Banksy warned about website vulnerability before US$336,000 NFT scam

The issue with the website was discussed in an online security forum last month.

Street artist Banksy was warned his website had a security weakness just days before a non-fungible token (NFT) collector was conned into buying a US$336,000 digital artwork through it.

Last week Pranksy, an anonymous investor, won the auction for an image of a pixelated smoking man, thinking it was the first-ever NFT from the street artist, famous for their social issue artworks.

But the page linking to the auction on Banksy's website was later deleted with the artist's team telling the BBC that "any Banksy NFT auctions are not affiliated with the artist in any shape or form".

Pranksy was refunded the amount he paid for the NFT, entitled Great Redistribution of the Climate Change Disaster, but was left around US$7000 out of pocket because of transaction fees.

US-based 'ethical hacker' Sam Curry says he heard in August about the website's weakness, which allowed anyone to create pages and content on the website.

"I was in a security forum and multiple people were posting links to the site," he told the BBC.

"I'd clicked one and immediately saw it was vulnerable, so I reached out to Banksy's team via email as I wasn't sure if anyone else had.

"They didn't respond over email, so I tried a few other ways to contact them including their Instagram, but never received a response."

Pranksy later took to Twitter to deny they had orchestrated a stunt, as some seemed to believe.

"I would never risk a future relationship with Banksy or any fine artist by hiring someone to hack their website and then buying an #NFT from myself, what an unusual day," they wrote.

And if it was a stunt then it wasn't organised by Banksy either, according to expert Professor Paul Gough.

The principal and vice-chancellor of Arts University Bournemouth in the UK told the BBC he just doesn't see it as a Banksy prank.

"The timing for me doesn't work right, the context doesn't feel appropriate. He's just done his 'Spraycation' stunt where he bombed 10 sites in East Anglia, and put out a video on social media about it," Prof Gough said.

"That is a pretty major stunt and takes a lot of organising by a very professional crew, so I just don't think the timing's right here so soon after that."