• Artist Banksy warned of site’s security flaws a week before NFT scam

  • In the past week, a link on graffiti artist Banksy’s website advertised an artwork as the creator’s first NFT (non-fungible token).

    The failure of the NFT auction

    A British collector won the auction for this limited NFT artwork with a bid of $366,000, before realizing it was a fake. A key feature of NFTs in the art world is that the piece is “tokenized”: it includes a unique digital certificate of ownership that can be bought and sold.

    The page offering the NFT, Banksy.co.uk/NFT, was removed immediately after the auction took place, and a statement from the Banksy team read, “Any Banksy NFT auctions are not affiliated with the artist in any way.”

    The British collector, who is known online as @Pranksy, won the auction by outbidding his competitors by 90 percent. Pranksy is a Banksy fan and avid NFT collector.

    Pranksy said he was frustrated and “burned” after having more than $300,000 in cryptocurrency taken away from him. He was quickly relieved when the scammers strangely returned most of the amount to him at the end of the day. Pranksy believes that the news coverage could have led the public to identify the scammers, and that’s what drove them to refund the money. At the end of the day, however, Pranksy claims to have still lost $5,000 because the transaction fees were not refunded.

    Despite being scammed, Pranksy expressed gratitude, “I feel very fortunate because many other people in similar situations would not have had the same outcome if they had less influence.”

    Banksy’s team later released a statement saying that “artist Banksy did not create any NFT artwork”. But it still raises questions about how the site was compromised.

    The warning was ignored

    A cybersecurity expert apparently warned Banksy’s team that the site was flawed and could be exploited. However, that warning was ignored. Sam Curry, a white hat hacker and founder of security consultancy Palisade, said he first mentioned finding the vulnerability in Banksy’s website on social networking platform Discord last month.

    “I was on a security forum and multiple people had posted links to the site. I clicked on one and immediately saw that it was vulnerable,” Curry explained. He contacted Banksy’s team via email – an attempt that was allegedly ignored.

    Curry continued to try to contact Banksy’s team on other platforms, including Instagram. However, his efforts came to a dead end and he never received any response. The first report was initially sent out via email on August 25, prior to Curry’s disclosure.

    Curry added that the flaw in the site has since been fixed. The flaw allowed outsiders to create arbitrary files on the site, where they could publish third-party pages and content.

    Another Banksy stunt?

    Some comments have led to speculation that the incident may be just another Banksy stunt.

    Professor Paul Gough, principal and vice-chancellor of Bournemouth University of the Arts, said the timing, artistic style and setting did not fit.

    “I don’t think it was a prank by Banksy. For me, the timing was wrong and the setting didn’t feel right. He’d just finished his ‘Spraycation’ stunt where he blew up 10 places in East Anglia and posted a video about it on social media.”

    Gough also added that the fake artwork itself was a far cry from Banksy’s signature style.
