NFT ownership is managed via a private key that serves as a sentinel to all the assets in a specific digital wallet. Anyone holding the private key can get access, as well as move the NFTs out of the digital wallet and resell them.
To access developer privileges, scammers need their private keys. In most cases, these are obtained through social engineering efforts that culminate in developers inadvertently revealing them to exploiters. Many of these social engineering tactics may be similar to those used by phishing or impersonation scammers (see section 1). Across 2020 and 2021, private key compromises resulted in the theft of $260 million – across both fungible and non-fungible DeFi protocols.