The blockchain has frequently been hailed as the future of art commerce, offering a way to ensure a work’s authenticity while creating an unalterable digital record of provenance on a public ledger. But recent reports of hacking on Nifty Gateway, a popular marketplace for non-fungible token (NFT) art, have raised questions about potential security flaws in the system. Several users have taken to social media in the last few days to claim they had NFTs stolen on the platform, with little recourse to get them back.
One of them is media strategist Michael Miraflor, who tweeted this weekend that his Nifty Gateway account had been compromised and his entire NFT collection cleared out in a matter of minutes. The hacker transferred Miraflor’s NFTs to another account and used his credit card on file to purchase more than $10,000 worth of Nifty’s daily “drop,” which they also transferred; then, they sold the stolen NFTs via the messaging app Discord.
Among the NFT works taken from his collection was an open edition piece by Major League Baseball player-turned-artist Micah Johnson, who made headlines when a group of NFTs representing one of his painted sculptures sold for $1 million in just one minute on Nifty.
Miraflor reported the fraudulent charges to his credit card company and was able to get his money back. (Nifty Gateway allows users to make purchases using their credit card instead of the Ether cryptocurrency that other platforms like Foundation, SuperRare, and MakersPlace require.) But when he reached out to Nifty’s support team regarding the stolen NFTs, he was told they could not transfer the digital tokens back to him. Transactions cannot be reversed on the blockchain, and per Nifty’s Terms of Service, Miraflor’s NFTs now legally belong to the users who purchased them fair and square — even if they were bought from a hacker.
Works by other high-profile crypto artists, like Trevor Jones, have also been stolen and resold in the same way, according to an ongoing list of the thefts created by Twitter user @KeyboardMonkey3, who estimates over $150,000 worth of NFTs have been stolen.
NFTs are unique digital files that can represent works of art and other collectible assets and are inscribed on the Ethereum blockchain. A growing number of artists have embraced the technology, which allows creators to sell their work without the help of a gallery as well as track and often earn a percentage on resales.
Miraflor says he started collecting crypto-art because he liked the idea of supporting artists, many of whom had difficulties monetizing their work within the traditional art market.
“The sad thing for me is that I dove into exploring NFTs because 1) I love the idea of artists being compensated for resales in perpetuity and 2) it ostensibly solves provenance issues in the art space,” Miraflor told Hyperallergic. “I’ve lost a COA [Certificate of Authenticity] before, so know the headache that comes along with that.”
“I’m still optimistic on the long-term potential of NFTs to support artists and collectors, but I’m going to be a lot more mindful of security and platform terms of service moving forward,” he added.
A Nifty Gateway spokesperson told Hyperallergic that the company has seen “no indication of compromise” on its platform.
“The Nifty Gateway team is communicating with a small number of users who appear to have been impacted by an account takeover. Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials,” they said.
2FA is short for “two-factor authentication,” a common form of online security that requires users to provide a second login credential, in addition to their username and password, in order to access their account. Nifty encourages users to enable the 2FA options provided on the platform and never reuse passwords.
In addition, the spokesperson said, users should purchase NFTs on the official Nifty Gateway marketplace. In many of the recent account takeovers, the stolen NFTs were sold in transactions negotiated outside of the platform, on Discord channels or Twitter.
One victim of a theft on the platform, Cranford Stoudemire, said he was able to get all of his stolen NFTs back except for one, a piece by artist Kode Abdo. Stoudemire caught the account being hacked as it was happening, in time for Nifty Gateway to lock down the secondary account where his NFTs were being kept. The company was able to transfer the works back to Stoudemire before they were resold in an unofficial marketplace.
Nifty Gateway has not responded to Hyperallergic’s inquiries regarding the exact number of incidents or the total value of NFTs stolen. But for some, the hackings have exposed holes in a technology often touted as a foolproof record of ownership.
“If art can be stolen with zero verification and the solution is ‘just don’t buy stolen art’ then you’ve kinda ripped away the curtain and exposed the scam,” wrote Twitter user @bach_tigh. “There’s no ownership, just made-up paperwork.”