On Wednesday, May 29, the U.S Treasury Department released the “Illicit Finance Risk Assessment of Non-Fungible Tokens.” The Risk Assessment, required under Treasury’s 2022 “Action Plan to Address Illicit Finance Risks of Digital Assets,” provides a comprehensive overview of the Non-Fungible Token (NFT) market structure, delving into the specific illicit finance threats and vulnerabilities associated with NFTs. It outlines mitigation actions to combat criminal activities and concludes with recommended actions. Treasury risk assessments do not carry any legal weight and are not official executive regulation but can serve to guide the regulatory and policy discussions and debates of the future. Their primary goal is to analyze potential harm posed to consumers, industry participants, and the general public from the threats outlined. These assessments are crucial for maintaining the stability and integrity of our financial systems. 

Analogous to Treasury’s Illicit Finance Risk Assessment for Decentralized Finance (DeFi), the report explicitly statesthat illicit finance activities utilizing NFT products and markets, including terrorist financing, money laundering, and proliferation financing, are uncommon in the space and that these activities primarily take place in traditional finance. 

NFT Illicit Finance Concerns 

However, the Risk Assessment did highlight prevalent issues of fraud, scams, and theft in the NFT space. It noted that between July 2021 and July 2022, $100 million worth of NFTs were stolen through scams, with $24 million stolen in May 2022 alone. Key types of scams include: 

  • Rug Pulls: Creating fake projects to attract investment, then shutting down the project and stealing funds. “Slow rug pulls” involve using funds from an initial project to fund a second scam. 
  • Market Manipulation: Deceptive behavior to mislead investors about an asset’s value. 
  • Fake and Counterfeit Sales: Misrepresenting an NFT’s value, brand association, or access rights. This includes “sleepminting,” where hackers mint an NFT to appear as if created by a legitimate source, then sell it as authentic. 
  • Fraudulent NFT Platforms: Scammers may fail to honor NFT exchange agreements or create fake platforms to steal NFTs. 
  • Theft: Criminals can spread malware through social media links, fake advertising, or airdropped NFTs, draining victims’ digital asset wallets, and often use fake NFT creator accounts with phishing links to ask victims to connect their wallets. Vulnerabilities and bugs in smart contracts allow criminals to steal NFTs or buy them at reduced prices, and due to the immutability of many smart contracts, developers often cannot fix or recover funds from these exploits. 

NFT Vulnerabilities 

NFTs have vulnerabilities due to their nature, referenced assets, and regulatory gaps. Criminals exploit cyber vulnerabilities, trademark and copyright challenges, and market hype. Non-compliance with U.S. regulations and foreign regulatory gaps also present risks. 

  • Copyright and Trademark Protection: Criminals misrepresent NFT rights, violating copyright and trademarks, inflating prices, and selling counterfeit NFTs. Identifying infringers is challenging due to anonymity and jurisdictional issues. 
  • Hype and Fluctuating Pricing: Scammers use time-sensitive offers to pressure victims, and fluctuating prices can mask price manipulation and money laundering. 

Mitigation Measures 

The report outlines several mitigation efforts considered effective against these threats, including: 

  • Industry Tools: Tools include scam databases, transaction controls, and blockchain analytics. These can identify scams, prevent wash trading, and flag risky users. Enhanced software reviews and cybersecurity measures are also recommended. 
  • Applicability of Law Enforcement Authorities, Public Announcements: NFTs are considered property for asset recovery. Victims can report fraud to the FBI or IC3.gov. Public announcements raise awareness and guide users on preventing fraud. 
  • Public Blockchain Transparency: Public blockchains allow tracking of pseudonymous transactions, aiding investigations. However, anonymity-enhancing technologies and off-chain activities limit this transparency. 
  • Involvement of Covered Financial Institutions and Other Sources of Government Information: NFT buyers, sellers, and traders often rely on traditional financial institutions to purchase NFTs. Compliance with AML/CFT and sanctions obligations by these institutions can mitigate risks. Non-compliance, especially by foreign VASPs, poses additional risks. 

Recommendations 

  • Regulation and Enforcement: Authorities should consider specific regulations and guidance for NFTs, clarify existing obligations, and raise awareness among NFT platforms. Regulatory agencies should continue to enforce current laws and take action against non-compliant entities in the NFT sector. 
  • Engagement and Education: The U.S. government should continue engaging with the private sector to monitor NFT developments, promote innovation to mitigate scams and fraud, and educate consumers on NFT rights. Additionally, collaborating with foreign partners to assess and address illicit finance risks in the NFT ecosystem is crucial. 

For media inquiries, please contact press@digitalchamber.org