Nifty Gateway — an NFT marketplace that was bought out by the Winklevoss twins back in 2019 — announced on Monday morning some of its users were swept up in a small-scale hack that saw their accounts and credit cards compromised.
“Our analysis is ongoing, but our initial assessment indicates that the impact was limited,” the company tweeted Monday morning. “None of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials.” Aside from mentioning that some NFT’s “involved in these account takeovers” were sold over Discord or Twitter, Nifty’s thread is pretty light on the details.
That disclosure is likely a response to some of the anecdotal accounts coming from Nifty users reporting thousands of dollars worth of artwork being bought under their Nifty accounts. “Someone stole my NFTs today on @niftygateway and purchased $US10K++ worth of today’s drop without my knowledge,” tweeted Michael Miraflor, an ad consultant based out of Los Angeles. Another collector tweeted on Monday morning claiming that his account was robbed of about $US150,000 ($194,085) worth of artwork.
In both cases, the alleged MO seemed to be the same:
- A person’s account gets hacked.
- The hacker transfers the victim’s personal collection of NFT art into an account that’s owned by the hacker.
- That hacker also uses the victim’s credit card to buy items that are up for auction and then transfers those purchased items into another account owned by the hacker.
- Hacker then sells their ill-gotten gains on a third-party platform for profit.
Miraflor, for his part, alleges that four separate “drops” (the moniker for original art pieces that were up for auction that day) were bought with that $US10 ($13),000 sum before being popped onto Nifty’s onsite marketplace to be auctioned off to other collectors. When a sale goes through these second-hand auctions, the seller — Miraflor in this case — gets notified that their transaction went through. When he went to investigate these alerts, he says that he not only found his card being charged for thousands of dollars worth of NFTs but that his entire art collection on the site had been swiped, too. Because NFTs are by definition digital tokens stored on a given blockchain, the thief left behind a digital ledger that Miraflor says he followed to find the attacker in question.
Per Miraflor, Nifty promised him that it would reverse the ten grand spending spree that was charged to the card that it had on file for him. As for the artwork that was allegedly stolen from his collection and sold through these third parties, Miraflor said on Twitter that the company told him it would be unfair to take the pieces back from their new owners.
Update: looks like I can’t get my NFTs back. Even though fraud has been confirmed and I know exactly where my NFTs are sitting at this very moment.
Hacker wins. Secondary market purchaser wins. I lose.
Going to explore other options if I can. Doesn’t sit right with me.
— Michael J. Miraflor (@michaelmiraflor) March 14, 2021
And the fact is, Nifty’s ToS leaves users with little to argue about. If you scroll down towards the lower half of Nifty’s ToS, it reads (emphasis ours):
TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT WILL NIFTY GATEWAY BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOST PROFIT OR ANY INDIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, SPECIAL OR PUNITIVE DAMAGES ARISING FROM THIS AGREEMENT, THE SITE, PRODUCTS OR THIRD PARTY SITES AND PRODUCTS, OR FOR ANY DAMAGES RELATED TO LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, OR LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT, OR OTHERWISE, EVEN IF FORESEEABLE AND EVEN IF NIFTY GATEWAY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
In other words: it’s not their problem.
Gizmodo reached out to Nifty Gateway for additional comment and will update this post if we hear back.