Turns out that NFTs are just as susceptible to being swiped from under your very nose as anything else.
Anyone who has decided to diversify their investment portfolio into the frankly rather unhinged world of NFTs has had a couple of nasty warning shots fired across their blockchain bows in recent days, as first the taxman and then a criminal gang made high-profile swoops to seize non-fungible assets.
The ever-vigilant UK tax authority, HM Revenue and Customs (HMRC), reckons it is the first UK authority to impound NFTs. Three, which have yet to be valued, have been seized alongside £5K’s worth of crypto as part of a probe into a suspected VAT fraud involving 250 alleged fake companies and a cool £1.4m.
Nick Sharp, deputy director economic crime, stated that the first seizure of an NFT “serves as a warning to anyone who thinks they can use crypto assets to hide money from HMRC.
“We constantly adapt to new technology to ensure we keep pace with how criminals and evaders look to conceal their assets,” he continued.
Speaking to The Guardian, Jake Moore, an adviser at the cybersecurity firm ESET, implied that a mistake had been made by the fraudsters somewhere along the line that had enabled the authorities to impound the (technically non-existent) assets. It also turns out that the authorities might have some skin in the game too.
“Confiscation also comes with a very tempting reward due to the Proceeds of Crime Act where the investigating police force can request to keep half of the forfeited goods and the other half will go to the Home Office,” he continued. “So with digital currencies, this can be extremely appealing indeed.”
Meanwhile, $1.7m in NFTs has been stolen in what looks to be a phishing attack on OpenSea users. This is a wee bit different as it shows that not everything associated with NFTs is as securely tied into the blockchain as some adherents would have you think. Indeed, OpenSea’s success comes because it is a comparatively simple system that allows users to list, browse, and buy NFTs without interacting directly with the blockchain. This keeps it simple and easily accessible, but also vulnerable.
Twitter user @Nesotual posted a thread about what happened, which OpenSea has publicly agreed with. It’s fairly complex, but basically the attacker or attackers exploited a vulnerability in the Wyvern protocol that underpins most NFT smart contracts and duped their targets into effectively signing half an empty contract. The attacker then filled in the other half and voila! The NFTs’ ownership was transferred without any payment.
And that’s only the most recent example of chicanery with OpenSea. In January, a loophole in the OpenSea platform allowed what the Blockworks website refers to as ‘tech savvy opportunists’ to snatch NFTs from their owners at previously listed prices. Often these were well below the current market value, so all it required was a quick resale and Boom! Handsome profits were made.
OpenSea refunded the users who were affected in that case, but elsewhere people have not been so lucky. And as the NFT momentum shows no sign of abating, more will likely lose their virtual shirts in the months to come, and that’s even before the taxman gets hold of them.