the scammer’s phishing website where a false transaction is digitally signed, thus providing information that subsequently leads to the theft of the contents of the victim’s wallet.
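Both the false-approval and airdrop schemes above depend on the victim signing a transaction without knowing what it grants. The following is an added example, not code from the article: a pre-signing check that decodes the two standard token approval calls (`setApprovalForAll` from ERC-721 and `approve` from ERC-20/ERC-721) and reports who would gain control. The sample operator address, the calldata, and the allow-list are constructed assumptions.

```python
# Function selectors defined by the ERC-721 / ERC-20 token standards.
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256)

# Constructed sample: an unknown operator asking for control of a whole collection.
SAMPLE_OPERATOR = "0x" + "00" * 16 + "deadbeef"
SAMPLE_CALLDATA = "0xa22cb465" + "00" * 12 + SAMPLE_OPERATOR[2:] + "00" * 31 + "01"

def review_calldata(calldata_hex, trusted_operators):
    """Describe what a transaction's calldata would approve before it is signed."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    # Both calls are a 4-byte selector followed by two 32-byte argument words.
    if len(data) != 4 + 32 + 32 or data[:4] not in (SET_APPROVAL_FOR_ALL, APPROVE):
        return {"kind": "other", "risk": "unknown"}
    selector, arg1, arg2 = data[:4], data[4:36], data[36:68]
    spender = "0x" + arg1[12:].hex()      # an address is the low 20 bytes of its word
    value = int.from_bytes(arg2, "big")
    if selector == SET_APPROVAL_FOR_ALL:
        if value == 0:
            return {"kind": "revoke-all", "operator": spender, "risk": "low"}
        kind = "approve-all"              # operator may move every token in the collection
    else:
        kind = "approve-one"              # spender may move one token id or amount
    trusted = spender in {o.lower() for o in trusted_operators}
    return {"kind": kind, "operator": spender, "risk": "low" if trusted else "high"}
```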
Stolen NFTs are typically sold as quickly as possible, and criminals list them at low prices so that bots will purchase them, often before the victim has realized the theft and reported the asset as stolen. NFT marketplaces should consider this a red flag when monitoring theft behavior. They have the possibility to mark NFTs as linked with suspicious activity, to freeze them, or delist them.
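The red flag described above (a quick, low-priced listing right after a token changes wallets) can be expressed as a monitoring rule. The following is an added example, not code from the article or from any marketplace: the event records, field names, and both thresholds are constructed assumptions.

```python
from statistics import median

# Constructed marketplace events, timestamps in seconds. Not real data.
EVENTS = [
    {"t": 1000, "type": "sale", "token": 7, "price": 10.0},
    {"t": 2000, "type": "sale", "token": 8, "price": 12.0},
    {"t": 3000, "type": "sale", "token": 9, "price": 11.0},
    {"t": 5000, "type": "transfer", "token": 7, "to": "0xBAD"},   # moved without a sale
    {"t": 5240, "type": "listing", "token": 7, "by": "0xBAD", "price": 2.0},
    {"t": 6000, "type": "listing", "token": 8, "by": "0xOWN", "price": 11.5},
]

def suspicious_listings(events, max_gap_s=3600, max_price_ratio=0.5):
    """Flag listings made soon after an unpaid transfer-in and far below recent sales.

    Both thresholds are illustrative assumptions, not values from the article.
    Returns (token, lister, seconds_since_transfer, price_ratio) tuples.
    """
    recent_sales, last_transfer_in, flagged = [], {}, []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "sale":
            recent_sales.append(e["price"])
        elif e["type"] == "transfer":
            last_transfer_in[(e["token"], e["to"])] = e["t"]
        elif e["type"] == "listing" and recent_sales:
            reference = median(recent_sales[-20:])   # recent collection price level
            moved_at = last_transfer_in.get((e["token"], e["by"]))
            quick = moved_at is not None and e["t"] - moved_at <= max_gap_s
            cheap = e["price"] <= max_price_ratio * reference
            if quick and cheap:
                ratio = round(e["price"] / reference, 2)
                flagged.append((e["token"], e["by"], e["t"] - moved_at, ratio))
    return flagged
```

A flagged listing is a candidate for the marketplace actions the paragraph names: marking, freezing, or delisting pending review.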
Smart contract audits can be useful before the launch of an NFT project, because they provide a thorough examination of the code that governs the smart contracts of an NFT to identify potential vulnerabilities and errors. For example, the audit will verify that the smart contract complies with regulatory requirements and will assess security vulnerabilities, such as unauthorized access and bugs. U.S. service providers for smart contract audits include Consensys Diligence, Trail of Bits, and OpenZeppelin, among others.
When buying or selling NFTs, one risk-mitigating strategy is to use mainstream NFT platforms. OpenSea is currently the largest NFT marketplace, followed by Rarible, AtomicHub Market, Nifty Gateway, and Mintable. Reputable NFT platforms usually require participants to prove their identity (e.g., passport or driver’s license) before they are allowed to mint NFTs. The URLs of these NFT platforms should also be checked to ensure that they are indeed the genuine URL of the platform’s website. It is also wise to verify the user’s wallet contents on their NFT marketplace profile and to trace the transaction history of the NFT to verify who owns it before initiating a transaction. Investors should be wary of large NFT projects that are unoriginal, vague, overly ambitious, or have an anonymous development team. Some crowd-source based channels maintain a list of NFT rug pull scams. Individuals should be vigilant of online platforms calling out a certain account or server as a scam, be cautious with airdropped NFTs, and not engage with NFTs that are marked by a marketplace as “reported for suspicious activity.”
It is more secure to store NFTs offline in a cold storage hardware wallet, which has a unique ID and is password protected, rather than in a hot wallet. By storing NFTs offline, hackers cannot gain access to the wallet. Specialized software can also be purchased to screen NFT wallets and transactions to verify if funds originate from NFT scams, sanctioned entities, or other types of illicit activity such as dark web marketplaces. A list of specially designated nationals (SDN) is maintained by the Treasury Department (https://tinyurl.com/y5cvaact); as the majority of NFT scammers have laundered their proceeds via Tornado Cash, it has been included on the lists. Enabling two-factor authentication of the NFT platform is also an excellent feature to lower the possibility of unauthorized access. Finally, as a precaution, VPN services can be used to encrypt online transactions.
The market for NFTs has substantially grown during the last few years. Because NFT frauds typically result in significant losses for individual market participants, it is important for NFT investors to understand the typical NFT fraud techniques and how to lower their exposure to NFT fraud risk. The most common NFT fraud schemes are wash trading, pump-and-dump schemes, pull-the-rug schemes, and NFT thefts. As the market continues to grow, the ingenuity of fraud schemes unfortunately also evolves. Reducing exposure to NFT fraud risk can be accomplished by smart contract audit services, thorough research on NFT platforms and sellers, and strong cybersecurity practices.
The CPA Journal is a publication of the New York State Society of CPAs, and is internationally recognized as an outstanding, technical-refereed publication for accounting practitioners, educators, and other financial professionals all over the globe. Edited by CPAs for CPAs, it aims to provide accounting and other financial professionals with the information and analysis they need to succeed in today’s business environment.
