US Treasury releases first illicit finance risk assessment centered on NFTs

On Wednesday, the US Department of the Treasury released a 2024 Non-fungible Token (NFT) Illicit Finance Risk Assessment. This assessment delves into the vulnerabilities linked to NFTs and NFT platforms, highlighting how illicit actors could leverage them for money laundering, terrorist financing, and proliferation financing.

The assessment finds that NFTs are highly susceptible to use in fraud and scams, since illicit actors can use NFTs to launder proceeds from predicate crimes, often in combination with other methods to obfuscate the illicit source of proceeds of crime.

It is mainly fraudsters using them in these ways, as there was little evidence of the misuse of NFTs by terrorists or proliferators, Treasury said in the report.

“This risk assessment demonstrates Treasury’s commitment to analyze illicit finance risks of newer technologies and communicating them to industry and law enforcement,” said Brian E Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence. “I encourage the private sector to use the findings of this assessment to inform their own risk mitigation strategies to prevent illicit actors from abusing NFTs and NFT platforms.”

Cyber weaknesses

The assessment finds that these frauds and the theft of NFTs themselves often arise due to:

inadequate cybersecurity protections at NFT firms and on their platforms;
challenges related to copyright and trademark protections, and
the hype and fluctuating pricing of NFTs can enable criminals to perpetrate fraud and theft related to NFTs and NFT platforms.

Moreover, some NFT firms and platforms lack appropriate controls to mitigate risks to market integrity and to combat money laundering and terrorist financing, and sanctions evasion. Treasury said.

According to one report, in May 2022, just under $24m worth of NFTs were stolen through scams.

The assessment notes that mitigation measures, such as industry tools, law enforcement authorities, and analysis of public blockchain data, can partially mitigate such risks.

For its part, the government plans to do the following to address outstanding risks in this area:

raising awareness within industry of existing obligations;
continuing to enforce existing laws and regulations related to NFTs and NFT platforms; and
considering further application of regulations to NFTs and NFT platforms.

Types of frauds

To highlight how the NFT market is particularly vulnerable to fraud and scams, the report cites a blockchain analytics firm, noting that over $100m worth of NFTs were stolen through scams between July 2021 and July 2022.

According to the same report, in May 2022, just under $24m worth of NFTs were stolen through scams.

These numbers likely understate the total because victims of theft and scams often do not publicly report their losses. Criminals employ a range of techniques, such as engaging in the following frauds (to name just a few):

Rug Pulls: In a rug pull, a scammer raises investment funds in a seemingly legitimate project, such as an NFT collection, before ending the project and stealing invested funds. Criminals use the proceeds of one fraudulent NFT project to fund a second NFT project or collection while remaining in contact and continuing to make promises to the victims of the original project.
Market Manipulation: Criminals may engage in price manipulation by engaging in intentional or willful conduct designed to deceive or defraud investors, such as wash trading. This is a form of market manipulation in which an entity simultaneously sells and buys the same financial instruments, creating a false impression of market activity.
Conflicts of interest: Persons with access to confidential information related to NFT platforms may use advanced knowledge of promotions or other market activity for their own financial gain, such as insider trading.

Conflict of interest fraud

As an example of the conflict of interest fraud type noted above, a case from August of last year stands out. In that case, Nathaniel Chastain, a former product manager at the NFT platform OpenSea, was criminally sentenced in connection with a scheme to commit insider trading in NFTs, by using confidential information about which NFTs were going to be featured on OpenSea’s homepage for his personal financial gain.

According to the US Justice Department, to conceal the fraud, Chastain used anonymous OpenSea accounts to make purchases and sales and transferred funds through multiple, anonymous Ethereum accounts to conceal his involvement in purchasing and selling NFTs. He was convicted of related wire fraud and money laundering offenses.

Also last August, the SEC brought its first enforcement action against a company for an NFT project. The company at the center of the SEC’s cease-and-desist order was a Los Angeles-based media and entertainment company called Impact Theory, which the federal securities regulator says sold NFTs that were actually unregistered securities.

Through events and public statements, Impact Theory invited potential investors to view the purchase of these NFTs as an investment into the business, stating that the business’s expansion would deliver “tremendous value” to the NFT purchasers, and that the future value of the project would be significantly greater than their purchase price.

As a whole, Impact Theory raised around $30m from hundreds of investors, including those in the US; which would have been fine if the company had treated its sale of digital assets in the form of investment contracts as a securities offering and filed a registration statement with all of the attendant disclosures to investors required in such an offering.