• S Fetouh and M Bacina

The Black Market for Stolen NFTs: Elliptic Report




The rise of non-fungible tokens (NFTs) with secure ownership on the blockchain has been followed swiftly by scams seeking to steal NFTs and flip them for a profit, leading to a distinct economy for the stolen goods. Thanks to the traceable nature of blockchains, however, that economy can be identified and studied faster than would be the case for a traditional black market.


A new report from blockchain analytics' company Elliptic gives us an update on NFT-based scams, sanctions risks, market manipulation and money laundering. The risk to marketplaces and exchanges is presently small but significant and growing. Some exchanges have been subject to lawsuits over their management of stolen assets, alleging that marketplace operators have failed in a duty to flag or freeze onward sales. In particular, marketplace operators need to be vigilant at all times for scammers within the NFT community, as it only takes seconds of complacency or accidental clicks to result in losses which can run into the millions of dollars.


How are scammers operating?


Scammers often use social media to steal NFTs using phishing links and impersonate NFT marketplace support staff. Scammers often then list stolen NFTs at very low prices, taking advantage of bots deployed by other NFT traders on marketplaces which are designed to detect and acquire NFTs at cheap prices.


In February 2022, a phishing attack occurred where over 200 NFTs worth USD$5.1 million were stolen and represented the single largest NFT phishing heist on record. The scammer ended up returning two thirds of the stolen NFTs back to their owners but kept the higher-value NFTs. The scammer sold the remaining assets across 3 NFT marketplaces. Of those, 45 were purchased and sold by their buyers within 5 days of the attack. The scammer gained USD$1.42 million from the 45 stolen NFTs, for around 8% lower than their total floor price at the time (USD$1.54 million). All but 10 of these were flipped for a profit by the subsequent buyers who grossed USD$1.77 million from their sales, meaning that 13% of the monetary gains were made by the initial buyers rather than the scammer. This demonstrates the attractiveness of this emerging black market of stolen NFTs. Additionally, one user minted an NFT and sent it to the scammer with a note saying:

Hello, I am interested in buying the NFTs you have on you [right now]. I can buy them in bulk at 50% of floor price.

Nevertheless, buyers often purchase stolen NFTs without realising their stolen nature, and on becoming aware of the theft, these buyers prefer to sell them at a loss rather than flip them for a profit. The reasons for this include avoiding negative publicity in the NFT community or disposing of stolen assets as quickly as possible to mitigate the risk of complicity. The community actively calls out users interacting with stolen NFTs and openly urges the return of the NFTs or sale back to the victims, as is what happened to the 3 stolen Mutant Apes which were subject of a phishing scam on 20 February of this year. Two of the stolen Apes were sold by their initial buyers at a loss as a result.


What can marketplaces and exchanges do to combat this?


Some ways in which marketplaces and exchanges can fight these types of scams:

  • Have procedures in place to flag, freeze or delist stolen assets once a credible theft report has been made.

  • Scammers risk being banned from major marketplaces and potentially be left with unsellable assets if a report is made. Therefore, encouraging scam victims to report and lock NFTs during negotiations with scammers, even offering to buy back their assets at reduced prices is a successful strategy for that reason.

  • Highly public campaigns through the use of social media and other channels frequented by the NFT community can be a huge success in being able to block sales on major NFT marketplaces at once. An example is the Calvin Becerra campaign on Twitter in regards to stolen BoredApeYC NFTs. Successful campaigns such as this leave scammers and potential onward buyers with no avenue to sell stolen assets, with the only viable option being the return of the stolen NFTs at a negotiated ransom.

NFT marketplaces and exchanges need to be proactive in reporting and responding to theft reports and detecting malicious activity through their services, including using wallet screening and transaction monitoring tools like Elliptic, Chainalysis or TRM Labs.


Red flags for exchanges to consider include:-

  • where an NFT has been sold in quick succession over several marketplaces and swap services;

  • where an NFT has been sold at well below the floor price;

  • where NFTs that have been quickly sold have been bought by the same set of users who may be running bots;

  • if funds have gone into Tornado Cash or other mixers shortly after NFTs have been exchanged;

  • the transaction wallet has numerous comments on its blockchain explorer page about being involved in prior hacks or scams; and

  • a search of the associated wallet address on a search engine or social media reveals that it has been implicated in prior hacks or scams.

The key for exchanges is to act swiftly, be vigilant and on alert with action plans in place and ready to be implemented as soon as potential scam activity is detected. Scam reports may originate from numerous sources so NFT marketplaces and cryptoexchanges alerted can act swiftly to block suspect addresses identified through different platforms. The more marketplaces which do this, the more scammers can be prevented from easily cashing out the stolen assets, decreasing incentives for NFT theft overall.