Hackers have glommed on to the frenzy around cryptocurrency, stealing large amounts of money as companies look to chase profits through initial coin offerings.
Over 10 percent of worldwide ICO proceeds — more than $370 million so far — have been swiped, according to new research from U.K. accounting firm EY and the Russian cybersecurity firm Group-IB.
The total works out to $1.5 million being stolen from ICOs per month.
Initial coin offerings (ICOs) are popular and infamously disorganized cryptocurrency crowdfunding events that have raised nearly $4 billion for startups.
“The speed and size of the ICO market draw hackers’ attention,” researchers wrote. “Hackers are attracted by the rush, absence of a centralized authority, blockchain transaction irreversibility and information chaos.”
The perfect case study came in July 2017 when hackers took over the Israeli cryptocurrency trading site CoinDash just 13 minutes into the site’s ICO. The attackers breached CoinDash’s website and altered the investment address in order to steal $7 million worth of the $13.4 million raised by crowdfunding — meaning the company received less than half of what investors pledged in order to receive the new cryptocurrency, which is also called CoinDash.
ICOs are marked by a rush to attract investors. Security is often largely an afterthought.
Hackers are relying on a host of techniques to steal funds: substituting wallet addresses, launching denial of service attacks, hacking web applications and exchanges, and breaching accounts of people tied to companies that are running ICOs.
Unsurprisingly, phishing is the most popular hacking tool employed during ICOs.
Bad security is just one aspect of the problems surrounding ICOs. EY analysts said ICOs are now synonymous with “hype, unjustified valuations and excessive risk.” They expect to see more active regulation and bans around the world.
China and South Korea outright banned the practice beginning last year, while dozens of other countries are debating regulatory actions.
In the U.S., where ICOs are legal and regulated, the SEC provides guidance on its website.