NFT has a blind spot, as the digital art sales seems to boom with it, also thefts are happening. 69 million dollars for a work of art by the artist Beeple, almost 300,000 for a Cristiano card, one million for a piece of land in a video game…
For a few months now we have not stopped seeing striking news about a phenomenon, the NFT (or ‘nonfungible token’) that is revolutionizing the world of blockchain and cryptocurrencies. But there are still many unknowns to be solved with this new world that, for the moment, is already bursting the art market and collecting, at least. There are doubts about commissions, the authorship of the work, the possibilities of scaling these projects, the environmental impact, or copies.
Although there is a much more delicate, practical one, which already has its first victims: What happens if an NFT is stolen?
NFT’s latest blind spot: The great digital art thefts begin
The news broke this week when several users of the Nifty Gateway platform, one of the most important NFT trading sites, reported the theft of their accounts and therefore of their collections worth hundreds of thousands of euros. The company, after investigating what happened, denied a massive ‘hacking’ but assured that it had detected strange movements and that some users, of those who had not activated the two-step authentication, could be affected.
At the same time, the information, published by media such as The Verge, left a somewhat striking comment: Due to the nature of blockchain technology, Nifty does not have to take responsibility for the theft of the works or the recovery of the works or the investment and it was simply that the affected users would never see the works or the money again. But it is not that simple.
The blockchain technology makes those NFTs are registered in decentralized networks, mostly in Ethereum’s although there are already several alternatives, and the idea of many platforms like Nifty is that they are mere intermediaries that offer a reliable, well-designed, and simple market to trade with all these assets, leaving issues such as custody or security in the hands of the users themselves, but experts do not see it so clear. Lawyers specializing in digital law explains that, although indeed, there is still a lack of regulation in this regard, these platforms cannot simply wash their hands of it.
The key point? Where the ‘token’ in question has been stolen. The website in question admits that there has been a ‘hack’, but says it is not responsible for the problem. In the end, if the asset was on their platform, surely the user signed a contract when registering in which this issue is noted. Another thing is that you had it in a personal wallet and for one reason or another they managed to get into it and take the content.
Any market with economic amounts is regulated in one way or another, although it is true that, as we have seen in the past with the bankruptcy of cryptocurrency exchanges (The DAO or Mt. Gox are two of the best known), we must be clear that today there is still a long way to go in this regard.
— Keyboard Monkey (@KeyboardMonkey3) March 15, 2021
This lack of current regulation means that the solution to these problems is still up in the air. According to some of these affected collectors posted on their Twitter accounts, the platform had finally been able to return most of their works, but not all of them, writing off the remaining works and their value as lost.
Let’s see, if the work continued on the platform it is still possible to block its exit and that is what may have happened, that they received the notice, saw that the NFT was still in one of their wallets and could prevent its escape, but if it leaves it is very difficult to recover. There are options if you get several nodes in the chain to agree to block its movement, but obviously, it is much more complex than the decision that a bank, for example, can take, which only depends on them.
It may be that this platform uses a ‘sidechain,’ what is known as chains outside of the main blockchain that makes transactions only happen in its space and doesn’t leave the platform, at least for a while.
NFTs transactions made on your website are recorded only in your database, so it is somewhat safer because you control the movement at least for a while and you avoid commission costs for the movement from ‘wallet’ own to ‘wallet’ own, having only to be paid once the owner wants to take the work. Of course, the downside is that you have to trust that the platform will take care of your works and will respect transactions and movements.
How to pursue if NFTs are stolen?
Once outside the platform, something interesting about NFTs is that they allow absolute traceability of their path, that is, all the movements of the token are recorded with the idea of giving a kind of history and certificate of authorship and digital property, but the anonymity of these accounts makes it almost impossible to trace by the authorities. The records are shown and are public, but not the identity of who owns it at a given moment, how they got it, or how they are moving it.
I caught my account getting hacked right as it was happening. @niftygateway seemed to be able to lockdown the account where all my nfts got transferred to so that they never left the platform.
— Lt.Crandog (@LtCrandog) March 16, 2021
In some countries there are legislations to prosecute cases like Nifty, but it is not easy. For example, the ‘hacking’ of the accounts itself is covered by criminal code in almost all countries now. And even a judge can ask for investigations to be opened at an international level if they see such indications of crime. The doubts come, however, with the digital asset itself.
But there is a debate: Is an NFT a material good, money, crypto-asset, or financial asset? It is still being debated and is key to these issues. And on top of that, you collide with very unequal international regulations.
Following this same debate, if we treat it as movable property, in an acquisitive prescription of the asset; provided that the statute of limitations had expired or, in the case of the sub acquired, since the initial transfer. All this, of course, starting from a debate on these crypto-assets and, above all, knowing the complexity of hunting down criminals.
We must not forget that the victim can see his ‘token’ on the chain, and see the public name of who has stolen it without being able to do anything. It’s like if your car is stolen and you see it driving away without being able to do anything else.
This last point is vital for NFT, because in these cases many of the works disappear from the major platforms to secondary markets, and even if the token can be traced, there would be a point at which it could no longer be considered a stolen object.
The problem is that many of these sales of works occur in secondary markets, they leave the platforms and are sold in P2P transactions, so in those environments, it is not that much is looked at where the ‘token’ comes from. This ‘black’ market of digital art is admitted even by the affected platform itself, which in its analysis detected and confessed that many of the stolen works had been later resold on networks such as Twitter or Discord, to escape any possible control.
We encourage our users to enable 2FA that we provide on the platform and never reuse passwords. We have seen some reports that NFTs involved in these account takeovers were sold in transactions negotiated over Discord or Twitter.
— Nifty Gateway (@niftygateway) March 15, 2021
For all these reasons, many experts call for opting for a physical cryptocurrency wallet or a personal digital wallet outside of the marketplace platforms that allow you to have a little more security.
We saw that with the Mt. Gox case, which is still in court. Many people had cryptocurrencies in their own ‘wallet’ offered by the exchange, but the website suffered a ‘hack’, went bankrupt and most users never saw the money again, or at least a good part of it. Also, many of these sites don’t have escrow funds or anything similar and are independent so you have to tread carefully.
Europe will regulate crypto-asset markets with MiCA
Europe’s regulation, in principle, is very close to being approved and may provide an answer to many of these doubts about theft, liabilities, and guarantees: The European regulation about crypto-asset markets (or MiCA, for its acronym in English). This regulation aims to regulate the entire crypto asset market at a regional level and, although it is not yet known when it will be approved or if it will undergo any kind of modification (everything points to the fact that it will not be approved until the end of 2021 or 2022), it does help to see how the future may look in these environments.
This regulation is going to make ‘exchanges’ or platforms like Nifty very much equal to banks, and anyone who wants to enter this field is going to have to adapt and, above all, be prepared. Until now it was enough to have little more than a website to be able to operate with crypto assets, but that is going to end and it can be a problem for those who enter without knowing it.