About an hour before midnight on December 21, Hong Kong finance professional Jackson Leung turned on his personal computer and clicked on a link to obtain a non-fungible token (NFT) from the popular local project Monkey Kingdom . It did not take long, however, for Leung to realise that something was amiss. Instead of getting a newly minted NFT, the link sent money from his cryptocurrency wallet to an unfamiliar account bearing a name that starts with “HuiY”. “I was in an absolute hurry to try to click the link, which was posted by an administrator at Monkey Kingdom’s group chat on [instant messaging service] Discord at the time,” Leung said. “I had every reason to believe that it was legit. But soon after I clicked it, I knew that I was scammed.” It turned out to be a phishing link that defrauded Leung and many others who wanted to take part in the Monkey Kingdom project, founded by Hong Kong entrepreneurs and promoted by celebrities such as Singaporean singer JJ Lin and American disc jockey Steve Aoki . By the time the NFT project’s administrators detected the security breach and shut down all activities, buyers had lost more than 7,000 solana, a popular cryptocurrency, to the scam. That amounted to nearly US$1.3 million based on the latest transacted prices. Phishing is a common form of online fraud to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into revealing sensitive information using fraudulent links or messages. It is now being employed to breach access to users’ cryptocurrency wallets. The Monkey Kingdom case marked the latest in a series of scams to hit the NFT space in recent months, as demand for these digital assets continues to expand. NFTs refer to units of data stored on a blockchain , which guarantees each digital asset to be unique and immutable. As such, NFTs can be owned and traded much like physical items in the real world. The past year saw a boom in the NFT market, the value of which exceeded US$40 billion, according to blockchain data platform Chainalysis. A number of high-profile Hong Kong NFT projects have grabbed headlines, attracting new investors into this sector. The latest one involves the NFTs of popular cartoon piglet McDull and his cousin McMug, created by illustrator Alice Mak Ka-bik and writer Brian Tse Lap-man, which will be auctioned by Sotheby’s later this month . In December, the “GOLD4HK” collection of 5,424 NFTs of Olympic gold medallist fencing hero Cheung Ka-long and his men’s foil team was announced for release. The South China Morning Post in November joined Dapper Labs, the creator of popular NFT series NBA Top Shot, to release a number of NFT trading cards commemorating the history of Hong Kong . In October, Sotheby’s auctioned an NFT of a never-before-seen, behind-the-scenes footage from the first day of shooting In the Mood for Love , the critically acclaimed 2000 film by director Wong Kar-wai . That NFT sold for HK$4.28 million. In September, an online auction by Christie’s of 14 NFT artworks and other assets owned by Hong Kong actor Shawn Yue Man-lok fetched HK$121.6 million. Last March, the NFT of a digital artwork created by Italian artist Andrea Bonaceto in collaboration with Sophia – the humanoid robot built by Hong Kong-based Horizon Robotics – sold at an auction for US$688,888 . But it was American artist Mike Winkelmann, known as Beeple, who got the ball rolling for the boom in NFTs that same month when his digital artwork Everydays – The First 5,000 Days sold for US$69.3 million at Christie’s . The NFT investment frenzy, however, has also supercharged criminal activity in the market. The total value of cryptocurrencies scammed by illicit online addresses, according to Chainalysis, reached US$14 billion last year. For all of the security and transparency features touted by proponents of blockchain, the technology behind digital currencies like bitcoin, NFT projects are not immune to phishing links and outright fraud. While interest around NFTs has sparked a new start-up boom in Hong Kong, there is currently no regulatory oversight to protect investors in this field. Baby Wukong, a Hong Kong NFT project based on the solana blockchain platform, consists of hundreds of digital portraits of the famous Monkey King from Journey to the West , a classic tale of Chinese literature. This project suddenly deleted its entire social media presence on December 29, just days after it rented a marquee advertising space at Lan Kwai Fong, the city’s bar and nightlife hub, to promote the project. Buyers who acquired the Baby Wukong NFTs were left holding the bag, as the value of these digital assets plunged. The value of each Baby Wukong NFT fell to 0.07 solana, about US$9.50, on average as of Tuesday from 2.5 Solana, according to online marketplace Magic Eden. The developer behind Baby Wukong could not be reached for comment. This form of scam is called a “rug pull” by the crypto community. About US$2.8 billion was lost to rug-pull scams across NFT and decentralised finance projects around the world last year, according to Chainalysis. Can cartoon apes land these NFT owners a fortune? The solana blockchain has become a popular platform on which entrepreneurs have launched new NFT projects. Compared with the rival Ethereum blockchain, a solana-based NFT project can be started much faster and at lower cost. This low barrier of entry, however, has enabled some fraudsters to set up scams with ease. “Like any start-up boom, [the NFT sector] is going to attract ‘scammy’ opportunists,” said Will Duckworth, Asia-Pacific digital leader at professional services giant EY. “It’s also going to attract people who are genuinely innovative and create new ideas.” While NFTs represent a disruptive force in the marketplace, Duckworth said he believes there is excessive hype and risks in terms of how people are speculating on these digital assets based purely on perceived value. “When you’re buying an NFT that links to a digital image, that’s a roller coaster of perceived value,” he said. “And when you come to sell it, it might be absolutely worthless because it’s not cool any more.” The attack on Monkey Kingdom, which has 2,222 digital portraits of the Monkey King dressed in different styles, shocked the local NFT community because of how easy a hacker compromised the project’s third-party community management software. That allowed the hacker to assume the disguise of an administrator and dupe buyers to use a phishing link. The hack was part of a larger attack that affected NFT start-up Fractal, a project started by live-streaming service Twitch co-founder Justin Kan in the United States. On Twitter, Monkey Kingdom said it has earmarked 7,056 solana for a compensation fund to help reimburse duped NFT buyers. Monkey Kingdom has reimbursed a total of 6,398 solana to scam victims as of last Friday. In spite of that prompt response, victims like Leung said the process to get reimbursed has been challenging. His request for compensation was initially rejected. After days of complaining and arguing with Monkey Kingdom, Leung managed to receive compensation about two weeks after the hacking incident. “The whole process has been very frustrating,” Leung said. “Unfortunately, this is the reality in the NFT market because it is unregulated.” Leung said he only lost “less than 1 solana”, worth about US$140, from the hack, but the incident still angered him. Following the hack, the average value of Monkey Kingdom NFTs declined to 35 solana, about US$5,000, compared with nearly 70 solana before the attack. A spokesman for Monkey Kingdom earlier said the project has been able to reimburse most of the victims. “As long as we can track it on the blockchain, we refund. Obviously, hundreds of people will submit false [claims] or claims that we can’t track,” the spokesman said. “If we can’t track it, then there’s nothing we can do, because we can’t just give money out to everyone. There are like thousands of claims.” A Twitter user named Commenstar said Monkey Kingdom refunded the full amount of 650 solana, worth about US$89,000, hours after the hack. Holders of Baby Wukong NFTs, meanwhile, are reportedly banding together to revive the project under the name Reborn Baby Wukong. Insiders are the biggest winners in NFTs, Chainalysis study shows The co-founder of Hong Kong NFT project Lucky Kittens, who asked to be referred to by his online pseudonym LuckyKaptain , said his project was also attacked by hackers with phishing links. “Though in our case, only a few hundred dollars were lost,” he said. “Regardless, this is a common problem for many NFT projects.” Outside Hong Kong, New York art gallery owner Todd Kramer said in a tweet last month that he had lost 615 ether, worth about US$2.3 million, to an NFT phishing scam. The tweet has since been deleted. Some NFT projects, according to LuckyKaptain, are designed to pull the rug out from under buyers because their founders underestimated the amount of work that comes after an NFT is issued. NFTs often come with many perks, which can range from guaranteed access to offline events to merchandise. “Some people realise they couldn’t deliver the promises they made to buyers,” LuckyKaptain said. “So they just take the money and run.” There are similarities between the current NFT boom and the initial coin offering (ICO) activities a few years ago, according to EY’s Duckworth. “We saw how ICOs became popular because people were just trying to fund their start-up businesses by launching [digital] tokens,” he said. “There were a lot of scams in the ICO space. I think the NFT space is possibly a more mature take on that.” On potential government oversight of NFTs, Duckworth said he believes that regulations will be slow to catch up in the short term. “I expect [the NFT space] will still be the Wild West for the next couple of years,” he said.