The Rising Popularity of NFTs and The Rising Security Threat
The art world is known for being ahead of the curve, adopting new and interesting technologies to push the boundaries of what we define art to be. Currently, the hottest pieces to land in the art scene are non-fungible tokens, otherwise known as NFTs, which have grown so much in popularity that people are willing to spend incredible amounts on these intangible assets.
However, given the world we live in, it was only a matter of time before malicious actors sought to capitalise on this newfound interest in NFTs. In this blog post we will dissect what NFTs are, the astonishing amounts they sell for, and the social engineering behind the successful theft of almost a quarter of a million pounds.
What is an NFT?
The best way to define an NFT would be to start with the NF (or non-fungible) part. To say something is non-fungible is to say that the asset cannot simply be replaced with something else of a similar value. For example, you cannot replace something non-fungible in the same way you can replace one £10 note with two £5 notes and still have the same value. Something non-fungible is not interchangeable. Put simply, the value of a non-fungible token is limited only by how much a buyer is willing to pay for it.
Similar to common assets, non-fungible assets can be tangible or intangible. For example, a tangible non-fungible asset would be a deed to a house or a piece of physical art, whereas an intangible non-fungible asset would be copyright or digital art. NFTs sit in the intangible category: each is a unique token recorded on a blockchain that serves as a verifiable record of who owns a piece of digital art. The token usually references the artwork rather than containing it, so what the chain proves is ownership of the token, not where the artwork came from.
How much do NFTs sell for?
The reason why NFTs have been making headlines is down to the sky-high prices some people have been willing to pay for an intangible piece of digital art. For example, on the 11th March 2021, popular artist Mike Winkelmann, who goes under the name of ‘Beeple,’ sold a piece of digital art for $69 million (approximately £50 million). Despite this astronomical price, the new owner does not get sole access to the piece of digital art. In fact, anyone can view the art online for free at any time. What the buyer does get is verification of ownership over the asset, which is essentially bragging rights.
There are many forums and marketplaces which allow you to purchase an NFT, like OpenSea. Or you can also check out traditional auction houses such as Christie’s and Sotheby’s, which have also jumped on the NFT bandwagon.
The rising cyber risk
Whilst the sale of something as intangible as an NFT may seem a little farfetched to your average Joe, the potential for exploitation has not gone unnoticed by opportunistic scammers. Just last month, a Banksy art collector known as Pranksy was scammed into buying a fake Banksy NFT that had been linked from the street artist's official website. The collector bid a whopping quarter of a million pounds in Ethereum on what they thought was Banksy's first-ever NFT piece.
How did the scammer get away with it? First, they created an NFT named Great Redistribution of the Climate Change Disaster and placed a link to it on Banksy's official website. A link on the artist's own site was a good enough social engineering lure to convince the buyer that the NFT was genuinely created by Banksy. However, shortly after the bid of almost a quarter of a million pounds was placed, accepted and transferred to the scammer's account, the link disappeared. The exact method has not been confirmed, but it is safe to assume that the attacker exploited a vulnerability in the official Banksy website to plant the link. Note what the link actually proved: only that someone had been able to edit that website, not who had minted the token.
In an unexpected turn of events, the funds were later transferred back to the victim collector, minus the $5,000 transfer fee. Whether the scammer was an ethical hacker attempting to point out vulnerabilities on Banksy’s official website, or they got spooked by the growing publicity remains to be seen, but what’s for certain is that the threat remains a problem.
How can you avoid falling victim?
Whilst this incident did result in the victim being refunded, it was a real display of malicious social engineering. The victim put hard-earned money at risk because of their passion for collecting. They got caught up in the moment and acted hastily instead of methodically, which is something that can happen to us all. We at CSA believe that these types of scamming attempts will only continue to grow as intangible digital assets become more valuable. Our recommendation is to take as much care as possible when it comes to purchasing NFTs: verify the seller's wallet and the token's minting history independently of any link you were sent, however official the page hosting it looks, and if it seems too good to be true, then it probably is.
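To make the "verify independently" advice concrete, the following is an added example (not code from the original post or from any marketplace) of what an on-chain provenance check looks like. It assumes the standard ERC-721 Transfer event, whose topic0 is keccak256 of its signature and whose mint is a transfer from the zero address; the contract and wallet addresses and the event logs are constructed for illustration and are not real. In practice the logs would come from an Ethereum node, but the decision logic is the point: accept a token only when it was minted, in the contract the artist is known to use, by a wallet you trust on grounds the attacker could not have edited.

```python
"""Provenance check for an ERC-721 token from its Transfer event logs.

Added example, not from the original post. Assumes the standard event
    Transfer(address indexed from, address indexed to, uint256 indexed tokenId)
A mint is a Transfer whose `from` is the zero address, so the `to` of that
event is the wallet that minted the token. All addresses and logs below are
constructed placeholders; real logs would come from eth_getLogs on the
collection's contract address.
"""

# keccak256("Transfer(address,address,uint256)"): the standard Transfer topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDRESS = "0x" + "0" * 40


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def topic_to_int(topic: str) -> int:
    return int(topic, 16)


def find_minter(logs, contract: str, token_id: int):
    """Return the wallet that minted `token_id` in `contract`, or None.

    Only logs emitted by the expected contract count: the same token id in a
    look-alike contract with the same name and image is a different token.
    """
    for log in logs:
        if log["address"].lower() != contract.lower():
            continue
        topics = log["topics"]
        if len(topics) != 4 or topics[0].lower() != TRANSFER_TOPIC:
            continue  # not an ERC-721 Transfer (ERC-20 Transfer has 3 topics)
        sender = topic_to_address(topics[1])
        if sender != ZERO_ADDRESS or topic_to_int(topics[3]) != token_id:
            continue  # a resale, or a different token
        return topic_to_address(topics[2])
    return None


def is_genuine(logs, contract: str, token_id: int, trusted_creators) -> bool:
    """Accept only if the mint came from a wallet trusted on independent grounds,
    never because a web page (which an attacker may have edited) linked to it."""
    minter = find_minter(logs, contract, token_id)
    return minter is not None and minter in {a.lower() for a in trusted_creators}


# --- constructed sample data (hypothetical addresses, not real ones) ---
ARTIST_CONTRACT = "0x" + "a1" * 20     # collection the artist is known to use
ARTIST_WALLET = "0x" + "b2" * 20       # wallet the artist is known to mint from
SCAMMER_WALLET = "0x" + "c3" * 20
LOOKALIKE_CONTRACT = "0x" + "d4" * 20  # copycat contract with the same art


def pad_address(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def pad_int(n: int) -> str:
    return "0x" + format(n, "064x")


def transfer_log(contract, sender, receiver, token_id):
    return {"address": contract,
            "topics": [TRANSFER_TOPIC, pad_address(sender),
                       pad_address(receiver), pad_int(token_id)]}


SAMPLE_LOGS = [
    # genuine mint of token 1 by the artist in their own contract
    transfer_log(ARTIST_CONTRACT, ZERO_ADDRESS, ARTIST_WALLET, 1),
    # later resale of token 1: not a mint, must not change the minter
    transfer_log(ARTIST_CONTRACT, ARTIST_WALLET, SCAMMER_WALLET, 1),
    # token 2 minted in the artist's contract by a stranger (open mint)
    transfer_log(ARTIST_CONTRACT, ZERO_ADDRESS, SCAMMER_WALLET, 2),
    # token 1 minted by the scammer in a look-alike contract
    transfer_log(LOOKALIKE_CONTRACT, ZERO_ADDRESS, SCAMMER_WALLET, 1),
]

if __name__ == "__main__":
    print(is_genuine(SAMPLE_LOGS, ARTIST_CONTRACT, 1, [ARTIST_WALLET]))     # True
    print(is_genuine(SAMPLE_LOGS, ARTIST_CONTRACT, 2, [ARTIST_WALLET]))     # False
    print(is_genuine(SAMPLE_LOGS, LOOKALIKE_CONTRACT, 1, [ARTIST_WALLET]))  # False
```

The important design choice is that the trusted creator list and the expected contract address are inputs the buyer obtains through a channel other than the listing itself; a link planted on a compromised website can point at any contract and any token, so the check must not take either from the page that advertised the sale.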
To find out more about our security solutions and E-learning courses to help you stay safe online, get in touch!