Non-fungible tokens (NFTs – digital assets which are not traded on exchanges, but instead are tokens which represent the ownership of a digital file (for example, a photo or digital art)) have exploded onto the digital asset ‘scene’ over the last 18 months or so. They are generally (but not always) built on the Ethereum blockchain. NFTs are bought and sold using cryptocurrency, but not traded on exchanges. Instead, they are purchased through specialist third party auction sites or sold/transferred privately. The terms of the smart contract (which facilitates the purchase or sale of an NFT) will dictate the extent to which any rights are passed on to a user, or not, when an NFT is transferred.
The use cases continue to expand; NFTs are being used to enter private ‘communities,’ as part of blockchain games and in e-sports markets (amongst other things). The speed of mass NFT adoption has created significant opportunity (in the wake of the increase in value of NFTs, and also allowing content creators to monetise their services by tokenising art and music) but also exposed potential for the system to be exploited. For example, the holder of an NFT may be more likely to be targeted by phishing or social engineering campaigns. The purpose would be to ultimately gain access to their wallet (and by extension, achieve the ability to transfer the token out). In addition, a content creator might find that their work is being copied or re-sold and not have an obvious ‘target’ for the enforcement of their intellectual property rights.
In a cryptocurrency theft (of a fungible token – for example Bitcoin or Ethereum), a fraudster may want to extract value out of the stolen cryptocurrency at some stage. This would likely be done via an over the counter or private trade, or via an exchange. The challenge that a fraudster may be posed with in that scenario is that they may need to provide some form of KYC or identity information to interact with that entity. A victim can look to those entities in the hope that the collated information (if available) will identify the wrongdoer or uncover further evidence which can help track down the misappropriated asset. In addition a custody exchange (i.e. an exchange which has control over a user’s private keys) will likely have the ability to return cryptocurrency to its rightful owner (assuming the relevant Court orders are obtained, and the cryptocurrency is located within a wallet which it controls and has not been transferred out). This is a powerful tool.
In an NFT context, most tokens are held in private wallets rather than in exchanges. It would usually only be the creator and operator of that wallet that knows what the private keys are and, therefore, can control how any tokens are moved out of the wallet. This creates a practical problem – a victim may know exactly where the misappropriated asset is but not be able (at least at that point) to compel a third party to restrain and return the asset to it. Whilst there might be better ‘transparency’ around where an NFT is held, there may be a reduced number of natural ‘touch points’ that might give a victim the ability to look to an entity and get either: (1) information or (2) the repatriation of a token.
Remedies are available (for example, in the form of injunctive relief to prevent a sale) and specialist investigations can be undertaken to identify the location of misappropriated assets. A careful strategy (and fast action) is required to maximise the prospect of securing the return of misappropriated cryptocurrency and/or NFTs.
Ultimately, NFTs are an exciting development in the digital asset world. It is only a matter of time before for Courts and Regulators around the world clarify how they are treated and what rights might be available to victims in a variety of scenarios. This is very much a developing area and one which will be watched closely by interested parties.