However, given the world we live in, it was only a matter of time before malicious actors sought to capitalise on this newfound interest in NFTs. In this blog post we will dissect what NFTs are, the astonishing amounts they sell for and the social engineering behind the successful theft of almost a quarter of a million pounds.
The best way to define an NFT would be to start with the NF (or non-fungible) part. To say something is non-fungible is to say that the asset cannot simply be replaced with something else of a similar value. For example, you cannot replace something non-fungible in the same way you can replace one £10 note with two £5 notes and still have the same value. When something is non-fungible, it is not interchangeable. Put simply, the value of a non-fungible token is only limited by how much the buyer is willing to pay.
Similar to common assets, non-fungible assets can be tangible and intangible. For example, a tangible non-fungible asset would be a deed to a house or a piece of physical art. However, an intangible non-fungible asset would be copyright or digital art. NFTs sit in the intangible category and are unique files that live on a blockchain as a means to verify the ownership of the work of digital art.
The reason why NFTs have been making headlines is down to the sky-high prices some people have been willing to pay for an intangible piece of digital art. For example, on the 11th March 2021, popular artist Mike Winkelmann, who goes under the name of ‘Beeple,’ sold a piece of digital art for $69 million (approximately £50 million). Despite this astronomical price, the new owner does not get sole access to the piece of digital art. In fact, anyone can view the art online for free at any time. What the buyer does get is verification of ownership over the asset, which is essentially bragging rights.
There are many forums and marketplaces which allow you to purchase an NFT, like OpenSea. You can also check out traditional auction houses such as Christie’s and Sotheby’s, which have also jumped on the NFT bandwagon.
Whilst the sale of something as intangible as an NFT may seem a little far-fetched to your average Joe, the potential for exploitation has not gone unnoticed by opportunistic scammers. Just last month, a Banksy art collector named Pranksy was scammed into buying a fake Banksy NFT that had been linked to the street artist’s official website. The collector bid a whopping quarter of a million pounds in Ethereum on what they thought was Banksy's first-ever NFT piece.
How did the scammer get away with it? First, they created an NFT named Great Redistribution of the Climate Change Disaster, which they hosted on Banksy’s official website after finding a vulnerability to exploit on the site. This was a good enough social engineering attack to convince the buyer that the NFT was genuinely created by Banksy. However, shortly after the bid of almost a quarter of a million pounds was placed, accepted and transferred to the scammer’s account, the link disappeared. Following the incident, it’s safe to assume that the hacker exploited a vulnerability to plant the link on the official Banksy website.
In an unexpected turn of events, the funds were later transferred back to the victim collector, minus the $5,000 transfer fee. Whether the scammer was an ethical hacker attempting to point out vulnerabilities on Banksy’s official website, or they got spooked by the growing publicity remains to be seen, but what’s for certain is that the threat remains a problem.
Whilst this incident did result in the victim being refunded, it was a real display of malicious social engineering. The victim lost out on hard-earned money because of their passion for collecting. They got caught up in the moment and acted hastily instead of methodically, which is something that can happen to us all. We at FluidOne believe that these types of scamming attempts will only continue to grow as intangible digital assets become more valuable. Our recommendation is to take as much care as possible when it comes to purchasing NFTs, and if it seems too good to be true, then it probably is.
About the author
Dave Woodfine, Co-founder and Managing Director, Cybersecurity Associates
Dave is an ex Cyber Commander working for the Royal Air Force and GCHQ. Now with years of commercial experience, Dave is an expert in cyber risk management and shaping cyber security strategies.