Over the weekend, some users of NFT marketplace Nifty Gateway said hackers stole digital artwork worth thousands of dollars from their accounts. Some people who were hacked also said their credit cards on file were used to purchase additional NFTs, also costing thousands of dollars, which were then transferred away to a hacker’s account.
Nifty Gateway confirmed in a statement to The Verge that some accounts without two-factor authentication had been hacked and that it has been in touch with those affected, but it said it has not seen evidence that its platform was breached. Nifty Giveaway suggests the hackers may have successfully reused login credentials that leaked from other services.
“We have seen no indication of compromise of the Nifty Gateway platform,” the statement reads. “The Nifty Gateway team is communicating with a small number of users who appear to have been impacted by an account takeover. Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials.”
Over the past few weeks, many NFTs have suddenly become high-value assets; Grimes sold a series of 10 digital artworks for around $6 million, for example, and digital artist Beeple sold an NFT for $69 million at Christie’s. So it’s unfortunately not altogether surprising that NFT platforms have become targets for hackers looking to steal the digital artworks or take credit card information to buy more.
To help prevent future hacks, Nifty Gateway recommends enabling two-factor authentication. “We encourage our users to enable 2FA that we provide on the platform and never reuse passwords,” the statement continued. “We have seen some reports that NFTs involved in these account takeovers were sold in transactions negotiated over Discord or Twitter. We strongly encourage all Nifty Gateway customers to purchase their NFTs on the official Nifty Gateway marketplace.”
Given the blockchain-based nature of NFTs, Nifty Giveaway doesn’t have control of an NFT once it is stolen, so it seems unlikely that the affected users will be able to recover their lost collections.