Open to theft, hacking or hijacking, how are NFTs safeguarded?

They can be stolen, forged and even eliminated from the file systems where they are stored. Such are NFTs, those certificates of authenticity for digital assets for which enormous amounts are being paid in some cases. Ensuring their security is both a nightmare and a marvellous opportunity.


The NFT traceability system also has an advantage. In cases like those of OpenSea and Nifty Gateway, the destination of stolen assets cannot be concealed. Everyone can check where they have ended up and the account used by their (anonymous) thieves. After its theft from the Louvre on 22 August 1911, the whereabouts of the Mona Lisa remained unknown for over two years. Anyone who stole the NFT tied to Everydays: the First 5000 days would be unable to hide it. As soon as the crypto-asset market is properly and universally regulated, theoretically at least, its legitimate owners would be able to take legal action to recover the stolen asset.

NFTs face a long and intriguing series of potential threats. They can be stolen, hacked or hijacked. The rules governing their ownership can be changed. In the last analysis, the buyer may only be left with the identification or certificate of an image in their wallet; in other words, a sort of receipt for a virtual item stored elsewhere.

Ravenscraft rounds off his argument by giving quite a striking practical example. Jimmy Fallon, the American television host, wanted to show off how ‘with it’ he was in NFT matters by revealing his latest purchase live on screen, namely, a Bored Ape; a very popular type of illustration in the USA for which he had paid a few thousand euros.

All it took was a few seconds’ exposure for a considerable number of television audience members to identify Fallon’s digital asset wallet address. In a matter of minutes, Twitter abounded in screen captures detailing all the presenter’s cryptocurrency transactions. His purchases proved to be few and modest. However, if he had been a buyer of one of Beeple's multi-million dollar designs or the fake Banksy, it would have become public knowledge all over the internet.

Another feature of this parallel financial system is that traces of past transactions cannot be erased. A slight indiscretion like Fallon’s is all it takes for an entire record of purchases, sales and ownership, which is by definition complete, undeletable and not private, to lose its theoretical anonymity as well.

According to the gallery owner and art curator Llucià Homs, “from a strictly aesthetic perspective, in general, they are rather trivial contemporary works of graphic art”, but in market terms, “they are bringing about a radical transformation in the art sales business, which has essentially changed very little over the last century and a half.” They have given rise to “a new and extremely lucrative sales channel, quite often completely outside the mainstream of galleries, fairs and auction houses”.

Buyers are usually very young investors, generally connected to cryptocurrencies or disruptive technology. If they are prepared to pay genuine fortunes for these unique works it is because they consider that their uniqueness in an environment, the digital one, marked by instantaneous, serial reproducibility, makes them a sound investment.

It goes without saying that an NFT can be used not only to certify a work of art, but any digital asset. As explained by the technology market expert, Eric Ravenscraft, in an article published in Wired, NFTs are both “a nightmare” and an extraordinary opportunity from the privacy and security perspective.

Non-fungible tokens, by their very nature, form part of a financial system designed “to preserve anonymity, but not privacy”. Unlike what happens when you open a current account at a “conventional” financial institution, a user can create an asset wallet on systems like Bitcoin and Ethereum without providing their real name or physical address. However, once the account is opened, blockchain system use involves a high level of traceability, given that all transactions conducted in this encrypted environment are registered and can be consulted by anyone whatsoever. It is true of course, that it is not possible to know to whom any particular account belongs, but as Ravenscraft explains, “imagine what we would think of a bank privacy policy that allows its users access to detailed information on the transactions conducted by the rest of its clients”.

NFTs pose a colossal challenge for private security. They are digital assets – in some cases extremely valuable ones – that can be stolen or used in scams. Technologically based, the rationale behind them is to ensure their singularity, authenticity and integrity. Nevertheless, they are prey to a wide range of potential threats.

Indeed, only last year a series of high-profile crimes were committed involving these types of encrypted digital assets, the use of which is becoming increasingly widespread. In August 2021, Banksy, one of the most celebrated street artists in the world, fell victim to a hacker who created a false URL on his official website. The hacker used it to auction the NFT of the artist's (alleged) latest creation. An anonymous collector made an initial bid of $350,000, and in a matter of only a few minutes was awarded the work, which in itself seemed suspicious.

The collector quickly ascertained it to be a fake. Indeed it was publicly announced as such by Banksy as soon as he recovered control of his website. A happy ending to a potential scam, this time round! Nonetheless, these types of purchases do not provide for any type of automatic refund system. The swindler returned the money, thereby revealing that the intention behind the scam may not have been to make a killing, but rather to highlight the inconsistencies and vulnerabilities of that speculative bubble in digital “art” into which this NFT market is quickly turning.


Jimmy Fallon's Bored Ape


Millionaire thefts in theoretically impregnable spaces


Non-fungible tokens, however, cannot serve in the place of something else, they are unrepeatable, in other words, unique. NFTs are generated using blockchain technology, the same as used for cryptocurrencies. The holder of an NFT tied to a work of art is accredited as the legitimate owner of the original, which is the asset with true market value, no matter how often the work may be copied or reproduced.

The existence of these certificates of authenticity and the value attributed to them by collectors (or speculators, given we are dealing with an emerging market that is expected to maintain its upward trend) explains phenomena such as the fairly basic PNG file format drawings of rocks that ended up being sold for €260,000 in August 2021. Not to mention the mind-boggling $69 million paid at a Christie's auction for Everydays: the First 5000 days by the American artist Mike Winkelmann, better known as Beeple.

But, let's start at the beginning. Contrary to what is often thought, an NFT is not a digital artwork. Rather, it is a certificate of authenticity. When a digital artist sells a work over platforms like Mintable or the aforementioned OpenSea, a smart contract is generated that is linked to the work. This certifies that the item sold is unique, indivisible, transferable and scarce.

That is the NFT. An acronym that stands for Non-fungible Token. Money is fungible because it has an exchange value that allows it to be the subject matter of transactions and conversions: a €100 note can be changed for two €50 or five €20 notes. Tokens are also fungible. They can be used for example as an exchange currency in digital environments like video games.


Aesthetic value and market value


It’s not a work of art, it is an encrypted receipt

Though the story of the theft and return of the fake Banksy may be regarded as slightly bizarre, the vulnerability of NFT purchase and sale markets is regrettably becoming all too familiar. Indeed, March 2021 saw the theft of several thousand dollars from the theoretically secure Nifty Gateway digital art gallery, which at the time permitted the acquisition of NFTs not only with cryptocurrencies but also with conventional fiat currencies through bank accounts.

Several months later, in February this year, OpenSea, the world's largest NFT marketplace, was the scene of a massive theft: hundreds of tokens were taken, valued at $1.7 million according to sources at the online transaction space. This time around, the technique used consisted of accessing the accounts of 17 users by phishing. In other words, the most commonplace and trivial of criminal digital practices sufficed to infiltrate a business environment designed to be one hundred per cent impregnable.

Both cases revealed a high degree of defencelessness for victims in the face of the crimes: neither Nifty Gateway nor OpenSea bore any liability for the theft of the files. They put it down to a lack of user technological proficiency and diligence. The message they conveyed is that the NFT world, a growing international market accounting for in excess of €3.5 billion in transactions (involving artworks alone) in 2021, continues to be, to a large extent, a lawless space.


This last point is particularly peculiar. The InterPlanetary File System (IPFS) serves as the main host for storing NFT-tied digital artworks. It is a decentralised, neutral system. But it should be borne in mind that each particular file is managed by the company that sold it. Were the company to fold, the file it has stored on IPFS could become unavailable, and NFT owners would have nothing more in their wallets than a certified and exclusive link to a nonexistent image. Given the nature of the system, anyone could upload it again, though this is a complex process for which most users would require technical assistance.
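As an added illustration of the re-upload point above (not code from the article or from any NFT platform): an IPFS link names a file by a hash of its content, so an owner who keeps a local copy can check that it is byte-for-byte the file the token points to and would get the same link if uploaded again. The sketch assumes the simplest case, a small file stored as a single raw block with a CIDv1 identifier (prefix `bafkrei`); larger files are chunked and need IPFS tooling to re-derive the link. The sample asset and token URI are constructed.

```python
import base64
import hashlib
from urllib.parse import urlparse

# CIDv1 header: version 1, multicodec "raw" (0x55), multihash sha2-256 (0x12), 32-byte digest
CID_V1_RAW_SHA256 = bytes([0x01, 0x55, 0x12, 0x20])
RAW_PREFIX = "bafkrei"  # base32 text form of the header above


def cid_v1_raw(data: bytes) -> str:
    """Identifier IPFS assigns to `data` when it is stored as one raw block."""
    cid = CID_V1_RAW_SHA256 + hashlib.sha256(data).digest()
    return "b" + base64.b32encode(cid).decode("ascii").lower().rstrip("=")


def cid_from_uri(uri: str) -> str:
    """Extract the CID from ipfs://<cid>/... or https://<gateway>/ipfs/<cid>/..."""
    parsed = urlparse(uri)
    raw = parsed.netloc + parsed.path if parsed.scheme == "ipfs" else parsed.path
    segments = [s for s in raw.split("/") if s]
    if "ipfs" in segments:  # gateway path, or the ipfs://ipfs/<cid> variant
        segments = segments[segments.index("ipfs") + 1:]
    elif parsed.scheme != "ipfs":
        raise ValueError("not an IPFS link: " + uri)
    if not segments:
        raise ValueError("no CID in link: " + uri)
    return segments[0]


def check_backup(token_uri: str, local_copy: bytes) -> str:
    """Return 'match', 'mismatch', or 'unsupported' for chunked/CIDv0 links."""
    cid = cid_from_uri(token_uri)
    if not cid.lower().startswith(RAW_PREFIX):
        return "unsupported"  # not a single raw block; a plain hash cannot verify it
    return "match" if cid.lower() == cid_v1_raw(local_copy) else "mismatch"


# Constructed sample data: stand-in asset bytes and the token URI that would name them.
ASSET = b"constructed sample image bytes"
TOKEN_URI = "ipfs://" + cid_v1_raw(ASSET) + "/image.png"

if __name__ == "__main__":
    print(TOKEN_URI)
    print("intact backup :", check_backup(TOKEN_URI, ASSET))
    print("altered backup:", check_backup(TOKEN_URI, ASSET + b"\x00"))
```

A `match` result means the backup can be re-added to IPFS by anyone and the link recorded with the token will resolve again.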

Once again we come up against the ambivalence associated with NFTs. They are files of potentially great value, secured courtesy of a robust technology, but with very particular vulnerabilities that require a high degree of technical knowledge. In the near future, more and more NFT owners will be resorting to the services of companies to efficiently safeguard these assets and ensure their complete protection.


You can run but you can’t hide
