Crypto Crime

Stolen NFTs: To Buy Or Not To Buy?

Jun 19, 2023

During a recent exploration of the Blur.io NFT marketplace, I thought I had found some gems at great bargains... "Finally... I can get into this community with the right NFT at the right price!" The right price for me would be one that is not overpriced, with the potential of selling at a higher price in the future in case I want to sell it.


If I were to buy them immediately, I could be in trouble... But if I were to go around fact-checking, someone else could buy the great offer instead, and I would lose out on a great deal!


But still, I decided to take a look at the OpenSea.io marketplace for that particular NFT. The red triangle tells us that sometimes things really are too good to be true... Hovering the mouse cursor over the triangle reveals a message: "This item can't be bought or sold due to suspicious activity."

But that is just OpenSea's way of conducting its business, doing its best not to support fraudulent activities, or maybe it is strongly encouraged by local law. While the NFTs can't be bought on OpenSea, they can still be purchased at other marketplaces such as Blur.io.


Taking a further look into the community on Discord, one could find the victim's story. Some may even just be gone, like all the valuable NFTs in their wallet.


While NFTs have attracted more people to get into web3, there are also more scams, hacks, and wallet drainers during these difficult bear-market times. "Times are Hard" could be a powerful motivator for someone to commit crimes...


How Can an NFT Be Stolen?

The final nail in the coffin would be you approving the transaction without knowing what it meant. You could be thinking you are buying something, but in actual fact, you are signing away the rights to transfer everything in your crypto wallet.


So how did you reach a situation where you are signing the transaction?


Here are some of the typical cases that happened so far...


A hacker took over a project team member's Discord account (be it the Founder, Dev, Moderator, etc.), kicked every other team member out, and launched a new offer in the name of that project.


Or a hacker takes over the Twitter account of an influencer and launches a new offer. They could also lead you to a Discord group or a Telegram group filled with bots celebrating the opportunity.


Some of the abovementioned Discord groups would then ask you to verify your digital assets (NFTs) through popular services like Collab.land, only this time, it's their own wallet-draining version of CollabLand.


The key point to note here is that verifying assets requires a sign-in, but definitely won't cost you any money in the transaction. A sign-in just enables the service to look at your wallet to "see" what it is supposed to look for: the NFT that lets the project approve your membership in Discord.


Or someone approaches you through a private message, offering you an opportunity of a lifetime. That's also why every decent project would warn you against private messages.


The more advanced ones could be sending you a .exe, the traditional hacker style, in the form of game testing or a "document". And when you click on it, nothing seems to be happening on the surface, but the trojan or keylogger program is already working...


How Can We Protect Our Precious NFTs?


Website Basics: Knowing how a website URL is structured is important for telling the difference between a fake malicious website and a genuine one. I briefly cover how to identify a genuine website URL in the video below:

Minting Basics: Sometimes we don't know what we are actually "minting" in an NFT or coin launch, especially if we are not programmers.


So the most basic thing to do is to have a burner wallet, one that you can just discard with minimum loss should it be compromised, as we can always create a new wallet in a few minutes. Just make sure your seed phrases are kept off your computers and mobile phones.


However, do remember to transfer the valuable assets (NFTs or other tokens) into a more secure wallet after the initial launch. But do keep in mind that this doesn't protect you from further transactions like staking with the project.


Transaction Basics: If it costs you money (aka gas) to verify the NFTs that you have in your wallet, most likely you are signing for something else: something that allows the movement of assets, be it buying, selling, staking, transferring, and more.
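The difference between a sign-in and an asset-moving transaction, described here and in the Collab.land paragraph above, can be checked mechanically from the request a site sends to the wallet. This is an added example, not code from the original post or from any wallet: `classifyRequest`, the sample requests and all addresses are illustrative, and it goes beyond the text by also flagging typed-data signatures, which cost no gas yet can still authorize transfers.

```javascript
// Added example, not from the original post. Selectors are the first 4 bytes
// of keccak256 over the standard ERC-20/721/1155 function signatures.
const ASSET_CALLS = {
  "0xa22cb465": "setApprovalForAll(address,bool)",
  "0x095ea7b3": "approve(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
  "0x42842e0e": "safeTransferFrom(address,address,uint256)",
  "0xb88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
  "0xf242432a": "safeTransferFrom(address,address,uint256,uint256,bytes)",
};
// Typed-data primary types that grant spending or sale rights without gas.
const GRANT_TYPES = new Set(["Permit", "PermitSingle", "PermitBatch", "OrderComponents"]);

function classifyRequest({ method, params }) {
  if (method === "personal_sign") {
    return { risk: "low", why: "off-chain message signature, no gas: typical sign-in" };
  }
  if (method === "eth_sign") {
    return { risk: "high", why: "signs an opaque hash, so the wallet cannot show what it authorizes" };
  }
  if (method === "eth_signTypedData_v4") {
    const typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
    return GRANT_TYPES.has(typed.primaryType)
      ? { risk: "high", why: `gasless ${typed.primaryType} signature can authorize asset movement` }
      : { risk: "review", why: `typed data (${typed.primaryType}): read every field` };
  }
  if (method === "eth_sendTransaction") {
    const data = (params[0].data || "0x").toLowerCase();
    const call = ASSET_CALLS[data.slice(0, 10)];
    if (!call) return { risk: "review", why: "on-chain transaction (costs gas), not a sign-in" };
    if (call.startsWith("setApprovalForAll")) {
      const operator = "0x" + data.slice(34, 74); // last 20 bytes of argument 1
      const granted = BigInt("0x" + (data.slice(74, 138) || "0")) !== 0n; // argument 2
      return { risk: granted ? "high" : "review", why: `${call}: operator=${operator} approved=${granted}` };
    }
    return { risk: "high", why: `${call} moves or approves assets` };
  }
  return { risk: "review", why: `unrecognized method ${method}` };
}

// Constructed sample requests; all addresses are placeholders.
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const sampleOperator = "0x" + "11".repeat(20);
const signIn = { method: "personal_sign", params: ["0x5665726966792077616c6c6574", "0x" + "22".repeat(20)] };
const drain = { method: "eth_sendTransaction", params: [{
  to: "0x" + "33".repeat(20), value: "0x0",
  data: "0xa22cb465" + pad32(sampleOperator) + pad32("0x1"),
}] };
for (const r of [signIn, drain]) console.log(r.method, classifyRequest(r));
```

A "verification" page that produces the second kind of request is asking for operator rights over a whole collection, not proving ownership.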


Even with a programming background from 20 years ago, as NFT, blockchain, and Web3 technologies are getting mass adoption, I found myself investing in a browser-based extension "wallet protector": MintDefense.


While its main function is to "read" the code in a blockchain transaction to determine whether it is safe for us to transact, being in such a community also helps to keep me up-to-date with some of the latest "issues".


Through my NFT community, I was offered a lifetime membership for a one-time payment in the early stage. So I would say I am biased in my choice, as there are other such web3 security browser extensions. One of the more popular and free ones is Pocket Universe, which I haven't used before, so I can't comment much...


Back to Stolen NFTs, Would You Become a Fence?

In case you don't know the meaning of a Fence, according to Wikipedia: A fence, also known as a receiver, mover, or moving man, is an individual who knowingly buys stolen goods in order to resell them for a profit later.


In an NFT marketplace, there is a chance that we could become a fence "unknowingly" as we could place bids on the marketplace, and the scammer could accept our bid and sell us the stolen NFTs automatically.


So... To Buy or Not To Buy?


Buying a stolen NFT is a bad idea, at least to me:

  • Unfair to the original owner, aka victim
  • Encouraging more criminals and such activities
  • Against the law, even though the police force may be limited by national boundaries.
  • "The Blockchain doesn't lie" - anyone can see your involvement in the transactions.


And a possible scenario to think about if you had bought it... The victim didn't contact you, you may think all is well... But somehow the NFT mooned, and the victim comes wailing to you... What would you do then?


Or the most likely scenario, you bought it and entered the community with every member "looking" at you and the victim sobbing in one corner... What would you do then?


P.S. I definitely won't buy stolen NFTs, as my account is linked to my social profiles, as transparent as the blockchain. So if you find me with a stolen NFT, most likely it came from a bid. =P