Written by Marilyn Sim | Edited by Josh Lee
We’re all law and tech scholars now, says every law and tech sceptic. That is only half-right. Law and technology is about law, but it is also about technology. This is not obvious in many so-called law and technology pieces which tend to focus exclusively on the law. No doubt this draws on what Judge Easterbrook famously said about three decades ago, to paraphrase: “lawyers will never fully understand tech so we might as well not try”.
In open defiance of this narrative, LawTech.Asia is proud to announce a collaboration with the Singapore Management University Yong Pung How School of Law’s LAW4032 Law and Technology class. This collaborative special series is a collection featuring selected essays from students of the class. Ranging across a broad range of technology law and policy topics, the collaboration is aimed at encouraging law students to think about where the law is and what it should be vis-a-vis technology.
This piece, written by Marilyn Sim, discusses a question that most jurisdictions have yet to deal with – how are Non-Fungible Tokens (“NFTs”) stolen? More specifically, what does it mean for an NFT to be stolen in fact, and if it can indeed be stolen, what are the chances of an individual reclaiming his or her NFT? This paper surveys available material and finds that NFTs can be stolen in direct and indirect ways.
This paper seeks to discuss whether non-fungible tokens (“NFTs”) can be stolen and proposes solutions that may be employed to prevent the “stealing” of the NFTs. Part II explains what NFTs are, Part III discusses why NFTs cannot be said to be “stolen” per se, and Part IV details the ways in which theft has nevertheless been committed on NFTs.
For the purposes of this paper, the term “original NFT” will refer to the NFT that the author has created or allowed to be created of his/her own artwork in question.
A brief primer on NFTs
NFTs are a relatively new phenomenon in the cryptocurrency world. They have been described as a “cryptographically unique, indivisible, irreplaceable and verifiable token that represents a given asset, be it digital, or physical, on a blockchain”. What this means, essentially, is that every NFT is unique, and each one of them points to assets which include collectibles, music, deeds or even cars.
When NFTs are sold, the rights acquired by the buyers will vary according to the whims and fancies of the creator. These creators can retain ownership rights over their own work, and claim royalties from every resale. Sometimes, the seller can agree to take down the original digital object, such as in the case of the 2007 viral video “Charlie bit my finger”, which was sold as an NFT for $760,000. As part of the sale, the video was removed from YouTube.
Popular examples of NFTs include NBA Top Shots, which are NFTs linked to the National Basketball Association’s digital highlights videos. Another example would be the digital art piece known as “Everydays – The First 5000 Days” by Mike Winkelmann, which was sold for USD 69.3 million on 11 March 2021. Jack Dorsey, Twitter’s Chief Executive Officer, also recently sold his first tweet as an NFT for $2.9 million. It can be observed that, almost bafflingly, NFTs are worth a lot of money and are, ergo, a rather lucrative trade.
The process of tokenising an asset and transforming it into an NFT is as follows. First, the owner creates a digital item (an entry in a blockchain ledger) that will be linked to an asset. This can be done by way of incorporating a web uniform resource locator (“URL”) within the NFT which links to a particular digital artwork, for instance. The creation of this digital entry is known as “minting”, and the digital entry is the “token”. After its minting, the token is sold as an NFT.
Because each token minted has “a unique identifier” that is linked to one address, it is not directly interchangeable with other tokens. This is what makes NFTs distinguishable from other tokens – like snowflakes, no two NFTs (minted on the same platform) are the same.
NFTs cannot be stolen
The next preliminary question to consider is whether NFTs can be “stolen” as a matter of fact. The literature generally offers two reasons why NFTs cannot be stolen: First, NFTs do not actually incorporate the asset, and second, NFT transactions are recorded on the blockchain.
NFTs do not actually incorporate the assets referred to
Because NFTs merely “point” to the asset in question, the token is therefore not the asset itself. Hence, ownership of the NFT attributes no rights to the owner. The asset that is represented by the NFT can be viewed, circulated, and reproduced by anyone. In short, the NFT functions very much like a digital placard, in that it merely refers to the asset in question. Following this train of thought, it is thus meaningless and incongruent to speak of “stealing” an NFT.
NFT transactions are recorded on the blockchain
Next, it has been noted that when an NFT is purchased, the transaction is registered on the blockchain, which is “the public database of transactions”. As such, it is impossible to “question, challenge, obfuscate or compromise” ownership of an asset. This is because the blockchain is “transparent” in that “all transactions” are publicly visible, such that the creator, current and previous owners of the NFT in question can be viewed by anyone. As such, since any purchase of an NFT will be logged onto the blockchain, the purchaser’s ownership of the NFT is concomitantly recorded on the blockchain. This therefore also means that, as the blockchain cannot be altered, a prospective thief would not be able to steal an NFT by attributing ownership of the NFT to himself or herself.
Other forms of NFT-related theft
Notwithstanding the two commonly raised objections discussed above, there are still a few ways in which individuals have managed to “steal” NFTs from their owners, or from the rightful creators of the assets the NFTs refer to.
Stealing the identity of popular artists or celebrities
The first way that an NFT can be “stolen” is via stealing the identity of popular artists. In this scenario, the thief is not stealing from the buyer of the NFT in question – rather, the thief is stealing from the creator of the artwork which the NFT represents. More specifically, the thief is stealing from the creator the ability to create NFTs of the latter’s own artwork, by posing as said creators and profiting off their work in the process.
This is possible because it is extremely easy to “mint” a digital piece, as the individual need not prove ownership of the asset in question. Further, many platforms selling NFTs have an extremely basic verification process. They may, for instance, simply require users to submit their social media account usernames, without requiring proof that they in fact own these usernames. Some platforms such as OpenSea have also completely abandoned verification, placing the burden on its buyers to do their own research instead.
A good example of such a form of “stealing” relates to Qing Han, a famous digital artist whose art was converted to NFTs and sold by certain people after her death. One of these art pieces was “Bird Cage”, a piece Qing Han had posted on social media. Other artists who have had their identity stolen include Banksy and Derek Laufman, both of whom had their artwork minted and sold on NFT marketplaces without their consent.
There is even a web service called “Tokenized Tweets”, which turns any “tweet” it is “tagged” in into NFTs. Corbin Rainbolt, a digital artist who had been affected by this, ironically had his tweet complaining about the phenomenon also made into an NFT. Therefore, it can be seen that this practice is rather common. It seems as if these thieves need only be the first to mint and sell an NFT of a particular artwork, to be able to do so successfully. One may propose that these artists may seek recourse by requesting that the platforms take the NFTs down. The effectiveness of this solution, however, may be subject to the goodwill of the platforms. This is because if the asset in question (e.g. a digital artwork) is viewed by the platform as having “long been in the public domain”, then it has been said that anyone has the right to turn them into NFTs.
For instance, the “DEAL WITH IT” meme depicting a dog in sunglasses had been made into an NFT by its purported originator and sold for $27,000. However, a commentator noted that since there was a proliferation of DEAL WITH IT memes circulating on the internet, this was a right “anyone had before”. Therefore, it remains to be seen how effective owners’ attempts to control the use of their artwork will be, especially since it is unclear whether the commentator’s opinion is indeed accurate.
It might also be prudent to note the controversy surrounding these platforms’ intervention in the blockchain. Since the main appeal of the blockchain is its decentralised nature, these platforms may consequently approach these requests with reticence.
Additionally, even if the platforms were agreeable to taking the listing down, it may be rather tedious and unfeasible for these artists to be constantly checking the legion of NFT-hosting platforms available. It therefore seems rather difficult for artists to completely prevent their work from being made into NFTs.
Stealing via making copies of the NFT on multiple platforms
Next, another way NFTs can be “stolen” is by stealing the likeness of the original NFT. This is because the token only refers to the artwork; it does not incorporate the latter. Therefore, coupled with the fact that there are many NFT platforms, multiple NFTs that refer to copies of the same artwork can be created, with each fraudulently claiming to be the original NFT.
Therefore, while the original NFT is not stolen directly from the owner, its likeness is, in the form of other NFTs which refer to copies of the same art piece. It is therefore difficult to determine which one is the original. It also consequently diminishes the value of the original NFT, since a similar NFT referring to the same asset can be easily obtained – one need only purchase it on another platform that hosts NFTs.
Hence, in order to protect their NFTs from being duplicated without their consent, the original artists or sellers may consider publicising their account address. This is because tokens offer a chain of digital signatures which, in the best case scenario, starts from the original artist or seller.
Therefore, using Ethereum as an example, each ERC-721 token (NFTs on the Ethereum blockchain) is created and signed by the creator account. When the creator sells it to another account, the transaction is signed again by the former after transferring the token to the latter. Therefore, assuming that the signing algorithm is protected and the blockchain is secured, this “verifiable chain of signatures is difficult to refute”. As such, since Ethereum accounts rarely contain intrinsic information about the owner, the owner should make their account address known so that potential buyers will be able to identify and trace the NFTs they are purchasing to ensure that said NFTs came from the original creator/artist himself/herself.
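The tracing step described above can be sketched in code. This is an added example, not part of the original essay: it walks a token's ERC-721 Transfer events back to the mint (which the standard logs as a transfer from the zero address) and compares the minter with the artist's published address. The addresses and logs are constructed, `trace_provenance` is a hypothetical helper name, and it assumes the artist minted the token to their own published address.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20  # ERC-721 logs a mint as a Transfer from the zero address

# Constructed sample addresses (not real accounts or contracts).
ARTIST = "0x" + "a1" * 20        # the address the artist has publicised
COLLECTOR = "0x" + "b2" * 20
BUYER = "0x" + "c3" * 20
IMPERSONATOR = "0x" + "d4" * 20
GALLERY = "0x" + "e5" * 20       # contract holding the original NFT
COPYCAT = "0x" + "f6" * 20       # contract on another platform


@dataclass(frozen=True)
class Transfer:
    """One decoded ERC-721 Transfer(from, to, tokenId) event log."""
    block: int
    contract: str
    token_id: int
    sender: str
    recipient: str


# Constructed history: the original token and a copy minted elsewhere.
SAMPLE_LOGS = [
    Transfer(100, GALLERY, 1, ZERO, ARTIST),
    Transfer(180, GALLERY, 1, ARTIST, COLLECTOR),
    Transfer(240, GALLERY, 1, COLLECTOR, BUYER),
    Transfer(150, COPYCAT, 1, ZERO, IMPERSONATOR),
    Transfer(260, COPYCAT, 1, IMPERSONATOR, BUYER),
]


def trace_provenance(logs, contract, token_id, artist):
    """Walk one token's transfers back to its mint and compare the minter
    with the artist's published address. An empty `problems` list means the
    chain of holders is unbroken and starts at that address."""
    # Real logs also need the log index to order events within one block.
    history = sorted(
        (t for t in logs if t.contract == contract and t.token_id == token_id),
        key=lambda t: t.block,
    )
    if not history:
        return {"minter": None, "owner": None, "holders": [],
                "problems": ["no transfers found"]}
    problems = []
    mint = history[0]
    if mint.sender != ZERO:
        problems.append("earliest transfer is not a mint")
    if mint.recipient.lower() != artist.lower():
        problems.append("token was not minted to the artist's published address")
    holders = [mint.recipient]
    for t in history[1:]:
        # Each seller must be the holder recorded by the previous transfer.
        if t.sender.lower() != holders[-1].lower():
            problems.append(f"block {t.block}: sender was not the recorded holder")
        holders.append(t.recipient)
    return {"minter": mint.recipient, "owner": holders[-1],
            "holders": holders, "problems": problems}


if __name__ == "__main__":
    for name, contract in (("original", GALLERY), ("copy", COPYCAT)):
        print(name, trace_provenance(SAMPLE_LOGS, contract, 1, ARTIST)["problems"])
```

Both tokens end up with the same buyer and look identical on a marketplace page; only the copy fails the check, because its history starts at an address the artist never published.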
Swapping out the asset linked to the NFT (“pull the rug” risk)
Additionally, the NFT could be indirectly stolen by thieves. This can be done by way of a swap out (known as the “pull the rug” risk), whereby the seller sells a buyer an NFT that links to a particular artwork, for instance, but switches that out by linking the NFT to another piece of media midway through the sale. Hence, the original NFT is consequently stolen from the buyer, since the thief has essentially sold an NFT of a different characteristic than expected to the buyer. The thief is therefore able to retain the original NFT so as to, perhaps, be able to “sell” it to someone else, and repeat the entire process.
This would be especially lucrative for popular art pieces, since the thief can advertise and “sell” the NFT to many people, with all of them being none the wiser.
In fact, the ease at which this can be done was demonstrated by a collector on OpenSea, who, in an attempt to showcase the cracks in the NFT concept, advertised 26 artworks for sale on OpenSea, and then changed all of them to photos of literal carpets before completing the sale.
Another example would be that of Ludwig Holmen, a digital artist whose work was used by an anonymous individual to not only auction off NFTs supposedly created for a collection of Holmen’s photographs, but also to later defraud the buyers by swapping them out for images of emoticons.
Therefore, through this loophole, thieves are able to continuously “steal” the NFTs linking to the actual advertised assets from unsuspecting buyers, as these buyers would have purchased NFTs linking to (most likely) worthless digital images instead.
While the NFT buyer may be left with no recourse if he or she ends up a victim of a “rug pull”, users can adopt these preliminary measures in order to heavily minimise the possibility of being one: 
- Ensure that the artist is well-known in a top industry, or is active in the community,
- Ensure that the project does not only rely on marketing, but also provides value,
- Check if the team has conducted Ask-Me-Anything sessions to verify their sincerity and trustworthiness, and
- Ensure that NFT projects do not insert alternative links to mint their NFTs on the day of launch, as minting should only occur on the official website.
To illustrate how the insertion of alternative links is done, imagine a seller selling a title cert for BlackAcre written using an erasable pen. After completing the sale, the seller then erases the title and changes it to “WasteAcre”, before handing the title cert over to the buyer.
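A buyer-side check for the swap-out described above, as an added example that is not part of the original essay: record a digest of what the token points to when it is listed, then compare again before paying. It assumes ERC-721-style JSON metadata with an `image` field; the URIs and file contents are constructed, and `fetch` stands in for whatever HTTP or IPFS client is used.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample: the token's URI and the files served at listing time.
TOKEN_URI = "https://nft.example/meta/26.json"
IMAGE_URI = "https://nft.example/img/26.png"
METADATA = json.dumps({"name": "Artwork #26", "image": IMAGE_URI}).encode()
HOST_AT_LISTING = {TOKEN_URI: METADATA, IMAGE_URI: b"<advertised artwork bytes>"}
# Same URIs at settlement; only the hosted image file was replaced.
HOST_AT_SETTLEMENT = {TOKEN_URI: METADATA, IMAGE_URI: b"<photo of a carpet>"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(token_uri, fetch):
    """Record what a token points to right now.

    `fetch` is any callable mapping a URI to bytes (hypothetical; in
    practice an HTTP or IPFS gateway client).
    """
    metadata_bytes = fetch(token_uri)
    image_uri = json.loads(metadata_bytes).get("image", "")
    return {
        "token_uri": token_uri,
        "metadata_sha256": sha256_hex(metadata_bytes),
        "image_uri": image_uri,
        "image_sha256": sha256_hex(fetch(image_uri)) if image_uri else None,
    }


def mutable_locations(snap):
    """URIs whose content the host can replace without the URI changing.

    Only ipfs:// URIs are treated as content-addressed; anything else
    (https://, http://, ...) names a location, not the content itself.
    """
    return [u for u in (snap["token_uri"], snap["image_uri"])
            if u and urlparse(u).scheme != "ipfs"]


def changed_fields(listed, current):
    """Names of snapshot fields that differ between listing and now."""
    return sorted(k for k in listed if listed[k] != current[k])


if __name__ == "__main__":
    listed = snapshot(TOKEN_URI, HOST_AT_LISTING.__getitem__)
    current = snapshot(TOKEN_URI, HOST_AT_SETTLEMENT.__getitem__)
    print("mutable:", mutable_locations(listed))
    print("changed since listing:", changed_fields(listed, current))
```

In the sample, the token URI, the metadata and the image URI are all unchanged; only the image digest differs, which is why a check on the token or its link alone does not catch the swap.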
The final and most direct way NFTs can be stolen is via hacking. Notwithstanding the immutability of blockchain records (as explained above), there are two ways in which the blockchain can nevertheless still be altered: by hacking NFT-hosting online platforms, and by trickery.
Hacking NFT-hosting online platforms
Under this method, the thieves would log into platforms hosting NFTs and access the accounts of certain users, before selling the NFTs owned by them and/or buying and selling NFTs using their accounts.
To do so, however, these thieves would have to have access to a user’s 12-word seed phrase, which is a recovery phrase given to users when they create their crypto wallets. Therefore, if these users were to link that wallet to any NFT platform, then as long as hackers are able to access the seed phrase, they would be able to steal a user’s funds and NFTs in his or her crypto wallet.
In fact, Nifty Gateway, one of the major NFT-hosting online platforms, was a target for such hacks. In mid-March 2021, some users who had not set up two-factor authentication saw their accounts hacked, presumably with key-logger malware. The NFTs they owned were then sold for thousands of dollars, and their credit cards on file were used to buy more NFTs, which were also subsequently sold.
This hack would be easily reversed (i.e. the NFTs would be recoverable) if the NFTs were to still be circulating on the Nifty Gateway Platform, and indeed, in this case, they were. However, it was noted that if the hackers had transferred the art outside Nifty Gateway, it would most likely be lost due to the “irreversible nature of blockchain transactions”. Therefore, once a stolen NFT is transferred either by the holder or smart contract, it cannot be reversed; this “immutability” is inherently a “part of the design of NFTs”. Therefore, should any hacker be shrewd enough to transfer the stolen NFTs outside of Nifty Gateway’s (or any other NFT-hosting platform’s) wallets, those NFT keys would be irretrievable.
Sometimes, hackers have also managed to successfully trick individuals into giving up their NFTs.
This happened to Calvin Becerra, who said that hackers had posed as interested buyers in a Discord channel and pretended to assist him in solving an issue concerning his cryptocurrency wallet. They then tricked him into choosing “an option and took everything” – with “everything” referring to three NFT images from the Bored Ape Yacht Club collection. Therefore, it is clear that hackers have also employed “social engineering” schemes in order to gain access to and subsequently steal NFTs.
One proven (and informal) method to regain the NFTs lost in this manner is to publicise what had occurred on social media. As in Becerra’s case, doing so spurred NFT marketplaces such as OpenSea, Rarible, and NFT Trader to ban the sale of the stolen apes on their platforms, resulting in the thieves returning Becerra one of his apes. In fact, this is a good illustration of Lawrence Lessig’s idea that “code is law” – more specifically, Lessig explains that the code, or software, is able to set certain features that “constrain some behaviour” by “making other behaviour possible, or impossible”. Thus, by banning the sale of the stolen apes, the aforementioned NFT marketplaces had made it impossible for the thieves to sell and profit off of said stolen apes.
This is clearly a rather exclusive method, however, as it depends on the amount of influence and reach one has on social media. Further, the intervention of these NFT marketplaces has already received flak. Many have pointed out that this was incommensurable with the decentralised nature of the blockchain, the very basis for the creation of the blockchain in the first place. Therefore, for subsequent situations, it may be unlikely that these marketplaces will often assist in the retrieval of stolen NFTs, if at all.
It seems as if the prospect of recourse, should one’s NFTs ever be stolen via any of the above methods, is minuscule. It will therefore be prudent of users to be punctilious in adopting precautionary measures so as to reduce the risk of falling victim to any of the above methods of NFT theft (or any other which may arise as the NFT landscape develops and burgeons).
This piece was published as part of LawTech.Asia’s collaboration with the LAW4032 Law and Technology module of the Singapore Management University’s Yong Pung How School of Law. The views articulated herein belong solely to the original author, and should not be attributed to LawTech.Asia or any other entity.