It was the digital art heist everyone in the cybersecurity world saw coming.
Over the last couple days, multiple users of Nifty Gateway, a marketplace for buying and selling non-fungible tokens (NFTs), reported on Twitter that their accounts had been hacked and then drained of thousands of dollars worth of digital art.
The theft marks one of the first known incidents of digital art theft, but the rapid adoption of NFTs suggests it will not be the last. According to NFT Report 2020, the NFT market grew almost 300% last year and is now valued at roughly $250 million, making it an attractive target for hackers.
NFTs have been hailed as a way to help artists profit from their work, but the fast-growing market has left many onlookers incredulous, seeing as the images or objects can be easily copied or redistributed online.
The burglars compromised valid user accounts, negotiated undisclosed sales through a Discord server, and then transferred NFTs to buyers for free on Nifty Gateway, according to multiple victim accounts posted on Twitter.
In some cases, the hackers also used victim’s credit cards, which were linked to their account, to purchase and then sell NFTs not previously in the victim’s wallet.
Publicly available records of online auctions on Nifty Gateway suggest that the buyers then moved swiftly to re-sell the purloined NFTs, sometimes dropping the initial offering price of artwork several times and by several thousands of dollars in the span of a few hours to entice new sales.
While it is common for digital artwork to change hands rapidly in the volatile NFT marketplace, the whipsaw of post-compromise transactions suggests that the criminals and their intermediaries hoped to quickly launder the tainted goods through a chain of semi-legitimate transactions that would be difficult for Nifty Gateway to unravel.
Nifty Gateway acknowledged the compromise on Monday afternoon on Twitter.
“We have seen no indication of compromise of the Nifty Gateway platform. The Nifty Gateway team is communicating with a small number of users who appear to have been impacted by an account takeover.”
Nifty Gateway, which is owned by the cryptocurrency exchange and custodian Gemini, also urged users to execute transactions exclusively through the company’s marketplace and to implement two-factor authentication, which is optional on the platform.
“Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials.”
Nifty Gateway’s Twitter statement did not mention whether the company would be able to help users restore their stolen artwork.
The decentralized digital ledger that marketplaces like Nifty Gateway use to authenticate and record transactions theoretically provides a transparent record of where the stolen art went.
But that same distributed ledger that ensures transparency makes digital transactions difficult to unwind without forking the blockchain or somehow forcing users to reverse completed sales, which could create a welter of new problems.
Worse, a few of the stolen pieces were eventually withdrawn by their new buyers, suggesting those profiting off the theft might just try to abscond with the artwork.
The Record reached out to multiple victims to ask whether Nifty Gateway was working with them to help return their stolen art. None would go on the record while they process appeals with the company.
However, their public Twitter profiles suggest that the Nifty Gateway has thus far been unwilling or unable to return their stolen art.