NFTs are New Fraud Types

I bought a non-fungible token (NFT) the other day. Not as an investment, I hasten to add. The market for these tradable tokens, from cartoon apes to artsy doodles (as the FT frames them), has collapsed in recent weeks. The average selling price of an NFT has dropped by around half since their peak before Christmas and volumes on OpenSea, the biggest NFT marketplace, fell by 80% over the last month. I think the line of mug punters waiting for their picture of a chimpanzee with sunglasses has evaporated.

There are those of us who appreciate art rather than speculation, though, so I went to the aforementioned OpenSea to buy something nice. In case you are interested, it is a cartoon from the talented artist Helen Holmes. In case you are an art buyer, this is the one that I bought. It is from her “originals” collection and is now proudly on display in my crypto.com wallet for all to see.

[Image: 11 cashorcharge]

I commission Helen to draw the cartoons that I use to illustrate my articles on Forbes, so I can testify at first hand that she is real, that the cartoons are originals created by her and that I have the right to use them due to our own agreement. And I am happy to say that if anyone buys one of them, the money goes to her, the deserving artist. As it turns out, this makes “my” NFT one of the small number of legitimate examples of same, because recently OpenSea said that over 80% of the NFTs created for free on the platform are “plagiarized works, fake collections, and spam”.

(I say “my” NFT, although owning an NFT doesn’t give me any rights in the underlying intellectual property, which still belongs to Helen, or unique access to the image itself, which anyone can download just by right-clicking on the picture above.)

Even the NFTs that are not fakes and frauds are often dodgy, to say the least. I include in this category the NFT of an X-ray of one of the survivors of the Bataclan massacre in Paris, which was offered for sale for $2,776 by the surgeon who treated her. And this isn’t about OpenSea, it’s about the entire market. A recent study found that “the top 10% of traders alone perform 85% of all transactions and trade at least once 97% of all assets”. Looking at the numbers, the top 10 percent of “buyer–seller pairs” are as active as everyone else combined. It is a market almost completely captured by whales.

When the platform that sold the NFT of Jack Dorsey’s first ever tweet for three million American dollars halts most transactions because counterfeit creators were selling tokens of content that did not belong to them, then I think we can all agree that there is a fundamental problem in the digital assets market.

Innovation

It looks as if NFTs are providing a platform for innovation in fraud as well as innovation in creative works. One of the most common kinds is what is known as “wash trading”, where groups of fraudsters trade an NFT between themselves, for an ever-higher price, until someone who is not part of the group and who thinks that the price is real (in colloquial English investment banking parlance, such individuals are known as “mug punters”) steps in to buy the “art”. At which point, the group split the proceeds between themselves, rinse and repeat. 

This kind of trading is rampant. OpenSea was recently overtaken in volume by LooksRare. LooksRare financially rewards users for their trading volume, which predictably means rogues gaming the system. Crypto analytics firm CryptoSlam estimated that more than four-fifths of the total trading volume since launching is in fact wash trading.

(Interestingly, a detailed Chainalysis study of the problem discovered a strong asymmetry: Most wash traders have been unprofitable, but the successful ones have profited so much that, as a group, wash traders have profited immensely.)
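The wash-trading pattern described above leaves a recognisable shape in a token's sale history: it keeps returning to wallets that held it before, at rising prices, until an outsider buys. The following is an added example, not code from the studies or marketplaces mentioned here; it is a simplified heuristic, and the record format, wallet names, threshold and sample sales are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample sales in chain order: (token, seller, buyer, price in ETH).
SALES = [
    ("ape#1", "0xA", "0xB", 1.0),
    ("ape#1", "0xB", "0xC", 2.5),
    ("ape#1", "0xC", "0xA", 6.0),   # token returns to an earlier holder
    ("ape#1", "0xA", "0xB", 14.0),
    ("ape#1", "0xB", "0xZ", 30.0),  # first buyer from outside the ring
    ("art#7", "0xD", "0xE", 0.4),   # ordinary resale chain, never loops back
    ("art#7", "0xE", "0xF", 0.5),
]

def find_wash_rings(sales, min_ring_trades=3):
    """Flag tokens that circulate inside a closed set of wallets at rising prices."""
    by_token = defaultdict(list)
    for token, seller, buyer, price in sales:
        by_token[token].append((seller, buyer, price))

    findings = {}
    for token, trades in by_token.items():
        last_sold = {}  # wallet -> index of its most recent sale of this token
        ring = set()
        for i, (seller, buyer, _) in enumerate(trades):
            if buyer in last_sold:
                # Buyer held this token before: every wallet that touched it
                # since the buyer's sale belongs to the same closed loop.
                for s, b, _ in trades[last_sold[buyer]:i + 1]:
                    ring.update((s, b))
            last_sold[seller] = i

        internal = [p for s, b, p in trades if s in ring and b in ring]
        rising = all(x < y for x, y in zip(internal, internal[1:]))
        if len(internal) < min_ring_trades or not rising:
            continue
        # The exit trade: a ring member sells to a wallet outside the ring.
        exit_trade = next(((b, p) for s, b, p in trades
                           if s in ring and b not in ring), None)
        findings[token] = {"ring": sorted(ring),
                           "internal_prices": internal,
                           "exit": exit_trade}
    return findings

if __name__ == "__main__":
    for token, f in find_wash_rings(SALES).items():
        print(token, f)
```

A flag from this heuristic is a reason to look closer, not proof: legitimate collectors do buy pieces back, and a ring that uses a fresh wallet for every hop would not be caught by ownership loops alone.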

Having said that NFTs are a platform for innovation in fraud, I am forced to admit that I sometimes admire the ingenuity of some of the crypto hackers/loophole exploiters who have been getting work in this new world. Take, for example, the OpenSea “loophole” that was exploited because some NFT owners were unaware that their old sale listings were still active. These old listings were found, and the NFTs were purchased. This led to the loss of multiple expensive NFTs at rock bottom prices. The problem is that the NFTs were getting sold at old offer prices made when the NFTs were much less valuable. To give a specific example, one attacker paid a total of $133,000 for seven NFTs before quickly selling them on for $934,000 in ETH. (Five hours later this ether was sent through Tornado Cash, a “mixing” service that is used to prevent blockchain tracing of funds.)

As Tom Robinson of blockchain analysis company Elliptic explained, this ingenious (although I have to say, not that complex) fraud then led on to an even more fun fraud because OpenSea sent an email to users who still had old NFT listings, and were therefore susceptible to this fraud. However, cancelling the old listing requires an ETH transaction, so the enterprising freelance alternative finance enthusiasts behind the original fraud then created bots to look out for these particular transactions and front-run them to purchase the NFTs before the listing was cancelled. In other words, by trying to be helpful and tell users to cancel the vulnerable listings, the marketplace gave away precisely the information needed by the perpetrators to automate their attacks.

Scale and Scope

Not all frauds are particularly complex. An awful lot of money has been lost to very basic frauds such as the “rug pull”, whereby innovative cryptocurrency engineers announce the release of a fabulous new digital asset that will do amazing things in the future, increase 100x in value in next to no time and cure cancer on the way. The public respond with enthusiasm and deluge the issuers with cash, at which point the issuers vanish, deleting their web site, Telegram chat and phoney LinkedIn profiles on the way. The public let the virtual cats out of the virtual bags and discover that they are left with nothing.

(MonkeyJizz was a scam! Who knew!)

There are frauds, though, that take more advantage of the nature of the new infrastructure. The “honeypot” is one such example. In a honeypot, the programmer of the smart contracts that control a new token inserts surreptitious code to ensure that only their own wallet can sell the tokens. Everyone else’s money is stuck in the honeypot while the scammer who created the tokens can sell at any time.

Mention of honeypots takes us on to the main point. Many of the most notable frauds that abound involve decentralized finance, or DeFi, projects, with more than $10 billion lost to DeFi theft and fraud last year. The ability to automate fraud in the DeFi space is a fascinating and terrifying development because of the sheer scale of the frauds that can be perpetrated, but automated fraud is not limited to the web3 world, of course. PayPal (PYPL) recently closed 4.5 million accounts (and lowered its forecast for new customers) after discovering that bot farms were exploiting its incentives. The payments company had offered $10 as an incentive to open new accounts, at which point the bot farmers started tilling the PayPal fields.

The combination of automation and complexity is toxic and needs to be tackled up front. But how? Surely it should be one of the most basic tests of eligibility for a payment account that you are an actual human being! How is it so difficult to ensure that certain transactions are executed by people and not by bots! I hate to say it yet again, but the way forward is through a working, fit-for-purpose digital identity infrastructure. It should not be possible to open an account without an IS_A_PERSON credential, which as I insist on forecasting, will one day be the most valuable credential of all.
