It seems as if another ICO has fallen victim to a “Pre-ICO sale” phishing attack. In this case, the ICO in question was Experty where the hackers were able to make away with about $150,000 in investor funds.
These type of ICO phishing attacks involve the hacker taking advantage of the FOMO (Fear Of Missing Out) that is inherent with most investors. In this case, the hacker sent pre-ICO sale announcements to those who had signed up to receive them from the company.
These are generally the most rudimentary type of crypto thefts as they mostly rely on an overly keen investor who is too quick to jump on a supposed opportunity. These are generally quite easy to spot and are only marginally effective.
However, in this case, the hacker was able to gain access to the list to many of those who had signed up to the ICO. This is the reason that the hacker was able to make the email scam that much more effective.
So how did this happen exactly? Let’s take a closer look.
What is Experty?
Image via experty.io
Experty aims to develop a blockchain based Voice Over Internet Protocol (VOIP) calling system. They want to take on the likes of the current centralised players in the form of Whatsapp and Skype with a decentralised solution.
The platform wants to give professionals the opportunity to exchange their knowledge for money through the application. It would allow these knowledge providers to set minute rates for the amount they would like to get compensated.
They see the most relevant use cases for the technology as those who are in the legal, consulting or medical fields. These professionals can log on and automatically receive cryptocurrency for their time.
They were going to use the ICO to issue the native ERC223 token for the start-up, the Experty Token (EXY). The main crowd sale of these tokens was planned on the 31st of January.
What is no doubt interesting is that the Experty ICO made use of something called a “Proof of Caring” or PoC. If this is a concept that you initially scratched your head at, don’t worry, so did we.
Proof of Caring is supposed to be a way in which those who promote the ICO and write a number of reviews on them online. Those that were able to promote the ICO effectively during this PoC stage “showed that they cared” and were attributed a higher level.
In these higher levels, they could earn more tokens within the three different tiers. Although PoC seems to be an innovative way to draw attention to an ICO, it looks a great deal like a Multi-Level Marketing scheme.
Irrespective of how the project wanted to promote their ICO, the PoC example left the user data vulnerable to the hacker.
How the Scam Took Place
According to an announcement on Medium, the Experty team was able to establish that one of these PoC reviewers had their account somehow compromised. This PoC user somehow also had information of all of the other PoC users.
This meant that the hacker who was able to get into this individual’s account also had access to the names and contact information of all those others who were registered.
This was no doubt some really important customer information that the hacker was able to leverage. On the 27th of January, these users started getting emails alerting them to a pre-ICO of the tokens.
The emails were spoofed and originated from firstname.lastname@example.org. This was chosen no doubt to confuse the investor into thinking that it was coming from the ICO itself or from Bitcoin Suisse, the company facilitating the ICO.
They were also told that they had only 12 hours to invest in the pre-sale before it closed for them. The hacker told the participants to send the funds to his address. This created the FOMO affect and provided the impetus to send the funds.
$150,000 and Counting
So far, there have 71 transactions to the hacker’s wallet which was eventually picked up by Bitcoin Suisse. Although it may have staved off the flow for the time being, there is at least $150,000 that is now in the hands of the perpetrator.
There were also reports that the hackers had used more than one Ethereum address for the phishing scam. This means that he may have been able to extract a great deal more than is initially being reported.
The Experty team released an official communication on the hack. They wanted to compensate the community by giving everyone who has their ETH address in the database an additional 100 EXY tokens which is about $150. They went on to say
We are taking precautions and increasing security to ensure that this does not happen again. The Experty community is our number one priority, and always has been. We will continue to work towards a safer and prosperous future, and we hope that you will be there with us
This is of course not much consultation for the 71 or so people who lost their funds to the hacker. Moreover, the PoC reviewers should not have had access to the details of all of their compatriots.
Lessons to be Learned
While it was no doubt reckless for private data to be in the hands of a group of users, the ultimate responsibility for falling for the scam has to lie with the user. Phishing scams rely on victims that don’t think twice before they fund.
In this case, those who had funded should have known that the ICO was only commencing on the 31st of January. They should have also have been suspicious as to the email address that was used to promote the pre-sale.
When it comes to pre-sales, ICO announcements, air-drops etc, if you have the inkling of suspicion, just wait. It is far more costly to fall for a scam than it is to miss out on a “hot” ICO.
Featured Image via Fotolia