How to steal money with ICO. We analyze typical scenarios for the abduction of funds and ICO

In 2017, cybercriminals managed to steal 10% of all funds invested in ICO through Ethereum. The total damage amounted to almost 225 million dollars, 30 thousand investors lost an average of 7500 dollars. We'll figure out how to steal money at the ICO. Here the whole hacker arsenal can be involved, and the most primitive methods can be used.

"Even before the ICO, we encountered a dozen phishing sites, DDoS attacks and threats - from IGIL and from the Italian mafia:" Translate 10 bitocons for this purse, otherwise we'll destroy you! ", - recalls the preparations for the September ICO Ilya Remizov, Technology Director of Blackmoon. His team appealed for protection to us - in Group-IB, and we cleared phishing sites, neutralized these extortion blackmailers.

In less than twenty hours Blackmoon collected more than $ 30 million. But such an ideal ICO does not always happen. Not only speculators and crypto-enthusiasts have been trying to earn money on crypto-currencies for a long time, but also hackers who use their skills for theft and cyberattacks.

Crypto-currency has been attracting cybercriminals since 2011: it was then that hackers began actively hacking online wallets, crypto-exchange exchanges and exchangers, stealing private keys from purses of individuals. Some banking Trojans - TrickBot, Vawtrak, Qadars, Triba, Marcher - have been redirected to users of crypto-currency wallets.

Having sensed the smell of money, not only traditional cybercriminals began to attack crypto-exchange exchanges, but also pro-state hackers. For example, in recent attacks on South Korean crypto services suspected of hackers from the North Korean group Lazarus.

In the early days of Bitcoin, hackers needed quality training and an extensive repertoire of techniques. The wide spread of ICO has significantly changed the situation. Often even an attacker who does not understand anything in the blockade and information protection has the opportunity to break the jackpot.

The path to ICO

When the team decides to conduct an ICO, it primarily develops White Paper (WP), a document that describes the technology and business model of the project. On the basis of the developed WP, ​​lending is created, and the organizers attract a community whose interest in the project is constantly fueled by news and the opportunity to communicate with the team. At some point, announce the date of ICO, followed by a series of activities up to an hour of "X": advertising campaigns in search engines and other resources, mailing lists and so on. At the appointed time, the ICO opens, investors get the opportunity to purchase the project's tokens, and the project takes the crypto currency into its purses.

On which of the steps in the ICO path do hackers appear? For everyone! Hackers, like all other investors, also want to make money on the ICO. As soon as the first version of White Paper is published, the attackers will have a starting point to start the operation.

Theft White Paper

One of the features of the projects of the block-industry is full transparency and openness. Most of the development and source codes are published in the public domain. Obviously, first of all the team publishes the WP.

Most recently, an interesting case was recorded, where the cybercriminals could make money by copying someone else's project. The scheme looks very simple: it takes legitimate, well-designed White Paper in Russian, it is made a full copy through Google Translate, creating a lending with the description of the project, a new team (fake, of course) and a new brand. The project competently spins on the Web: contextual advertising appears, huge threads on Bitcointalk.org and so on.

For example, our workshop colleagues from Crypto Detectives found that the owners of the Wi-Fi Global project copied and transferred WP to the team worldwifi.io. If you look closely, Wi-Fi Global is just a slightly reworked version of World Wi-Fi. At the same time, the community in Telegram with Wi-Fi Global has more than two thousand people and, according to the project participants, they managed to attract 500 thousand dollars for pre-ICO.

Account compromise

Since the project site usually has detailed information about all the team members, intelligence for the attackers is greatly simplified. It's no secret that there are a lot of dumps of leaked passwords on the web. If the compromised password is used elsewhere, it can lead to extremely undesirable consequences - not only for the account holder, but for the project and investors.

It was such an unpleasant story that happened to the authors of the Enigma project. Hackers managed to earn half a million dollars even before the date of the ICO was announced. Attackers were able to compromise the Enigma website and several accounts on social networks.

The founders of the project are from the Massachusetts Institute of Technology. The CEO apparently did not like to use different and complicated passwords for his accounts. Thanks to this, hackers got access to his email address (which did not have two-factor authentication). Of course, it was not difficult to seize access to other services and accounts linked to the address. Afterwards, the credentials of the other team members were compromised. Attackers got access to the enigma.co page (the site where the tokens were being sold was not compromised) and the Slack messenger.

Having access to enigma.co, the hackers posted there an announcement of selling tokens, wrote about it in Slack in a chat for the community and made a mailing list on the stolen list. All this - to spread your address, which was suggested to translate tokens. In total they managed to collect 1492 ETH - about one and a half million dollars.

Defects

All the worst, as a rule, occurs on the day of the ICO. A flurry of DDoS attacks simultaneously with the influx of users, an avalanche of messages to the channel of the project in Telegram and Slack, spam on the mailing list.

The most offensive thing that can happen is the deface of the site during the ICO. The goal of hackers is very simple: put your wallet on the official project portal and raise funds for it.

The victim of such an attack was the project CoinDash. During the ICO site CoinDash was hacked, hackers put on the main page of the project illegitimate wallet. It's clear that all investors rushed to throw crypto currency not on CoinDash wallets, but on hackers. Victims of the attack were more than two thousand investors, having lost in aggregate about 37 000 ETH.

The project team turned out to be decent and reimbursed the investors who fell into the hands of hackers.

Phishing

Phishing occurs almost always when a more or less well-known project goes on the ICO. The distribution of fraudulent emails, as a rule, is accompanied by a powerful DDoS attack on the project site. The meaning of all this is very simple: hackers copy the content of the site, make a similar domain and spread on the Internet. There is nothing unusual here, just like always. In the case of ICO, two types of phish are created: the first type is imprisoned for stealing a private key of the user, the second simply asks to transfer the crypto currency to the purse or smart contract address.

How can someone leave a private key on the scam site? Does not this seem suspicious? Alas, when the desire to quickly enrich itself in the business is involved, it does not happen that way. Judging by Etherscan, people sometimes do and repeat translations, without getting anything in return.

According to statistics from Chainalysis, about 56% of all funds stolen from ICO were stolen by phishing attacks. An approximate estimate of the damage from phishing is $ 115 million. According to Group-IB, a large phishing group earns from 3 thousand to 1 million dollars a month. Now phishing is the most popular way to steal funds from investors. At the height of the "crypto-currency fever", everyone aspires to buy tokens as quickly as possible (often they are sold at a big discount) and do not pay attention to such trifles as the crooked domains.

A typical scheme - attackers buy contextual advertising in search engines, organize an avalanche of messages in instant messengers and in any way try to catch traffic to a phishing site. In general, if you want, you can even enter the indicator of the investment attractiveness of the project, by calculating the number of phishing sites made on its basis.

Preparing for one presentation, I made a screenshot with the search for ICO STORM Token on Google. It is noteworthy that the first three links are phishing, placed through contextual advertising. In addition, there is often a phishing MyEtherWallet. Be carefull!

There is a very good project etherscamdb.info, where aggregate phishing by ICO. There are 2533 entries in its database. Essential for such a young industry. For only MyEtherWallet registered 2206 phishing domains.

When you lose after collecting

The worst option for any ICO team is to lose funds after a successful collection. This happens because of inaccurate handling of crypto-currency, vulnerabilities in smart contracts and ziroids in popular wallets. And even if you remove vulnerabilities in your own software, the risk of losing funds in other cases is difficult to level out.

A good example is the project The DAO, in which the attackers were able to steal at least $ 53 million. Another example is the aeternity project, which stole $ 30 million through a zee-sensitive vulnerability in Parity's wallet.

Vulnerabilities of smart contracts are actively studied by the community. For example, in the work of scientists from the University of Cagliari (PDF) different techniques of operation are described. There are also attempts to improve security - for example, the utility Oyente checks smart contracts for vulnerabilities in an automatic mode.

Most likely, "criminal" smart contracts will find their application in the world of high technologies. For example, in the research work "The Ring of Gig: a study of future criminal smart contracts" (PDF) researcher Arie Eels and his colleagues are considering options for how to use smart contracts to harm.

How to protect a team: a sample scenario

The most vulnerable part of any project is his team. Poor protection of personal accounts, lack of a basic culture of computer hygiene often leads to the fact that accounts of messengers and social networks are compromised and attackers are able to send links to phishing sites to the left and right, to discredit the team, to change data on sites and so on. Worse than this can only be a compromise of private keys from crypto-currency purses.

So, here's what you need to do to ensure that the ICO is not overshadowed by crime.

Protection from DDoS attack. Almost every untwisted project faces attacks of this type. It is better to take care in advance of quality protection from DDoS. The inaccessibility of a site often repels potential investors from investments.
Protection of the project team. All team members must protect their personal accounts on social networks, put two-factor authentication, introduce password policies.
Information security of applications. Naturally, you need to check everything for the presence of vulnerabilities and make high-quality settings for access to critical services on servers.
Verify smart contracts for known vulnerabilities. You must at least scan them automatically.
Educate the community to recognize phishing. This is a relatively simple and cheap measure that will significantly protect potential investors from loss of funds.

Сonclusions

After analyzing more than one and a half hundred attacks on block projects (exchanges, exchangers, purses, funds), we came to the conclusion that most of the problems lie in the vulnerability of crypto services themselves using blocking technology. In the case of Ethereum, cryptosystems face both vulnerabilities in their own smart contracts, and with well-studied problems such as defeats, compromising accounts and phishing. Often hackers do not even need to know the specifics of the work of smart contracts and the subtlety of the work of the blockbuster. Traditional and well-developed methods work well when users are stolen from crypto currency.