Banksy Was Warned About Website Flaw Before NFT Hack Scam

Artist Banksy’s team was warned his website had a security weakness seven days before a hacker scammed a fan out of $336,000. The BBC reports: On Tuesday a piece of art was advertised on Banksy’s official website as the world-renowned graffiti artist’s first NFT (non-fungible token). A British collector won the auction to buy it, before realizing it was a fake. A cyber-security expert warned Banksy that the website could be hacked, but was ignored. Sam Curry, a professional ethical hacker from the US and founder of security consultancy Palisade, said he first heard that the site could have a weakness on the social network Discord, last month.

“I was in a security forum and multiple people were posting links to the site. I’d clicked one and immediately saw it was vulnerable, so I reached out to Banksy’s team via email as I wasn’t sure if anyone else had. “They didn’t respond over email, so I tried a few other ways to contact them including their Instagram, but never received a response.” Mr Curry’s disclosure, first reported by rekt.news was made initially by email on 25 August. The BBC was shown the email thread and has tried to contact Banksy’s team several times, with no response.

Mr Curry says the website flaw — which has now been fixed — “allowed you to create arbitrary files on the website” and post your own pages and content. The new page, called ‘Banksy.co.uk/NFT,’ was deleted shortly after the auction, with Banksy’s team saying: “Any Banksy NFT auctions are not affiliated with the artist in any shape or form.” The British man who won the auction is a prominent NFT collector and Banksy fan known on Twitter as Pranksy. He said he felt “burned” when he was scammed out of nearly $340,000 in cryptocurrency coins, but was relieved when the hacker inexplicably returned most of the money to him by the end of the day.