NFT theft has been on the rise since the industry exploded and became part of popular culture. The February theft of three Azuki NFTs didn’t go unnoticed by Mintable’s management team, which saw an opportunity to help the owners and bought back the stolen NFTs.
This raises many questions, among them what responsibilities NFT owners have, and what steps platforms need to take, to secure digital assets. Other issues include the rising trend of scams within the space and the telltale signs of digital assets stolen by scammers.
If left unchecked, NFT theft could become a factor that hinders the mass adoption of digital assets and their underlying technologies.
We reached out to Zach Burks, the CEO of Mintable, on these and other issues. He was gracious in his answers, which provided depth on what is fast becoming a new niche for scammers and thieves. Here is what he told us.
Zach Burks, CEO at Mintable
- Why did Mintable buy the stolen NFTs?
When we noticed that some of the NFTs we intended to buy for our sale were actually the ones stolen in the OpenSea exploit, we decided to buy them anyway to return to their owners.
These NFTs are worth life-changing amounts of money, and we realized we had an opportunity to turn this situation around, even just for a couple of people.
We certainly didn’t go out of our way to recover the lost property, but we saw an opportunity to help and we did what we could.
- Is there a moral obligation for NFT projects to recover stolen works through a buyback process?
Any marketplace or dApp that puts its users at risk of exploitation does have a moral obligation to recover lost property.
The NFT industry is fairly new, and until there are proper security frameworks and regulations in place, it’s up to us to set the standards and step up to protect our users.
- How did the NFTs get stolen?
In January, attackers exploited a bug on OpenSea where there was a mismatch between smart contract information and their user interface.
Some users would transfer their NFTs to a different wallet and back again instead of canceling listings, in order to avoid paying gas fees.
When they did this, their old listings would still remain active, but could not be seen on OpenSea’s front-end. The attackers were then able to accept these outdated listing prices and buy NFTs for far below market prices without the user’s consent.
To fix this, OpenSea had planned a smart contract upgrade, but hackers took advantage of the migration to target affected users through a phishing scam.
Users were directed to a fake website and asked to sign transactions that then allowed the hackers to steal their NFTs.
- How can NFT owners secure their property?
Make the effort to verify the legitimacy of any communications you receive that ask you to sign transactions with your wallet.
Check links with a malicious URL scanner, and always remove permissions from your wallet after you’re done interacting with dApps.
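To make the two technical points above concrete, the stale-listing mechanism described in the answer on how the NFTs were stolen and the advice about removing permissions after using a dApp, here is a small simulation. It is an added illustration, not code from Mintable, OpenSea or the interviewee, and it models a Wyvern-style marketplace in a deliberately simplified way: the order is a hash the seller signs off-chain (HMAC stands in for a wallet's ECDSA signature), the chain only records ownership, operator approvals and a set of finalized order hashes, and the `MARKET` address, wallet names, prices and keys are all constructed. Whether OpenSea's contract performed exactly these checks is an assumption; the point the model shows is the one the interview makes: validity is evaluated on-chain at fill time, so moving a token out and back in does nothing to the signed order, while an on-chain cancel or an approval revocation does.

```python
"""Toy model of an off-chain-signed NFT listing and the "move it out and back"
mistake.  Added illustration only; MARKET, wallets, keys and prices are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

MARKET = "0xMARKET"  # hypothetical marketplace contract that fills orders


@dataclass(frozen=True)
class Listing:
    """A sell order the seller signs off-chain; it is only checked on-chain at fill time."""
    maker: str
    token_id: int
    price_wei: int
    salt: int


class ToyChain:
    """Just enough state to model ERC-721 ownership, operator approvals and cancellation."""

    def __init__(self):
        self.owner_of = {}             # token_id -> owner address
        self.approved_for_all = set()  # (owner, operator) pairs
        self.finalized = set()         # order hashes that were cancelled or already filled
        self.secrets = {}              # address -> HMAC key (stand-in for a wallet private key)

    def register(self, addr, secret):
        self.secrets[addr] = secret

    def mint(self, to, token_id):
        self.owner_of[token_id] = to

    def transfer(self, frm, to, token_id):
        if self.owner_of.get(token_id) != frm:
            raise PermissionError("not the owner")
        self.owner_of[token_id] = to

    def set_approval_for_all(self, owner, operator, approved):
        pair = (owner, operator)
        if approved:
            self.approved_for_all.add(pair)
        else:
            self.approved_for_all.discard(pair)


def order_hash(listing):
    msg = f"{listing.maker}|{listing.token_id}|{listing.price_wei}|{listing.salt}".encode()
    return hashlib.sha256(msg).digest()


def sign_listing(chain, listing):
    """Seller signs the order hash; nothing is written to the chain at this point."""
    return hmac.new(chain.secrets[listing.maker], order_hash(listing), "sha256").digest()


def fill_status(chain, listing, sig):
    """The checks a fill makes on-chain.  Note that the marketplace UI is not consulted."""
    if not hmac.compare_digest(sig, sign_listing(chain, listing)):
        return "bad signature"
    if order_hash(listing) in chain.finalized:
        return "cancelled or already filled"
    if chain.owner_of.get(listing.token_id) != listing.maker:
        return "maker no longer owns token"
    if (listing.maker, MARKET) not in chain.approved_for_all:
        return "marketplace not approved as operator"
    return "fillable"


def fill(chain, listing, sig, buyer, paid_wei):
    status = fill_status(chain, listing, sig)
    if status != "fillable":
        raise ValueError(status)
    if paid_wei < listing.price_wei:
        raise ValueError("underpaid")
    chain.transfer(listing.maker, buyer, listing.token_id)
    chain.finalized.add(order_hash(listing))


def cancel(chain, listing, caller):
    """The on-chain cancel that costs gas, which is the step the affected users skipped."""
    if caller != listing.maker:
        raise PermissionError("only the maker can cancel")
    chain.finalized.add(order_hash(listing))


def run_scenario():
    chain = ToyChain()
    chain.register("alice", b"alice-key")
    chain.mint("alice", 1)
    chain.set_approval_for_all("alice", MARKET, True)

    stale = Listing("alice", 1, price_wei=10**18, salt=1)  # old listing at a now-low price
    sig = sign_listing(chain, stale)
    steps = {"listed": fill_status(chain, stale, sig)}

    # "Cancelling" by moving the NFT to another wallet and back: the hash is never finalized.
    chain.transfer("alice", "alice-cold", 1)
    steps["moved_out"] = fill_status(chain, stale, sig)
    chain.transfer("alice-cold", "alice", 1)
    steps["moved_back"] = fill_status(chain, stale, sig)

    # Anyone holding the old signed order can now fill it at the old price.
    fill(chain, stale, sig, buyer="attacker", paid_wei=10**18)
    steps["owner_after_fill"] = chain.owner_of[1]

    # Correct handling: cancel on-chain, which finalizes the order hash for good.
    chain.mint("alice", 2)
    second = Listing("alice", 2, price_wei=10**18, salt=2)
    sig2 = sign_listing(chain, second)
    cancel(chain, second, caller="alice")
    steps["cancelled"] = fill_status(chain, second, sig2)

    # Revoking the operator approval blocks fills of any signed order still floating around.
    third = Listing("alice", 2, price_wei=5 * 10**17, salt=3)
    sig3 = sign_listing(chain, third)
    chain.set_approval_for_all("alice", MARKET, False)
    steps["approval_revoked"] = fill_status(chain, third, sig3)
    return steps


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:18} {outcome}")
```

Running the script walks through the sequence: the listing is fillable, becomes unfillable while the token sits in the other wallet, is fillable again the moment it comes back, and is then filled at the stale price; the cancelled order and the order behind a revoked approval both fail the on-chain checks. The last case is why "remove permissions from your wallet after you're done" is more than hygiene: without the operator approval, no signed order for that collection can be executed, regardless of what a front-end displays.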
- What lessons can the web3 community learn from the OpenSea hack?
The OpenSea exploits were possible not just because of bugs on the platform, but also because users were trying to game the system without having a proper understanding of how smart contracts work.
In the most recent exploit, we saw that even experienced NFT traders can fall for phishing scams. As the market grows, scams are becoming more sophisticated.
Don’t get complacent, and don’t try to take shortcuts or find loopholes unless you really know what you’re doing.
Platforms like Mintable will do all we can to protect our users, but there’s a human element to these exploits that cannot be ignored.
Anyone participating in Web3 should be aware of the potential risks, and learn how to properly protect themselves. Knowledge is power.
- What has been the response from the NFT community about this?
If you’re losing tens of thousands of dollars in assets, obviously you’d be upset.
The two community members we returned the stolen Azukis to were extremely grateful that we’d helped them out, but many more were left with no recourse.
There’s certainly a sentiment that platforms like OpenSea should do more to protect the interests of their users.
We’ve also seen the community step up to educate one another about protecting themselves in Web3, which is great.
- Has OpenSea shown willingness to identify the thieves and owners?
What’s great about blockchain technology is that all this data is publicly viewable anyway.
Once the exploit was recognized, Etherscan was able to label the scammer’s wallet. This is how we knew that the NFTs we bought were stolen.
- What kinds of collaborations are needed for preventing NFT theft?
Marketplaces need to discuss and share data on collections and items that are potentially dangerous and/or scams/stolen NFTs.
Unless we have a unified system to share data, the ecosystem is not really able to build a robust solution for preventing malicious actions effectively.
- Are there any other recovery projects that you’re currently on?
Not currently, but we did recently attempt to acquire and rebuild the Pudgy Penguins NFT project after its owners decided to basically cash out and leave.
They didn’t end up selling to us but we would have liked the opportunity to show what NFT projects can achieve with the right support.
- What has been the response toward the OpenSea investigation?
The OpenSea investigation concluded that the exploit happened because of a phishing scam, so nothing was done to help the affected users.
Obviously the community was not too happy about this. While the bug on OpenSea was not directly responsible for the exploit, it certainly created a situation where users were more vulnerable to social engineering scams.
I don’t think the community appreciated being blamed for the theft of their own NFTs.
- How can OpenSea as a premier NFT marketplace do more to prevent such thefts?
It’s important that platforms do proper testing to find and fix bugs that might put their users at risk, and are transparent about the risks inherent in the NFT market.
Once bugs have been found, fixing them should be the priority and users should be alerted about the various ways these bugs could be exploited so they don’t fall victim to scams.
OpenSea is also notoriously hard to get in touch with – they need better customer support.
- What are the telltale signs of stolen NFTs that web3 users should watch out for?
There are none.
- What measures could the LooksRare management team have taken to prevent the huge volume of wash trading and trading in stolen NFTs on its platform?
LooksRare could have blocked the scammer’s wallet or restricted the sale of the stolen NFTs once they had been identified.
We would not have been able to recover the stolen NFTs if they had done this, but it would have shown that LooksRare was taking the situation seriously.
As for wash trading, there’s little that could have been done because of the anonymity of wallets, but restricting token payouts to unique transactions could have mitigated that to some extent.
I have no doubt that they are aware of the measures they could take to prevent such activity, but there’s no incentive for them to do so.
For LooksRare, all that matters is maximizing their own trading volume. They don’t care where the money comes from, or if it’s hurting the community.
The fact that we were able to buy the stolen NFTs on their platform proves this.
- What do you think will be the effect of the Timothy McKimmy lawsuit?
While there is a good argument for negligence on OpenSea’s part as a cause of the theft, it’s hard to say how the situation will play out.
Regardless, I think the lawsuit shows that users’ expectations are growing as the market grows, and there’s a pressing need for proper security frameworks and regulations to be created in this space.
- Should OpenSea be held responsible for trading and minting activities on its platform?
What are marketplaces responsible for really?
- What other steps can OpenSea and other NFT marketplaces take to protect users?
Marketplaces can provide education on safe practices in the NFT market, have proper channels for customer support, and be transparent about any issues or potential for exploits on their platform.
- What steps is the team at Mintable taking to protect NFT users?
At Mintable, we understand the importance of education.
We have extensive resources on our blog, and we host educational spaces on Web3 security alongside certified security experts for our community on Twitter.
We also offer better customer support than most marketplaces, and ensure there’s always a channel of communication open between us and our users.
- Are there any secrets from Mintable you want to tell us?
That’s not how secrets work 😉