- Several Nifty Gateway users reported today that their accounts have been taken over and whole NFT collections stolen.
- According to the NFT marketplace, its platform was not compromised, and the attackers accessed the accounts using valid credentials.
Several Twitter users reported today that their accounts on marketplace Nifty Gateway have been taken over by hackers, with the attackers cleaning up whole non-fungible token (NFT) collections and even using their registered credit cards for new purchases.
“Someone stole my NFTs today on Nifty Gateway and purchased $10K++ worth of today's drop without my knowledge. NFTs were then transferred to another account,” wrote Michael J. Miraflor in a Twitter thread.
Speaking to Decrypt, a spokesperson for Nifty Gateway stated that there had been "no indication of compromise of the Nifty Gateway platform." The NFT marketplace reported that it is communicating with a small number of users who appear to have been impacted by an account takeover.
In other words, the users may have been directly targeted via their phones, rather than the Nifty Gateway platform itself coming under attack.
Where were the NFTs sent?
According to Miraflor, he received an alert about selling something on Nifty Gateway. However, by that point his entire collection had, he claims, already been emptied.
Miraflor also explained that he'd also received multiple fraud alerts from his credit card provider. “Since all transactions including Transfers are recorded, I know the exact 2 accounts my stolen NFTs were sent to, as well as who fraudulently purchased from today's drop,” the user added.
One of those accounts reportedly held hundreds of NFTs while the other one was stealing and immediately selling them on secondary markets.
Additionally, Miraflor claimed that Nifty Gateway not only confirmed the theft but even knew how the NFTs have been sold—the hackers ostensibly searched for buyers on Discord channels.
In the Twitter thread, other users also reported that their account had been emptied over the weekend by attackers using the same MO.
“Someone hacked my Nifty Gateway account tonight and used my credit card attached to the account to buy like $20k worth of art... cool,” wrote keyboard Monkey.
In an email to Decrypt, Nifty Gateway stated that its analysis of the event is ongoing. "Our initial assessment indicates that the impact was limited, none of the impacted accounts had 2FA enabled, and access was obtained via valid account credentials," a spokesperson for Nifty Gateway said. "We have seen some reports that NFTs involved in these account takeovers were sold in transactions negotiated over Discord or Twitter. We strongly encourage all Nifty Gateway customers to purchase their NFTs on the official Nifty Gateway marketplace."
Nifty Gateway added that users should follow security precautions including enabling 2FA and never reusing passwords.
As Decrypt reported, hackers stole $3.8 billion worth of cryptocurrency in 2020.
It's perhaps unsurprising that cybercriminals are now turning their attention to the NFT space. The market for non-fungible tokens—unique and non-interchangeable tokens that can be embedded with digital artwork and music—has boomed in recent months.