Computing Applications

NFT Thefts and What to Do About Them

"An NFT owner will have legal claims against the NFT thief, but those claims may not be worth much if the thief can't be found," says Eric Goldman, a professor at Santa Clara University School of Law who studies Internet and IP law.

Actor Seth Green recently found himself the victim of a brand new type of theft: he was robbed of several non-fungible tokens (NFTs).

Green fell for a phishing scam when he clicked on a fraudulent link that allowed a thief to steal several of the actor's NFTs. The NFTs were promptly resold to other buyers online, turning a tidy profit for the thief.

Here's where things get complicated.

One of the NFTs in question was a popular Bored Ape Yacht Club NFT, one of 10,000 illustrated portraits of monkeys that routinely sell for six and seven figures.

Bored Apes, and some other popular NFTs, offer intellectual property (IP) rights as part of the smart contract that transfers ownership of the NFT. These rights give you the ability to use the likeness of the NFT for commercial purposes. Several Bored Apes owners have cashed in by turning their unique digital simians into merchandise or media brands.

Green was doing just that. He developed an animated show around his Bored Ape NFT that featured his ape as the main character. However, once the NFT was stolen and resold, Green no longer owned the NFT and its IP rights. Not only was the NFT itself valued at tens of thousands of dollars, but the related IP had significant value as well—leading Green to plead online with the person who bought the NFT to work with him to resolve the issue.

Pleading is sometimes the only recourse for victims of NFT theft, which is becoming increasingly common. Another high-profile theft occurred in early June 2022, when a thief hacked the Bored Apes Discord channel and phished the community to steal more than $350,000 in NFTs. This came just two months after someone hacked the Bored Apes Instagram account to steal more than $2 million in NFTs.

Resolving NFT thefts is not easy, say experts. You need to determine first whether you have a legal claim around IP related to your stolen NFT, says Mark McKenna, a professor of law at the University of California, Los Angeles (UCLA) with a focus on intellectual property and privacy law.

"An NFT is just a bit of code that uniquely points to something, and that something might, or might not, be the subject of IP rights," says McKenna.

Yet if someone has IP rights to the NFT, they have legitimate legal claims under existing IP law, says Eric Goldman, a professor at Santa Clara University School of Law who studies Internet and IP law. Enforcing those claims, however, can be difficult due to the nature of the crime.

"An NFT owner will have legal claims against the NFT thief, but those claims may not be worth much if the thief can't be found," says Goldman. While you can see the cryptocurrency wallets that bought and sold an NFT, linking that wallet to the person who bought a resold stolen NFT can range from difficult to impossible.

Instead, says Goldman, the NFT theft victim may be able to sue the NFT platform where the theft occurred, depending on the facts. Several pending lawsuits may offer more legal clarity around the issue, once they are resolved.

In Green's case, his only recourse was to pay up: he spent nearly $300,000 to buy the NFT back from the person it was resold to (who claimed they did not know it was stolen).

Because of the lack of consistent, enforceable legal recourse for stolen NFTs, the best way to resolve an NFT theft is to prevent it from happening in the first place.

"We take steps to protect the physical assets we own, like storing them in locked homes and offices or, with higher-value assets, putting them into a safe deposit box," says Goldman. "NFT owners must take appropriate steps to protect their NFTs, such as following good cybersecurity practices and being vigilant against phishing attacks."

If NFTs become a large-enough asset class, Goldman also hopes to see NFT theft insurance similar to the insurance that exists for physical assets, and more secure infrastructure in wallets and platforms.

Yet the very existence of NFT thefts has implications for blockchain technology as a whole, says McKenna. Blockchain is supposed to be more secure and transparent than other technologies, but humans like Green can still be fooled, and it's possible some blockchain tools aren't as technologically secure as promised. If the wallets where tokens are stored are hackable, McKenna says, this is a cybersecurity problem that calls into question the integrity of blockchain technology.

"We'll have to see whether all the security promises of blockchain are proven out."


Logan Kugler is a freelance technology writer based in Tampa, FL, USA. He has written for over 60 major publications.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More