The artist Banksy’s team was warned that his website had a security weakness seven days before a hacker scammed a fan out of $336,000 (£242,000).
An artwork was announced on the official Banksy website on Tuesday as the world-renowned graffiti artist’s first NFT (non-fungible token).
A British collector won the auction to buy it, before realizing it was a fake.
A cyber security expert warned Banksy that the website could be hacked, but was ignored.
With NFTs, artwork can be “tokenized” to create a digital certificate of ownership that can be bought and sold.
They typically do not give the buyer the actual artwork or its copyright.
Sam Curry, a professional ethical hacker from the US and founder of security consultancy Palisade, said he first heard on the social networking site Discord last month that the site might have a weakness.
“I was on a security forum and several people were posting links to the site. I clicked on one and immediately saw that it was vulnerable, so I contacted the Banksy team via email because I wasn’t sure if anyone else had.
“They didn’t reply via email, so I tried a few other ways to contact them, including their Instagram, but never got a response.”
Mr. Curry’s disclosure, first reported by rekt.news, was initially made via email on August 25.
The BBC was shown the email thread and has tried to contact Banksy’s team several times, with no response.
Curry says that the website flaw, which has now been fixed, “allowed you to create arbitrary files on the website” and publish your own pages and content.
The new page, called ‘Banksy.co.uk/NFT’, was taken down shortly after the auction, with Banksy’s team saying: “Any Banksy NFT auctions are not affiliated with the artist in any way.”
I felt burned
The Briton who won the auction is a prominent NFT collector and Banksy fan known on Twitter as Pranksy.
He said he felt “burnt out” when he was scammed out of almost $340,000 worth of cryptocurrencies, but was relieved when the hacker inexplicably returned most of the money to him at the end of the day.
He said earlier this week: “I think the press coverage of the hack and my potentially discovering the hacker’s ID pushed him to get a refund.”
He says he ended up paying around $5,000 out of pocket, as the transaction fee was not refunded.
The bizarre story has led some to speculate that the incident may have been some kind of Banksy stunt.
But Banksy expert Professor Paul Gough, director and vice-chancellor of Bournemouth University of the Arts, says the timing, art style and setting don’t add up.
“I don’t see it as a Banksy joke. The timing doesn’t work for me, the context doesn’t feel right. He just did his ‘Spraycation’ stunt where he bombed 10 sites in East Anglia and blacked out a video on social media by regard.
“That’s a pretty big trick and it requires a lot of organization by a very professional team, so I don’t think the times here will be as soon after that.”
Professor Gough also says that the style of the artwork itself would be a major departure from Banksy’s iconic spray paint stencil style.
Some have compared the incident to the infamous stunt in which Banksy vandalized a piece of art at a live auction.
Professor Gough says selling NFTs is very different.
“There is an element of theatrics to the auction house. It was a spectacular prank performed in front of thousands of people, millions of people eventually, but I don’t see it the same way.”
Banksy collector John Brandler agrees, but for a different reason: “Banksy’s stunts aren’t malicious and they don’t hurt people,” he said.