The Art of the Prank: How a Hacker Tried to Fake the World's Most Expensive NFT
Someone is trying to prove that despite all the media frenzy about NFTs, they’re not as unique or secure as people think.
A pseudonymous hacker by the name of “Monsieur Personne” is making fake copies of the most expensive non-fungible token (NFT) in the world.
The intent, according to a blog post the hacker wrote on April 4, is to “show you just how ludicrous the situation with the NFT hype is.”
The pseudonymous individual has created a counterfeit NFT of Beeple’s “Everydays: The First 5000 Days,” which famously sold in a Christie’s auction for $69 million on March 11.
Personne is trying to prove that despite all the media frenzy about NFTs, they’re not as unique or secure as people think.
After attempting to contact those with a large reach, such as media companies or security firms, to tell anyone who would listen, the hacker decided to take matters into his own hands.
"I started this whole project by sharing the details in closed circles. I was met with disbelief, criticism and ridicule," Personne told CoinDesk via Twitter DM. "Way too much gatekeeping in the crypto sphere. That’s when I realized that I need to prove the concept in order to be taken seriously."
To be clear, this isn’t a matter of the content of an NFT being duplicated. Anyone can download an exact replica image of Beeple’s artwork by googling the title of the piece, much like anyone can photocopy a poster. It’s not difficult to see or own a copy of a digital image, especially one that has already been shared widely on the internet.
What is comparatively more difficult to do is fool people into thinking you own the original art creation and provide cryptographic proof – namely, in the form of an NFT, first minted by the artist. This is because an NFT is supposed to be unique. By nature of it being stored on a blockchain, its entire transaction history is also supposed to be permanently preserved.
"The blockchain is my public ledger/proof, and my website is the record of the facts. I honestly love the concept of NFTs and seriously believe that they are the future of assets, just like crypto is the future of finance," said Personne.
What Personne has done is create his own unique NFT on the Ethereum blockchain, the same public ledger on which the original Beeple NFT is stored. He engineered components of his NFT creation such as its token ID and transaction history to resemble components of the original one minted by Beeple. To be clear, Personne does not own the original NFT, but to the casual observer it might appear that he does.
Also, importantly, the duplicate NFTs created by Personne do not put the authenticity of the original masterpiece at risk.
The challenge to users is to try to tell which is an authentic Beeple art piece and which isn’t. Here’s how we deduced the difference.
What makes an NFT unique
First, we tracked down all the identifiers that make the Beeple NFT unique.
Beeple’s artwork has a token ID that no one person can replicate from the same smart contract. Here is the verified smart contract address that Beeple used to create his “Everydays: The First 5000 Days” NFT:
When Beeple minted the infamous NFT, it was given token ID #40913. Following the movement of this token is a matter of following this identifier from account to account on the Ethereum blockchain.
First you can see it minted into the verified account of Beeple himself. Then it is transferred to an unidentified account, shortly before settling into the account of MetaKovan, the known buyer of Beeple’s $69 million artwork.
Trick #1: Create an unverified smart contract
In his attempts to fool users, Personne has issued his own Beeple NFT with the exact same token ID: #40913. How is this possible? The key here is that Personne’s NFT was minted by a different smart contract.
"I wrote my own smart contract that follows the ERC-721 specification," said Personne. "What I did is add a bit of additional logic into the contract. This allowed me to create my own functions and steps that are not interfering with the standard but provide me with the abilities to execute actions in a way that I want them to."
In other words, it was minted by a different Ethereum-based application that Personne created and coded. This means he has complete control over the token IDs this application spews out and the kind of NFTs it mints.
Users can check and review the smart contract issuing an NFT on any public Ethereum blockchain explorer. Even though an NFT might boast the same token ID as another, this doesn’t mean it's the same asset. It’s important to make sure the same smart contract used to mint a particular collectible token is also the same contract being called upon to trade the token.
Most reliable contracts will be labeled as open-source, verified code on block explorers. Others, like the one Personne has created, will be illegible without a manual translation of their code.
All of this work to double-check the authenticity of an NFT does require knowledge of how to use a tool such as Etherscan as well as a basic ability to navigate through these sites. Luckily, there are helpful online guides for first-time users, but the lesson for potential buyers should be to verify what they are looking at prior to making a purchase.
Trick #2: Use a verified artist’s account to sell your NFT
Personne did go one step further in trying to obfuscate the inauthenticity of his NFT creations. He made it appear on public blockchain explorers such as Etherscan and third-party websites such as Rarible that the NFTs he had minted were created by Beeple himself.
Nifty News reported on April 19 that Personne was able to do this by building his smart contract with a “seizure” feature. The feature automatically drops the fake NFT into the verified account of Beeple and immediately transfers it back out again. In other words, it makes it appear that for a brief moment the NFT was held by Beeple and sold by Beeple.
According to Fabiano Soriani, the former lead blockchain engineer for Dapper Labs who also helped create the ERC-721 standard for NFTs on Ethereum, this is not a new functionality but a known smart-contract exploit that other hackers have used in the past.
“On Ethereum, any contract can emit any event, so a contract may claim to be an ERC-721 and emit events that can express essentially anything,” said Soriani in an email. “Just the same way anyone could write a tweet online, or post in a message board stating incorrect information.”
Rarible did not respond to multiple requests for comment, but blocked access to the duplicate NFT on Tuesday. Beeple did not return a request for comment.
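The two checks described under Trick #1 and Trick #2, as an added Python example that is not from the original article or from any marketplace's code: it identifies a token by its (contract, token ID) pair and flags Transfer events that name a verified account as sender when that account never signed a transaction on the contract. The addresses are placeholders, the logs are constructed, the `tx_sender` field name is an assumption, and the second check is a heuristic that assumes the logs cover every transaction touching the contract.

```python
# Added example. Addresses are placeholders and the logs are constructed.
ZERO = "0x0000000000000000000000000000000000000000"
ARTIST = "0xplaceholder_verified_artist"
TRUSTED = {("0xplaceholder_authentic_contract", 40913)}  # (contract, tokenId)
VERIFIED = {ARTIST}  # accounts a marketplace shows as verified

# Decoded ERC-721 Transfer logs, each with the account that signed the tx.
LOGS = [
    {"contract": "0xplaceholder_authentic_contract", "token_id": 40913,
     "from": ZERO, "to": ARTIST, "tx_sender": ARTIST},
    {"contract": "0xplaceholder_authentic_contract", "token_id": 40913,
     "from": ARTIST, "to": "0xplaceholder_buyer", "tx_sender": ARTIST},
    {"contract": "0xplaceholder_lookalike_contract", "token_id": 40913,
     "from": ZERO, "to": ARTIST, "tx_sender": "0xplaceholder_deployer"},
    {"contract": "0xplaceholder_lookalike_contract", "token_id": 40913,
     "from": ARTIST, "to": "0xplaceholder_deployer",
     "tx_sender": "0xplaceholder_deployer"},
]


def token_key(contract, token_id):
    """An NFT is identified by (contract address, token ID), never the ID alone."""
    return (contract.lower(), int(token_id))


def provenance_findings(contract, token_id, logs=LOGS):
    key = token_key(contract, token_id)
    findings = []
    if key not in TRUSTED:
        # Same ID under another contract is a look-alike, not the same asset.
        collides = any(tid == key[1] for _, tid in TRUSTED)
        findings.append("token_id_collision" if collides else "unknown_contract")
    on_contract = [l for l in logs if l["contract"].lower() == key[0]]
    # Accounts that actually signed a transaction touching this contract.
    signers = {l["tx_sender"].lower() for l in on_contract}
    for l in on_contract:
        src = l["from"].lower()
        # Heuristic: an event says a verified account sent the token, yet that
        # account never signed anything on this contract.
        if token_key(l["contract"], l["token_id"]) == key and src in VERIFIED \
                and src not in signers:
            findings.append("unsigned_transfer_from:" + src)
    return findings
```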
Action is required
There are hints, however, to suggest that even when an NFT appears to have been created by a famous artist, it’s actually a fake. The most telling one is the information around the asset for sale.
On NFT marketplace Rarible, the verified account of Beeple appears to have made a second copy of his original “Everydays: The First 5000 Days” piece as part of the “NFTheft” collection. This is, of course, false. Monsieur Personne is the one who generated this copy, not Beeple, for the sake of sending the message that users shouldn’t trust everything they read on the internet.
Clicking on the name of the collection, Rarible redirects users to a page with a single smart-contract address, which belongs to Personne’s own unverified NFT application.
While Personne’s trickery doesn’t appear to have spread far – the highest bid for his fake Beeple NFT on Rarible was $232.54 – his actions highlight important characteristics about how NFTs work and from where their authenticity comes.
“Bad [smart] contracts emitting incorrect events is only one more characteristic of the blockchain that has to be known,” Soriani said.
Speaking to the need for better infrastructure in NFT marketplaces to identify these behaviors and weed out illegitimate assets from their platform, he added:
“I do expect marketplaces to quickly wise up to the fact that this kind of activity can happen and be more careful to only legitimize authentic sources.”
Personne agrees: "The ironic thing is that this would never be possible if strict regulations and policies were enforced and practiced by all the corporations minting NFTs these days."
The mischievous culprit points to corporate greed as being the primary reason causing a decline in both the security and value of NFTs, as companies put commissions and brand reputation ahead of all else.
"We have stopped innovating and improving one of the greatest technologies of this century. All in the name of corporate greed," said Personne.