Non-fungible tokens (NFTs) have grown in popularity in recent years with one NFT, The Merge, recently selling for a whopping $91.8 million in December 2021. While nearly 30,000 collectors collaborated to buy The Merge, one NFT by famous artist Beeple (Mike Winkelmann), Everydays: the First 5000 Days, was bought by a sole collector for a massive $69.3 million.

This goes to show the eye-watering amounts involved in NFTs. But how safe is your money in NFTs? And how much has been lost to hacks on NFTs and their platforms?

Our researchers have been keeping track of NFT thefts since they were first introduced, with the earliest heist being recorded in early 2020. Since then, over $86 million has been stolen with a vast increase in the number of hacks in 2022. This is similar to the uptick in crypto attacks we’ve monitored in our daily tracker (here).

Check out our live data below to find out when the most NFT hacks have taken place, how much has been stolen, and the 10 biggest NFT hacks of all time.

The biggest NFT heists of all time

Below are the biggest NFT heists (based on the USD amount stolen at the time of the attack) to date:

  1. Lympo — $18.7 million stolen: The sports-based NFT and subsidiary of Animoca Brands, Lympo, lost 165.2 million LMT tokens in a hot wallet hack. At the time of the attack (January 2022), this was equivalent to $18.7m and affected ten wallets.
  2. Farmers World — $15.7 million stolen: WAX chain’s crypto game, Farmers World, suffered a theft in November 2021 resulting in more than 100 million yuan in losses ($15.7m). However, some suggest that the figure could have reached as much as 300m yuan.
  3. Bored Ape Yacht Club — $13.7 million stolen: In April 2022, Bored Ape Yacht Club’s Instagram account was hacked and 10s of NFTs were stolen from tricked users who connected their Ethereum wallet. The floor price of these NFTs equated to nearly $14 million.
  4. DragonSB Finance — $10 million stolen: DragonSB Finance, an NFT gaming project, lost $10 million when its vesting smart contract was hit by hackers in April 2022.
  5. OpenSea — $3.4 million stolen: In a phishing incident in February 2022, attackers exploited OpenSea users and stole NFTs worth over 1,200 ETH (around $3.4 million at the time). In a lucky twist of fate for some victims, the hacker did return some of the unsold NFTs.
  6. TopGoal — $2.23 million stolen: In February 2022, TopGoal was attacked and over 4.8 million TMT was transferred from the platform’s hot wallet to the hacker’s address. At the time, these tokens were worth just over $2.2 million.
  7. The Shifters – $2 million stolen: Duped via fake websites and Discord messages, over $2 million was stolen from users during the eagerly anticipated release of The Shifters NFTs in March 2022.
  8. Alethea AI — $1.8 million stolen: In a Discord compromise, Alethea AI fans were exploited for 840 ETH, which was worth around $1.8 million at the time (March 2022).
  9. Moonbirds — $1.5 million stolen: In May 2022, 29 Moonbirds’ NFTs were stolen via a malicious link set up by hackers. These were worth an estimated 750 ETH ($1.5m).
  10. Omni — $1.43 million stolen: NFT finance platform, Omni, suffered a flash loan reentrancy attack in July 2022 in which hackers stole 1,300 ETH ($1.43 million). Omni enables users to stake NFTs across various platforms so they can receive tokens (e.g. ETH).

Methodology

To collate this list of worldwide NFT heists, we’ve searched through security analysts’ reports, NFT Twitter pages, and industry news from across the globe. We’ve tracked attacks on third-party platforms and individual NFTs.

We have only focused on clear exploits by hackers, meaning rug pulls, employee thefts, phishing scams (e.g. by creating fake websites), and company errors haven’t been included. Nor have thefts from individuals.

Where possible, we have only included an NFT attack where the NFT or a security tracker (e.g. PeckShield or CertiK) has confirmed that funds have been stolen. For example, a large number of NFTs have been subject to discord hacks but these have only been included if the platform has confirmed funds have been stolen.

For a full list of sources, please request access here.