Blog | Four Ways Criminals Are Exploiting Interest in Initial Coin Offerings

February 1, 2018

Initial Coin Offerings (ICOs) are a way of crowdfunding cryptocurrencies and cryptocurrency platforms. By the end of 2017, almost $4 billion was raised in this way. However, as consumers rush to be the first to invest in a promising new cryptocurrency or platform, their investments can instead go into the account of criminals. These criminals seek make their money in four main ways:

  • Targeting genuine cryptocurrency platforms
  • Exit scams
  • Imitating or spoofing cryptocurrency platforms
  • Price manipulation

This is only one aspect of cryptocurrency fraud, but you can learn more in our latest research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud.


Targeting Genuine Cryptocurrency Platforms

At the end of January, a Japanese cryptocurrency exchange platform called Coincheck announced the theft of over $500m in NEM. The cryptocurrency NEM has since stated that attackers targeted a vulnerable wallet that had not used the currency’s available security features. $530 million surpasses the record set by Mt Gox in 2014.

Targeting these platforms doesn’t have to be complex. In July 2017, criminals compromised the CoinDash website, replacing the initial Ethereum address to one controlled by the attacker. This new address received at least 2,314 payments from prospective CoinDash investors, totaling over 40,000 Ether. Over $7 million in Ethereum had been transferred to the fake address by the time CoinDash noticed the issue and suspended the ICO.


Figure 1: Attacker’s Ether wallet during CoinDash ICO in July 2017


More recently, the Initial Coin Offering for blockchain application company Experty was targeted by actors who sent phishing emails to potential coin buyers, prompting them to send funds to an attacker-owned wallet in return for a 33% bonus. The attacker’s wallet reached about 125 Ether ($125,000). We’ll be digging into approaches to phishing and account takeover against cryptocurrency holders in a future blog.


Exit scams

An exit scam refers to those cryptocurrency or platforms that are established with the plan to attract many customers before disappearing and stealing all the funds. There have been a host of exit scams in 2017 and 2018, including Confido, Benebit and Plexcoin.

This week, the US Securities and Exchange Commission (SEC) claimed to have shut down an alleged Initial Coin Offering scam by AriseBank. The site claims to have raised over $600 million of their $1 billion goal. The SEC determined that AriseBank had violated security regulations as they were selling financial products that required the firm be registered with the SEC. While the SEC has put a concerted effort into identifying and assessing potentially fraudulent ICOs, the sheer number of new cryptocurrency products and platforms means exit scams will likely continue for some time.


Spoofing Cryptocurrency Platforms

Rather than create their own new cryptocurrency, criminals can also impersonate existing platforms. A recent example is the announcement that Telegram would be launching its own coin, which has led to a host of different spoof domains hoping to lure unsuspecting consumers into investing on the wrong platform. Despite Telegram stating that any announcement would be first done on Telegram, this has not stopped the creation of several spoof sites. Grampreico[.]com (shown below) is one such example, making $2000 to date.

Figure 3: Grampreico[.]com claiming to be the initial coin offering for “Gram” token

A different, though similar, approach is to register a similar looking domain and clone the contents of the target website. Myetherwallet[.]uk[.]com is a good example of a spoof site, a site that offers the ability to access your wallet through providing them with your private key.

Figure 4: Spoof site for myetherwallet[.]com


Cryptocurrency Price Manipulation

Just as traders illegally inflate prices of stock in the real world, so too do groups of cybercriminals. This technique is known as “pump and dump”, and several online groups exist to inflate the price of smaller, less well-known currencies in order to cash in on the increase in value.

Figure 5 shows the process followed by one Discord “pump” group, describing how they first “spread great news on twitter and Reddit”, before “mass retweet, like and react on the tweet”.

Figure 5: A description of how “pump and dump” works, as described in one Pump and Dump Discord group


Questions to Ask Yourself Before Investing in an ICO

ICOs can be a great way for consumers to identify promising coins and platforms early on and profit from their rise. However, potential investors should be wary of sites or seller with unsolicited offers, or coins that guarantee high returns without solid justification. Three questions you can ask yourself are:

  1. Does the coin you are looking to invest in have an active online community with engaged developers?
  2. Have other online users reported the coin as a scam?
  3. Does the coin’s documentation hide behind marketing jargon that makes no effort to explain the technical aspects?

For those that do invest, make sure you have strong password hygiene and make use of multifactor authentication to secure your accounts.

To learn about other tactics, including account takeover and crypto jacking, download a copy of our research paper, The New Gold Rush: Cryptocurrencies are the New Frontier of Fraud or listen to our podcast below:

Subscribe to our weekly newsletter to get the latest podcast and other research by Digital Shadows.

Previous Report
6 Considerations When Purchasing Threat Intelligence
6 Considerations When Purchasing Threat Intelligence

When selecting the optimal CTI solution for your organization, buyers should use CARTER as a guide to asses...

Next Video
[On Demand Webinar] Cryptocurrency Fraud
[On Demand Webinar] Cryptocurrency Fraud

Cybercriminals have developed several schemes to defraud those looking to profit from the growth in cryptoc...


Request a Live Demo

First Name
Last Name
Phone Number
Job Title
Thank You
Error - something went wrong!