This summer was punctuated by scams and hacks of “initial coin offerings,” startup fundraisers that issue coins, tokens, or cryptocurrency to anyone who wants to invest in fledgling blockchain-related companies.
In mid-July, a startup called CoinDash lost $7 million during its ICO after a hacker altered the address investors were sending funds to, so the money went to a malicious digital wallet instead of CoinDash. Days later, at least three ICOs were affected by a bug in a cryptocurrency wallet called Parity that allowed crooks to nab $30 million. And thieves stole more than $500,000 during a fake, hacker-staged coin pre-sale for the digital financial services developer Enigma. As ICOs proliferate, there is a lot at stake for both the startups that rely on them for funding and the investors, many of them everyday internet users, who stand to lose millions of dollars.
Since 2013, ICOs have melded traditional venture capital funding rounds with crowdfunding, and while some startups like the egalitarian attributes of ICOs, many companies are using them simply because they’ve been turned down for funding by more traditional VCs and financial institutions. ICOs have exploded in popularity over the past year—even Paris Hilton is touting them—but like any emerging, unregulated financial mechanism, they are also risky, immature, and uncharted. The startups that hold them aren’t necessarily prepared for the exposure their fundraisers may receive, and many backers are new to ICOs and even to investing in general. With relatively little information available about how ICOs work and what to expect, participants are particularly susceptible to all sorts of fraud. And the hustles have arrived on cue.
“These ICOs have big targets on their back. It wouldn’t surprise me if attackers have spreadsheets of what ICOs are coming up and how much they’re planning to raise,” says Jackson Palmer, a product manager at Adobe who co-created the Dogecoin cryptocurrency. “ICOs opened funding to a much less experienced group of people who don’t necessarily know how to execute on good infosec practices. And the investors are very inexperienced as well. It’s the perfect storm for people to lose money.”