The ICO market is growing fast. Between 2015 and 2017, more than $3.7 billion was raised via ICOs, according to a report by Ernst & Young. Over 2017, the cryptocurrency market in general hit highs of $150 billion, while crypto assets saw investment hit $8.5 billion.
But with so much money flying around, it’s inevitable that a criminal element will attempt to take advantage. Scams, hacks, and Ponzi schemes are all being used to tap into the largely unregulated ICO market and are costing investors millions.
In fact, a report by Fortune magazine found that between 2015 and 2017 over 10% of the total capital raised from ICOs had been stolen by hackers or otherwise lost. That’s roughly $370 million!
We are seeing an increase in hacking attempts with our own ICO clients, especially those with impressive investor interest.
For example, Verasity.io, which launched last week, has seen a huge influx in brute force attacks and phishing scams after raising more than $33 million.
We’ve been working with Verasity.io to help provide advice to all of their potential and current investors to minimise phishing scams, while assisting them in securing all potential penetration points.
Why are hackers targeting ICOs?
As more of our lives are made digital, the potential for hackers and scammers to make money online increases. They’re attracted by an alluring combination of:
- A lack of regulatory authority for ICOs
- The irreversibility of blockchain transactions
- Information overload
- A lack of investor awareness and education
While project founders focus their efforts predominantly on their technology, marketing, and attracting investors, they often don’t prioritise security. Hackers know this and exploit weak points in a company’s security.
Even a legitimate business will be seen as a scam if investors lose their money, and they’re highly likely to file a class-action lawsuit against the company if the funds are stolen due to lax security.
So, just because your business is legitimate, don’t think that’s enough to save you from legal proceedings should your funds be stolen.
How are hackers stealing investment?
There are a number of ways a determined hacker can swipe the funds from beneath your nose.
The most straightforward way investment is stolen is through pure theft. Digital platforms are always susceptible to penetration, including digital wallets.
The best, and perhaps only, sure-fire way to protect your wallet funds from hacking is to transfer them to cold storage – a hard drive or paper wallet. Of course, these can be stolen by traditional means, but it adds a layer of security that is much harder to get around.
It is also advisable to use two-factor authentication for any digital wallets or backups, as well as for access to domains, email accounts, etc. Two-factor authentication (2FA) requires both a password and a second factor tied to something you have or something you are, such as a one-time passcode sent to a mobile device or a fingerprint. While not fool-proof, 2FA makes it that much harder for a hacker to access your platforms and wallets.
Finally, it’s obvious but still worth saying: do not use the same password twice.
You can use the toughest encryption on the planet to secure your platform, but if you use the same password on multiple platforms, your security is only as strong as the weakest platform. We advise picking a strong and unique password for your digital wallets, platform, website, and anything else connected to your business (and elsewhere, for that matter).
Vulnerabilities in the Source Code
We’ve all heard of hacks that have exploited weaknesses in web applications and perhaps some of you have even been victims of such hacks.
When it comes to ICOs, the code of your ICO smart contract is deployed to the blockchain and can’t be changed afterwards. If there’s a vulnerability in that code at the time of launching your ICO, fixing it is much harder than simply applying a patch to a web application.
The only real way around this is to identify and fix all potential vulnerabilities before your ICO goes live. Audit your code, test it, retest it, and get someone else to test it; you could even conduct a test run on a private blockchain to be extra sure.
Spending a little extra time and resources on the audit stage is far better than losing your business, money, and reputation by publishing code with a vulnerability that’s impossible to patch.
Domain Hack and Phishing
Often overlooked yet ever-present is the possibility of phishing scams. We all see them in our spam email folder every day!
A common variation of the phishing scam is for hackers to purchase domain names that look very similar to your own or which have a different suffix (top-level domain). They then copy your website design and send phishing emails to potential investors. But instead of the investment coming to you, it goes straight into their wallets.
To avoid fake sites scamming your investors, it’s a good idea to buy all the domains you can that look similar to your own. That includes domains with different suffixes as well as domains that use hyphens or easily misspelled words.
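As an added illustration (not code from the original post or from Verasity.io), the following Python script enumerates the kinds of look-alike domains described above for a constructed project domain, so a team can register or monitor them before an ICO launches. The project domain, the suffix list and the substitution table are assumptions to adapt to your own name.

```python
from typing import Set

# Constructed example inputs (assumptions, not from the original post):
# a hypothetical project domain and a small set of alternative suffixes to cover.
PROJECT_DOMAIN = "example-ico.io"
ALT_TLDS = ("com", "net", "org", "co", "info")
# Substitutions that look alike at a glance; extend for your own brand name.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "rn": "m", "m": "rn"}


def split_domain(domain: str):
    """Split 'label.tld' into (label, tld) at the last dot."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def _valid_label(label: str) -> bool:
    """A registrable label is non-empty and has no leading or trailing hyphen."""
    return bool(label) and not label.startswith("-") and not label.endswith("-")


def lookalike_domains(domain: str) -> Set[str]:
    """Return candidate look-alike domains a defender should register or watch."""
    label, tld = split_domain(domain)
    variants: Set[str] = set()
    # 1. Same name, different suffix.
    variants.update(f"{label}.{alt}" for alt in ALT_TLDS if alt != tld)
    # 2. Hyphen removed, or a hyphen inserted between two non-hyphen characters.
    if "-" in label:
        variants.add(f"{label.replace('-', '')}.{tld}")
    for i in range(1, len(label)):
        if label[i - 1] != "-" and label[i] != "-":
            variants.add(f"{label[:i]}-{label[i:]}.{tld}")
    # 3. Easy misspellings: one character dropped, or two adjacent ones swapped.
    for i in range(len(label)):
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):
        variants.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    # 4. One look-alike character substitution per variant, at every position.
    for src, dst in HOMOGLYPHS.items():
        pos = label.find(src)
        while pos != -1:
            variants.add(f"{label[:pos]}{dst}{label[pos + len(src):]}.{tld}")
            pos = label.find(src, pos + 1)
    variants.discard(domain)
    return {v for v in variants if _valid_label(split_domain(v)[0])}


if __name__ == "__main__":
    for candidate in sorted(lookalike_domains(PROJECT_DOMAIN)):
        print(candidate)
```

The output is a list to feed into your registrar or a domain-monitoring service; registering the list is the page's advice, and watching the unregistered remainder for new registrations catches the ones you could not buy.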
There are also other weak points within the domain setup itself – from your hosting provider to employees’ email accounts. Once hackers have control over your domain, it becomes very easy to change your wallet address to their own, and you may not even realise until it’s too late.
To minimise the chance of domain hacking, make sure you use 2FA and secure passwords for every account on every platform, and never share passwords with other members of staff – not everyone will be as security savvy as you are!
What else can you do?
Education is the main line of defence. Educate your investors on what to look out for in phishing scams and how to tell your legitimate site from a fake. Educate your staff on how to use 2FA and secure their passwords. Educate yourselves on the potential weak points in your business and source code.
The danger is that you’ll miss something due to a lack of experience with ICOs. That’s why we always advise using a specialist partner to help run your ICO. Not only will they know what vulnerabilities to look out for, they will also invest heavily in their own platform security to avoid damage to their own reputation. Besides, a platform with a good reputation for security will also help attract big investors!