Crypto ICOs Lose 10% of Funds to Hackers

Almost $400m has been stolen from initial coin offerings (ICOs) in the past, with phishing the most commonly used technique for cyber-attackers, according to Ernst & Young.

The global consultancy’s latest research highlighted major risks in the capital raising process for new crypto-currency organizations.

Some 10% of all ICO funds are lost to hackers, who are “attracted by the rush, absence of a centralized authority and blockchain transaction irreversibility,” the report claimed.

Phishing nets attackers up to $1.5m per month either by tricking the recipient into making a fund transfer or handing over the private keys to their digital wallets.

“Criminals use DDoS attacks to disable the original site and publish phishing site addresses on web forums and social media that promote ICOs,” the report continued. “Investors, driven by FOMO, do not check the site, and transfer funds to the criminal’s address. The likelihood of crypto funds being returned is close to zero.”

Hackers also target the exchanges themselves: in fact, $2bn has already been lost globally via this route and the frequency of attacks is increasing, according to Ernst & Young.

“Most exchanges do not disclose policies and controls over personal data storage and use. This represents great value on the black market and chances of its misuse are high even without a breach,” the report claimed.

Arseny Reutov, blockchain security expert at, explained that ICOs could do several things to protect themselves, starting with ensuring that the underlying code of smart contracts is purged of any vulnerabilities.

“Secondly, organizations must ensure that the web applications their ICO use are being monitored and protected in real time – all the security of the blockchain means nothing if a hacker can misdirect funds from the web page,” he added.

"Finally, there is the human factor. A major risk here is that open source intelligence will be used to target members of the team – our own research suggests that every ICO has a team member whose password can be found online. ICOs must do everything within their power to stop investors being tricked by phishing attacks.”

What’s Hot on Infosecurity Magazine?