Every Tenth Bitcoin and Ether Is Stolen from ICOs by Scammers
According to the Chainalysis report, one-tenth of the money invested in ICOs goes to online fraudsters. If you consider the most common causes – phishing and the replacement of crypto wallet addresses – it turns out that most of the "investors" suffer because of their own stupidity or carelessness.
Very often, we simply cannot tell for sure who hacked the site: hackers or the ICO organizers themselves. Most ICOs are not very difficult to hack. And, surely, the stupidity and non-systemic thinking of the ICO's employees and organizers is very often exploited in these hacks.
But the main problem lies elsewhere: you can theoretically protect yourself from a phishing attack, but it is extremely difficult for an investor to evaluate a project's technical security and its ability to withstand phishing attacks. Not just extremely difficult; the better word is impossible.
The only thing one can do is diversify. And you have to diversify literally everything: the ICOs you invest in, the wallets you use, the platforms on which you trade. Naturally, this will take time and resources. However, it will save you if hackers find a vulnerability in your wallet.
Need an example of a vulnerability? Take the fund satoshi.fund. Its funds could have been stolen using the vulnerabilities found by hackers. But the fund was lucky: its money was withdrawn by “white hats” and later returned. Still, for a couple of weeks the money was in limbo, and these were not the best weeks in their lives. And there are many cases that did not end so well.
The Number of Attacks Will Increase. Laws? Pff...
If we make a forecast for a year or two ahead, the number of attacks will increase, because this is easy money for hackers: it is easy to hide, and easy to exchange or withdraw funds. The number of security standards and security solutions will grow, too. It is quite possible that large platforms will enter the market, ones with more resources available to organize protection better and act as a kind of security service. Companies that offer insurance against hacking may also enter the market.
As for legislation, it does not really bother hackers. In some regions there are developments in this respect. Now and then we read about the FBI finding participants in hacks that happened two or three years ago. The number of solved cybercrimes will grow over time. On the other hand, punishment does not come instantly; there is always a delay that can last for years, and that emboldens hackers.
Human Factor and Work with Staff
During the pre-ICO of the Enigma Catalyst project, attackers stole about $500,000 that was transferred to a false ETH wallet. A large-scale phishing attack that used Mac malware was launched against the project staff.
In the information security field, standards were developed long ago, but we must understand that ICOs are “garage startups”, and we cannot always expect the standards to keep up with the pace at which projects appear.
But if you are a startup and decide to protect yourself from hackers, some measures can still be taken. At the very least, find out what PCI DSS is.
What else is important:
- Detailed instructions and a checklist for recruiting new employees;
- Instructions and a checklist for dismissing employees;
- Open port scanning;
- Running all internal resources through a VPN;
- A tightly controlled internal email system;
- Sending sensitive data only through secure communication channels: XMPP / OTR;
- Two-factor authentication everywhere;
- Restricting access to servers (and hiding servers, for example, behind Cloudflare).
Another thing that helps is putting yourself in the place of a hacker and thinking about how you would hack your own ICO. Perhaps this way you will find a couple of vulnerabilities yourself. Or you can pay people with a good reputation to audit the code and promise a bonus to those who find a vulnerability.
Certainly, cryptocurrencies, both Bitcoin and Ethereum, are becoming less and less anonymous every year. Sooner or later the coins will pass through an exchange and some specific person, and this person will be asked where he got those coins. There are several projects that help track coins, for example the above-mentioned Chainalysis.com.
The issue of hackers supposedly working for the North Korean government is being widely discussed now. They are accused of stealing Bitcoins for the North Korean budget. The media report that from 2013 to 2015 they stole about $90,000 worth of Bitcoins every month from their neighbor, South Korea.
Regardless of your attitude to such news, you should know about a solution that can significantly reduce those risks: cold storage. Cold storage is the name for a wallet that does not have access to the Internet. Such a wallet is much more difficult to hack. Cold storage has, in fact, already become the standard in the field of cryptocurrency security.
For companies, it is advisable to use wallets that require 2-3 signatures for transactions. This means that even if hackers steal a key from one of the owners, they will not be able to withdraw the money.
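
The multi-signature rule described above, as an added example that is not part of the original article: a 2-of-3 approval check in which an HMAC tag stands in for the wallet's real digital signature. The owner names, keys, addresses and function names are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys for three hypothetical key holders.
# Assumption: HMAC stands in for a digital signature, so the verifier holds
# every key; a real multisig wallet verifies public-key signatures instead.
OWNER_KEYS = {
    "alice": b"constructed-demo-key-alice",
    "bob": b"constructed-demo-key-bob",
    "carol": b"constructed-demo-key-carol",
}
THRESHOLD = 2  # 2-of-3 policy


def tx_digest(tx):
    """Canonical digest of the exact transaction each owner approves."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def approve(owner, key, tx):
    """Produce one owner's approval (name, tag) for this transaction."""
    return owner, hmac.new(key, tx_digest(tx), hashlib.sha256).digest()


def is_authorized(tx, approvals):
    """True only if THRESHOLD distinct owners approved exactly this tx."""
    digest = tx_digest(tx)
    valid_owners = set()
    for owner, tag in approvals:
        key = OWNER_KEYS.get(owner)
        if key is None:
            continue  # approval from an unknown signer is ignored
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            valid_owners.add(owner)  # set: repeats from one key count once
    return len(valid_owners) >= THRESHOLD


# Constructed sample transactions (placeholder addresses).
WITHDRAWAL = {"to": "0xCONSTRUCTED_DESTINATION", "amount_eth": 100, "nonce": 7}
ATTACKER_TX = {"to": "0xCONSTRUCTED_ATTACKER", "amount_eth": 100, "nonce": 7}

if __name__ == "__main__":
    stolen = OWNER_KEYS["alice"]  # the attacker holds exactly one key
    forged = [approve("alice", stolen, ATTACKER_TX)] * 2
    print("attacker with one key authorized:", is_authorized(ATTACKER_TX, forged))
```

Because each approval is bound to the transaction digest, an approval that another owner gave for a legitimate withdrawal cannot be reused to authorize a different destination.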