When Ocean’s Eleven meets blockchain


How much would a daring art thief charge for the Mona Lisa? Well, about a century ago, a certain gentleman demanded about $100,000 for the painting, a sum well below the estimated price at the time. Stealing the painting was as easy as hiding in a closet for one night and walking out with the Mona Lisa the next day. Getting arrested was also a piece of cake: all it took was a single meeting with the prospective buyers.

The Mona Lisa drama illustrates a problem that art thieves have long struggled with. Most museums have dozens of valuable objects that tend to be relatively easy to move or store. At the same time, these facilities often cannot afford first-rate security measures. In theory, this makes them a perfect target for thieves. In practice, thieves who attempt it often have a hard time turning their loot into cash unless they have an agreement with a specific buyer prior to the robbery. Otherwise, the art they steal may end up trapped in their Evil Lair’s basement for years to come.

As an example, it took 14 years for the Italian Cosa Nostra to get rid of two famous Van Gogh paintings it stole in 2002. And “getting rid of” in this case means that the anti-mafia police seized them, which is not the result they expected in the first place. Similarly, a thief who stole a rare Picasso from the National Gallery of Greece in 2012 kept it hidden for around nine years before police recovered it. And there are many more stories like that.

Still, thieves will never stop chasing art because it’s worth money, often a lot of money. Come 2021, a whole new world of art emerged: auction houses are now dabbling in NFTs, and celebrities are flaunting their ape photos to each other. Non-fungible tokens made up a $25 billion market over the past year. And where the money goes, the crooks follow.

A Tale of Nine Stolen Monkeys

In fact, cybercriminals are already exploring this new space, stealing NFTs from collectors and enthusiasts through social engineering and vulnerabilities in the marketplaces. One of those heists saw three Bored Apes allegedly stolen from development coach Calvin Becerra, who had three major NFT marketplaces blacklist the stolen apes, making it impossible for the hackers to put them up for sale on those platforms. It didn’t take long for OpenSea to do the same with another batch of stolen apes.

Now, let’s do a quick blockchain investigation and take a look at a recent alleged theft of NFTs. On February 1, NFT collector Larry Lawliet reported losing several valuable NFTs, including Bored and Mutant Apes, in an alleged social engineering attack. A quick look at Larry’s wallet reveals a rapid sequence of NFT transfers to an address starting with 0xd27 (the suspected hacker) late on January 31. This is what happened to the apes, as of the time of writing:

  • Bored Ape #1606 – Sold by 0xd27 for 136 WETH (wrapped ether) on OpenSea to an address starting with 0x366. On Feb. 5, that wallet sold the NFT to Larry on the LooksRare decentralized NFT exchange for roughly the same amount in WETH.
  • Bored Ape #4250 – Sold for 100 ETH on OpenSea to 0x1b5, who about six hours later sold it for 111 ETH to an address starting with 0xa25 via LooksRare. At the time of writing, the token is still in that wallet.
  • Bored Ape #7985 – Sold to 0xc9d for 100 ETH via OpenSea. On Feb. 4, 0xc9d sold it to 0x840 on LooksRare for over 140 WETH, with no further activity as of this time.
  • Mutant Ape #25971 – Sold to 0x3ea for 30.01 WETH on OpenSea. Not long after, 0x3ea sold the token back to Larry for just over 30 WETH via LooksRare.
  • Mutant Ape #8464 – Sold to 0x3ea for 30.1 WETH on OpenSea. On Feb. 4, the address sold the token to Larry for over 33 WETH on LooksRare.
  • Mutant Ape #2499 – Sold for 25 ETH to 0xa2a via LooksRare. Then on Feb. 2, the new owner sold the token again to 0xd9c for 20.8 WETH on the same platform. Within a few hours, the new owner sold the token to Larry for 20.9 ETH via BatchSwap.

Note that the hacker, 0xd27, sold most of the tokens directly on OpenSea, one of the largest centralized NFT platforms, minutes after the alleged attack and before Larry posted his tweet. Even after the stolen tokens were flagged by the platform, they continued to change hands, primarily through the LooksRare decentralized marketplace.

But there is a caveat here. The blockchain doesn’t care whose hand is holding the wallet, so it’s possible to sell something to yourself if you have two or more wallets. Thus, the entire situation may have been a case of wash trading: bouncing NFTs between wallets controlled by the same entity to increase their perceived value. In this specific case, the alleged wash trader would need enough coins across their multiple wallets to make the payments on each transfer. They would also incur large losses on rig and gas fees.

That said, unless proven otherwise, we can also take the situation at face value and assume that the addresses above were controlled by different people. In this case, the theft clearly worked out in the attacker’s favor, as he was able to sell the stolen goods literally minutes after the scam. The victim, on the other hand, only managed to recover five of the missing apes, incurring huge additional losses to pay for their return.

Too techie to catch

However you prefer to interpret the example above, it still highlights some of the features that set NFT heists apart from your usual art heists. First of all, the logistics are lightning fast, and a clever attacker can sell the loot before the victim is even aware of the theft. Second, even if the major centralized exchanges ban listings of stolen assets, there is always another platform to turn to. Third, even assuming all existing markets red-flag the stolen NFT, the thief can still sell it on a peer-to-peer basis if they find a buyer.

Furthermore, a criminal looking to profit from stolen NFT art has more options than just a simple sale. They can stake their NFTs on yield platforms, effectively delivering them to a smart contract in exchange for rarity-based rewards. This eliminates the need for a buyer as such. Similarly, with gaming NFTs, like Axies from Axie Infinity, they can choose to lease them to new players looking to skip the investment required to start playing, just like regular “grant” programs.

Stolen goods are not seized unless someone obtains the thief’s private keys. As NFTs sit on the blockchain, an immutable decentralized ledger, once the transaction that transfers ownership from one wallet to another is on the chain, you cannot reverse it without forking the entire chain.

A mechanism that propagates reports of theft across marketplaces and yield platforms, both centralized and not, could help thwart attempts by thieves to sell stolen NFTs. Marketplaces using it would red flag stolen NFTs, making it difficult for a hacker to sell the loot. In practice, this system itself would have challenges to overcome, such as the prospect of malicious reports flagging legitimate transfers and transactions, and the need for timely investigations into each suspected incident. Also, good luck with everyone’s participation, and don’t forget P2P sales.
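The provenance check such a shared theft report implies, sketched as an added example (not from the original article or any marketplace's code): it replays some of the hops listed earlier and decides whether a new listing is still downstream of the reported theft. The victim address placeholder, the report format and the function names are assumptions, and the check sees addresses only, so it cannot tell whether two wallets belong to the same person.

```python
VICTIM = "0xVICTIM"  # placeholder: the page does not give the victim's address

# Constructed transfer log (sender, receiver, token) in chain order. It reuses
# the address prefixes and hops listed above; it is not real on-chain data.
TRANSFERS = [
    (VICTIM, "0xd27", "BoredApe#1606"), ("0xd27", "0x366", "BoredApe#1606"),
    ("0x366", VICTIM, "BoredApe#1606"),
    (VICTIM, "0xd27", "BoredApe#4250"), ("0xd27", "0x1b5", "BoredApe#4250"),
    ("0x1b5", "0xa25", "BoredApe#4250"),
    (VICTIM, "0xd27", "MutantApe#2499"), ("0xd27", "0xa2a", "MutantApe#2499"),
    ("0xa2a", "0xd9c", "MutantApe#2499"), ("0xd9c", VICTIM, "MutantApe#2499"),
]
REPORT = {"victim": VICTIM, "suspect": "0xd27"}  # hypothetical shared report


def holder_chain(token, transfers):
    """Ordered holders of one token; refuses a log with a missing hop."""
    chain = []
    for sender, receiver, tok in transfers:
        if tok != token:
            continue
        if chain and chain[-1] != sender:
            raise ValueError(f"gap in {token} history before {sender}")
        chain = chain or [sender]
        chain.append(receiver)
    return chain


def listing_status(token, seller, transfers, report):
    """Return (verdict, hops since the reported theft) for a new listing."""
    chain = holder_chain(token, transfers)
    if not chain or chain[-1] != seller:
        return ("reject", 0)              # seller does not hold the token
    pairs = list(zip(chain, chain[1:]))
    theft = (report["victim"], report["suspect"])
    if theft not in pairs:
        return ("clear", 0)               # report does not touch this token
    after = chain[pairs.index(theft) + 1:]
    if report["victim"] in after:
        return ("clear", 0)               # token went back to the reporter
    return ("flag", len(after) - 1)       # still downstream of the theft


if __name__ == "__main__":
    for tok, seller in [("BoredApe#4250", "0xa25"), ("BoredApe#1606", VICTIM),
                        ("MutantApe#2499", "0xd27")]:
        print(tok, seller, listing_status(tok, seller, TRANSFERS, REPORT))
```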

With more and more hype surrounding them, NFTs are becoming lucrative assets for hackers. This means collectors and markets alike need to pay more attention to their defenses, whether it be general surveillance, hardening their backend, or developing their own escrow services based on the best infrastructure. Security cannot be an afterthought, and every stakeholder in the NFT space must ensure that they rely only on the best solutions and practices in the field.

Lior Lamesh is co-founder and CEO of GK8.

