This summer was punctuated by scams and hacks of “initial coin offerings,” startup fundraisers that issue coins, tokens, or cryptocurrency to anyone who wants to invest in fledgling blockchain-related companies. In mid-July, a startup called CoinDash lost $7 million dollars during its ICO after a hacker altered the address investors were sending funds to so the money went to a malicious digital wallet instead of CoinDash. Days later, at least three ICOs were affected by a bug in a cryptocurrency wallet called Parity that allowed crooks to nab $30 million. And thieves stole more than $500,000 during a fake, hacker-staged coin pre-sale for the digital financial services developer Enigma. As ICOs proliferate, there is a lot at stake for both the startups that rely on them for funding as well as the investors, many of them everyday internet users, who stand to lose millions of dollars.
Since 2013, ICOs have melded traditional venture capital funding rounds with crowdfunding, and while some startups like the egalitarian attributes of ICOs, many companies are using them simply because they’ve been turned down for funding by more traditional VCs and financial institutions. ICOs have exploded in popularity over the past year—even Paris Hilton is touting them—but like any emerging, unregulated financial mechanism, they are also risky, immature, and uncharted. The startups that hold them aren’t necessarily prepared for the exposure their fundraisers may receive and many backers are new to ICOs and even investing in general. With relatively little information available about how ICOs work and what to expect, participants are particularly susceptible to all sorts of fraud. And the hustles have arrived on cue.
“These ICOs have big targets on their back. It wouldn’t surprise me if attackers have spreadsheets of what ICOs are coming up and how much they’re planning to raise,” says Jackson Palmer, a product manager at Adobe who co-created the Dogecoin cryptocurrency. “ICOs opened funding to a much less experienced group of people who don’t necessarily know how to execute on good infosec practices. And the investors are very inexperienced as well. It’s the perfect storm for people to lose money.”
Not all ICOs get hacked, of course, and many start-ups are able to contain losses or even successfully defend themselves and their investors against scams. But being attacked is quickly becoming the norm for ICOs. Companies are reporting that their fundraising sites are being DDoSed, their Slack channels are being manipulated to promote fake wallet addresses, and the back-end processes that handle cryptocurrency transactions are even being attacked. In a statement to investors last week, Anti Danilevski, the CEO of the cryptocurrency platform Kickico, laid out all the ways attackers tried to undermine the company’s recent ICO. Though the Kickico ICO ultimately didn’t lose anyone’s money, Danilevski noted, “We honestly admit our fault: we did not realize that such a small and inconspicuous company without huge PR actions will attract any attention.” Hopefully Kickico will learn from the experience, because the group plans to facilitate other companies’ ICOs as part of its services. Danilevski told WIRED that the company has expanded its security precautions, and now runs penetration tests and independent audits to improve the security of its systems and website.
There is a lot of money on the line and as ICOs go mainstream, more and more of it is coming from average people who don’t necessarily have prior exposure to cryptocurrency or even investing in general. (When Floyd Mayweather Jr. is telling you to fund something through an ICO, the mechanism starts to feel like a safe, mainstream option.) The blockchain analysis firm Chainalysis reported in August that over the past couple of years ICOs have attracted more than $1.6 billion in investment, and cybercriminals have siphoned off about 10 percent of those funds in the last year. The digital currency market cap overall is now more than $90 billion.
Though some ICOs have been compromised through actual vulnerability exploitation and other hacking, criminals have been carrying off most of the scams around ICOs through social engineering. Fraudsters have used phishing campaigns and social media manipulation to masquerade as legitimate administrators of ICOs so they can disseminate fake information to potential investors and around the web about where to send money and even when an ICO will be taking place.
In the case of the Enigma scams, attackers were able to compromise the company’s official domain, Slack channel, and mailing lists to send out seemingly legitimate information about a special pre-sale that would allow interested investors to get in on the ICO early. In reality, there scammers were just circulating a fraudulent wallet that they controlled and eventually drained. “We’ve been in touch with other high profile ICOs in the space, and the same attacker has apparently hit several others,” Enigma CEO Guy Zyskind told WIRED last month. “Although there are bumps in the road, we all have a mission to build interesting things.”
Zyskind says that after its actual ICO next week, Enigma will restore funds to would-be investors who were scammed. But not all companies take that type of responsibility for fraud occurring around their ICOs. And some ICOs themselves could be bogus—shell companies that pretend they are raising money but are actually just funneling it to criminals with no accountability.
The Securities and Exchange Commission has been probing the issue, particularly in relation to whether unregistered ICOs constitute illegal securities offerings. An SEC investigation into the 2016 ICO of the cryptocurrency platform Decentralized Autonomous Organization determined that DAO Tokens are securities and that DAO should have registered as a securities exchange—guidance that the SEC will be able to enforce in the future. DAO attracted attention, though, not only for being an early ICO when the concept was still novel, but for losing $50 million in investor money because of a vulnerability that hackers were able to exploit.
The SEC guidance, though, is far from an instant solution to the free-for-all that ICOs have become, and the agency seems particularly concerned about the impact ICO scams could have on retail investors, individuals who buy and sell securities as part of managing their own finances. Some countries like Singapore and Hong Kong are similarly tracking ICOs and considering regulations, particularly because of money laundering concerns, while China announced this week that it is banning ICOs altogether. As speculators continue to flock to these online investments, though, new scams have continued to crop up and evolve. Last week, the SEC released a new Investor Alert about the ongoing problem.
“We don’t regulate technology, we regulate conduct and the implementation of technologies that involve securities,” Valerie Szczepanik, head of the SEC’s Distributed Ledger Technology Working Group, told WIRED. “ICOs present novel forms of capital formation and investor interfaces, and along with that you have new risks. There is legitimate activity going on, but anything that is in the news or that is generating hype is fodder for fraudsters. We are focusing on areas where there may be the risk of investor harm.”
For now, both startups and investors should approach ICOs with caution. “People are worried they won’t get in before the whole thing implodes,” Palmer says. “So projects are rushing to get their thing out the door and collect funds before the market has some sort of correction. There isn’t a lot of due diligence being done and there will be a breaking point.” Some argue that the whole craze is a bubble while others think it is possible for ICOs to mature into a stable avenue for raising capital. Startups pursuing ICOs have to focus on defense and would-be investors need to seriously watch their backs.