When Ocean’s Eleven meets blockchain
How much would a daring art thief charge for the Mona Lisa? Well, about a century ago, a certain gentleman demanded about $100,000 for the painting, an amount well below the estimated price tags at the time. Stealing the painting was as easy as hiding it in the closet overnight and walking out with the Mona Lisa the next day. Getting arrested was also a breeze: only one meeting with potential buyers was required.
The Mona Lisa drama illustrates a problem that art thieves have long grappled with. Most museums have dozens of valuable items that are relatively easy to move or store. At the same time, these facilities often cannot afford top-notch security measures. In theory, this makes them a perfect target for thieves, but thieves who try it in practice often struggle to turn their loot into hard cash – unless they have an arrangement with a specific buyer prior to the theft. Otherwise, the art they steal could get stuck in the basement of their Evil Lair for years.
For example, it took the Italian Cosa Nostra 14 years to get rid of two famous Van Gogh paintings that they had stolen in 2002. result they initially hoped for. In a similar vein, a thief who stole a unique Picasso from the National Gallery of Greece in 2012 kept it hidden for about nine years before it was again seized by the police. And there are many more stories.
Still, thieves will never stop looking for art because it’s worth money – often a lot of money. Come 2021, a whole new art world is emerging: auction houses are now dabbling in NFTs and celebrities are showing off their monkey photos to each other. Non-fungible tokens made up a $25 billion market last year. And where the money goes, thieves follow.
A story about nine stolen monkeys
In fact, cybercriminals are already exploring this new space, stealing NFTs from collectors and enthusiasts through social engineering and vulnerabilities in marketplaces. One such theft saw three Bored Apes supposedly stolen from development coach Calvin Becerra, who had three major NFT marketplaces blacklist the stolen monkeys, making it impossible for hackers to list them for sale on their platforms. It wasn’t long before OpenSea did the same for another batch of stolen monkeys.
Now let’s do some quick blockchain detective work and take a look at a recent alleged NFT theft. On February 1, NFT collector Larry Lawliet reported the loss of several valuable NFTs, including Bored and Mutant Apes, in a suspected social engineering attack. A quick look at Larry’s wallet reveals a rapid series of NFT transfers to an address starting with 0xd27 (the suspected hacker) late on January 31. Here’s what happened to the monkeys next, at the time of writing the article:
Bored Ape #1606: Sold by 0xd27 for 136 WETH (wrapped Ether) on OpenSea to an address starting with 0x366. On Feb. 5, the wallet sold the NFT back to Larry on the decentralized LooksRare NFT exchange for roughly the same amount in WETH.
Bored Ape #4250: Sold for 100 ETH on OpenSea to 0x1b5, who sold it in about six hours for 111 ETH to an address starting with 0xa25 via LooksRare. At the time of writing the article, the token is still in that wallet.
Bored Ape #7985: Sold to 0xc9d for 100 ETH via OpenSea. On Feb. 4, 0xc9d sold it to 0x840 on LooksRare for over 140 WETH, with no further activity at this time.
Mutant Ape #25971: Sold to 0x3ea for 30.01 WETH on OpenSea. Not long after, 0x3ea re-sold the token to Larry for just over 30 WETH through LooksRare.
Mutant Ape #8464: Sold to 0x3ea for 30.1 WETH on OpenSea. On Feb. 4, the address sold the token back to Larry for over 33 WETH on LooksRare.
Mutant Ape #2499: Sold for 25 ETH to 0xa2a via LooksRare. Then, on Feb. 2, the new owner sold the token again to 0xd9c for 20.8 WETH on the same platform. Within hours, the new owner sold the token to Larry for 20.9 ETH using BatchSwap.
Please note that the hacker, 0xd27, sold most of the tokens directly on OpenSea, one of the largest centralized NFT platforms, within minutes of the alleged hack and before Larry posted his tweet. Even after the platform flagged the stolen tokens, they continued to change hands, mostly through the decentralized LooksRare marketplace.
But there is a caveat here. The blockchain does not care whose hand is holding the wallet, so it is possible to sell something to yourself if you have two or more wallets. Therefore, the whole situation may have been a case of wash trading, where NFTs bounce between wallets managed by the same entity to increase their perceived value. In this particular case, the supposed wash trader would need enough coins in their multiple wallets to make the payments on each transfer. They would also incur significant losses in platform and gas fees.
That said, unless proven otherwise, we can also take the situation at face value and assume that the above addresses were operated by different people. In this case, the theft has clearly worked out in the attacker’s favor, as they were able to sell the stolen goods literally within minutes of the scam. The victim, on the other hand, only managed to recover five of the missing monkeys, incurring huge additional losses to pay for their return.
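The custody trace walked through above can be replayed mechanically. This is an added example, not part of the original article: it transcribes the sales of the six itemized tokens, using the address prefixes as the article quotes them, and reports which tokens round-tripped to the victim, which are still outstanding, and which venues handled resales after the thief's first sale. The `victim` label and the function names are assumptions for illustration.

```python
from collections import Counter

VICTIM, THIEF = "victim", "0xd27"  # the victim's address is not quoted in the article

# Sales after the initial transfer victim -> 0xd27, transcribed from the list
# above as (seller, buyer, venue). Prefixes are exactly as the article gives them.
SALES = {
    "Bored Ape #1606":   [("0xd27", "0x366", "OpenSea"), ("0x366", VICTIM, "LooksRare")],
    "Bored Ape #4250":   [("0xd27", "0x1b5", "OpenSea"), ("0x1b5", "0xa25", "LooksRare")],
    "Bored Ape #7985":   [("0xd27", "0xc9d", "OpenSea"), ("0xc9d", "0x840", "LooksRare")],
    "Mutant Ape #25971": [("0xd27", "0x3ea", "OpenSea"), ("0x3ea", VICTIM, "LooksRare")],
    "Mutant Ape #8464":  [("0xd27", "0x3ea", "OpenSea"), ("0x3ea", VICTIM, "LooksRare")],
    "Mutant Ape #2499":  [("0xd27", "0xa2a", "LooksRare"), ("0xa2a", "0xd9c", "LooksRare"),
                          ("0xd9c", VICTIM, "BatchSwap")],
}

def custody(sales):
    """Replay one token's sales and return every holder in order."""
    path = [VICTIM, THIEF]
    for seller, buyer, _venue in sales:
        if seller != path[-1]:  # a sale by a non-holder means the transcript is wrong
            raise ValueError(f"{seller} sold a token held by {path[-1]}")
        path.append(buyer)
    return path

def summarize(all_sales):
    """Split tokens into round trips and outstanding; count who sold back."""
    returned, outstanding, sold_back = [], {}, Counter()
    for token, sales in all_sales.items():
        path = custody(sales)
        if path[-1] == VICTIM:
            returned.append(token)
            sold_back[path[-2]] += 1  # last holder before the victim
        else:
            outstanding[token] = path[-1]
    return returned, outstanding, sold_back

def downstream_venues(all_sales):
    """Venues used for any sale not made by the thief's own address."""
    return Counter(v for s in all_sales.values() for seller, _, v in s if seller != THIEF)

if __name__ == "__main__":
    returned, outstanding, sold_back = summarize(SALES)
    print("returned to victim:", returned)
    print("still outstanding:", outstanding)
    print("sold back to victim by:", dict(sold_back))
    print("downstream venues:", dict(downstream_venues(SALES)))
```

The counts cover only the six tokens the list itemizes. An address that appears in more than one round trip, as 0x3ea does here, is a lead for further investigation and not proof of common control.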
Too tech to catch
However you interpret the above example, it still highlights some of the features that set NFT thefts apart from your regular art heists. First, the logistics are lightning fast and a clever attacker can sell the loot before the victim even learns of the theft. Second, even if the major centralized exchanges prohibit offers for stolen assets, there is always another platform to turn to. Third, even assuming every existing market spots the stolen NFT, you can still sell it peer-to-peer if you find a buyer.
Moreover, a criminal who wants to cash in the stolen NFT art has more options than a simple sale. They can stake their NFTs on yield platforms, effectively transferring them to a smart contract in exchange for rewards based on the rarity. This eliminates the need for a buyer as such. Likewise, with gaming NFTs, such as Axies from Axie Infinity, they can choose to rent them out to new players who want to skip the investment needed to start playing, much like the regular “exchange” programs.
The stolen goods cannot be confiscated unless someone gets their hands on the thief’s private keys. Because NFTs are on the blockchain, an immutable decentralized ledger, once the transaction that moves ownership from one wallet to another is in the chain, you can’t roll it back without forking the entire chain.
A mechanism to spread theft reports across marketplaces and yield platforms, both centralized and not, could thwart thieves’ attempts to sell stolen NFTs. The marketplaces using it would flag the stolen NFTs, making it more difficult for a hacker to sell the loot. In practice, such a system would itself have to overcome challenges, such as the prospect of malicious reports flagging legitimate transfers and transactions and the need for timely investigation of any alleged incident. Also, good luck getting everyone on board, and don’t forget the P2P sales.
With more and more hype surrounding them, NFTs are lucrative assets for hackers to go after. This means that both collectors and marketplaces need to pay more attention to their defenses, whether it’s general vigilance, strengthening their backend, or developing their own custodial services based on top-of-the-line infrastructure. Security cannot be an afterthought, and every stakeholder in the NFT space should ensure that they rely only on the best solutions and practices in the field.
Lior Lamesh is the co-founder and CEO of GK8.
This post, When Ocean’s Eleven meets blockchain, was originally published at https://venturebeat.com/2022/04/07/when-oceans-eleven-meets-blockchain/