Fake bitcoin trades and NFT theft on the rise
Over half of the daily bitcoin trading volume is not real, according to a recent Forbes report looking at 157 crypto exchanges. This report supplements a 2019 whitepaper from Bitwise that found 95% of the bitcoin trading volume on CoinMarketCap to be either false or non-economic.
Bitcoin is still the top dog in the crypto world, making up 40% of the $1 trillion in outstanding crypto assets, and the cryptocurrency itself is not implicated in this news. Instead, this report suggests that as bitcoin continues to attract more investment, more people are finding ways to engage in fraudulent trades, and with 51% of its trades amounting to nothing, investors may need to think twice.
So what is the meaning of fake trading and what purpose could it possibly serve?
Fake trading volume may be the result of wash trading or insufficient surveillance in crypto exchanges. Wash trading is when traders give the impression that transactions have taken place when, in reality, they haven’t. This means the trader’s market position remains the same and they haven’t incurred any market risk.
The motivation behind such trading is clear: traders can increase the volume of a particular asset which may attract more interest in a crypto asset. Wash trading is also good news for crypto exchanges because it creates the impression they have higher trading volume, which in turn encourages more investment.
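As an added illustration (not taken from the Forbes or Bitwise reports), here is the kind of surveillance check an exchange could run to catch the pattern described above: trades that inflate volume while leaving the counterparties' positions unchanged. The account names, the trade tuple layout and the 5% tolerance are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample fills (not real exchange data): (trade_id, buyer, seller, qty_btc)
TRADES = [
    (1, "acct_a", "acct_b", 5.0),   # A buys 5 from B ...
    (2, "acct_b", "acct_a", 5.0),   # ... and sells 5 straight back
    (3, "acct_c", "acct_c", 2.0),   # same account on both sides
    (4, "acct_d", "acct_e", 1.5),   # ordinary one-way trade
    (5, "acct_a", "acct_b", 3.0),
    (6, "acct_b", "acct_a", 2.9),   # near-offsetting round trip
    (7, "acct_f", "acct_d", 0.6),
]

def flag_wash_trades(trades, tolerance=0.05):
    """Return ids of trades that leave the counterparties' positions unchanged.

    A pair of accounts is flagged when it trades in both directions and the
    net quantity moved between them is at most `tolerance` of the gross volume.
    """
    flagged = set()
    pairs = defaultdict(list)
    for trade_id, buyer, seller, qty in trades:
        if buyer == seller:                      # self-trade: no change of ownership
            flagged.add(trade_id)
            continue
        key = tuple(sorted((buyer, seller)))
        # Sign the quantity from the point of view of the first account in the key.
        signed = qty if buyer == key[0] else -qty
        pairs[key].append((trade_id, signed))
    for fills in pairs.values():
        gross = sum(abs(q) for _, q in fills)
        net = abs(sum(q for _, q in fills))
        both_ways = any(q > 0 for _, q in fills) and any(q < 0 for _, q in fills)
        if both_ways and net <= tolerance * gross:
            flagged.update(tid for tid, _ in fills)
    return flagged

def wash_share(trades, tolerance=0.05):
    """Fraction of reported volume that comes from flagged trades."""
    flagged = flag_wash_trades(trades, tolerance)
    total = sum(qty for *_, qty in trades)
    fake = sum(qty for tid, *_, qty in trades if tid in flagged)
    return fake / total if total else 0.0
```

On the constructed sample, most of the reported volume comes from flagged trades even though only two groups of accounts are involved, which is how a small number of actors can distort a headline volume figure.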
Unlike other forms of finance, cryptocurrency remains largely unregulated, and as such, it is difficult to know the bitcoin trading volume at any given time. There is no central resource for bitcoin trading, and the figures that leading crypto authorities like CoinMarketCap or CoinGecko usually provide are very different.
In what are known as “pump-and-dump schemes,” transactions are managed by bots while the company uses various marketing schemes and influencers to draw attention to a unique opportunity.
Crypto skeptics frequently draw attention to the hype and dishonesty often associated with the industry. And for all its claims of security, crypto is not without scams and cybercrime that can be extremely costly.
According to data gathered by The Guardian, Non-Fungible Tokens (NFTs) with a total value of more than $100m were stolen in the year beginning July 2021. NFTs are blockchain records linked to unique digital items, such as videos, photos, audio, or other types of digital files. As they are non-fungible, they cannot be exchanged, and in this way, they are different from cryptocurrencies.
The largest sum that has been paid for an NFT to date is $91.8 million for The Merge by the digital artist Pak. This was purchased by a total of 28,983 buyers at a starting price of $575, increasing by $25 every six hours. The image features three white orbs against a black background, and their size grows with every token purchase.
With such huge sums of money paid for NFTs, the prospect of theft is all the more alarming. But attacks on NFTs in the last year have averaged a cost of $300,000.
CryptoPunks is a collection of NFTs on the Ethereum blockchain. CryptoPunk #4324 was stolen in November 2021 and immediately sold for $490,000, making it the highest value theft of a single NFT. However, when a collection of 16 blue-chip NFTs was stolen from an individual owner in the following month, the losses came to $2.1 million.
Cybercriminals targeting NFTs have been working in various ways. Their methods have included phishing for personal details or hacking social media accounts. Hackers have even paid to advertise on search engines so their victims could see fake NFT platforms in their search results.
Trojan horse NFTs make use of a blockchain smart contract with a malicious adjustment, so that when a user accepts a token, all funds are automatically removed from their accounts.
Where NFT swaps are carried out, scammers have been known to counterfeit well-known NFTs to leave their victims with a worthless digital image, at the expense of a valuable NFT.
For an industry that has attracted much interest in the last few years and, as a result, extremely high prices, NFT theft is something to be concerned about.
Cybercrime is continually increasing and evolving, so whatever you do online, it is always a good idea to keep up to date on the dangers. Take a look at our security blog to get the latest on security threats and best practices.
In other news
- TikTok denies claims that it was hacked. A hacking group called “AgainstTheWest” claimed they stole source code and user data from TikTok, posting screenshots to a hacking forum as proof. The hacker alleged they found a database on the Alibaba cloud belonging to both TikTok and the Chinese messaging app WeChat. TikTok told BleepingComputer that the claims are false and that the source code shared on the forum is unrelated to TikTok’s backend source code. Troy Hunt, the creator of HaveIBeenPwned, investigated the breach and found that much of the data featured in the forum post was already publicly available. AgainstTheWest has since been banned by the forum for making false claims.
- Underwater data centers could reduce power consumption. Data center provider Subsea Cloud aims to have a commercial underwater data center operational by the end of the year. According to Silicon Republic, the data center will be situated 30 feet below sea level on the west coast of the US near Washington state. Referred to as ‘Jules Verne,’ the center will be a shipping container-sized pod holding up to 800 servers. Subsea Cloud claims the benefits of such a setup include cheaper construction — reducing emissions and power consumption by up to 40% — and latency reductions of up to 98%. This is welcome news, considering the notoriously high energy usage of typical data centers.
- Politicians tricked by fake news website. Australian government officials, journalists, and others have been targeted by a malicious website seeking to harvest their data. BBC reports that US security company Proofpoint made the discovery. The targets received emails from hackers claiming to be Australian news officials. The hackers asked them to review their site and consider writing for it. The website was filled with articles stolen from BBC News and malicious code that would infect the target’s device if they clicked the link. Proofpoint is confident that the hackers are threat actors connected to the Chinese government.
- The US Air Force committed the ultimate email faux pas. Have you ever accidentally hit “reply all” to an email chain that embarrassed, annoyed and/or amused everyone involved? Well, you’re in powerful company. A whistleblower recently told Gizmodo that the whole Air Force received a complaint email from a disgruntled clerical employee in Germany who could not stand the sight of an ugly and outdated logo appearing on her computer screen and wanted it to stop. She sent it to an “AF-All” email address, which allowed it to be sent to everyone in USAF. Most people, understandably, replied in confusion, wondering why she had cc’d them into a message concerning a computer query. Amusingly, many used the reply-all function to request that others stop responding with the reply-all function.
- AI-generated art wins fine arts competition. With the recent surge in popularity of AI-art generators like DALL-E, many artists have expressed concern over the possibility of computers replacing them. In one recent incident, the Colorado State Fair awarded first prize to ‘Théâtre D’Opéra Spatial’, a computer-generated artwork in its fine arts competition. According to Vice, Jason Allen, the president of tabletop gaming company Incarnate Games, created the work using AI software called Midjourney before printing it on a canvas. Critics have accused Allen of hastening the death of creative jobs. But Allen has argued that the image could not have been created without his specific creative input and the various prompts he spent weeks fine-tuning. Allen believes that AI art will be its own art category one day.
Tip of the week: avoiding NFT scams
NFTs are a hot topic, and as we’ve seen countless times before, when a new sector of the tech industry gains steam, there will be an increase in scam attempts to go with it. In a digital world, it’s nearly impossible to spot every scammer, but there are a few easy-to-spot signs. Here are three things to watch for to avoid becoming an NFT scam victim.
1. Social media imposters. Active social media users are likely familiar with fake follow requests from strange accounts with dodgy profile photos. It’s mindboggling to think about the number of phony social media accounts out there. NFT scammers are known to copy the most popular NFT social accounts, creating profiles that are nearly identical to the originals. To avoid these:
- Look for the verification checkmark next to the username.
- Do a web search of the NFT creator’s username, and try to find duplicate pages.
- If you can’t tell which is the real account, try shopping for NFTs elsewhere.
2. Prices too good to be true. NFT pricing is based on supply and demand. If an NFT pricing deal seems too good to be true, it probably is. There’s a strong chance it’s a fake if an NFT is significantly cheaper or more costly than comparable NFTs from the same collection or classification. Again, do a web search, this time using Google or Bing image search, and see what a particular NFT is going for on other sites. Look on more established marketplaces like OpenSea and Magic Eden, and compare prices, just as you would when buying a physical product.
3. Suspicious direct messages. Hacker-generated direct messages (DMs) are a common feature of NFT scams. They’re used to spread misinformation about NFT websites and trick recipients into clicking on links to fake marketplaces. It’s more obvious when your grandmother sends you a DM saying, “have you heard about the awesome NFT deals on this dope new marketplace?” But hackers may also breach the accounts of legitimate NFT influencers, so look for signals like sudden messages out of nowhere, bad grammar, and shortened links that could redirect you to malicious sites.