Hacker phishes Experty ICO, steals $150,000 in Ethereum

Updated: The cyberattacker targeted ICO participants through a fraudulent "pre-ICO sale" scheme.
Written by Charlie Osborne, Contributing Writer

Experty's keenly-awaited ICO has dissolved into disarray after a hacker targeted investors and stole roughly $150,000 in Ethereum (ETH) ahead of the event.

Experty's Initial Coin Offering (ICO), also known as a token sale, is designed to raise funds for a "Skype-like voice and video application" which could also take secure payments through the Blockchain.

ICOs are similar to IPOs -- but may not be regulated in the same way -- and offer investors tokens in a project, rather than shares in a company.

Token sales can be a lucrative endeavor, not only for companies looking to raise funds outside of traditional banking methods but also for traders who invest in the early stages of projects which end up as a success.

However, these time-sensitive events and coin trades have also become a lucrative target for attackers seeking to fraudulently cash in.

Experty's ICO is expected to launch at the end of this month. As first reported by Bleeping Computer, an unknown threat actor sent fraudulent pre-ICO messages to Experty users who had signed up for announcements.

These phishing messages, while littered with poor spelling, urged users to invest within 12 hours to receive bonus Experty tokens (EXY) in exchange for their Ethereum.

The phishing email also contained a wallet address which is not associated with the company.

It appears that many fell for the scam, and while the wallet is now empty, a total of 74 transactions have been made in the last few days in ETH worth roughly $150,000.

Experty uses the Bitcoin Suisse service for handling token sales and so any transfers to this wallet are outside of the firm's control. In addition, it is possible that more than one wallet was used during the phishing scheme.

However, this does not mean the company is without fault. According to a statement posted on Medium, the hacker was able to find out the email addresses of Experty users as "one of [the company's] reviewers was compromised and hackers gained access to some information about users."

The information was stolen by compromising a PC belonging to a team member that was involved in conducting an Experty PoC (Proof-of-Care) review.

While any funds sent to Bitcoin Suisse are secure, this does not help matters for users whose information was leaked, leading to phishing.

Experty has acknowledged this and as a goodwill gesture will give 100 EXY tokens to everyone whose ETH address was in the firm's database.

For those that transferred ETH to the cyberattacker, however, this will not bring back their investment.

Bitcoin Suisse has also warned users not to send funds to the wallet.

"We are taking precautions and increasing security to ensure that this does not happen again," the company says. "The Experty community is our number one priority, and always has been. We will continue to work towards a safer and prosperous future, and we hope that you will be there with us."

Last year, CoinDash's ICO was compromised in a similar fashion. Rather than phish users, a hacker infiltrated the CoinDash website and changed the ICO's wallet address, stealing roughly $7.4 million in ETH in the process.

Veritaseum's ICO ended up in disaster hardly a week later after almost $8 million in VERI tokens were stolen. Ernst & Young estimates that between 2015 and 2017, hackers targeting cryptocurrency ICOs have managed to steal at least $400 million.

Update 11.22 GMT: In a new company statement, Experty has made a gesture to those who fell for the scam by promising to reimburse them for their losses. The company said:

"We are greatly saddened by the recent email scam that has targeted our community due to [the] recent data breach. We will be contacting the victims that are in our database in order to distribute the proportional amount of EXY tokens to them, including the bonuses for their tier, from our company allocation. If someone wishes to receive ETH instead, we ask them to please contact us privately about this."

Any Ethereum sent to the attacker's wallet after the time of this announcement -- 21.30 UTC -- will not be refunded, to prevent "people purposely sending money to the scam address to receive EXY tokens," according to Experty.
