The NFTs experienced a meteoric rise this year. reportedly, the booming NFTs market generated over $23 billion in trading volume this year, compared to just $ 94.9 million in 2020. However, greater commercial viability and an increase in the trading volume have also resulted in an increased risk of fraudulent activities such as AML/CFT risks, phishing attacks, and copyright violations. Naturally, the risks associated with NFTs have also captured the attention of regulators all around the globe. On February 4, 2022, the U.S. Department of Treasury published a study, warning the investors that NFTs may, potentially, become a tool for money laundering in the high-value art market. Shortly after that, on February 14, 2022, BBC reported that Her Majesty’s Revenue and Customs (HMRC), the chief tax authority in the United Kingdom, has seized three NFTs as part of a probe into a suspected value-added tax (VAT) fraud case involving 250 alleged fake companies.
Risks in NFTs
Phishing is a type of cyber attack where a malicious actor poses as a reputable entity or business to deceive people and collect their sensitive information. Within the context of the NFTs market, attackers often focus on obtaining the private key of the digital wallet.
To purchase an NFT, the users have to set up a crypto-wallet. Metamask is a popular cryptocurrency wallet on the Ethereum blockchain that provides support for NFTs. MetaMask customers were targeted in a phishing scam that involved phony ads asking for their private wallet keys and 12-word security phrases. On February 19, 2022, the leading NFT marketplace OpenSea, lost $1.7 million worth of NFTs in a phishing attack. The attackers exploited flexibility in the Wyvern protocol, an NFT exchange protocol used by OpenSea. Reportedly, the attacker posing as Opensea sent out an email to the users urging them to authorize a migration of their NFT listings to the new Wyvern contract. After clicking on the link, it appears the users signed transactions that gave the hacker permission to drain their wallets.
In order to protect themselves from phishing attacks, buyers should avoid keeping Bitcoin, Litecoin, and NFTs in a single wallet. Instead, the buyers should store NFTs in hardware wallets and enable two-factor authentication. Hardware wallets are offline wallets that store the users’ private keys in a secure hardware device. Since private keys are stored offline, it is difficult for attackers to gain access to them.
NFTs buyers and creators should double-check NFT marketplace offers and email links, since, attackers often create identical copies of popular collectibles or send out fake notifications impersonating popular NFT marketplaces. Further, attackers may also replicate popular NFT marketplaces, like OpenSea, in order to create fake NFT stores. Since these sites look identical to the original platforms, buyers can be tricked into spending large amounts of money on a fake artwork that is, in reality, worth nothing.
Counterfeit or plagiarized NFTs
The NFTs marketplace is ripe with plagiarism-related fraud cases. On February 6, 2022, Cent, one of the first NFT marketplaces to allow users to sell tweets as NFTs, suspended all of its activities due to plagiarism issues, In a tweet, digital artist Lois van Baarle said she had discovered “132 instances” of her artwork being minted as NFTs on the marketplace OpenSea, all without her permission. She further added that “NFTs are supposedly about authenticity, but these platforms do less than the bare minimum when it comes to making sure that the images are being uploaded by their original creators.”
Most NFT marketplaces do not have a mechanism for determining the authenticity of the NFTs being sold on their platforms. Some NFT marketplaces such as Rarible put a “verified” checkmark on the page of a creator whose works it has deemed authentic; however, the vast majority of artists on these platforms are unverified, this allows scammers to sell copies of original NFTs tokens.
Before buying an NFT from any marketplace, buyers must do their research to make sure that the NFT that they are buying is from a verified account. For instance, in the OpeanSea platform, they must look for a blue checkmark next to the creator’s profile picture.
A pump-and-dump scam is when a group of traders, such as founders or collaborators, spread misleading or false information to inflate the price of an asset before selling off their shares at a higher price. Pump-and-dump schemes in the NFTs markets usually involve influencers who are compensated for encouraging people to buy a particular NFT, in order to, increase its value. Once the value of the NFT rises and artificial demand has been created the scammers and influencers cash out and the buyers are left with worthless assets.
Smart contract risks in NFTs
NFTs are deployed using smart contracts. Further, using smart contracts developers place hard caps on the supply of NFTs and enforce persistent properties that cannot be modified after the NFTs are issued. Logic errors in a smart contract take place when a developer writes code that makes smart contracts susceptible to attacks, such as software bugs. Post-launch, CryptoPunks, a popular NFT token collection platform discovered a bug in their smart contract. After 10,000 Punks, a bug was discovered where sales could occur but no actual payment was received. Additionally, if the rights governing the ownership are not clearly defined in the smart contract, the buyer may lose his assets.
Like more traditional digital assets, NFTs face heightened money laundering risks due to the ease of conducting transactions and the pseudonymous nature of blockchains. NFT marketplaces are vulnerable to money laundering, both from bad actors buying and selling NFTs to criminals creating their own NFTs and self-dealing to launder the funds. Self laundering is a process in which users spend money on an NFT they already own to conceal transaction traces on the blockchain. Under this process, the criminals first purchase an NFT using illicit funds. They then continue to transact with themselves to create records of sales on the blockchain. Post this, the NFTs will be sold to an individual who will compensate the criminal with clean funds not tied to the prior crime.
Self-laundering is particularly concerning, as NFTs can be set up to provide a transaction fee to the NFT’s creator each time it is sold. This could allow bad actors to continue to profit from their illicit, self-dealing funds long after they are originally laundered, by selling NFTs to unsuspecting third parties.
NFTs Regulatory Landscape
The FATFs’ Updated Guidance for a Risk-Based Approach to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs), stated that though NFTs or crypto-collectibles generally fall outside the virtual asset definition they may be considered such if used for payment or investment purposes in practice.
The U.S. Department of Treasury, recently, published a study on the facilitation of AML/CFT through art trade. According to the study, platforms that support the sale and purchase of NFTs, as well as virtual mediums like metaverses can be regulated as money services businesses (MSBs) under the Financial Crimes Enforcement Network (FinCEN) regulations. These service providers, therefore, will be subjected to existing KYC/AML regulations. To this end, the study explains that “to understand the application of AML/CFT obligations, it is important to consider the nature of the business dealing in NFTs and their function in practice as well as the facts and circumstances of the platform or other person doing business.”
The U.S. Department of Treasury particularly emphasized that peer-to-peer transactions of NFTs in the absence of any intermediaries, with or without any record on a public ledger may also give rise to AML/CFT concerns. The report observed that “the ability to transfer some NFTs via the internet without concern for geographic distance and across borders nearly instantaneously makes digital art susceptible to exploitation by those seeking to launder illicit proceeds of crime because the movement of value can be accomplished without incurring potential financial, regulatory, or investigative costs of physical shipment.”
On February 15, 2022, the Monetary Authority of Singapore (MAS) in a written response to questions posed by the parliament on the subject of NFTs, MAS announced that it will not be regulating activities related to NFTs in the near future. However, the regulator also stated that will keep an eye on the NFT's space. “Should an NFT be structured to represent rights to a portfolio of listed shares, it will like other collective investment schemes be subject to prospectus requirements, licensing and business conduct requirements,” concluded Tharman Shanmugartnam, senior minister and minister in charge of the MAS
The HMRC seized three NFTs worth $1.89 million in a suspected case of a tax probe. The HMRC is the first law enforcement body in the UK to make NFT seizures. The seizure forms part of a suspected VAT tax fraud case involving 250 fake shell companies. Three suspects have been arrested on the suspicion of attempting to defraud the HMRC. Basically, the suspects tried to claim back more VAT than what was owed to them. Further, the HMRC stated the suspects used various sophisticated methods to hide their identities such as false and stolen identities, false addresses, pre-paid unregistered mobile phones, Virtual Private Networks (VPNs), and false invoices.