Lost in the excitement and ongoing momentum of the ICO craze is the fact that, despite the crowdfunding model’s enormous potential, we’re still surrounded by risks.
To date, there have been thousands of ICOs and token sales, and although many go off without a hitch or shock, there have been a shocking number of ICOs that end in investors losing their money. Sometimes, ICOs themselves are fraudulent, and they’re designed to steal users’ money. These scam ICOs have become a large problem, but the heavier regulation and oversight from most governments will likely curb them to a degree.
Many times, hackers and fraudsters will take advantage of an upcoming ICO to scam users in a variety of ways, from phishing attacks to more insidious methods. Statistics published in January 2018 by consultancy firm Ernst & Young showed that approximately 10 percent of all funds raised by ICOs between 2015 and 2017 were stolen by hackers—roughly $400 million in two years alone.
This year appears to be no different, with some major hacks already coming to light and it seems like everywhere we look, new stories of hacks are popping up. As recently as July, KICKICO, a support platform for ICOs, claimed that roughly $7.7 million worth of its tokens had been stolen via an elaborate attack. This is far from the only story I’ve seen, and ICO scams continue to harm the sector to the tune of millions of dollars.
In these cases, the problem is not finding the right ICO to invest in, but rather that even when they choose a legitimate company, they are still at risk of external hackers and others who may steal their funds. No matter how well-intentioned, the best ICOs and investors can even be victims in a variety of attacks that can get past the most robust security. It makes me wonder what we can do to protect ourselves, but the situation is not entirely hopeless.
Why It’s Hard to Avoid ICO Scams
The aforementioned Ernst & Young study had one other statistic that shocked me: the majority of funds lost to hacking attacks come from phishing attacks, which claim up to $1.5 million in funds stolen every month. Though that number may vary from month to month, it does illustrate an important point—it’s not always easy to spot an attack and even the most well-meaning ICOs are not fully safe from enterprising hackers or fraudsters.
The reality is that most of us who invest in ICOs are not always tech-savvy industry insiders. In many cases, people looking to participate in these sales are regular users who are excited about the project they’re funding or are looking for a way to enter the crypto market. Hackers have developed several methods to disguise their attacks by leveraging an ICO’s identity, and in some cases to attack ICOs directly.
Widely used phishing attacks can include something as simple as creating a fake website that is nearly identical to an ICO’s site but with a slightly different URL. For example, I’ve seen websites claiming to be Sentinel Protocol’s, but with a single letter changed in the URL. In this case, Sentinelprotocol.io would be changed to Sentinaprotocol.io. Most users wouldn’t look twice to confirm, but it could be catastrophic.
Other techniques include sending solicitous emails from official-looking accounts or impersonating team members on Telegram and other social media. In all of these cases, the goal is to get users to give away their personal information, share their wallet addresses or otherwise expose themselves to scams. Additionally, hackers can deploy malware and other software-based exploits that seek out vulnerabilities in wallets, exchanges and other related tools.
Other attacks are less personal and aim for flaws in software or the ICOs themselves. When my colleague Patrick Kim, founder and CEO of Sentinel Protocol, had over 7,000 ETH coins stolen directly from the Ethereum Mist wallet, the problem was so well hidden that he had to examine the source code to discover it. The culprit was a small line of code that duplicated transactions and secretly drained his account without him even realizing. The problem was only fixed after he publicly mentioned it to the foundation that created Geth-Mist wallets. While he was able to detect the issue, as he himself is the security expert, most people are not knowledgeable enough to realize why they’re hacked, so it’s difficult to guarantee they won’t be hacked again in the future.
The issue that stands out universally through all these cases is that, too often in the industry, the idea of decentralization has been translated as a lack of responsibility on the part of crypto organizations, even including the groups behind ICOs. In many cases, decentralization has been used to avoid the security and consumer protection concerns that other traditional IT companies would not have.
This means that the burden of protecting consumers falls on regular users like you, and as most of you are not cryptocurrency experts or tech-savvy developers. It can be hard to know how to spot scams or fraud, and even so, there are things everyone can do to be safer when searching for ICOs to participate in and to ensure that even when we invest we are still taking every precaution possible.
How to Avoid ICO Scams
Staying safe when participating in ICOs takes some work, but it is not impossible, regardless of your familiarity with the cryptocurrency world. The most important thing is to be aware and to closely examine every part of an ICO before participating and giving money to the company.
It begins by probing the website on a surface level to look for red flags that can stand out straight away. For scam ICOs, this includes things like checking website URLs and pages for things that may seem off.
Additionally, you should always ensure the tools you’re using—whether popular crypto wallets (both hot and cold), exchanges or other services—have track records and a reputation for prioritizing and providing user security. This includes using products that the community recommends, which are open source, and which are not afraid to share their security records.
Verifying the sources of your communications is also vital. Knowing the right Telegram channels, websites and usernames of team members can help you avoid disclosing sensitive information to the wrong person or the wrong channel. Vigilance is always a primary defense, but it can be hard as an individual to keep track of the many attacks and exploits faced by other investors.
The crypto community is familiar with fraudsters’ attempts to pass themselves as team members and demand additional coins or information. However, it can be difficult to keep track of every single one of these attempts. Vigilance is crucial, but it can be hard to do on your own. In the end, shared collective knowledge can be the best defense against a variety of attacks. This is why Sentinel Protocol is building the Uppward Chrome Extension—to help users catalog and learn about existing scams, and to protect themselves and others.
Difficult, But Not Impossible
Just as ICO scams present new types of threats to investors and companies alike, the solutions we use to combat them cannot be conventional. Using blockchain, which creates these problems, can offer the best defense. By leveraging the technology’s decentralized storage and sharing, and combining it with an incentivized economic model, we can create a stronger security network for regular users. While the concept of collective intelligence was not really feasible with centralized systems, blockchain is the ideal platform.
I envision a world where we can use collective intelligence to protect everyone from fraud and ICO scams. Imagine a world where a single platform can collect scam data from hundreds of projects and be accessible by any company looking to add security to their own sales. They could instantly block and blacklist hundreds of scam wallets, addresses and accounts, as well as cut off the avenues for hackers to reach you. Sentinel Protocol is working hard to make this safety net and is looking forward to leveraging its collective knowledge to better protect everyone.