This week, the decentralized cryptocurrency marketplace was gearing up for its Token Sale, also known as an initial coin offering (ICO), in order to give thousands of users the chance to use their ethereum (ETH) to invest in virtual currency-related projects and products.
However, on August 21, Enigma sent out frantic messages to users, begging them to not send any ethereum to any wallet address as "certain Enigma accounts were under attack."
At the same time the warnings were sent out, some users said they had received very "convincing" emails concerning a "pre-sale" of tokens before the official ICO.
While some investors recognized the emails as a phishing scam, others did not -- and responded by sending their funds to cryptocurrency wallet addresses controlled by an attacker.
The marketplace claims that no company funds or wallet addresses were stolen, and user account information remains safe. However, for investors that already fell for the scam, this is hardly consoling.
Based on the fraudulent wallet address, of which funds are continually being transferred out of, it appears that up to $500,000 in ETH has been stolen.
Enigma says that the enigma.co domain was compromised, together with a Slack administrator account and mailing lists -- which allowed the hacker to send out phishing emails from a legitimate Enigma email address.
"WARNING: ENIGMA SLACK COMPROMISED, DO NOT SEND FUNDS.
Hi Everyone, our Slack channel and certain email lists have been compromised. We are working diligently to resolve the issues.
DO NOT SEND FUNDS TO ANY ADDRESSES.
We will provide further updates on the situation shortly. DO NOT SEND FUNDS."
In an email to users, Enigma said it was "deeply sorry" and the team "deeply regrets the harm that has been done to our community."
"[We] will work hard to make this right," Enigma says. "We're actively investigating the scam attempt and the parties involved with multiple partners, including law enforcement, vigilant members of our community, other companies in our space, and exchanges."
On Reddit, user iCantHack has suggested that the security practices of Enigma CEO Guy Zyskind are potentially to blame for the breach.
According to the user, the executive had admin access to Slack, the website, and the Google account where they hosted the "presale," and the attacker was able to use an old password contained in a previous data breach and dumped on the web to access his account -- of which the password had not been changed for over a year.
Those who have lost funds are asked to get in touch with the marketplace, although there is no confirmation at this time that refunds will be granted.
In July, during CoinDash's ICO, hackers pulled a similar trick to make off with $7.4 million in stolen funds. The unknown perpetrators allegedly compromised the CoinDash website at the time of the offering, simply tweaking the wallet address posted to collect investor funds to another that they controlled.
CoinDash quickly realized what had occurred and asked traders not to send any more virtual currency, but the damage had already been done.
Only a week later, a further $30 million in ETH was stolen from multi-sig wallets containing the cryptocurrency due to a security vulnerability. Among the victims who had their wallets drained were Swarm City, Edgeless Casino, and Aeternity.
In related news, last month the US Securities and Exchange Commission (SEC) said that in the future, token events and sales may be bound by federal securities law, which in turn may require ICO providers to register, reveal their financial positions, and name executives and operators.