Eager would-be investors in the Bee Token Initial Coin Offering (ICO) have fallen prey to a simple phishing scheme in which scam artists managed to steal roughly $1 million in cryptocurrency.
As reported by Bleeping Computer, hundreds of investors fell for the phishing scam over the last week.
The phishing emails purported to come from Bee Token and urged investors interested in participating in the ICO to send funds in Ethereum to wallets under the scam artists' control.
Bee Token's ICO began on 31 January and ended on 2 February after raising its 5000 ETH hard cap target ahead of schedule.
The "home sharing economy" startup wants to build a decentralized blockchain-based marketplace for hosts, guests, and mediators involved in rentals and disputes.
As the ICO launched, Bee Token became aware that the scammers had begun phishing and quickly issued a set of security updates asking users not to send their Ethereum (ETH), the cryptocurrency of choice in the ICO, to any wallet address outside of the firm's official website and statements.
Three wallets connected to the phishing scheme contained close to $1 million at the time the ICO ended. However, it is possible that more wallet addresses were used in the phishing scheme and additional funds were stolen.
Bee Token said it was aware that some users had received fraudulent emails and said, "we are taking this matter very seriously and are actively reviewing the situation."
"At this time, we have no evidence that any of Bee Token's systems were compromised in this event," the startup added. "We will update the community as appropriate once we have additional information."
In the meantime, some participants have vented their frustration at the operation of the ICO and the high lock price of the token in comparison to pre-sale rates.
ICOs have become a potentially lucrative event not just for investors but also for cyberattackers. Last month, Experty users keen to invest in the platform's ICO were targeted in a pre-ICO phishing campaign and were swindled out of roughly $150,000 in Ethereum.
As information stolen from an Experty team member was used to target the investors, the company has offered refunds in tokens, or potentially ETH, to victims.
Due to the risk of scams in relation to ICOs, Facebook has banned cryptocurrency and ICO advertisements.
According to Ernst & Young, between 2015 and 2017, threat actors were able to steal close to $400 million by attacking ICOs alone.
The most common attack vectors are the unauthorized access of private keys, the theft of funds from both wallets and exchanges, and a simple switch of wallet address at the time of the ICO or in "pre-ICO" phishing email scams.
Update 7.2 10.00GMT: Bee Token has revealed additional details on why interested investors were targeted.
"There was unauthorized access to one of Bee Token's third-party vendors (which we have since terminated usage). The data that was potentially accessed includes email addresses, first names, and last names only, and this impacted [less than] 1 percent of our email list.
"We have no evidence that Bee Token itself was compromised by this event. We have not identified any malicious activity in our database, and also confirmed with Onfido that your KYC data was not affected by this event."