Users of the digital art marketplace Nifty Gateway reported hackers had taken over their accounts and stolen artwork worth thousands of dollars over the weekend.
Some users reported their entire accounts of digital certificates of authenticity for digital assets — known as non-fungible tokens (NFTs or “nifities”) — were drained over the weekend. But even after changing their passwords, some users said the hackers weren’t kicked out of their accounts. Some reported that the digital assets stolen from their accounts were then sold on the chat application Discord or on Twitter.
Others users reported the intruders also stole their credit card information and began using it to make purchases of other art to the tune of $20,000.
Nifty Gateway, a marketplace where users can buy, sell and display digital items, said in a statement that it encourages users to use two-factor authentication (2FA) to prevent account takeovers and hacking, noting that none of the accounts that were affected had 2FA enabled. The company, said it has seen “no indication of compromise of the Nifty Gateway platform.”
The flurry of apparent hacking activity comes a week after digital art backed by an NFT sold for nearly $70 million at Christie’s. It was the most expensive digital asset to ever sell with an NFT, according to The Wall Street Journal. Musician Grimes also recently sold 10 pieces of digital art for approximately $6 million.
Questions remain as to whether the value of NFT-backed digital art will dissipate over time and whether the value is rooted in its novelty. But for now, hackers are jumping on the valuable assets.
While hackers, such as those working for the North Korean government, have gone after bitcoin and other cryptocurrencies in the past to make a buck, NFTs are unique in that they can’t be exchanged for other NFTs in the same way bitcoin can, as the items they represent are unique.
The information security community has dabbled with NFTs in other ways in recent weeks. One user of the NFT marketplace OpenSea posted an exploit backed by an NFT earlier this month, for instance, raising ethical questions about what should be bought and sold using NFTs and whether malicious hackers may seek to buy, sell and trade exploits or other hacking tools in the future using NFTs.
“As an exploit engineer I see some vulnerabilities as works of art, it’s an interesting and intriguing computer security bug that results in denial-of-service of a widely used network game engine,” the user who posted the exploit, the co-founder and director of security firm Hacker House, Matthew Hickey, said in a tweet. “Asset/IP will be transferred in full, winner can do with it as they please.”
The flaw was a post-authentication memory corruption vulnerability in the ioquake3 engine, a software first person shooter engine, which would have allowed whoever bought it to cause a denial-of service condition — but OpenSea took down the listing, according to CoinDesk. Hickey said he has been trying to contest the takedown.
Hickey told CyberScoop he has not heard back from OpenSea yet, adding that although he thinks there shouldn’t be restrictions on the kinds of digital assets someone should be able to sell with NFTs, he does think it is still early days and that NFTs need to be better understood in the information security community.
“We are still investigating NFTs but for the use case we highlighted it appears the technology is still too much in it’s infancy, we do however see a future for them as a disruptive technology but how that will relate to our field has yet to be fully understood,” Hickey said. “I don’t think there should be any restrictions on the type of digital asset someone should be able to sell, I believe that the current centralized exchange model of NFT should become decentralized to allow direct peer2peer transfer of such assets if the technology is intended to really change the concepts of IP, copyright, [digital rights management] and other digital rights as it has the potential to disrupt.”
NFTs could potentially be abused if they fall into the wrong hands, Hickey warned.
“As with any technology it can enable new kinds of criminality and misuse, just like how the Internet has enabled new kinds of commerce, it also bought with it new kinds of crime,” Hickey said.
Update, 3/15/2021: This story has been updated to include Hickey’s comments.