A collection of CryptoPunks in OpenSea displayed on a phone screen. Photo: Jakub Porzycki/NurPhoto via Getty Images.

Over $100 million worth of NFTs have been stolen over the course of the past year, according to a new study, and thieves made off with an average of $300,000 each time.

The 110-page report, published this week by the London-based blockchain analysis company Elliptic, suggests that thefts have not decreased with the recent cryptocurrency crash. In fact, the rate of the cybercrimes may be going up: In May, just under $24 million in NFTs were swiped from owners’ wallets—the highest amount recorded in a single month. In July, a whopping 4,600 NFTs were stolen, another record number.

The most valuable NFT ever stolen, according to the report, is CryptoPunk #4324, which was pinched in November before being sold for $490,000. The biggest single heist occurred a little more than a month later, when 16 blue-chip NFTs worth $2.1 million were stolen from a collector. 

At the center of many of these cases are elaborate scams that trick NFT owners into voluntarily sharing access to their NFTs or wallet. Phishing attacks are the most common form, used to lure NFT owners with fake websites, pop-ups, and transaction opportunities. Often this involves criminals imitating well-known crypto-art platforms or even counterfeiting NFTs. 

Social media has left NFT players particularly vulnerable as scammers hack the accounts of popular NFT projects to post phishing links. Close to 5,000 NFTs have been filched this way, Elliptic reports, noting that social-media compromises accounted for nearly a quarter of all crypto-art thefts over the last year.

What’s more, the cost of these crimes has skyrocketed in recent months. Between the first and second quarters of 2022, the value of NFTs stolen through social-media scams went from $3.2 million to $15.4 million—a 386 percent jump.

“The growing availability of tailored malware that can bypass multi-factor authentication is likely to be partially responsible,” Elliptic’s report explains.

It was through Instagram that an attacker was able to steal $3 million worth of NFTs from Yuga Labs, the collective behind the Bored Ape Yacht Club, in April. After hacking the company’s account, the attacker sent users a “smart contract” that ultimately yielded access to their crypto wallets.

Elliptic also found that some services have been especially instrumental in enabling blockchain crime. Roughly 52 percent of NFT scammers used the virtual currency mixer Tornado Cash to launder money after thefts. The U.S. Treasury Office placed sanctions on the service earlier this year, saying it “indiscriminately facilitates anonymous transactions by obfuscating their origin, destination, and counterparties.”

Still, for NFT lovers growing weary of their wallets’ exposure, the outlook may not be as bleak as it looks. “As with many crimes,” the report says, “the perceived chances of NFT-based crime occurring is higher than it actually is. Elliptic’s data-driven analysis has found that the true instances of these crimes account for a small proportion of NFT-related trade.” 

The “responsibility” for combating such crime, Elliptic argues, “lies on everyone engaging in the NFT space—regulators, marketplaces, project developers, NFT traders and influencers—to motivate safe and secure development of this technology.”