On September 28, 2022, Bloomberg – in pure clickbait fashion, published a blurb article using data from three-year old Unicorn, Dune Analytics, that claims the collectible and digital art market went from a high of $17 billion at the start of the year to $466 million this month. The author ties this downswing to the “$2 trillion wipeout in the crypto sector as rapidly tightening monetary policy starves speculative assets of investment flows.” Whether or not Dune’s data is on the money is almost beside the point.
If investors are buying NFTs solely as an investment vehicle, they are not truly art collectors. It’s that simple. No collector buys art purely for speculation – unless you manage a fund tasked with doing exactly that. On the other hand, those who purchase collectible NFTs almost always buy for speculative reasons.
When it comes to deciding what to do during this significant downswing – if it indeed exists, there is not much thinking that needs to be done. If you enjoy the digital art you purchased, this blip does not matter because it was never solely about making a profit. Over time, art has been the most favored non-correlated financial asset for the affluent but it was also always more than just a financial vehicle. That will not likely change in the future. In other words, if you don’t want to see it hanging in your home, it probably should not be in your financial portfolio anyway.
No matter how noble its motivations, Andreessen Horowitz cannot unilaterally dictate when licenses will be “legally irrevocable” in the same sense a smart contract deployed on one platform may not be enforceable when a minted NFT using that same smart contract is sold on another platform. Given the many different NFT platforms deployed, this is just one of many issues that likely more pressing. As for what a suitable NFT intellectual property framework would actually look like, that really depends on the platform used.
On July 15, 2022, several of DeeKay Kwon’s Twitter followers were the latest victims of scammers feasting in the NFT space. DeeKay is an animator and part of a growing number of innovative artists developing the Digital Art Movement spurred on by NFTs. One of DeeKay’s admirers is Calvin Cordozar Broadus Jr. also known as Snoop Dogg also known as Cozomo de’ Medici – who acquired DeeKay’s “Life and Death” for “$1m USD, or 310 ETH.” According to this very important art collector, “all of this [NFT profile picture] mania is bringing massive attention to NFT. And when they come in for an azuki, punk, bored ape, or their choice of “culture token” . . . But then stumble across an @XCOPYART, a @fewocious, a @deekaymotion . . . That’s when one realizes the true power DIGITAL art can have, beyond any traditional art they have ever seen before.”
DeeKay reported his Twitter account was hacked and “and the hacker has been tweeting a fake mint site. I reacted to it ASAP and spread the word but could not stop the damage in time.” An unknown number of DeeKay’s over 179,000 followers clicked on a phishing link found in the below fake Tweet – a Tweet that purportedly brought them to a new collection from the artist:
According to Deekay, “[t]he fake mint site was made two weeks prior, 100% copied my original website. I assumed he studied my time when I am inactive too.” While trying to claim the purported free NFTs on the fake site, victims instead approved transactions granting the scammer access to their wallets and allowing the removal of various digital assets. It is not yet fully known how many NFTs or other crypto assets were stolen from Deekay’s Twitter followers. Most reports currently peg the number at $150,000 worth of digital assets.
DeeKay has been trying to “work something out” with those have been scammed. For example, one victim was gifted “something special” by DeeKay to “help ease” his loss. Interestingly, DeeKay recognizes the problem with reimbursing victims given that it “also encourages hackers to keep doing their thing since I am the one covering the mess. Part of me says reimbursement should not be a standard way to react, and another part of me says I should still find a way to compensate and find a balance.” This is no different than the problem caused by insurers who continually reimburse ransomware victims and why ransomware payments should be self-insured.
DeeKay’s Twitter phishing scam comes on the heels of another phishing exploit days earlier targeting Uniswap liquidity providers that used a similar scheme but obtained a much larger $8.6 million in crypto assets. As reported in Crypto Briefing, the Uniswap fake site “instructed the victims to claim the malicious UNI tokens as a reward for providing liquidity on the exchange, but when the victims agreed to the claim, they inadvertently approved a transaction that granted the attacker access to their wallets. From there, the attacker could make token transfers to drain their wallets.”
The phishing technique used in these scams is relatively easy to pull off given most folks still click on links without really thinking and many users of crypto wallets such as MetaMask have no clue as to what they are really providing consent for when clicking on the consent button. After going to what appears to be a genuine site, they just assume they are obtaining what they are pitched as the reason for going to the site in the first place, namely freebies of some sort. In a similar way an email address can be spoofed in a phishing exploit, consents can say whatever a scammer wants it to say.
Whether it’s DeeKay’s Twitter followers or Uniswap’s liquidity providers, these pools of potential victims are publicly known and easily reached by scammers. One way of getting away from this vulnerable crowd is by using multiple wallets and intermediaries such as fine art galleries that can work with collectors to improve their security hygiene. More to the point, until art galleries become a mainstay part of the Digital Art Movement, these sort of scams will continue to proliferate.
UPDATE: July 20, 2022
On July 19, 2022, DeeKay let everyone know he was targeted again – likely by way of another phishing exploit. He suggested that his collectors be aware that he would “NEVER do a free mint.”
On May 17, 2022, actor Seth Green announced to the world that he got “phished and had 4NFT stolen”. Apparently, he clicked on a link that led him to a website that requested and obtained access to his wallet – a wallet containing four high-profile collectible NFTs. After he provided the necessary consent, a scammer promptly emptied his wallet of these four expensive collectible NFTs.
Disregarding whether what was lost was actually “art” in the sense of fine art – they are likely more properly described as innovative collectible NFTs with significant speculative value based on community growth, utility, endorphins, and numerous other intangible measures, Green’s loss presents a valuable security lesson for all NFT collectors and raises issues that will not go away anytime soon. All of this is now ripe for discussion.
Green asked OpenSea not to allow trades in his four missing collectibles. It is doubtful any marketplace will affirmatively identify, tag, and refuse to trade in Green’s four NFTs. As it stands, there are huge numbers of fake collectible NFTs sold on marketplaces – especially on OpenSea. Despite recent OpenSea changes aimed at addressing “copymints” – fake listings using copies of actual collectibles, the collectible fraud problem will not subside any time soon given this sort of fakery does not require much effort and can be very lucrative for scammers – as well as the marketplaces that thrive on trading fees. More to the point, even the upgraded OpenSea controls do little to address the core issue of compliance.
To its credit, there are no current OpenSea listings tied to Green’s collectible NFTs but that might change at any time given at least one marketplace has them listed. As of May 19, 2022, Rarible has MAYC # 19182 listed by public wallet address # 0xae7f30d77b367afe64f04dfd94e95f71f8e4ae66.
And, Rarible apparently also has BAYC # 8398 listed by public wallet address # 0xaf20e2e1dca5dffd0efa1a8055099a947beec8be.
These are not Green’s collectible NFTs simply because they reference the correct collections, point to the right image files, describe the correct collectible rarity properties, and use the right numbering scheme. On the other hand, both have sold – perhaps in wash trades or maybe not, for significant amounts – 106.5 ETH on May 8, 2022 or $268,912 for BAYC # 8398 right around the time it was purportedly removed from Green’s wallet and 31.5 ETH on March 17, 2022 or $87,129 for MAYC # 19182. Without a way to provide a universal and easily accepted means of verifying the authenticity of these collectibles, collectors will need to be part detective and part forensic investigator and use ETH explorers to track the relevant wallet addresses.
Assuming someone did the legwork to confirm these are the actual pilfered collectibles, Mr. Green has several options. He can continue pressuring marketplaces to refrain from listing them. That would not get them back, but it might prevent further monetization and may cause the current owners to cut a deal with Green for their return given this lack of monetization.
As with many film actors, Seth Green lives in California where knowingly receiving actual stolen property is a criminal offense punishable for up to a year in prison. See Cal. Penal Code § 496(a) (“Every person who buys or receives any property that has been stolen or that has been obtained in any manner constituting theft or extortion, knowing the property to be so stolen or obtained, or who conceals, sells, withholds, or aids in concealing, selling, or withholding any property from the owner, knowing the property to be so stolen or obtained, shall be punished by imprisonment in a county jail for not more than one year, or imprisonment pursuant to subdivision (h) of Section 1170.”). Almost all NFT marketplaces are non-custodial – which means this statute would not really apply to them under any reading of the law.
Given this lack of custody, a marketplace would also not likely be liable for conversion. “The tort of conversion is established when one who owns and has the right to possession of personal property proves that the property is in the unauthorized possession of another who has acted to exclude the rights of the owner.” Angiolillo v. Christie’s, Inc., 103 N.Y.S.3d 244, 260-61 (N.Y. Sup. Ct. 2019). Similarly, a cause of action of replevin requires that the defendant actually possess the property in question before its return can be obtained in court. All of this assumes ownership of the constituent parts of an NFT, namely private keys, smart contract software code, IPFS content, etc., constitutes personal property in the first place.
Green’s likely best avenue for redress would be going after current holders of his lost NFTs who might be considered bona fide purchasers or good faith purchasers for value not having knowledge of the tainted title. Mr. Green lives in California and the “stolen” property could be in wallets belonging to persons anywhere in the world. Assuming he knows the public wallet addresses of the current owners, Green would still not know the country of origin let alone name and address. If the purchaser is identified, however, negotiating a deal or filing suit will be viable options.
Knowing the applicable law for a claim is significant given in some jurisdictions such as New York the law favors rightful owners seeking their stolen personal property. See e.g., Solomon R. Guggenheim Found. v. Lubell, 77 N.Y.2d 311, 320, 567 N.Y.S.2d 623 (1991) (“To place the burden of locating stolen artwork on the true owner and to foreclose the rights of that owner to recover its property if the burden is not met would, we believe, encourage illicit trafficking in stolen art.”); Barnard v Campbell, 55 N.Y. 456, 461 (1874) (“The general rule of law is undoubted that no one can transfer a better title than he himself possesses.”); DeWeerth v Baldinger, 38 F3d 1266, 1278 (2d Cir. 1994) (“New York case law has long protected the right of the owner whose property has been stolen to recover that property, even if it is in the possession of a good-faith purchaser for value.”).
In some states and countries, however, it is quite different. For example, under Swiss law, a bona fide purchaser becomes the owner even if the chattel was stolen or otherwise transferred without the authorization of its owner.
On the other hand, even New York law distinguishes between fraud and theft because the owner who is defrauded acted affirmatively and could have protected herself by due diligence, “whereas the owner from whom property is stolen has not acted affirmatively, and, in many instances, could not have protected herself. The [bona fide purchaser] may be equally innocent in both cases, but the original owner from whom property is obtained by fraud is more blameworthy than the original owner from whom property is stolen, and the former is entitled to less legal protection than the latter.” Shubert Org., Inc. v. Partridge, 2020 NY Slip Op 32748 (N.Y. Sup. Ct. 2020).
This legal distinction raises an interesting point regarding Green’s “stolen” NFTs. After all, Mr. Green was led to a website by way of a fraudulent email in the hope of minting himself some Gutter Cat Gang NFTs but instead connected his wallet to an imposter website. All the while, he would have consented to everything done, including his wallet connection and any subsequent activity. In other words, he was defrauded. No one went to his home or computer, stole his private key, went into his wallet, and transferred his collectibles to another wallet. If Green could bring to court a bona fide purchaser of his quartet of valuable NFT collectibles such a buyer could certainly raise all of this as a defense.
Beyond the security hygiene lessons and potential difficulties in retrieving lost collectibles, Green’s mishap also shines a light on the need for due diligence when using a marketplace. In sharp contrast to collectible NFTs such as BAYC NFTs, purchasing fine art NFTs from a reliable source such as an established art gallery provides justifiable trading confidence.
UPDATE: June 7, 2022
On May 30, 2022, Seth Green announced he had struck a deal with the buyer of his Bored Ape #8398.
He also mentioned he was “working together to prosecute the original thieves” so presumably law enforcement is involved. The following day, Green made a somewhat cryptic statement: “Had to track the NFT to the current holders & make a deal between us to get them back- although we get to prove the friendship & community we all are building around these artists & collections. Plus now we work together to prosecute the original thief who scammed us both”.
In other words, Green was able to convince the buyer to send Green’s Ape back home for an unknown price. For all we know, it may be what the buyer paid or even a premium on that price. What will be of most interest to the ending of this story is what sort of prosecution takes place against Green’s scammers.
On April 4, 2022, the UK Royal Mint was asked to mint an NFT. As with many announcements today, the Royal Mint’s announcement came in a tweet.
Either the above announcement demonstrates supreme ignorance or utter brilliance. Offering for sale non-fungible representations of currency – the most fungible of assets, certainly seems on its face nonsensical. Disregarding the typo, however, it may have been a brilliant marketing gambit – with the Chancellor’s goal of placing the UK on the crypto map furthered. What happens this summer might be a major step in that direction. Who knows? There may even be a Royal Mint NFT drop at NFT.NYC in June.
On March 29, 2022, the developers behind the Ronin Network – an Ethereum sidechain used to support the decentralized game Axie Infinity, announced a major exploit. The developers revealed that an attacker used hacked private keys from four Ronin Validators and a third-party validator run by Axie DAO – out of a total of nine, to forge withdrawals of 173,600 ETH and 25.5M USDC – valued at over $625 million.
This sort of 51% consensus attack plagued the proof of work crypto community since its early days but largely fizzled out as a threat as the major blockchains grew more complex and the number of mining nodes grew into the thousands. The fact that the Ronin sidechain only had nine validators for its exit bridge – with a majority being a mere five of the nine, was a security failing by most vantage points. Not surprisingly, to “prevent further short term damage”, the Ronin Network immediately “increased the validator threshold from five to eight.” And, more importantly, the network “will be expanding the validator set over time, on an expedited timeline.”
The race to mass adoption of new networks has caused many DeFi platforms to forego a security-first design. Rather than viewing such an approach as time-consuming or stifling growth, new networks competing with Bitcoin and Ethereum and underlying many new DeFi platforms, must recognize that only with trust will this community ever grow beyond its current early adopters.
UPDATE: March 30, 2022
According to a text message sent to Bloomberg by Aleksander Leonard Larsen, chief operating officer of the developer behind the Ronin Network, Sky Mavis: “We are fully committed to reimbursing our players as soon as possible. . . We’re still working on a solution, that is an ongoing discussion.”
It’s worth noting that this problem arose as a result of the intended design of OpenSea, a centralized service that uses decentralized coins. It’s difficult to classify this as a hack or even a bug. OpenSea informs consumers that this is how its service works, which has resulted in numerous scams. The OpenSea bug shows that it is a sloppy marketplace, and if users aren’t cautious to follow proper practices, they may be exploited by more savvy users. Whether the OpenSea bug is being treated as an open security flaw or a result of user error is currently unclear.
After some time elapsed, owners would transfer the NFT back to the original wallet and list again. That’s when the exploit comes into play. If there is another auction using the original wallet’s address someone could possibly obtain the NFT using a bid that is based on an earlier offer – in essence, buying the NFT for a fraction of its true current value.
OpenSea said it’s been quiet on the issue to avoid notifying “bad actors who could abuse it at scale” before patching the problem. It’s apparently working on product improvements, including a new dashboard that shows all active listings, to address the issue.
Moreover, OpenSea suggested that this loss was caused by a “loophole” and was not an exploit or a bug – “it was an UI issue caused when a user creates a listing, then transfers the NFT to a different wallet to avoid the gas fee that comes with nixing a listing.” In other words, it was as presumed by those looking at what originally took place.
OpenSea also said in its private statement that it is changing the default listing duration for NFTs from six months to one month, so that if an NFT is transferred back into a wallet after the new time frame the listing will have expired.
It goes without saying that a $13.3 billion company having such a large share of a nascent market should not disclose on a piecemeal basis its security and design failings – either wait until the coast is clear or open the spigots to everyone who can ask meaningful questions.
On January 9, 2022, creators of the Frosties NFT Collection abandoned their project after investors spent over $1.2 million buying the entire inventory of digital “cartoon ice cream” characters. The money received by the creators was transferred the same day.
Relying on the Chinese lucky number 8 four times over, the collection of 8,888 Frosties was described as “Cool, Delectable, and Unique” and quickly sold out based on claims made by the creators. Their project website – which has since been taken down, promises the following:
Frostie NFTs are made up of over a hundred exciting traits of backgrounds, body, clothing, eyes, mouths, eyewear, hats, toppings, and items. Each Frostie is a unique, non-fungible token (NFT) on the Ethereum blockchain.
Frosties will have staking, metaverse, breeding functions, and so much more!
Holding a Frostie allows you to become eligible for holder rewards such as giveaways, airdrops, early access to the metaverse game, and exclusive mint passes to the upcoming seasons.
The Frosties presale will take place on January 7th and the main sale will take place on January 8th.
Join the Frosties community on Twitter and Discord!
After the January 8, 2022 public drop of Frosties at a floor of 0.04 ETH, the project’s Twitter and Discord server accounts were taken down and in a “rug pull” the floor price was removed. It was also a cash grab given the NFTs stayed with their new owners whereas the creators stopped all further efforts to build or benefit the community.
What happened next is instructive. First, the value of the underlying NFTs have been selling both low and very high. In other words, the market is now dictating the pricing and life goes on with how these assets are going to be priced.
As for moving forward with the project, the Frosties Rug Pull demonstrates that projects can go forward with or without the original creators. The key is to have a passionate community and at least a few folks who can help lead the charge from a technical perspective.
In the case of Frosties, someone named EsahcHslaw took charge and posted on reddit: “We are wrapping Frosties under a new contract for those who want to continue to hold while the project kicks off again. Old dev won’t gain royalties this way. The community will own the funds. Community ran, doxxed multisig, roadmap, website, new Twitter. DM for DC server invite.”
By removing the possibility of creators obtaining future royalties, Frosties owners effectively removed the creators from the project going forward. And, if the Frosties community continues growing organically – with new social media channels and active community involvement, the Frosties Rug Pull will demonstrate that an active community is the primary engine for driving NFT value.
UPDATE: March 25, 2022
Federal prosecutors New York charged two in a criminal complaint with conspiracy to commit wire fraud and conspiracy to commit money laundering, in connection with the Frosties rug pull.
As set forth in the March 24, 2022 DOJ press release, “Mr. Nguyen and Mr. Llacuna promised investors the benefits of the Frosties NFTs, but when it sold out, they pulled the rug out from under the victims, almost immediately shutting down the website and transferring the money. Our job as prosecutors and law enforcement is to protect investors from swindlers looking for a payday.”
On January 6, 2022, the newest draft of the proposed New York Privacy Act now being jointly worked on by the Senate and Assembly was published in the Senate as S6701A and in the Assembly as A680B. A review of this latest draft shows that even though a great deal of important changes were newly inserted into this bill , it still requires some tweaking or it will end up having the same loopholes found in other privacy laws implemented around the country.
Hopefully, the NY legislative has the will to fully take on the data oligarchs – who have been very aggressively working behind the scenes fighting against this bill.
The BitMart theft comes on the heels of a report by London-based consulting firm Elliptic revealing billions of dollars stolen from DeFi platforms. According to Elliptic’s recently released report, the overall losses caused by DeFi exploits total $12 billion and of that amount, fraud and theft accounted for $10.5 billion, seven times the amount from last year.
Thefts hitting crypto exchanges such as BitMart and DeFi protocols such as Poly Network shine a light on the fact DeFi is largely driven by startups lacking cybersecurity maturity. In contrast, the financial institutions that literally spend billions on cybersecurity want no part in helping DeFi projects; and more likely, welcome cyber incidents that tarnish DeFi’s reputation. Until they reach a higher level of security and such incidents become less commonplace, DeFi projects will continue making platform users whole after a security incident – or risk a total collapse in the market for non-money laundering usage.
Depending on their popularity, open-source products can be highly secure and DeFi should be no different. At some point in time – after decentralized protocols are adequately security tested and implemented and DeFi projects become fully independent and organic and not reliant on any centralized cloud solution or centralized servers, breaches such as the one that hit BitMart will be rare. In other words, as the market and business opportunities for DeFi increase in scale and scope DeFi’s security profile will naturally evolve.