“I was in a security forum and multiple people were posting links to the site. I’d clicked one and immediately saw it was vulnerable, so I reached out to Banksy’s team via email as I wasn’t sure if anyone else had. “They didn’t respond over email, so I tried a few other ways to contact them including their Instagram, but never received a response.” Mr Curry’s disclosure, first reported by rekt.news was made initially by email on 25 August. The BBC was shown the email thread and has tried to contact Banksy’s team several times, with no response.
Mr Curry says the website flaw — which has now been fixed — “allowed you to create arbitrary files on the website” and post your own pages and content. The new page, called ‘Banksy.co.uk/NFT,’ was deleted shortly after the auction, with Banksy’s team saying: “Any Banksy NFT auctions are not affiliated with the artist in any shape or form.” The British man who won the auction is a prominent NFT collector and Banksy fan known on Twitter as Pranksy. He said he felt “burned” when he was scammed out of nearly $340,000 in cryptocurrency coins, but was relieved when the hacker inexplicably returned most of the money to him by the end of the day.