2022-09-18 Threat Modelling NFT (Non-Fungible Tokens)

    Posted Oct 21, 2022 09:29:00 PM

    So we did the threat modeling of "NFTs" at a high level. 

    Some key takeaways:

    • It would appear that there are some major differences and challenges between NFTs that you own entirely and those that allow partial ownership
    • There is a major lack of maturity in the space about the intersection of technical capabilities/restrictions and legalities
    • Many NFTs are currently being sold as "not a security" and the potential for them to then be reclassified later as a security by the SEC makes the legality especially murky
    • Exchange data and other sources of data can be obtained by law enforcement, possibly years later

    One of the biggest topics of discussion was the legality and regulatory aspects of NFTs. It was also noted that various regulatory agencies can classify an NFT as a security, potentially resulting in a post-facto situation concerning the law and taxes.

    A related discussion centered around defining what activities and levels of activity are likely to pique regulatory interest. It was noted that an open source literature search (e.g. of SEC enforcement actions) is possible, which, correlated with token data and an estimate of how long enforcement action takes, could give a rough idea of what is most likely to result in a regulatory action being taken. Alternatively, someone could simply ask regulators and see if they will provide any meaningful answers; perhaps this is something to suggest to the crypto press.

    Additional discussion took place around the issues surrounding asset management and holding, e.g. custodial vs non-custodial holders. It was noted that custodial holders such as exchanges, custodians, and so on are likely to be encouraged or even forced to provide the data; this is already taking place, e.g. Canada's Proceeds of Crime (Money Laundering) and Terrorist Financing Act has already been used to get US-based exchanges to monitor transactions and provide data.

    Some final discussion centered on theorizing what happens if legal enforcement meets the immovable technical mountain, e.g., "you must delete this data" or "you must return these keys," where this is not technically possible. 

    Concerning the general lack of maturity, both technically and legally, of NFTs, and the cross-jurisdictional nature combined with the potential for post-facto illegality (e.g. you are holding NFTs that are suddenly classed as a security, requiring reporting, taxes, and so on), it was generally agreed that this is an interesting legal problem and likely to be an expensive one.

    If you are interested in these threat modeling exercises, please feel free to join us; they occur monthly (e.g. October 18, 2022). You can view the calendar (, and we're on Circle at 

    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance