The automation of fraud demands better defences, beginning with digital identity.
I bought a non-fungible token (NFT) the other day. I bought it on OpenSea, one of the major NFT marketplaces. In case you are interested in art, it is a cartoon from the talented artist Helen Holmes. In case you are interested in speculation, this is the one that I bought. It is from her “originals” collection and is now proudly on display in my crypto.com wallet for all to see.
I commissioned Helen to draw the cartoons that I use to illustrate my articles here, so I know for a fact that she is real, that the cartoons are originals created by her and that I have the right to use them due to our own agreement. And, I am happy to say, that if anyone buys one of her NFTs, the money goes to her, the deserving artist. As it turns out, this makes “my” NFT one of the small number of legitimate examples of same, because last month OpenSea said that over 80% of the NFTs created for free on the platform are “plagiarized works, fake collections, and spam“.
(I say “my” NFT, although owning an NFT doesn’t give me any rights in the underlying intellectual property, which still belongs to Helen, or unique access to the image itself which anyone can download just be right-clicking on the picture above.)
Even the NFTs that are not fakes and frauds are often dodgy, to say the least. I include in this category the NFT of an X-ray of one of the survivors of the Bataclan massacre in Paris, which was offered for sale by the surgeon who treated her! And this isn’t something to do with OpenSea, it’s something to do with the entire market.
Actually, “market” is probably the wrong word, because a recent study found that “the top 10% of traders alone perform 85% of all transactions and trade at least once 97% of all assets”. Looking at the numbers, the top 10 percent of “buyer-seller pairs” are as active as everyone else combined. It is playground almost completely captured by whales.
When the platform that sold the NFT of Jack Dorsey’s first ever tweet for three million American dollars halts most transactions because counterfeit creators were selling tokens of content that did not belong to them, then I think we can all agree that there is a fundamental problem with the trading of digital assets.
It looks as if NFTs are providing a platform for innovation in fraud as well as innovation in creative works. One of the most common kinds is what is known as “wash trading”, where groups of fraudsters trade an NFT between themselves, for an ever-higher price, until someone who is not part of the group and who thinks that the price is real (in colloquial English investment banking parlance, such individuals are known as “mug punters”) steps in to buy the “art”. At which point, the group split the proceeds between themselves, rinse and repeat.
(This fraud, where the sellers are both sides of the sale, is rampant. And it’s not just about some cryptobros looting from the public by falsely inflating the value of NFTs. The U.S. Treasury has already expressed concern that the activity could be used for money laundering.)
OpenSea was recently overtaken in volume by LooksRare. LooksRare financially rewards users for their trading volume, which predictably means rogues gaming the system. Crypto analytics firm CryptoSlam estimated that approximately 87 percent of the total trading volume since launching is in fact wash trading.
(Wash trading of NFTs, according to a detailed Chainalysis study of the issue, has an interesting asymmetry: Most traders have been unprofitable, but the successful ones have profited so much that, as a whole, the groups has profited immensely.)
Having said NFTs are a platform for innovation in fraud, I am forced to admit that I sometimes admire the ingenuity of some of the crypto hackers/exploiters who have been getting work in this new world. Take, for example, the OpenSea “loophole” that was exploited because some NFT owners were unaware that their old sale listings were still active. These old listings were found, and the NFTs were purchased. This led to the loss of multiple expensive NFTs at rock bottom prices.
(The problem was that the NFTs were getting sold at old offer prices made when the NFTs were much less valuable. To give a specific example, one attacker paid a total of $133,000 for seven NFTs before quickly selling them on for $934,000 in ETH. Five hours later the ill-gotten gains were sent through Tornado Cash, a “mixing” service that is used to prevent blockchain tracing of funds.)
As Tom Robinson of blockchain analysis company Elliptic explained, this ingenious (although I have to say, not that complex) fraud then led on to even more fraud because OpenSea sent an email to users who still had old NFT listings, and were therefore susceptible to this fraud. However, cancelling the old listing required an ETH transaction so the enterprising freelance alternative finance enthusiasts behind the original fraud then created bots to look out for these particular transactions and front-run them to purchase the NFTs before the listing was cancelled.
(In other words, by trying to be helpful and tell users to cancel the vulnerable listings, the marketplace gave away precisely the information need by the perpetrators to automate their attacks.)
Scale and Scope
Not all frauds are particularly complex. An awful lot of money has been lost to very basic frauds such as the “rug pull”, whereby innovative cryptocurrency engineers announce the release of a fabulous new digital asset that will do amazing things in the future, increase 100x in value in next to no time and cure cancer on the way. The public respond with enthusiasm and deluge the issuers with cash, at which point the issuers vanish, deleting their web site, Telegram chat and phoney LinkedIn profiles on the way. The public let the virtual cats out of the virtual bags and discover that they are left with nothing.
(MonkeyJizz was a scam! Who knew!)
There are frauds, though, that take more advantage of the nature of the new infrastructure. The “honeypot” is one such example. In a honeypot, the programmer of the smart contracts that control a new token inserts backdoor code to ensure that only their own wallet can actually sell! Everyone else who buys tokens finds that their money is stuck in the honeypot while the scammer who created the smart contract can cash out at any time.
Mention of honeypots takes us into new areas. Many of the most notable frauds that abound involve decentralised finance, or DeFi, projects with more than $10 billion lost to DeFi theft and fraud, as a November Elliptic report shows. And this is only the beginning in my opinion, because the ability to automate fraud in the DeFi space is a fascinating and terrifying development.
(Automated fraud is not limited to the web3 world, of course. PayPal recently closed 4.5 million accounts and lowered its forecast for new customers after discovering that bot farms were exploiting its incentives. They had had offered $10 as an incentive to open new accounts, at which point bots stated tilling the PayPal fields instead of people. As as I have consistently maintained, one day the IS-A-PERSON credential will be the most valuable credential of all.)
When it comes to web3, the intersection of smart contracts full of programming errors, cryptocurrencies and anonymity is a whole new playing field for fraudsters, terrorists and pranksters. The combination of automation and complexity is toxic and needs to be tackled up front. I hate to say it yet again, but the way forward is through a working, fit-for-purpose 21st century digital identity infrastructure. Perhaps DeFi (drawing on verifiable credentials and zero-knowledge proofs), rather than CeFi (drawing on federated identities and shared attributes, might kick-start the an identity infrastructure that will in turn will become its lasting legacy.