Over the weekend, some users on the NFT Nifty Gateway marketplace said hackers stole thousands of dollars worth of digital artwork from their accounts. Some people who were hacked also said that their credit cards on file were used to purchase additional NFTs, which also cost thousands of dollars, which were then transferred to a hacker’s account.
Nifty Gateway confirmed in a statement to The Verge that some accounts without two-factor authentication had been hacked and that it has been in contact with those affected, but said it has seen no evidence that its platform has been breached. Nifty Giveaway suggests that hackers may have successfully reused login credentials that were leaked from other services.
“We have seen no indication of compromise of the Nifty Gateway platform,” the statement read. “The Nifty Gateway team is reaching out to a small number of users who appear to have been affected by an account takeover. Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the affected accounts had 2FA enabled, and access was obtained through valid account credentials.”
In recent weeks, many NFTs have suddenly become high-value assets; Grimes sold a series of 10 digital artworks for around $6 million, for example, and digital artist Beeple sold an NFT for $69 million at Christie’s. Unfortunately, it’s not entirely surprising that NFT platforms have become targets for hackers looking to steal digital artwork or take credit card information to purchase more.
To help prevent future attacks, Nifty Gateway recommends enabling two-factor authentication. “We encourage our users to enable 2FA that we provide on the platform and never reuse passwords,” the statement continued. “We have seen some reports that the NFTs involved in these account takeovers were sold in transactions negotiated through Discord or Twitter. We strongly recommend all Nifty Gateway customers to purchase their NFTs on the official Nifty Gateway marketplace.”
Given the blockchain-based nature of NFTs, Nifty Giveaway has no control of an NFT once it is stolen, so it seems unlikely that affected users will be able to get their money back.