The ICO hackers are at it again. Enigma, a de-centralized platform that’s preparing to raise money via a crypto token sale, had its website and a number of social accounts compromised with the perpetrators netting nearly $500,000 in digital coin by sending out spam.
Enigma, which was started by a group of MIT graduates, did not lose any money from the attack. Whoever orchestrated it grabbed money from the Enigma community, people who joined the company’s mailing list or Slack group of over 9,000 users to learn more about its ICO in September.
The hacker posted Slack messages, altered the website and spoofed emails to a community list which were made to look official and urged money to be sent to their crypto wallet. That’s netted the hacker 1,492 in Ether coin (worth $494,170.68) at the time of writing, according to Etherscan. That’s despite the Enigma team having warned its community that it would not collect money in this way prior to the ICO next month.
In response to the incident, the company has taken its websites and Slack group down and it is posting updates via its Telegram group and Twitter account.
Users on Reddit found that Engima CEO Guy Zyskind’s email was accessed by the hacker. His email had been part of a hacking of a different services in the past and had been dumped on the internet, but seemingly Zyskind had not taken the time to change the password. Experts found an alert for the email address on haveibeenpwned.com. Likewise, there was no two-factor authentication or last line of security to keep anyone with the password out.
A spokesperson told us that “certain team passwords were compromised for the enigma.co landing page and Slack.” They said the dedicated website for the Enigma token sale was not affected. “It resides on a separate, more secure server which was never compromised,” the spokesperson said.
Previous ICOs have been impacted when attackers took control of ICO sites and added third-party wallet addresses to syphon money into their account. That was the case with CoinDash, which lost $7 million in July, and Veritaseum, which had $8.4 million stolen in a ‘victim-less’ hack the same month.
Enigma said it has implemented new security measures, including strong passwords and two-factor authentication for all employee email accounts, as well as “proper access control management and compartmentalization.”
It’s pretty inexcusable that these measures weren’t in place from the beginning. The breach will be particularly embarrassing given how basic it was to gain access, and since one co-founder — not Zyskind — shared his “simple solution” for preventing ICO hacks with Business Insider just last month.
The episode is also a lesson in caution for those who clamor to take part in the booming ICO market. ICOs, also known as token sales, raised more than $1.2 billion in the first half of 2017, that’s more than the total amount invested in early-stage startup funding and the trend is set to become more prominent.
Getting in on an ICO before it goes public can net investors lucrative sums of money, but with many companies — such as FileCoin, Omise, and Kyber — opting for closed community sales over open public affairs, getting in early has never been more critical. That may leave some would-be investors more open to being scammed than usual, as appears to have been the case with Enigma.
Here’s the full statement from Enigma: