How have ICOs been hacked

ICOs have been booming ever since their introduction to the market. The more initial coin offerings are launched and the more people get engaged, the larger the potential profit for hackers. Despite the decentralized and trustless nature of cryptocurrencies and crypto tokens, most of the trades happening on centralized exchanges are vulnerable to hacking. This is an ongoing concern, and a number of hacking incidents have been reported at various exchanges, affecting thousands of users and causing the loss of hundreds of millions of dollars.

Types of attacks

All network systems are vulnerable to various kinds of attacks. They can roughly be divided into two groups: attacks based on vulnerabilities in the technical tools and the nature of an ICO, and those exploiting human flaws. Everyone who writes a smart contract knows that if it can move a large amount of cash, it will be subject to attack through an overlooked bug. Of course, all token smart contracts are duly tested before launch, but ingenious hackers can still find a flaw and use it to their advantage. Vulnerabilities in the smart contracts of the tools used by an ICO can also be abused, which sometimes leads to unpleasant consequences, as in the Parity wallet incident, when ICOs like Polkadot and Cappasity suffered from the attacks and lost part of the raised funds.

As for the manipulations of human nature, there are lots of ways that work with ICO clients as well as they did with traditional finance market players and general users: phishing (in social media, fake accounts and pages, chats, links, etc.), and other fraudulent means like stealing passwords for mailboxes/moderators’ accounts/founders’ pages in social media and so on.

Most resounding cases

There have been several major attacks that caused an uproar in the crypto community and made investors apprehensive. For example, The DAO project, launched in May 2016, was meant to operate like a VC fund for the crypto and decentralized space. It was built as a smart contract on the Ethereum blockchain, which should have allowed companies to make proposals for funding. To allow investors to leave the organization if a proposal that they saw as damaging or of poor quality was accepted, the DAO was created with an "exit door" known as the "split function". On June 18, 2016, members of the Ethereum community noticed that funds were being drained from the DAO and that the overall ETH balance of the smart contract was going down. A total of 3.6 m ETH (worth around $70 m at the time) was drained by the hacker in the first few hours. The attack happened due to an exploit found in the split function. It's important to understand that this bug did not come from Ethereum itself, but from this one application that was built on Ethereum. The hacker stopped draining The DAO for unknown reasons, and the Ethereum community and team quickly took control of the situation and presented multiple proposals to deal with the exploit: first a soft fork to blacklist all the transactions made from the DAO, and then a hard fork returning all ETH taken from the DAO to a refund smart contract.

CoinDash, an Israeli startup that planned to raise capital by selling its own digital tokens in exchange for ETH, was hacked in July 2017, 13 minutes after the token sale started. An “unknown perpetrator” hacked CoinDash’s website and changed the address to which contributions were sent, so that contributions went to the attacker. However, CoinDash promised to compensate the losses in full.

The InsureX ICO was also affected by a hack, which caused people to send around 1,100 ETH to a fake Ethereum address. An unknown attacker somehow took control of the InsureX Twitter account, the website and the Slack channel. The attacker then went on to “host” a special early token sale combined with some fake bonuses. Sadly, a lot of people fell for this opportunity and lost a lot of money in the process. Many were outraged by this turn of events. It was impossible to explain how someone gained access to the InsureX website and was capable of successfully modifying it in such a manner that the early token sale seemed completely legitimate. For a company with “Insure” in the name, they certainly failed when it comes to having a secure website.
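
The CoinDash and InsureX incidents above both came down to a sale page showing an address the project had not published. The following check is an added example, not code from this article or from any of the projects named: it compares every Ethereum-style address found on a page with a pinned address, assuming that address was announced out of band before the sale. The addresses, sample pages and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed placeholder addresses, not real wallets. PINNED stands for the
# sale address announced out of band before the sale (an assumption).
PINNED = "0x" + "ab" * 20
OTHER = "0x" + "cd" * 20

# Exactly 40 hex digits after 0x, so 64-digit transaction hashes are ignored.
ADDR_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")


class _Collector(HTMLParser):
    """Gathers text nodes, inline script bodies and attribute values."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(value for _, value in attrs if value)

    def handle_data(self, data):
        self.chunks.append(data)


def addresses_in(html):
    """Return every Ethereum-style address in the page, lower-cased."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    return {m.group(0).lower() for c in collector.chunks for m in ADDR_RE.finditer(c)}


def audit_page(html, pinned):
    """Compare the addresses a page shows with the pinned set."""
    expected = {a.lower() for a in pinned}
    seen = addresses_in(html)
    return {"unexpected": sorted(seen - expected),
            "missing": sorted(expected - seen),
            "ok": seen == expected}


# Constructed sample pages: the sale page as published, and the same page
# after the displayed address was swapped in the text, a link and a script.
CLEAN = f'<p>Send ETH to <a href="/qr?a={PINNED}">0x{"AB" * 20}</a></p>'
TAMPERED = (f'<p>Send ETH to <a href="/qr?a={OTHER}">{OTHER}</a></p>'
            f'<script>var sale = "{OTHER}"; var tx = "0x{"ef" * 32}";</script>')
```

Run from a host outside the web server's own infrastructure, a check like this reports a swapped address as `unexpected` and the vanished legitimate one as `missing`.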

Tether, the startup company that allows users to trade and use digital tokens backed by fiat currencies like the dollar, euro, and yen, says that close to $31 million was stolen from it after a malicious attack in November. In a post on its website, Tether says $30,950,000 USDT was taken from its treasury wallet on November 19th and sent to an unauthorized digital wallet. USDT is a cryptocurrency token pegged to the US dollar, which is fully backed by assets in the company’s reserve account. Tether says it will not redeem any of the stolen tokens and that it is in the process of attempting to recover the tokens to prevent them from entering the broader ecosystem.

Not only ICOs are under threat, but cryptocurrency-related wallets, mining services and exchanges as well. The second largest hack in the history of the Ethereum network, in terms of ETH stolen, happened in July 2017. The attacker’s account drained 153,037 ETH from three high-profile Parity Multisig Wallets used to store funds from past token sales. A vulnerability was found in the Parity Multisig Wallet version 1.5+. The attacker sent two transactions to each of the affected contracts: the first to obtain exclusive ownership of the Multisig, and the second to move all of its funds. Surprisingly, after a hard fork following the first attack, a security vulnerability in Parity, Ethereum’s second most popular client, was exploited again in November. All Parity multisig wallets were frozen. That includes the Polkadot ICO and may include many others, totaling around 500,000 ETH, worth $162 m, according to some data. It was possible to turn the Parity Wallet library contract into a regular multi-sig wallet and become an owner of it. The only solution was to make a hard fork to withdraw money from the frozen accounts.

NiceHash, a Slovenian-based crypto-mining marketplace, was hacked for around $60 m. The hack has divided the cryptocurrency community, with some believing it was an inside job and blaming company incompetence. A computer of one of the employees was hacked, and thus a thief got access to NiceHash systems and took hold of funds. The CEO of NiceHash said that his company is “working on a solution to ensure that all users are reimbursed.”

Popular cryptocurrency exchange EtherDelta got hacked in December 2017, with many users unknowingly sending their tokens to the hacker instead of the exchange. At least 308 ETH ($266,789) were stolen. Apparently, EtherDelta’s smart contracts weren't compromised in the attack. Instead, the attacker managed to take over EtherDelta's DNS server and serve a fake version of the site to visitors. Users who visited the actual EtherDelta site were served a partially functional but still quite convincing version of the site. The attack appears to have been mitigated within a few hours, and the proper EtherDelta site restored, but anyone who interacted with the fake site may have sent ether or other tokens to the hacker. EtherDelta confirmed the attack and advised all users not to use the site. This case demonstrated that even decentralized exchanges have no proper security systems yet, and it reminds investors to be extremely careful when dealing with cryptocurrencies.

How to secure investments and ICO?

It has been argued that “one doesn’t invest in bitcoin, one gambles on bitcoin”, while those working in the area advise anyone planning on buying the currency to only invest as much as they are prepared to lose. Another general sentiment is that prospective investors should ask for help from those who have traded in cryptocurrency, as the typical protections surrounding investment are not present with bitcoin. Concerns about the security of the cryptocurrency have continued to shadow it. Last year, we saw some scandalous attacks on ICOs and exchanges, which resulted in a drop in the value of the currency at the time.

The lack of regulatory oversight, governance or standardization of blockchain processes in the ICO market has created an optimal attack surface for crypto-criminals. In fact, the latest intelligence from Chainalysis pegs the total amount of ETH looted from ICOs at over $225 m as of August 2017. That’s roughly 10% of all ICO ETH holdings. According to a cybercrime report by Russian information security firm Group-IB, the biggest threats to the ICO ecosystem are source-code bugs like the one exploited in the DAO heist, targeted attacks, domain hijacking (which redirects users to compromised servers) and phishing schemes.

It is generally believed, however, that the currency itself is secure, and that the problem lies with businesses in the industry and the wallets where the bitcoin are stored. Unfortunately, IT security is a real-world issue, not just for cryptocurrency but within any industry that uses technology. Here are several pieces of advice we can suggest to ensure the security of investments:
  • take care with your cryptocurrency account credentials; the safest way to go is to keep security credentials offline;
  • search the market, ask experienced investors and choose Bitcoin wallets that were built with security in mind;
  • keep digital coins only in wallets that you control;
  • be especially careful if you are using direct, peer-to-peer platforms to sell and buy cryptocurrencies.
In terms of launching a secure ICO, we are not going to focus on protection of code or infrastructure here. That’s the part where everybody should either know what they’re doing or at least hire a specialist to do it (this might also be the most difficult part to secure). There are some obvious general guidelines though, so we will name a few:
  • keep your systems up to date with the most recent security patches;
  • split access and zones (DMZ, frontend, backend, etc.);
  • use firewalls and VPNs;
  • allow only required services;
  • encrypt communication;
  • limit access for admins only where needed;
  • use authorization keys instead of passwords;
  • use continuous integration and automation to avoid mistakes;
  • create and keep backups in separate locations;
  • manage access to your hosting provider account;
  • conduct code audits;
  • perform tests.
Above all, it is important to educate users: constantly remind them about possible security measures, such as using password managers and using different passwords for different accounts. One can organize periodic workshops to talk about the latest observations and different types of hacking (like social engineering). We realize that it is hardly possible to be fully secure, but we do our best when providing consulting services and support for ICO startups. We are cautious and meticulous about smart contracts, ensuring their security and reliability. We conduct regular security audits and update the systems according to the newest data. Our bots protect social media and messengers. For instance, in a recent project our bots showed their best: they deleted lots of fake accounts and links at the beginning of the project, protecting our customers and investors against phishing.

Security is a constant process which has to be taken into consideration with every new implementation, every new system and every new medium your company plans to use. Don’t forget it!

