This past week, a link on the website of the infamous graffiti artist Banksy, advertised a piece of art as the creator’s first NFT (non-fungible token).
NFT auction debacle
A British collector won the auction for $366,000 to purchase the limited NFT art, before realizing that it was a fake. One crucial measure of an NFT in the realm of art is that the piece includes a “tokenized” unique digital certificate of ownership that can be bought and sold.
The page offering the NFT, Banksy.co.uk/NFT, was deleted right after the auction took place with a statement from Banksy’s team that read, “Any Banksy NFT auctions are not affiliated with the artist in any shape or form.”
The British collector, who goes by the online handle @Pranksy, won the auction after making an offer 90% more than rival bidders. Pranksy is is a Banksy fan and an avid NFT collector.
Pranksy expressed feeling frustrated and ‘burned’ after being taken for more than $300,000 in crypto. They were soon relieved that the scammer strangely returned most of the amount back to them by the end of the day. Pranksy believed that the press coverage could lead the public to determine the identity of the scammer, and that’s what pushed them to refund. However, at the end of the day, Pransky claims to still be down $5,000, as the transaction fee was not refunded.
Despite being scammed, Pranksy expressed his gratitude, “I feel very lucky when a lot of others in a similar situation with less reach would not have had the same outcome.”
Banksy’s team later made a statement saying that “The artist Banksy has not created any NFT artworks.” But this still left questions on how the site had been compromised.
Warnings go ignored
A cyber-security expert had apparently warned Banksy’s team that the website had shortcomings and that it could be exploited. However, the warning was ignored. According to Sam Curry, founder of security consultancy Palisade and a whitehat hacker, mentioned first discovering the vulnerabilities on Banksy’s site on the social network platform Discord last month.
“I was in a security forum and multiple people were posting links to the site. I’d clicked one and immediately saw it was vulnerable,” explained Curry. He reached out to Banksy’s Team via email — an attempt that allegedly went ignored.
Curry continued trying to reach Banksy’s Team on alternative platforms including Instagram. However, his effort came to a dead-end and he never received any response. Prior to Curry’s disclosure, the first report was made initially by email on Aug 25.
Curry added that the website’s flaws have since been fixed. The vulnerability allowed for an outsider to create arbitrary files on the website where they could post third-party pages and content.
Another Banksy stunt?
Some opinions resulted in speculation that the incident might just be another Banksy stunt.
Prof. Paul Gough, principal and vice-chancellor of Arts University Bournemouth, says the timing, art style, and setup don’t add up,
“I don’t see it as a Banksy prank. The timing for me doesn’t work right, the context doesn’t feel appropriate. He’s just done his ‘Spraycation’ stunt where he bombed 10 sites in East Anglia and put out a video on social media about it.”
Gough also added that the fake artwork itself drifted off of Banksy’s iconic style.
BeInCrypto has reached out to company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.