How Money Is Stolen During ICOs: Main Methods and Protection Tips

In 2017, cybercriminals managed to steal 10% of all funds invested in ICOs via Ethereum. The total losses reached nearly $225 million, with 30,000 investors losing an average of $7,500 each. Let’s break down exactly how money is stolen during ICOs. Hackers may use their full arsenal of tools, or sometimes just the simplest tricks.

“Even before our ICO started, we faced a dozen phishing sites, DDoS attacks, and threats—from ‘ISIS’ and the ‘Italian mafia’: ‘Send 10 bitcoins to this wallet or we’ll destroy you!’” recalls Ilya Remizov, CTO of Blackmoon, about their September ICO. Their team turned to Group-IB for protection, which took down the phishing sites and neutralized the extortionists.

In less than 20 hours, Blackmoon raised over $30 million. But not every ICO goes so smoothly. Cryptocurrencies have long attracted not only speculators and crypto enthusiasts, but also hackers who use their skills for theft and cyberattacks.

Since 2011, cryptocurrencies have been a target for cybercriminals: hackers began actively hacking online wallets, crypto exchanges, and exchangers, stealing private keys from individuals. Some banking trojans—TrickBot, Vawtrak, Qadars, Triba, Marcher—were repurposed to target crypto wallet users.

With the lure of big money, not only traditional cybercriminals but also state-sponsored hackers began attacking crypto exchanges. For example, North Korean group Lazarus is suspected in recent attacks on South Korean crypto services.

In the early days of Bitcoin, hackers needed solid preparation and a wide range of techniques. The rise of ICOs changed the game. Now, even attackers with little knowledge of blockchain or information security can score big.

The ICO Process: Where Hackers Strike

When a team decides to launch an ICO, the first step is to develop a White Paper (WP)—a document describing the project’s technology and business model. Based on the WP, a landing page is created, and organizers attract a community, keeping interest high with news and team interactions. At some point, the ICO date is announced, followed by a series of activities leading up to launch: ad campaigns, email newsletters, and more. At the scheduled time, the ICO opens, investors can buy tokens, and the project receives cryptocurrency in its wallets.

At which stage do hackers appear? At every stage! Hackers, like other investors, want to profit from ICOs. As soon as the first version of the White Paper is published, attackers have a starting point for their operations.

White Paper Theft

One feature of blockchain projects is their openness and transparency. Most developments and source code are published openly. Naturally, the team first publishes the WP.

Recently, there was a case where attackers profited by copying someone else’s project. The scheme is simple: take a legitimate, well-developed White Paper in Russian, fully translate it via Google Translate, create a landing page with a new (fake) team and brand. The project is promoted online: contextual ads, huge threads on Bitcointalk.org, and so on.

For example, Crypto Detectives found that the Wi-Fi Global project owners copied and translated the WP from worldwifi.io. Wi-Fi Global is just a slightly modified version of World Wi-Fi. Their Telegram community had over 2,000 members, and according to the team, they raised $500,000 in their pre-ICO.

Account Compromise

Project sites usually list detailed info about all team members, making reconnaissance easy for attackers. There are countless leaked password dumps online. If a compromised password is reused elsewhere, it can have dire consequences—not just for the account owner, but for the project and its investors.

This happened to the Enigma project. Hackers made half a million dollars before the ICO date was even announced. They compromised the Enigma website and several social media accounts.

The founders, from MIT, apparently didn’t use strong, unique passwords. Hackers accessed the CEO’s email (which lacked two-factor authentication), then easily got into other linked services and accounts. Other team members’ credentials were also compromised. Attackers gained access to enigma.co (the token sale site itself was not compromised) and the Slack messenger.

With access to enigma.co, hackers posted a token sale announcement, shared it in the Slack community chat, and sent emails to a stolen list—all to spread their own wallet address for token transfers. They collected 1,492 ETH—about $1.5 million.

Website Defacement

The worst often happens on ICO day: a flood of DDoS attacks, a surge of users, a barrage of messages in Telegram and Slack, and spam emails.

The most frustrating scenario is a website defacement during the ICO. The hackers’ goal is simple: put their own wallet on the official project site and collect funds.

This happened to CoinDash. During their ICO, the site was hacked and a fraudulent wallet was posted on the homepage. Investors sent funds to the hacker’s wallet instead of CoinDash’s. Over 2,000 investors lost a total of about 37,000 ETH. The CoinDash team later reimbursed the affected investors.

Phishing

Phishing is almost always present when a well-known project launches an ICO. Scam emails are usually accompanied by a strong DDoS attack on the project’s site. The idea is simple: hackers copy the site, register a similar domain, and put it online. For ICOs, there are two main phishing types: one aims to steal the user’s private key, the other simply asks to send cryptocurrency to a wallet or smart contract address.

How could someone enter their private key on a scam site? It may seem suspicious, but when greed is involved, people do strange things. According to Etherscan, some people even make repeat transfers and get nothing in return.

Chainalysis reports that about 56% of all funds stolen from ICOs were taken via phishing attacks, with estimated losses of $115 million. Group-IB says major phishing groups earn from $3,000 to $1 million per month. Phishing is now the most popular way to steal from investors. During the “crypto gold rush,” everyone rushes to buy tokens (often at a big discount) and ignores details like odd-looking domains.

A typical scheme: attackers buy contextual ads in search engines, flood messengers with messages, and drive traffic to phishing sites by any means. You could even measure a project’s investment appeal by counting the number of phishing sites made for it.

For example, a Google search for “ICO STORM Token” once showed the first three links as phishing sites via paid ads. Phishing MyEtherWallet sites are also common. Stay vigilant!

The project etherscamdb.info aggregates ICO phishing scams. Their database lists 2,533 entries—a lot for such a young industry. For MyEtherWallet alone, there are 2,206 phishing domains.
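As an added illustration (not code from the article or from any project it names), the following Python check flags lookalike domains of the kind described above against a watchlist of legitimate domains. myetherwallet.com comes from the article; the second watchlist entry and all sample hosts are constructed, and the look-alike folding rules are a deliberately small assumed set.

```python
# Added example, not from the article: flag lookalike domains of the kind
# the phishing section describes against a watchlist of legitimate domains.
import unicodedata
from typing import Optional

# myetherwallet.com is named in the article; example-ico.io is an assumed
# placeholder for a project's own domain.
WATCHLIST = ["myetherwallet.com", "example-ico.io"]

# Digits that read as letters in many fonts (small assumed set; extend as needed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Lowercase, strip accented/Unicode variants, fold common look-alikes."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit insert/delete/substitute costs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels; enough for .com/.io, no public-suffix-list handling."""
    return ".".join(host.split(".")[-2:])

def classify(host: str, max_distance: int = 2) -> Optional[str]:
    """Return the watchlist domain that `host` imitates, or None.
    The genuine domain and its subdomains return None; anything else is flagged
    if it embeds the brand (e.g. brand-as-subdomain, brand-with-suffix) or is
    within `max_distance` edits of it after look-alike folding. Short brand
    names need a lower distance to avoid false positives."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in WATCHLIST:
        return None
    reg_base = normalize(reg).rsplit(".", 1)[0]
    for legit in WATCHLIST:
        base = normalize(legit).rsplit(".", 1)[0]
        if base in normalize(host) or edit_distance(reg_base, base) <= max_distance:
            return legit
    return None
```

Feeding a list of observed domains (ad landing pages, links posted in Telegram or Slack) through classify gives a quick first pass for a community moderator; confirmed hits still need manual review before being reported.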

Losing Funds After the ICO

The worst-case scenario for any ICO team is losing funds after a successful raise. This happens due to careless handling of cryptocurrency, vulnerabilities in smart contracts, and zero-day bugs in popular wallets. Even if you avoid vulnerabilities in your own software, it’s hard to eliminate risks elsewhere.

For example, The DAO project lost at least $53 million to attackers. Another case: aeternity lost $30 million due to a zero-day vulnerability in the Parity wallet.

Smart contract vulnerabilities are actively studied by the community. For example, researchers at the University of Cagliari have described various exploitation techniques. There are also tools to improve security—like Oyente, which automatically scans smart contracts for vulnerabilities.

“Criminal” smart contracts will likely find more uses in high-tech crime. For example, in the paper “Ring of Gyges: Investigating the Future of Criminal Smart Contracts,” researcher Ari Juels and colleagues explore how smart contracts can be used for malicious purposes.

How to Protect Your ICO Team: A Typical Scenario

The most vulnerable part of any project is its team. Poor protection of personal accounts and a lack of basic cybersecurity hygiene often lead to compromised messenger and social media accounts, allowing attackers to spread phishing links, discredit the team, change website data, and more. The only thing worse is compromising the private keys to crypto wallets.

Here’s what you should do to keep your ICO safe from crime:

  • DDoS Protection: Almost every popular project faces DDoS attacks. Invest in quality DDoS protection in advance. Site downtime often scares off potential investors.
  • Team Account Security: All team members should secure their social media accounts, enable two-factor authentication, and use strong password policies.
  • Application Security: Check everything for vulnerabilities and properly configure access to critical server services.
  • Smart Contract Audits: At a minimum, scan your smart contracts with automated tools to check for known vulnerabilities.
  • Educate Your Community About Phishing: This is a simple and inexpensive step that can greatly reduce the risk of investors losing funds.
