Nifty Gateway, the popular non-fungible token marketplace, issued a statement Monday that a small group of its users experienced “account takeovers.” Victims claimed they either had their NFT art stolen or NFTs purchased and then stolen, using their credit card information. The NFTs were then sold again.
Today, however, a victim was tweeting that Nifty was able to return the stolen NFTs.
Nifty Gateway has not responded to a request for comment on how it was able to return the NFTs, but it appears the thief did not move them from the centralized marketplace.
The news of the NFT art heist marked what appears to have been the first digital NFT theft of this new era for art. But with the artist Beeple selling an NFT for a cool $69.3 million on Friday, perhaps it shouldn’t be surprising. The art heist highlights not just the security steps and understanding of decentralization that users new to the scene might be lacking. It also raises interesting questions about the realities and future of NFT custody as the market continues to grow.
In the case of the Nifty theft, the perpetrator, it seems, also lacked an understanding of decentralization vs. centralization.
The Nifty Gateway hack
Over the weekend, a number of Twitter accounts started tweeting about the loss of NFTs in their Nifty Gateway accounts. One Twitter user claimed to have lost more than $150,000 worth of the collectible tokens. Another claimed his credit card on file with Nifty was used to purchase more than $10,000 in NFTs, which were, in turn, allegedly stolen along with the rest of the collection.
In a statement posted to Twitter, Nifty said, “Our analysis is ongoing, but our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials.”
Two-factor authentication (2FA) is not currently mandatory on Nifty Gateway, but that may be changing as a result of this compromise. 2FA is an extra layer of security that forces someone to provide two pieces of evidence proving his or her identity when trying to access an online account. Usually it comes in the form of a password and a unique code for one-time use.
“A few users were targeted and got their passwords compromised,” said Nifty Gateway co-founder Griffin Cock Foster on Twitter. “In the meantime, make sure you have Authy 2fa turned on, it would have prevented this!! We are strongly exploring making Authy 2fa mandatory for anyone who has made a purchase, but no commitments there yet.”
Originally, at least one victim planned to file a police report and contact his or her insurance company, but “there's nothing I can do per the Nifty [terms of service].”
Security in crypto
The NFT art heist draws clear lines around some of the risks of the NFT boom for users who may not be as familiar with the wider world of cryptocurrency, decentralization, and the inherent risks in such models.
“From what we know so far, fraudsters hacked into the Nifty Gateway user accounts (held in Nifty Gateway servers) by mostly stealing users passwords,” said Chakradhar Kommera (KC), chief technology officer at RubiX, a Blockchain-as-a-Service (BaaS) and crypto security solutions company. Because "all keys to the NFT ownership are stored in a centralized repository, identity compromise will result in loss of keys and the digital assets tied to them.”
2FA is common on exchanges and was present on Nifty Gateway but, per Nifty’s statement, the victims did not have it turned on.
Cryptocurrency and the areas adjacent to it have long been the subject of hacks, scams and thefts due to the pseudonymous nature of crypto and the decentralized models that lack a central body to, say, reverse a fraudulent transaction or return stolen NFTs.
Still, 2FA doesn’t solve everything. If something is online, it’s likely vulnerable in some way.
“Nifty Gateway is talking of implementing 2FA as a solution,” said KC. “We observed, though, given our years of cybersecurity experience, regular password-based 2FA/MFA is, itself, vulnerable, as seen in the recent SolarWinds and other mega cyber breaches. Centralized market places need to adopt passwordless multi-factor authentication or decentralized ID to better protect users.”
The security issue in crypto has led to extreme measures of security such as hardware wallets, multiple layers of authentication and the establishment of numerous blockchain analytics firms to track stolen funds. These firms have since developed into an industry of their own, with extensive government and industry contracts.
The risks of decentralization
These measures are all put in place, and various people use them, because once coins (or NFTs) are stolen and moved off centralized platforms, it's incredibly challenging to get them back. Even if law enforcement in the hacker’s jurisdiction gets involved, there’s no guarantee the issue will be resolved.
When Mt. Gox was hacked in 2014, it was the largest cryptocurrency exchange at the time. Years later, its trustees are still working through a legal settlement to at least partially compensate victims after hackers made off with millions of dollars in cryptocurrency.
Like any other cryptographic coin or token, an NFT is controlled by a private key. This private key is quite literally a key to the assets in a specific wallet. Whoever holds the private key (which is a long string of alphanumerics, sometimes represented as a 12- or 24-word phrase) can access and move the tokens or NFTs in the associated wallet.
Unlike a centralized service like PayPal or a bank-to-bank transfer, there is no Ethereum help desk you can consult to reverse an aberrant or otherwise unapproved transaction.
When you use a platform like Nifty Gateway, the platform holds your private keys for you. But in the event of a compromise, it does not have the ability to help you recover the stolen keys to your NFTs.
Once the transfer of an NFT, even a stolen NFT, is initiated by the holder or executed by a smart contract with a winning bid, it cannot be reversed by a third party or even by the sender. This immutability is an inherent part of the design of NFTs.
So once the hackers seized the accounts for some of the NFTs on Nifty Gateway, and had they moved them out of Nifty Gateway’s wallets and into wallets whose keys they controlled, those NFT keys would have been unretrievable.
It seems in this case, however, the hackers failed to do so; Nifty still held control over those keys.
Whoever holds the keys, owns the keys
For people (and let's be honest, that’s most of us) who are raised in a world of centralized bodies and authorities, it’s hard to envision a situation where someone can make off with your digital art from an online museum, and then display it or sell it as if they themselves legitimately own it.
In crypto, however, possession is 10/10ths of the law.
“There's not really a concept of a fenced article, a fenced item in our world, where you go to the police, and you say, ‘Here's my VIN number of my car, it was sold to this used car dealer who sold it to some other guy,’” said William Quigley, co-founder of WAX (Worldwide Asset Exchange). “That apparatus doesn't really exist, because we mostly are in this decentralized world where there aren't those coordination capabilities.”
Going back to the previous example, one victim of the Nifty NFT art heist was able to halt the attacker from using credit card details associated with the Nifty Gateway account to reverse more than $10,000 in purchases for new NFTs. The thing is, it seems that person was only able to do so through the credit card company – a centralized entity.
Part of Nifty Gateway’s appeal is that users can buy NFTs with their credit cards rather than crypto. But for those who might be less familiar with the downsides of actual decentralization, skipping the steps of learning about it and going straight to an NFT market with fiat may overshadow the very real risks of a security breach.
“Let us face it, given the spate of recent cyberattacks, mostly caused by identity compromise, the problem is not just limited to decentralized platforms,” said KC. “Nifty Gateway is a classic case of a centralized platform that did not secure access and keys well. Decentralization results in strong security, but blockchains like Ethereum force use of layer 2/central intermediaries, causing problems. Overall, users need to understand decentralization security better before jumping in.”
The ability to reverse or abort a smart contract transaction could, potentially, be introduced into NFT contacts. But that comes with a whole new set of questions and considerations.
“You could build this into the NFT contracts, such that when something is stolen you have the ability to put a ‘claim’ on the blockchain that can then encumber the token,” said CoinDesk podcast editor Adam Levine, who is a vetern of the cryptocurrency industry. “Then the question becomes ‘how do you verify the claim,’ which gets into another rabbit hole of third parties. But it is possible, whereas in traditional cryptocurrencies it is flatly not possible.”
That uniqueness means that marketplaces could potentially create a blacklist of NFTs that have been stolen and moved off them, thereby decreasing their value as well as the incentive for stealing them.
An NFT heist blacklist in a truly decentralized model
The creation of a blacklist, like an option to reverse a smart contract, introduces a host of other issues, according to the heads of other token marketplaces.
Marguerite deCourcelle, CEO of blockchain-based video game Neon District, said something similar already exists within another blockchain-based game, Axie Infinity.
Blacklists are being used but they're not being used around stolen property. Instead, they're being used around some NFTs that are created in games. Specifically, Axie Infinity has taken a strong stance against botting or gold farming, which essentially messes with the economy of AXIE tokens (NFTs) within the game.
“This is also very important because they have an ERC 20 token associated with their economy,” said deCourcelle. “So if you start to bot and abuse, maliciously, their game-to-game economy and game design, then they will flag the account that is doing that behavior. And the NFTs associated with that account are at risk to be blacklisted from further participating in their ecosystem and their marketplaces.”
Zooming back from a gaming economy to the larger market of NFTs raises more questions than it answers, however.
“I think that currently these centralized entities and marketplaces need some sort of registry around different assets – when they are created, who the original creator is and some sort of way to verify in a decentralized fashion that that's true,” said deCourcelle.
deCourcelle said there could be a function added like a kill switch that’s put into an NFT, but then you would need all the minting process done by these marketplaces to include that and incorporate it into the data itself. Whether they would do so is an open question, but it would require a lot of human work. Even if that work is done, though, it’s hard to imagine it being a fully decentralized environment.
“You could have something that triggers an effect when an NFT is no longer transferable and locked into an account, essentially,” said deCourcelle. “And I just don't see how that can become completely decentralized.”
In other words, someone still has to be calling the shots as to when the stolen NFT is no longer transferable, according to deCourcelle. Any registration is being managed by somebody.
Quigley points out that any method of NFT theft remediation quickly gets into a hard-to-ascertain area where a centralized platform (like Nifty) would have to make value judgments as to whether an account was actually hacked, whether someone may have just regretted a purchase and then what level of responsibility the person may have to take. Very quickly that moves from the ethos of decentralization to a centralized body playing judge and jury.
“I do think you open up a Pandora's box when you try to, as an NFT marketplace, figure out who actually had something happen,” said Quigley, “and whether it's real and who has just made it up. And that's why you just push all of the responsibility back down to the account owner.”