Serbian artist Milos Rajkovic was floored last month when his social-media fans started touting an online sale of his animated, digital portraits as NFTs, or non-fungible tokens. Rajkovic, who goes by Sholim, had watched NFTs take over the art world, but he had never toyed with them. Horrified, he pulled up the platform OpenSea and found an impostor trying to sell off 122 of his works as NFTs for as much as $50,000 combined.
“People are getting robbed,” Rajkovic said. The phoney page disappeared at one point, but another version has since popped up. “I feel responsible, because they love my work and someone is using me to steal from them. It’s so frustrating.”
NFTs are supercharging the art market, but users warn they have a dark side. Scammers and hackers are increasingly exploiting security gaps in the rapidly expanding marketplace — and artists and collectors who aren’t crypto-literate are proving easy marks, cyber-defence experts say.
Around $2.4bn worth of NFTs traded in the second quarter, slightly up from the $2.3bn sold during the initial NFT art frenzy of the first quarter, according to digital analytics firm DappRadar. Major auction houses and galleries now sell NFT art — Beeple’s $69m NFT still holds the record — and dozens of online art-selling platforms are sprouting up seeking artists and collectors to join the NFT art craze. NFTs are digital vouchers of authenticity that can be attached to images on screens, allowing JPEGs to be traded and tracked indefinitely on the blockchain.
Common frauds include creating phoney NFT artworks and fake platforms that purportedly sell art but actually steal credit-card information. There are also phishing schemes and viruses that can drain users’ digital wallets, or online accounts that can store people’s financial details and cryptocurrency wealth.
The scale and breadth of these attacks are hard to pin down because decentralisation — a defining aspect of this cryptocurrency-fuelled marketplace — makes it more difficult to tally or track frauds. Ironically, part of the appeal of NFTs is that these tokens are designed to make it easy to log and track their ownership details and sales on the digital ledger known as the blockchain.
“Hackers are jumping in because a lot of people who aren’t tech-savvy are suddenly minting and trading NFTs now,” says Max Heinemeyer, director of threat hunting at Darktrace, a cyber-defence firm based in Cambridge, England. “Collectors see great art, but the guys in black hats see safeguarding gaps — and unlike at a museum, there are no guards standing around your laptop.”
Earlier this year, an impostor posing as the street artist Banksy sold $900,000 worth of NFT artworks on the OpenSea platform before the real Banksy learned about the ruse. The artist stepped forward to say he wasn’t involved in the sale at all. (The platform blocked the seller from its site, but the scammer kept the money.)
Nate Chastain, head of product for OpenSea, declined to discuss the situation with Banksy and Rajkovic but said in an email that the platform is taking measures to curb fraud. “We take fraud very seriously at OpenSea and mobilise around removing this content from the platform as soon as we become aware of it,” he said. Chastain said the platform is planning to implement a duplicate image detection system, which could identify when scammers try to sell copies of works already online elsewhere.
In June, a major NFT artist who goes by Fvckrender said he lost the equivalent of $4m in cryptocurrency after he opened a file sent to him over social media that contained a virus. Within minutes, it nearly emptied his online wallet as he scrambled to move his remaining funds to another, safe account. “I’m an idiot,” he tweeted afterward.
Even Mike Winkelmann, the artist better known as Beeple, has been targeted. After his “Everydays: The First 5000 Days” NFT sold at Christie’s for $69m in March, a digital artist known as Monsieur Personne said he created matching copies of Beeple’s record-setting NFT and tricked several NFT platforms into thinking the pieces came from Beeple. Some sites put these copycat pieces up for sale before the ruse became known and offers to buy the fakes were blocked by the sites. Monsieur Personne later blogged that his exploit was intended to warn art lovers about security flaws within the NFT system. “There’s massive fraud happening,” he added in an email Tuesday. Calls left with Winkelmann weren’t returned.
Problems extend beyond the typical growing pains and glitches of a new art arena, in part because victims say they find so little recourse. Collectors who inadvertently buy fake or stolen art in the real world can often seek refunds or a legal remedy – but legal odds can be slimmer in the opaque realm of cryptocurrency. (If a scam involves fraudulent purchases made with a stolen credit card, the card owner can still report the fraud to their credit-card company and the money can usually be refunded.)
Benny Taveras, a 39-year-old Canadian investor, said he spent around $700 in the cryptocurrency known as ether buying seven looping video NFTs he thought were being sold by Rajkovic. Taveras later reached out to the artist over social media and was told the sale was a scam. “I was devastated,” he said in an interview. “Not only did I lose out on a sale, but it was discouraging. I second-guess myself whenever I want to buy new artists now.”
Taveras, who said he has spent more than $120,000 amassing tokenised art in the past three months, said he now emails artists to vet their NFT offerings before he makes any purchases. And he no longer opens any links that get sent to him over social media. “All it takes is one click,” he said.
Experts like Heinemeyer at Darktrace suggest users memorise their passwords, called seed phrases, and store their cryptocurrency wealth in digital wallets that can be stored on customised thumb drives or offer two-factor authentication, which can text users fleeting codes that must be confirmed to gain access.
DeviantArt, a well-known site where digital artists have long shared examples of their work (often free), said so many scammers are illegally reselling its artists’ works as NFTs that it has decided to go on the offensive — and patrol the internet to find potential thieves. Last week, it started employing artificial-intelligence software to continually scour public blockchains and NFT platforms for identical examples of its artists’ works so that it can alert artists whenever it spots a suspicious match. A DeviantArt spokesman said that during its two-month beta phase, 86% of the matches uncovered by the patrolling AI technology pointed to potential infringements on various NFT platforms.
Some major artists are taking additional steps to secure and authenticate their works being offered for sale online. Hannes Koch, co-founder of the artist studio Random International, said he and his collaborators recently hired a blockchain certification provider, Verisart, to issue a certificate of authenticity to their inaugural NFT in April. They have also started attaching retroactive certificates to all their physical works.
Koch said they learned about fraudsters years ago after unveiling their massive installation Rain Room, the group’s rain-drenching pad that people traverse while remaining dry, thanks to motion-detecting sensors overhead. “We know about 11 Rain Rooms in China and only one is ours,” Koch said. With their NFT that shows a preparatory video of the Rain Room, Koch decided to troubleshoot in advance.
Robert Norton, chief executive of Verisart, said artists are discovering that only a few of the couple dozen NFT platforms even vet the identities of their sellers beforehand — making it temptingly easy for criminals to copy-paste-and-trade art they didn’t create. Verisart’s certificates come with additional signatures and details a scammer can’t easily forge, though. “In the old days, guys would actually have to fake the art, but now they just have to be able to hack the image file,” Norton said.
Other artists, including Daniel Arsham and Jen Stark, are adding in authenticity and security markers at the moment they mint their works as NFTs. Both artists use CXIP, a new kind of minting software pronounced “chip” that is the brainchild of copyright lawyer Jeff Gluck. CXIP anchors its pieces to the original artist and enhances its smart-contract details to ensure future resale royalties are irrevocable no matter where the work is later resold. Rajkovic said he recently reached out to Gluck for help as well.
Taveras, who bought the bogus Sholim works, said he never got his money back from his scammer, though blockchain technology makes it easier to follow his hacker’s spending after the fact. “If I wanted, I could watch him spend my money,” he said, “but I can’t hack him and get it back.”
This article is being published by Dow Jones Newswires.