An attacker was apparently able to breach the site for famed street artist Banksy and sell a fake non-fungible token (NFT) of the artist’s work for more than $336,000.
The fraudster has since returned the ill-gotten cash, less a “transaction fee.” But the incident has delivered an invaluable lesson on a whole new emerging cybersecurity threat: NFTs.
In this instance the attacker hosted an auction on the real Banksy site, banksy.co.uk, for what was billed as the first-ever Banksy NFT, according to the BBC.
When a collector purchases an NFT, it doesn’t give them ownership or copyright over the image itself. Rather, the purchaser owns a piece of the item in the form of a “token” that is recorded permanently on its blockchain.
An anonymous British collector the BBC identifies as “prominent” and who goes by the name “Pranksy” was willing to offer 90 percent more than the next-highest bidder to score the Banksy NFT certificate. After handing over more than $336,000 in Ethereum, the bidder realized he had been conned.
“It does seem to be some hack of the site. I confirmed the URL on PC and mobile before bidding,” Pranksy told the BBC. “I only made the bid because it was hosted on his site. When the bid was accepted, I immediately thought it was probably fake.”
He added that he suspects he was alerted to the sale by the attacker.
Pranksy Gets Refund for Fake Banksy (Mostly)
After Pranksy did some work tracking down the attacker, the attacker returned all of the money on Monday evening, minus a £5,000 ($6,918) “transaction fee.”
“The refund was totally unexpected,” he told the BBC. “I think the press coverage of the hack plus the fact that I had found the hacker and followed him on Twitter may have pushed him into a refund.”
Pranksy also acknowledged that others in the same situation might not be as lucky.
The real Banksy had his team respond to the incident with a simple statement: “The artist Banksy has not created any NFT artworks,” according to the BBC.
Young-Sae Song from Bolster said it would have been hard for anyone to see signs this was a fake Banksy NFT auction.
“The fake Banksy NFT scam is one that would be difficult to detect for any cybersecurity technology, and it highlights the risk of purchasing NFTs, which do not have a centralized authentication method that is foolproof, as we saw in this scam,” Song told Threatpost by email.
But he added that this is unlikely to become a widespread issue because these transactions are so easy to track.
“The hacker returning stolen funds is an interesting twist, but it is unlikely to become a trend,” Song said. “I think it’s a sign that fraudulent cryptocurrency transactions are not as easy to hide; the days of rampant, illicit monetary systems may be behind us. This could actually help legitimize cryptocurrencies further and increase adoption.”
Bolster offers a free tool called CheckPhish to check whether an NFT site is legitimate.
Common NFT Scams
The Bolster research team also tracks emerging NFT scams and found the most popular cybercriminal tactics include setting up fake stores, the sale of fake art (Banksy is a popular lure), Airdrop scams offering free crypto and brand impersonation on social media.
“These scams will get more complex and sophisticated,” Bolster researcher Abhilash Garimella predicted at the end of March. “Scammers will keep innovating to make sure users fall for these. Not just NFTs, when buying anything online, a buyer needs to be aware of where and to whom they are giving away their credit card or banking information.”
Hardly technical, most NFT scams rely on tricking the user into thinking they’re buying the real deal.
“Third-party marketplaces are an easy target for hackers and ‘IP impostors,’” Christian Ferri from NFT PRO’s GREER told Threatpost. “The level of security tends to be fairly minimal and anyone can pretend to be Nike. The same happened back in the ’90s with e-commerce platforms.”
The NFT market has surged recently, with more than $2.5 billion changing hands so far this year. As the market attracts money, it will draw in cybercriminals looking for a piece of the action, and consumers will have to increase their awareness of potential NFT fraud, experts predict.
“As consumers, we must apply the same scrutiny and security measures to the websites we visit – especially if we’re potentially going to be making large financial transactions on those sites,” Bert Rankin from Zentry Security told Threatpost. “Unfortunately, in both our personal and professional lives, we need to apply a ‘zero trust’ mindset before accessing anything. There’s too much at stake not to.”