In the era of cutting-edge technologies that seemed like science fiction just a few years ago, people have come to underestimate the efficiency of old-school social engineering for deploying various online hoaxes. Well, the infamous “Nigerian scam” probably wouldn’t bode well for threat actors these days. However, the crooks’ success gets way more plausible when the cryptocurrency ecosystem enters the game.
This soaring economy is chock-full of hungry investors, new startups, and ICOs aimed at bridging the gap between the two. ICO stands for “Initial Coin Offering” and denotes a campaign where investors buy tokens, of the would-be project so that the team behind it can build and launch their service. Later on, the early backers can sell their tokens – hopefully at a higher price.
Online scammers have diversified their portfolio with the influx of ICO campaigns. Their new tactic is to try and dupe early investors into sending their funds to a rogue cryptocurrency address. A few recent incidents have demonstrated that exploiting human weaknesses can be more effective than any type of manipulations with the code. With new type of scams there is no need to launch sophisticated ransomware campaigns that require hiring botnets, buying exploits, coding and updating numerous malware strains, and maintaining bulletproof hosting services.
Seele ICO backers tricked by impostors
Perpetrators impersonating admins of the blockchain project called Seele manipulated potential investors into wasting $2 million worth of Ether in early February 2018. Seele is a lure to many because it is innovative and ambitious to the bone. It stands out from the mainstream by introducing the unique concepts of Neural Consensus algorithm and Heterogeneous Forest Network, which are purportedly applicable to the domains of IoT, e-governance, social networking, financial technology, healthcare, and gaming.
The way the black hats have pulled off their scam is quite prosaic. Posing as Seele admins @nicsmith and @SeeleSupport in the project’s Telegram channel, they sent messages to some members with an offer of private sale of Seele’s ERC20 tokens. By the time this hoax was unveiled and got media coverage, some contributors had already submitted their funds to the swindlers’ Ethereum address. In the upshot of this scam, investors lost about $2 million worth of Ether.
The hacked Telegram accounts were promptly eliminated from the list of the company’s approved admins, which was, obviously, cold comfort for those defrauded. How exactly a random person could become an admin in Seele’s official channel remains a mystery. Some investors suspect the fraud was an inside job involving someone from the startup’s team, while Seele denies any speculations of that sort and blames the predicament on impostors.
The Bee Token ICO scam
Threat actors were able to defraud the Bee Token ICO contributors of at least $1 million worth of Ether at the end of last month. This ICO was intended to raise funds for the launch of Beenest, a decentralized home sharing platform powered by the blockchain. The perpetrators sent phishing emails to hundreds of users, announcing ICO crowdsale and promising a 100% bonus on all tokens sent during the following six hours.
Although the Bee crew issued a number of security alerts regarding this scam when it was still underway, unsuspecting users continued to submit cryptocurrency to the wrong addresses. Three of them held an Ether equivalent of more than $1 million when the ICO was closed, that is, on February 2. However, researchers have spotted multiple other wallets involved in this fraud, so the total amount people lost is most likely larger.
Despite the massive scam accompanying it, the Bee Token ICO raised $5 million to build the service. The bad news is that the con artists made millions as well. Bees sting, even virtual ones, when you aren’t vigilant enough.
Experty ICO fundraisers ripped off
Crafty impostors brainwashed the backers of the Experty ICO into submitting $150,000 worth of Ether to their own wallet address in late January 2018.
For the record, Experty is a promising project aimed at setting up a VoIP service where customers can pay with cryptocurrency rather than fiat money. A lot of people got interested in this startup as it received positive feedback from reputable resources, including Inc.com that ranked it one of the top 10 blockchain-based initiatives to take root in 2018.
The scammers zeroed in on individuals who signed up for notifications from this ICO. They sent competently designed emails to those users, stating that pre-ICO sale of EXY tokens had kicked off and encouraging them to contribute some extra Ether. The main catch was that the crooks promised a bonus to those who would send funds within a 12-hour timeframe. This restriction put additional pressure on those interested and got them anxious about fitting in the deadline.
Obviously, the wallet address indicated in these emails had nothing to do with Experty. The hoax worked out regardless. The fraudsters’ wallet got 76 incoming transactions transferring more than $150,000 worth of coins since the rogue token sale announcement. However, there were reportedly more wallet addresses involved, so the total volume of “contributions” may be larger.
It is also noteworthy that the scammers obtained the list of Experty ICO wannabe investors by compromising the computer of one of the company’s employees who worked on Proof of Care documentation.
The bottom line
The whole craze around ICOs is a godsend to fundraisers and cybercriminals alike. There are lots of people willing to invest in new blockchain-powered initiatives, and some of them are completely bedazzled by anticipation of a quick bang for their buck. The most astonishing thing about ICO scams is that the malefactors defraud people of millions by leveraging ridiculously trivial tactics. A well-written email or Telegram message turns out to be convincing enough to get people paying up without questioning the offer’s legitimacy.
To steer clear of such scams, look for red flags that may accompany them. Having received an offer to invest in an ICO, be sure to check whether the wallet address indicated in the message has anything to do with the startup of interest. Also, examine the company’s website and social accounts for recent security alerts. Take care of your privacy and security, don’t list your email on public sources and use reliable VPN services. Finally, follow your intuition. If the deal sounds too good to be true, do some extra research and think twice before sending out your funds.
