The ICO hackers are at it again. Enigma, a de-centralized platform that’s preparing to raise money via a crypto token sale, had its website and a number of social accounts compromised with the perpetrators netting nearly $500,000 in digital coin by sending out spam.
Enigma, which was started by a group of MIT graduates, did not lose any money from the attack. Whoever orchestrated it grabbed money from the Enigma community, people who joined the company’s mailing list or Slack group of over 9,000 users to learn more about its ICO in September.
The hacker posted Slack messages, altered the website and spoofed emails to a community list which were made to look official and urged money to be sent to their crypto wallet.
That’s netted the hacker 1,492 in Ether coin (worth $494,170.68) at the time of writing, according to Etherscan. That’s despite the Enigma team having warned its community that it would not collect money in this way prior to the ICO next month.
In response to the incident, the company has taken its websites and Slack group down and it is posting updates via its Telegram group and Twitter account.
Users on Reddit found that Engima CEO Guy Zyskind’s email was accessed by the hacker. His email had been part of a hacking of a different services in the past and had been dumped on the internet, but seemingly Zyskind had not taken the time to change the password. TechCrunch found an alert for the email address on haveibeenpwned.com. Likewise, there was no two-factor authentication or last line of security to keep anyone with the password out.
A spokesperson told us that “certain team passwords were compromised for the enigma.co landing page and Slack.”
They said the dedicated website for the Enigma token sale was not affected.
“It resides on a separate, more secure server which was never compromised,” the spokesperson said.
Previous ICOs have been impacted when attackers took control of ICO sites and added third-party wallet addresses to syphon money into their account. That was the case with CoinDash, which lost $7 million in July, and Veritaseum, which had $8.4 million stolen in a ‘victim-less’ hack the same month.
Enigma said it has implemented new security measures, including strong passwords and two-factor authentication for all employee email accounts, as well as “proper access control management and compartmentalization.”
It’s pretty inexcusable that these measures weren’t in place from the beginning. The breach will be particularly embarrassing given how basic it was to gain access, and since one co-founder — not Zyskind — shared his “simple solution” for preventing ICO hacks with Business Insider just last month.
The episode is also a lesson in caution for those who clamor to take part in the booming ICO market. ICOs, also known as token sales, raised more than $1.2 billion in the first half of 2017, that’s more than the total amount invested in early-stage startup funding and the trend is set to become more prominent.
Getting in on an ICO before it goes public can net investors lucrative sums of money, but with many companies — such as FileCoin, Omise, and Kyber — opting for closed community sales over open public affairs, getting in early has never been more critical. That may leave some would-be investors more open to being scammed than usual, as appears to have been the case with Enigma.
Here’s the full statement from Enigma:
1) No investor or company funds were stolen or compromised. All company funds are safely secured via multi-sig wallets comprised of hardware wallets. We believe scammers were soliciting community funds by posing as the Enigma team and posting an ETH address for users to send funds. We have announced on multiple occasions that we will not be collecting any community funds for any reason before our crowd sale on September 11. Our official pre-sale is done with accredited investors only and we require heavy legal due diligence. These funds also will not be collected until September.
2) We have retaken control of all Enigma accounts, but we have deactivated our 9000+ user community Slack for the time being as a security measure. Our official communication channels at this time will be Twitter and Telegram. @EnigmaMPC, t.me/enigmacatalyst, t.me/enigmacatalystann. Users should always wait to see critical communications confirmed across ALL channels.
3) We’ve moved up a number of critical security steps and taken additional measures to protect the community going forward. We’re now very well aware of the potential threats and are taking no chances.
1. Strong, different, random passwords for each account – whether held by an employee or official communication channels for the company
2. 2FA for all such accounts
3. Weekly password rotation, and daily rotation in the week leading to the token sale
4. Proper access control management and compartmentalization
We also intend to do a live stream doing our crowdsale September 11 to ensure the community’s trust in our team and sale. We remain a public-facing team, and we continue to firmly stand behind Enigma’s vision and future.