According to reports, nearly $500,000 worth of Ethereum were stolen by hackers who manipulated users into sending money to their cryptowallet by altering the enigma.co website, posting messages using a Slack administrator account, and sending spam emails to the company’s mailing lists. The messages created a false sense of urgency for the company’s prospective customers via a presale announcement.
Enigma posted an advisory on their Twitter account on August 21 that warned users of the attack. The company clarified that the presale could only be conducted via a Simple Agreement for Future Tokens (SAFT), which is a legal document required for legitimate transactions. They also clarified that the actual website that will offer the tokens remains unaffected and that the September 11 ICO will push through as planned.
According to speculation from the EthTrader subreddit, the incident may have stemmed from a separate hack involving Enigma CEO Guy Zyskind's email, which resulted in information about Zyskind’s email address being dumped on the web. This same information was eventually used to pull off the attacks.
This comes just a little over a month after similar cryptocurrency theft incidents on other trading platforms such CoinDash, which were also conducting their own ICO, and Classic Ether Wallet, which hosts the Ethereum Classic (ETC) cyptocurrency. ICOs—which offer investors the opportunity to use cryptocurrencies in various projects—are not under any form of regulation as of the moment. However, this might change in the near future as the Securities and Exchange Commission (SEC) recently announced that ICOs fall under securities regulations, which will place stricter measures in place for future ICOs.
The Enigma fiasco once again highlights that despite the advantages of cryptocurrencies, it is still prone to attacks from cybercriminals who are looking to take advantage of the still largely-unregulated industry. Cryptomining malware is only a part of it, as cybercriminals can use psychological engineering to turn basic spam and phishing attacks into effective attack vectors. By implementing measures that aim to mitigate these kinds of attacks, users can ensure that they don’t fall victim to malicious elements. This incident also highlights the need to properly secure online accounts, as a single compromised account can lead to huge losses for both the company and its customers.