Report: Hackers Divert up to 10% of ICO Funds

ICO campaigns often invite scammers, underlining the need for better governance and using proper smart contract security.

Statistics until August 2017 show that the "golden age" of ICOs led to losses of around $225 million. We could easily assume the losses were much higher, given the appreciation of digital assets. In the past days, several ICOs lost between $150,000 and $1 million in Ethereum.

Participating in ICOs still offers unprecedented opportunities to buy into the technology of tomorrow, yet understanding safety is important. But according to Hartej Sawhney of, up to 10% of funds from the entire ICO sector ended up stolen. Naturally, some projects are affected much worse than others. With a global ICO sector reaching $4 billion in 2017, the total sum is quite significant.

The Latest Phishing Scams

Phishing scams rely on human perception and human emotion - the fear of being late, and the appeal of a special promotion.

The most prominent loss remains that of the DAO, sinking 3.6 million ETH. But smaller phishing attempts add up.

The Experty ICO lost $150,000, or around 150 ETH, in a phishing attempt over one weekend. The source of the phishing links was email, due to a hacked and exposed list of ICO registrations.

The Bee Token ICO lost $1 million of funds, or around 1,000 ETH in a much broader phishing attempt right at the beginning of the ICO.

A few months ago, the Enigma ICO lost nearly 1,500 ETH, as thousands of backers were exposed.

CoinDash was an especially poignant case, in which a hacker diverted 10,000 Ethereum, and then returned them from his well-known Ethereum wallet address. According to Mr. Sawhney, the CoinDash site was inherently vulnerable and it was irresponsible that a significant ICO would build its website in WordPress. The Hosho project even contacted CoinDash with a warning, but only hours later, a hacker went ahead and changed the wallet address.

More recently, Eristica ICO and Bridge Protocol released warnings of fake wallet addresses being disseminated in social channels.

Apex Network saw its website recently hacked, and the wallet address replaced. Origin protocol has had its mailing list exposed. So far, no losses have been reported.

How to Protect Yourself from Phishing Attacks

  • Know your ICOs, and only follow the official data. ICOs rarely make last-minute change of plans. If in doubt, go through all social media channels. Be very wary and skeptical of messages from admins, founders, or alleged community leaders.
  • Compare bonuses and special deals with the numbers from the website or the white paper. Don’t send funds, if a bonus looks too good to be true.
  • Never hand over your private keys, or the UTC file to MyEtherWallet. Never visit MyEtherWallet through social media or email links, or even through Google.
  • If you send funds to an Ethereum address, check it through Etherscan for flags, or revealing comments.
  • If in doubt, contact the community, whether other admins, community leaders, or knowledgeable users.
  • As a final precaution, make sure you are not over-investing in one project if it looks dubious in any way. Losing 0.5 ETH may be painful, losing 50 may be much worse. Much better to skip an opportunity and wait for another, then to overbuy a scam.

Toxic Wallet Addresses

Creating and using an Ethereum address is extremely easy. So there are hundreds of wallets or addresses flagged as belonging to phishing scams.

What is curious, is that a lot of Ethereum is simply sitting in the phishing addresses, and not moving anywhere.

At this point, it is impossible to centrally freeze wallets or addresses, but users can only flag them.

The Parity Wallet Freeze

The Parity Wallet tampering case was one case of an unaudited smart contract, where a newbie testing commands randomly locked $300 million’s worth of Ethereum last fall.

The Parity lockdown is still unresolved, and has locked in the funds of the Polkadot ICO just days after the end of the token sale.

Smart Contracts and Security

Several token sales link their official Ethereum address to a smart contract, so that the ICO is only open on predetermined dates.

At the same time, users need to get educated. ICO wallet addresses, in the first wild days of this type of fundraising, were disseminated as a plain text message, without further protections. Now, users should expect to see smart contracts protecting every token sale.

Smart contract security is a whole different issue, and the bitter experience of the DAO needs to be taken into account, for a proper audit of the smart contract. The adage is that a smart contract is only as smart as the creator, so leaks in logic need to be carefully addressed for the safety of token sales and distribution.

ICO backers should look out for ICO projects that have completed penetration testing of their site, and audited their smart contracts, said Mr. Sawhney. The least step should be a bug bounty, showing that the project is serious about security.

Good projects should get two or three audits of their smart contracts, to assure they are working right, Mr. Sawhney believes, as mistakes in smart contracts often hide in plain sight.