1
NFTs are rarely used in terror financing, but they remain highly vulnerable to fraud and scams, the U.S. Treasury Department said. Marco Verch/flickr

KEY POINTS

  • Criminals may use NFTs to carry out rug pulls, the Treasury Department said
  • Copyright and trademark vulnerabilities may also be used by criminals to conduct their illicit activities
  • Remilia co-founder claimed earlier this year that hackers stole millions worth of ETH and NFTs from his wallet

The U.S. Treasury Department has raised red flags about the vulnerability of non-fungible tokens (NFTs) to fraud and scams, reiterating that such vulnerability can be exploited by criminals.

"The assessment finds that NFTs are highly susceptible to use in fraud and scams, many of which are traditional schemes that involve NFTs, and can be stolen from victims," the department said in its latest National Money Laundering Risk Assessment report.

It cited a blockchain analytics firm report that revealed over $100 million worth of NFTs were pilfered through scams between July 2021 and July 2022. The department believes the number may be understated, since victims often do not publicly state their losses in scams.

Aside from the common rug pulls in the digital assets space wherein developers raise funds through a seemingly legitimate project but disappear after taking the funds, the assessment said criminals may also create fraudulent NFT platforms to steal victims' funds.

The report said NFTs and NFT platforms have so far been rarely used in terror financing. However, it warned that criminals also use NFTs to launder proceeds "from predicate crimes, often in combination with other techniques or transactions meant to obfuscate the illicit source of funds."

The department also pointed out how cybersecurity vulnerabilities related to NFTs, as well as copyright and trademark issues, can enable criminals to carry out fraudulent operations and theft in the NFT space.

According to the assessment, law enforcement observed that threat actors have often taken advantage of the customer information vulnerabilities in NFT platforms, specifically those that do not require customer data before using the platforms. "Many platforms lack controls to identify customers or otherwise mitigate illicit finance risks."

The department said the "highly automated nature" of selling NFTs and the tokens' availability across different platforms enable illicit actors to launder the assets by utilizing leveraging rapid transactions that make it complicated for blockchain analysts to trace illicit transactions. Criminals may also launder proceeds using mixers, including Tornado Cash, the report added.

The Treasury Department's warnings came about two months after Krishna Okhandiar, the co-founder of Remilia, which is known for launching the popular Milady NFT collection, claimed that his digital wallet was hacked. In the supposed exploit, millions worth of NFTs and Ether (ETH) were stolen.

Probably one of the biggest NFT-related incidents was the takeover of Ethereum co-founder Vitalik Buterin's X (formerly Twitter) account in mid-September. Hackers took over his X handle and posted a phishing link that offered fake NFTs. Victims lost nearly $700,000 in the said scam.