
From Minted to Gone: Safeguarding Against NFT Theft


In February 2022, OpenSea, the largest NFT marketplace in the U.S., was hit by an attack that led to the theft of 254 tokens worth about $1.7 million. The attackers did not break the NFTs’ own smart contracts. Instead, they tricked holders into signing a partial sell order, with the general authorization portions left blank. Once a victim had signed, the attacker completed the order with a call to their own contract, which transferred ownership of the NFTs to the attacker without any payment. As crypto enthusiasts continue to purchase and hold NFTs, their assets remain exposed both to flaws in the smart contracts that govern them and to signing prompts they do not fully understand.


What are NFTs? 

Non-Fungible Tokens (NFTs) are unique digital assets recorded on a blockchain, typically representing ownership of a one-of-a-kind item such as artwork, music, or a collectible. Unlike cryptocurrencies like Bitcoin and Dogecoin, whose units are fungible and thus interchangeable, each NFT is distinct and cannot be swapped for an identical one. Today, NFTs are bought and held through Web3 wallets, which hold the keys that control a user’s tokens and let the user view and trade the collection. Sites such as OpenSea, Rarible, and SuperRare are popular marketplaces for NFT transactions, offering users a variety of digital assets to purchase. When a purchase settles, the NFT’s smart contract executes a transfer and updates its on-chain record of who owns the token.


Smart contracts are programs deployed on the blockchain that execute automatically when predefined conditions are met. An NFT’s contract records the token’s creation (minting) and every later transfer; when a sale settles, the contract reassigns ownership to the purchaser. Because smart contracts are code, they can contain flaws, and because deployed contract code is normally immutable, a flaw cannot be patched in place once the contract is live (unless the developers built in an upgrade mechanism, which introduces trust issues of its own). There is no central authority that can halt execution or reverse a transfer, so technical vulnerabilities such as reentrancy, unchecked external calls, or poorly defined access controls remain exploitable for as long as assets sit in the contract. Such errors are common in hastily deployed or unaudited contracts.
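The three vulnerability classes named above, shown as an added example in Solidity (hypothetical contracts written for this page; not OpenSea’s or any real project’s code). `VulnerableMint` lets any caller replace the admin, and it runs the ERC-721 receiver callback before it updates the per-wallet mint counter, so the `Reenter` contract can call `mint()` again from inside the callback and take five tokens against a limit of one; it also ignores the callback’s return value. `HardenedMint` applies checks-effects-interactions, a reentrancy guard, an `onlyAdmin` modifier, and a check on the callback’s return value. Contract and function names are this example’s own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// ERC-721 receiver hook: safe mints and transfers call this on a recipient
// that is a contract. It is the re-entry point abused below.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// VULNERABLE (hypothetical collection, not any real project's code).
contract VulnerableMint {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public minted;
    address public admin;

    constructor() { admin = msg.sender; }

    // Poorly defined access control: no check on msg.sender, so anyone
    // can take over the admin role.
    function setAdmin(address newAdmin) external { admin = newAdmin; }

    // Reentrancy: the external callback runs BEFORE minted[] is updated,
    // so a contract recipient can call mint() again from inside
    // onERC721Received and bypass MAX_PER_WALLET. The callback's return
    // value is also ignored (unchecked external call).
    function mint() external {
        require(minted[msg.sender] < MAX_PER_WALLET, "limit");
        uint256 id = nextId++;
        ownerOf[id] = msg.sender;
        if (msg.sender.code.length > 0) {
            IERC721Receiver(msg.sender).onERC721Received(msg.sender, address(0), id, "");
        }
        minted[msg.sender] += 1;   // too late: effect after interaction
    }
}

// Attacker: re-enters mint() from the receiver hook until depth 4,
// ending with 5 tokens despite MAX_PER_WALLET == 1.
contract Reenter is IERC721Receiver {
    VulnerableMint private immutable target;
    uint256 public depth;

    constructor(VulnerableMint t) { target = t; }

    function attack() external { target.mint(); }

    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4) {
        if (depth < 4) {
            depth++;
            target.mint();   // re-entry: minted[this] is still 0 here
        }
        return IERC721Receiver.onERC721Received.selector;
    }
}

// HARDENED: checks-effects-interactions, a reentrancy guard, explicit
// access control, and a checked return value.
contract HardenedMint {
    uint256 public constant MAX_PER_WALLET = 1;
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public minted;
    address public admin;
    bool private locked;

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    constructor() { admin = msg.sender; }

    function setAdmin(address newAdmin) external onlyAdmin { admin = newAdmin; }

    function mint() external nonReentrant {
        require(minted[msg.sender] < MAX_PER_WALLET, "limit");   // check
        minted[msg.sender] += 1;                                  // effect
        uint256 id = nextId++;
        ownerOf[id] = msg.sender;
        if (msg.sender.code.length > 0) {                         // interaction last
            bytes4 ret = IERC721Receiver(msg.sender).onERC721Received(msg.sender, address(0), id, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "bad receiver");
        }
    }
}
```

Deploy `VulnerableMint`, deploy `Reenter` with its address, and call `attack()`: `minted[reenter]` ends at 5 and `ownerOf[0]` through `ownerOf[4]` all point at the attacker. Pointed at a `HardenedMint` instead, the nested `mint()` hits the `nonReentrant` guard and the whole transaction reverts; even without the guard, moving the counter update ahead of the external call would make the re-entered call fail the `"limit"` check.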


Risks and Vulnerabilities Associated with Smart Contracts

Vulnerabilities within smart contracts are especially pressing in the NFT space, where the novelty of the technology often outpaces secure development practices. In the last few years, the total value of NFTs on the market has grown from a few million dollars in 2019 to over $8.8 billion in 2024. In such a rapidly growing market, many NFT projects copy code from other contracts without understanding the security assumptions that code carries. As NFTs have grown in popularity and value, attackers have increasingly targeted these contracts, exploiting flaws to transfer NFTs without the owner’s consent or any payment. Once an attacker has transferred an NFT, the victim has limited recourse: the decentralized design of the technology provides no mechanism for reversing the transfer.


Additionally, attackers buy paid advertisements to promote spoof websites that imitate popular NFT marketplaces, luring victims into connecting their crypto wallets. Once a user connects a wallet and approves the transaction or signature prompts the site presents (or types a seed phrase into it), the attackers gain the ability to move assets out of that wallet. Other common attacks involve rug-pulling schemes, where attackers pose as NFT creators to eager investors and solicit funds, then abruptly abandon the project while keeping the investors’ money. One recent incident in Los Angeles involved attackers who misrepresented themselves as NFT creators for several years. Their targeted investors lost in excess of $22 million, and the attackers have been charged with conspiracy to commit wire fraud, wire fraud, and stalking. States have responded by deploying Cybercrime Teams to monitor the ongoing threats to NFTs.


To mitigate the risk of smart contract exploitation, companies and NFT creators are turning to smart contract audits. These audits are formal security reviews conducted by blockchain audit firms such as Cyberscope, CertiK, and OpenZeppelin. Auditors analyze the contract’s code, by hand and with automated tools, to find bugs and vulnerabilities, and recommend changes that improve its security and performance. Audited contracts carry a lower risk of exploitation, and a published audit report serves as a signal of diligence to prospective buyers, though not as a guarantee.


Although smart contract audits are valuable for identifying vulnerabilities before deployment, they are not foolproof. Audits rely on human review and automated analysis, both of which can miss subtle or complex flaws. An audit is also a snapshot of the code at one point in time: newly discovered attack techniques, changes in the contracts and protocols a contract depends on, and code changes made after the audit can make a once “safe” contract vulnerable over time. Consequently, audits alone do not confer immunity from attack, and hackers continue to find and exploit vulnerabilities in audited code, leaving NFT owners exposed.


A major legal nuance surrounding NFTs is the gap between what buyers think they are acquiring and what they actually receive. Most NFT transactions transfer only the token itself, a blockchain record that points to a digital asset, and not the underlying intellectual property rights such as copyright or trademark. As a result, buyers may “own” the token without holding any legal rights to the work. When an NFT is stolen, the original purchaser may have no rights in the work on which to base a claim for restitution. Even where creators grant a license or transfer IP rights through embedded metadata or external agreements, the smart contract cannot enforce those terms.


While they are called “contracts,” smart contracts do not function as legally binding agreements. A smart contract is code that executes automatically when predefined conditions are met, without regard to off-chain contract law principles like intent, mutual assent, or jurisdiction. Moreover, users interacting with smart contracts do not read or affirmatively agree to any terms, making them unenforceable under contract law. Since IP licensing is governed by contract law, this framework currently offers victims no path to recourse. As a result, an attacker can obtain a signature that functions as a “blank check,” gain full ownership of an NFT, and then transfer or sell it freely, with no central authority reviewing the transaction. These heists continue to impact NFT enthusiasts: just last year, over $2.2 billion was stolen in crypto-related hacks and exploits.


Legal Recourse for Victims of NFT Theft

Victims of NFT heists are left with limited recourse, as traditional legal remedies such as contract law and criminal prosecution translate poorly to the decentralized world of blockchain. Because NFTs are managed directly by users on a blockchain with no central operator, reversing a fraudulent transfer is nearly impossible. In that legal vacuum, some victims have turned to intellectual property (IP) and criminal law to reclaim stolen NFTs. Yet victims continue to face the harsh reality of how little digital protection the crypto world affords.


One potential avenue for victims is to explore remedies under IP law, such as copyright and trademark. If a stolen or duplicated NFT includes protected creative content, such as art, and an attacker is reselling or re-minting it, that use may constitute copyright or trademark infringement. However, the law surrounding IP ownership in the world of NFTs remains unclear. While courts have recognized IP rights under the Lanham Act and the Copyright Act for original NFT creators, there is limited guidance on how those rights apply when NFTs are stolen, re-minted, or resold across platforms. Furthermore, as explained above, IP rights appear to protect only the creator of the NFT, not any subsequent purchaser.


Another promising route for victim restitution may lie in 18 U.S.C. §§ 2314 and 2315, known as the National Stolen Property Act (the NSPA). The NSPA makes it a federal crime to (1) knowingly transport or receive stolen goods, securities, or money; (2) of a value of $5,000 or more; (3) in interstate or foreign commerce. While traditionally applied to tangible goods, courts have interpreted the statute broadly enough to cover intangible assets, such as software or trade secrets, when they hold clear economic value.


Thus, an attack that results in the unauthorized transfer of an NFT may be construed as property theft under the NSPA. Blockchain transactions commonly cross jurisdictional boundaries, and attackers routinely steal NFTs worth far more than $5,000, so two of the three elements of the NSPA are readily met. Recent case law further suggests that the NSPA may reach digital assets like NFTs. In United States v. Fiander, the defendant was charged under the NSPA for trafficking pirated software. Although Fiander argued that software is intangible intellectual property and thus falls outside the NSPA, the court held that intangible property embodied in a tangible medium could be treated as “goods” for purposes of the statute. By a similar argument, if NFTs were construed as “digital art,” they may be eligible for NSPA protection. That would open the door to federal criminal charges and to law enforcement tracing, seizing, or recovering the asset.


NFT theft victims still face several hurdles under this approach. Courts have been reluctant to navigate the complexities of the “digital art” sector, and the decentralized nature of NFT systems makes identifying perpetrators and returning property a significant challenge. Transactions are pseudonymous, irreversible, and often cross international borders, complicating both jurisdiction and enforcement. Even if law enforcement invokes the NSPA, successful prosecution remains dependent on cooperation from exchanges and other intermediaries.


As NFTs continue to be purchased, sold, transferred, and stolen, it remains uncertain whether the legal system will adequately support victims with effective remedies for their losses. While that question lingers, it is worth emphasizing that auditing firms have begun to raise the security baseline of smart contracts before they reach the market, to support victims after incidents, and to improve protections for future NFT holders. If the law evolves to solidify protection of intangible assets, it will significantly strengthen the NFT market by assuring current and future users that they are safeguarded against these threats.


*The views expressed in this article do not represent the views of Santa Clara University.

