Cyber criminals are stealing millions in cryptocurrency during ICOs

ICOs (Initial Coin Offerings) have become one of the most popular ways to get funding for projects, generally those working with blockchain. It is a type of crowdfunding using cryptocurrency. An ICO itself is frowned upon by many, but for start-ups that need the initial capital, it is particularly important. This is why so many start-ups have chosen to host an ICO event in hopes that they will raise enough money to develop their product. However, lack of proper regulations and lax security make them highly susceptible to hacking.

Nowadays, you can find hundreds of active ICOs, which is why it is not a surprise that hackers are targeting them. Not when there are millions of dollars involved. This has led to many disastrous hacks that resulted in stolen millions. Unfortunately, this tendency is not going to stop, not with the amount of money going into the initial coin offerings.

In this article, you will find the most notable cases of a hacker/hackers taking off with cryptocurrency from an ICO event, ranging from $150,000 worth of cryptocurrency to $7.4 million.

2017 saw an estimated $370 million stolen from ICOs

Accounting firm Ernst & Young (EY) estimate that in 2017, ICOs have raised over $3.7 billion in funds, which is not a surprising amount seeing as how popular ICOs have become. However, what is shocking is that 10% of those proceeds have been stolen by hackers. These worrying numbers are based on the data collected about 372 ICOs that took place between 2015 and 2017. In addition, not only do hackers steal money, they also gain access to investors’ personal information, including addresses, phone numbers and even bank details.

The ever increasing popularity of ICOs attracts many investors, some of which could be relatively new to the world of crypto and are yet to understand how easy it is to get scammed. ICOs are also not regulated and lack proper security measures, which allows hackers to steal their funds much more easily. With so many ICOs going around, being noticed can be a challenge, thus a lot of money goes into promotion. As a result, security takes a backseat. Until that changes, ICOs will continue to suffer from hacks and get their funds stolen.

And here are a few notable cases when hackers were able to steal from ICOs.

EOS ICO investors lose millions of dollars worth of tokens

EOS token sale started in June 2017, and over the span of a year, it raised an astounding amount of $4 billion. Block.one are the ones behind the EOS ICO, and they aim to create a decentralized blockchain-based operating system that would enable vertical and horizontal scaling of decentralized applications. While the ICO did break a record and raised $4 billion, it did not go as smoothly as one would hope. It was revealed that a significant amount of EOS coins have ended up in the hands of hackers.

The scam is quite elaborate, and it managed to scam investors out of tokens worth millions. First, the hackers breached the Block.one system and then sent EOS investors messages, pretending to provide free tokens as part of a giveaway. The message received by investors looked legitimate, containing the logo and EOS-related information. Investors were invited to claim the unsold tokens by pressing a button in the email. Those who did press the button ended up on a website that looks identical to the actual EOS website. The only thing different was the URL. The real website of the project is eos.io, while the fake one was eȯs.com. Seeing as the addresses may look identical at first glance, it’s not surprising that investors did not necessarily notice. While interacting with the website, visitors were asked to put in their private keys, which is essentially the password for a digital cryptocurrency wallet, in order to receive the EOS airdrop. Experienced crypto investors should have immediately realized the scam, as such a request would never come from an ICO. Those new to the cryptoworld, however, may think of the request as suspicious but the promise of free tokens would be too appealing to miss out on. This resulted in millions worth of tokens being stolen from investors’ accounts.

In addition to this, Block.one themselves admitted that a hacker had breached its email support system, sent emails and even responded to previous messages using Block.one’s email domain. Potential victims were lured into a malicious website that could capture the private key, resulting in emptied wallets.

Hackers steal $500 000 from possible Enigma ICO investors

While Enigma’s ICO had not actually started when they got kind of hacked, criminals still managed to get half a million dollars from potential investors. Enigma is a decentralized investment platform, and their ICO was only weeks away, when a hacker compromised the company’s slack, took over their website and Google account, and sent out emails to people, tricking them into sending out cryptocurrency to hacker’s personal accounts.

The whole incident is the result of a surprising lack of security and could have been easily preventable. What happened was the founder’s email and password were exposed in a breach some time ago, and he did not change his password nor enable two-factor authentication. This allowed hackers to gain access to the email account, which resulted in them taking over the company’s slack, website and the Google account. Once they had access, they sent out messages to over 9000 people who had subscribed to receive news on the company’s ICO. They then changed the BTC and ETH wallet addresses on the official website to their own, and the whole thing ended in criminals taking off with 1,492 Ether coins, which were worth around $500 000 at that time.

The ploy was noticed soon after but investors still lost half a million dollars. The company has since implemented the much needed security measures, including stronger passwords and two-factor authentication for all employee email accounts.

$7.4 million worth of Ethereum stolen during CoinDash ICO hack

This incident just goes to show how much a couple of minutes could be worth for an ICO, as hackers were able to take off with as much as $7.4 million worth of coins in a matter of minutes. Cryptocurrency trading platform CoinDash had started their ICO when a hacker interrupted the event, and using a simple technique, tricked investors into sending him/her ether.

When the ICO started, CoinDash posted their wallet address on the website so that investors could send funds to them but the unnamed hacker compromised the website and changed the wallet address to one under his/her control. CoinDash was quick to realize what had happened and shut the token sale down. They informed investors that the website has been hacked and that they should not send ether to any address. However, by then, the damage had been done. But CoinDash did promise that investors who sent their ether before the website was shut down will be given tokens.

Interestingly enough, the tokens stolen during the ICO are just sitting in a wallet and cannot be used. Though it has been noticed that the hacker returned 30,000 ether to CoinDash, which is worth more than $18 million at this time, more than double the amount stolen during the hack.

This incident led many people to question how such a hack could occur in the first place, and whether it could have been easily prevented.

Experty ICO phished, with $150 000 worth of ether stolen

Experty offers a voice and video telecommunications application that also allows secure payments via the blockchain. The company were readying to launch their ICO when hackers sent out scam pre-ICO messages to people who had signed up for Experty announcements. The list of people who signed up is supposed to be kept private, but it appears that one of the company’s reviewers was compromised, and hackers were able to get access to the information.

The emails that were sent to people invited them to invest within 12 hours in order to receive bonus Experty tokens (EXY). The email also contained a wallet address that investors were supposed to send their Ether to. Unfortunately, investors did fall for it, and crooks managed to get away with $150 000 before they were warned about the scam.

Experty have acknowledged their part in this scam, and promised to gift 100 EXY tokens to all affected.

The reality is, most if not all of these ICO hacks could have been prevented had proper security measures been implemented. However, due to the high marketing costs, security often takes second place. This, however, will have to change because there is a lot of money floating into ICOs and that attracts hackers, who will definitely use the security holes to get the money. And we’re not talking about a couple of thousand dollars, hackers get away with tens of millions. As mentioned, in 2017 hackers took off with $370 million. We may see even higher numbers in 2018, as ICOs become more and more popular.

Catching the people responsible for the hacks is really difficult and often, investigations go nowhere. Funds are also generally not recovered, and may just sit in a wallet unused as is the case with the CoinDash hack. Such hacks are not only a loss for ICOs but for investors as well, as they often get scammed. Not to mention the loss of reputation ICO hosting start-ups suffer due to hacks.

If there are two thing that are clear, it is that ICOs need to have much better security, while investors need to be more careful and pay more attention to what they invest in.