Hackers took over multiple accounts on the digital art marketplace Nifty Gateway this weekend, stealing hundreds of thousands of dollars worth of NFTs, or non-fungible tokens. The company says that users not enabling two-factor authentication is to blame.
On Sunday, several Nifty users on Twitter posted that they'd been targets of fraud on the platform. One claimed that someone accessed his account, first sold all of his NFTs, then bought more than $10,000 worth of NFTs and transferred them to another account. Another said their account was hacked to buy $20,000 worth of NFTs and steal another $150,000 worth from their collection. These users said the charges went to their credit cards; Nifty Gateway has long advertised the ability to simply purchase NFTs with a credit card rather than using cryptocurrency.
A spokesperson for Nifty confirmed the spate of fraudulent activity, saying that the users who were affected didn't have two-factor authentication turned on. The company said in a statement to Motherboard:
"We have seen no indication of compromise of the Nifty Gateway platform. The Nifty Gateway team is communicating with a small number of users who appear to have been impacted by an account takeover. Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA [two-factor authentication] enabled, and access was obtained via valid account credentials. We encourage our users to enable 2FA that we provide on the platform and never reuse passwords.
We have seen some reports that NFTs involved in these account takeovers were sold in transactions negotiated over Discord or Twitter. We strongly encourage all Nifty Gateway customers to purchase their NFTs on the official Nifty Gateway marketplace."
In these instances, the company claims, the users themselves were compromised, not the entire platform. At least one user separately confirmed on Twitter that they hadn't enabled two-factor authentication on their Nifty account, which would have stopped someone who had obtained their password from logging in as them.
NFTs have surged in popularity lately, as more people flock to buy and sell art on marketplaces for cryptocurrency. Last week, the rights to an audio sex tape of rapper Azealia Banks and boyfriend Ryder Ripps sold for $17,000, and the artist Beeple sold an NFT at auction for $69 million. NFT owners buy them as a show of solidarity within their art community, or in the hopes that these collectors' items will grow more valuable in time.
One user said on Twitter that they're filing a police report and calling their credit card company to dispute the charges—when your credit card is compromised, banks often offer help through their fraud protection departments, to recoup any lost funds. I asked Nifty whether the company has policies in place for when this type of fraud happens—as well as whether it plans to make 2FA mandatory in the future—and will update if I hear back.