Artist Banksy’s team was warned his website had a security weakness seven days before a hacker scammed a fan out of $336,000 (£242,000).
On Tuesday a piece of art was advertised on Banksy’s official website as the world-renowned graffiti artist’s first NFT (non-fungible token).
A British collector won the auction to buy it, before realising it was a fake.
A cyber-security expert warned Banksy that the website could be hacked, but was ignored.
With NFTs, artwork can be “tokenised” to create a digital certificate of ownership that can be bought and sold.
They do not generally give the buyer the actual artwork or its copyright.
Sam Curry, a professional ethical hacker from the US and founder of security consultancy Palisade, said he first heard that the site could have a weakness on the social network Discord, last month.
“I was in a security forum and multiple people were posting links to the site. I’d clicked one and immediately saw it was vulnerable, so I reached out to Banksy’s team via email as I wasn’t sure if anyone else had.
“They didn’t respond over email, so I tried a few other ways to contact them including their Instagram, but never received a response.”
Mr Curry’s disclosure, first reported by rekt.news, was made initially by email on 25 August.
The BBC was shown the email thread and has tried to contact Banksy’s team several times, with no response.
Mr Curry says the website flaw – which has now been fixed – “allowed you to create arbitrary files on the website” and post your own pages and content.
The new page, called ‘Banksy.co.uk/NFT’, was deleted shortly after the auction, with Banksy’s team saying: “Any Banksy NFT auctions are not affiliated with the artist in any shape or form”.
I felt burned
The British man who won the auction is a prominent NFT collector and Banksy fan known on Twitter as Pranksy.
He said he felt “burned” when he was scammed out of nearly $340,000 in cryptocurrency coins, but was relieved when the hacker inexplicably returned most of the money to him by the end of the day.
He said earlier this week: “I think the press coverage of the hack and me potentially discovering the hackers’ ID pushed him into a refund.”
He says he has ended up around $5,000 out of pocket, as the transaction fee was not refunded.
The bizarre story has led some to speculate that the incident may have been some sort of Banksy stunt.
But Banksy expert Prof Paul Gough, principal and vice-chancellor of Arts University Bournemouth, says the timing, art style and set-up don’t add up.
“I don’t see it as a Banksy prank. The timing for me doesn’t work right, the context doesn’t feel appropriate. He’s just done his ‘Spraycation’ stunt where he bombed 10 sites in East Anglia, and put out a video on social media about it.
“That is a pretty major stunt and takes a lot of organising by a very professional crew, so I just don’t think the timing’s right here so soon after that.”
Prof Gough also says the artwork style itself would be a major departure from Banksy’s iconic spray-paint stencil style.
Some have compared the hack to the infamous stunt where Banksy shredded a piece of art in a live auction.
Prof Gough says the NFT sale is very different.
“There’s an element of theatre in the auction house. It was a spectacular prank carried out in front of thousands of people, millions of people eventually, but I don’t see this in the same way.”
Banksy collector John Brandler agrees, but for a different reason: “Banksy’s stunts are not malicious and they don’t hurt people,” he said.