Phishing Scam: Hackers Steal $150,000 in Ethereum from Experty ICO

Por Wagas em 29/01/2018 no site HackRead

Just a week after the biggest hack in the history of cryptocurrency business in which Japan-based Coincheck exchange was hacked to steal $534 million the much-awaited token sale called Initial Coin Offering or ICO by Experty has landed in no man’s land after a hacker tricked the ICO participants with a fake pre-ICO sale announcement and luring those who signed up for the notifications into sending Ethereum funds to wrong wallet address. Through this targeted attack, the hacker(s) manages to steal around $150,000 in Ethereum before ICO event was held.

ICO is quite similar to a conventional Initial Public Offering or IPO but what makes it different is that buyers receive a token from an online platform instead of getting stocks in a firm. Users are allowed to keep the token until the company that issues them is ready to repurchase them. They may even sell the tokens to others who us Ethereum.

Through ICO, Experty was looking to raise funds for a VoIP calling system that could facilitate voice and video conversations like Skype as well as allow secure cryptocurrency based payments via Blockchain. Experty had high hopes in this sale since Inc.com ranked this ICO as one of the top ten ICOs due to be held this year.

Phishing Scam

What actually happened was that between January 26 and 27, Experty users who receive the announcement and signed up for notifications were asked through email to send funds to an Ethereum wallet in order to buy EXY tokens and participate in the ICO. This was a fake email because the real ICO by Experty was to be held on January 31st; hence the email was sent by a hacker and the wallet address was also not owned by the Expert team.

Fake email address sent to Experty users

The fake Ethereum wallet address has at least $150,000 worth of funds that got collected through 71 transactions. It is worth noting that Experty has tied up with Bitcoin Suisse to initiate transactions. Now, both the firms are requesting users to not send money to the fake wallet.

According to the official statement, Experty and Bitcoin Suisse state that the hacker compromised the computer of one of the people who conducted the Proof-of-Care review for Experty. Initially, Experty stated that it will be giving 100 EXY tokens to every individual in its email database, which is equivalent to $120. However, now the company has announced additional compensation for users who managed to send the funds into the fake wallet.

Bitcoin Suisse also issued a statement claiming that the data that was submitted to Experty’s website has been hacked and compromised but nothing from Bitcoin Suisse has been exposed. Investors in ICO are recommended to double-check the wallet addresses sent by any project team before making transactions. They can use services like Clearify.io platform to verify the new address.

Refunds Due To The Data Breach

In a statement issued on January 28th, the company will be refunding its customers. 

“We will be contacting the victims that are in our database in order to distribute the proportional amount of EXY tokens to them, including the bonuses for their tier. If someone wishes to receive ETH instead, we ask them to please contact us privately about this.”

Any ETH sent to the scammer after this announcement [January 28, 2018, at 21:30 UTC] will not be refunded in order to prevent people purposely sending money to the scam address to receive EXY tokens.”

10th Breach Against A Cryptocurrency Platform In Last 6 Months

1: July 4th, 2017: Bithumb hacked and 1.2 billion South Korean Won stolen.
2: July 17th, 2017: CoinDash hacked and $7 million in Ethereum stolen.
3: July 24th, 2017: Veritaseum hacked and $8.4 million in Ethereum stolen.
4: July 20, 2017: Parity Technologies hacked and $32 Million in Ethereum stolen.
5: August 22nd, 2017, Enigma marketplace hacked and $500,000 in Ethereum stolen.
6: November 19th, Tether hacked and $30 million worth of tokens stolen.
7: December 7, 2017: NiceHash hacked and $70 million stolen.
9: December 21, 2017: EtherDelta hacked and $266,789 in Ethereum stolen.
10: January 26th, 2017: Coincheck hacked and $534 Million stolen

Oh, Crap! Someone Accidentally Triggered A Flaw That Locked Up $280 Million In Ethereum

Mohit Kumar em 07/11/2017 no site The Hacker News

Horrible news for some Ethereum users.

About $300 million worth of Ether—the cryptocurrency unit that has become one of the most popular and increasingly valuable cryptocurrencies—from dozens of Ethereum wallets was permanently locked up today.

Smart contract coding startup Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced earlier today that its "multisignature" wallets created after this July 20 contains a severe vulnerability that makes it impossible for users to move their funds out of those wallets.

According to Parity, the vulnerability was triggered by a regular GitHub user, "devops199," who allegedly accidentally removed a critical library code from the source code that turned all multi-sig contracts into a regular wallet address and made the user its owner.

Devops199 then killed this wallet contract, making all Parity multisignature wallets tied to that contract instantly useless, and therefore their funds locked away with no way to access them.

"These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address," devops199 wrote on GitHub.

"I made myself the owner of '0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4' contract and killed it and now when I query the dependent contracts 'isowner(<any_addr>)' they all return TRUE because the delegate call made to a died contract."

Parity multisignature wallets also experienced a vulnerability in July this year that allowed an unknown hacker to steal nearly $32 million in funds (approximately 153,000 units of Ether) before the Ethereum community secured the rest of its vulnerable Ether.

According to Parity, a new version of the Parity Wallet library contract deployed on 20th of July contained a fix to address the previously exploited multi-sig flaw, but the code "still contained another issue," which made it possible to turn the Parity Wallet library contract into a regular wallet.

The vulnerability affected Parity multi-sig wallets that were deployed after July 20—meaning ICOs (Initial Coin Offerings) that were held since then may be impacted.

So far, it is unclear exactly how much cryptocurrency has disappeared due to this blunder, but some cryptocurrency blogs have reported that Parity wallets constitute roughly 20% of the entire Ethereum network.

This made researchers familiar with the space estimating around $280 Million worth of Ether is now inaccessible at this time, including $90 million of which was raised by Parity's founder Gavin Woods.

Parity froze all affected multi-sig wallets (that is millions of dollars' worth of Ethereum-based assets) as its team scrambles to bolster security. The team also promised to release an update with further details shortly.

Explorações, hacks, phishing e Ponzi estão crescendo no Ethereum

Por  

Wassim Bendella

Em 20/08/2017 no site The Cointelegraph

ALTCOIN WATCH

Em essência, o Ethereum se estendeu sobre o meio de pagamento do Bitcoin, adicionando uma rica linguagem de programação que permite a execução de contratos inteligentes.

Embora esta tecnologia inovadora tenha atraído uma grande quantidade de entusiastas de criptomoeda que tenham tido um grande potencial, também tornou-se o lar do cibercrime de forma significativa.

Como é frequente no caso das novas tecnologias, os hackers o abraçaram e roubaram milhões de dólares nos últimos anos.

O primeiro grande incidente de cibercrime

Muitos entusiastas da criptomoeda recordam o mês de junho de 2016 como o mês do primeiro grande incidente de cibercrime no Ethereum. A rede começou a ganhar impulso quando O Projeto DAO foi anunciado, e a ICO conseguiu levantar US$ 150 milhões.

Tal montante inevitavelmente atingiu o interesse dos hackers que começaram a explorar o código do projeto e, finalmente, encontraram um "bug". Ele foi usado para drenar US$ 74 milhões do total arrecadado, que representa quase 40% do total de fundos da ICO.

Enquanto alguns deles foram recuperados, o incidente soou um primeiro alarme vermelho e exigiu mais segurança e cautela ao lidar com o Ethereum.

O surgimento dos ladrões de Ether

Uma vez que o Ethereum se torna relativamente fácil para os desenvolvedores construir contratos inteligentes complexos e aplicativos autônomos descentralizados (DApps) e, dado o aumento do preço do ETH, tornou-se a plataforma de escolha para essas vendas de token que se tornaram mais populares do que nunca.

"O aumento do cibercrime no Ethereum aumentou em conjunto com o grande financiamento de ICOs, com a receita total de cibercrimas aumentando de US$ 100 milhões em junho para US$ 225 milhões em agosto deste ano".

Fonte: Chainalysis

Não só essas ICOs paralizaram o Blockchain regularmente, mas também há um risco de segurança significativo associado a tais projetos. A Chainalysis estima que, dos US$ 1,6 bilhão investidos nas ICO neste ano, US$ 150 milhões acabaram nas mãos dos cibercriminosos.

Em outras palavras, 10 por cento dos fundos levantados vão parar em mãos erradas. Isso representa aproximadamente 30.000 vítimas, perdendo uma média de US$ 7.500 cada.

Explorações, hacks, phishing e Ponzi

Os cibercrimes comuns no Ethereum podem ser categorizados em quatro categorias: explorações, hacks, esquemas de phishing e Ponzi.

A maior exploração de arrecadação foi o DAO, mas outros US$ 30 milhões foram roubados da carteira Parity em junho de 2017.

Enquanto alguns cibercriminosos optaram por hacks e explorações de alto perfil, o phishing atualmente está gerando mais receita.

Atualmente, ele representa mais de 50 por cento de todas as receitas cibercriminais geradas este ano a frente das explorações que às vezes recebem a maior cobertura na imprensa devido à sua natureza.

Cybercrime	Stolen funds	Number of victims
Phishing	115,000,000	16,900
Exploits	103,000,000	11,000
Hacks	7,400,000	2,100
Ponzi	4,000	260
Total	225,400,000	30,260

Cibercrime - Fundos roubados - Número de vítimas

As estatísticas sobre o cibercrime no Ethereum são possíveis devido à natureza pública do Blockchain que permite a análise e auditoria de transações feitas na rede.

Mais e mais soluções são lançadas para manter as abas nas tendências Blockchain e extrair a inteligência delas.

A tecnologia Ethereum está melhorando, e os desenvolvedores estão escrevendo contratos mais seguros que são tendências positivas. No entanto, proteger os usuários do phishing é uma questão diferente.

O Ethereum Scam Database, que foi criado em 2017 pela equipe MyEtherWallet, identifica e lista regularmente os golpes em andamento, e vale a pena verificar antes de investir em um ICO.

Warning: Enigma Hacked; Over $470,000 in Ethereum Stolen So Far

Mohit Kumar
em 20/08/2017 no site The Hacker News

More Ethereum Stolen!

An unknown hacker has so far stolen more than $471,000 worth of Ethereum—one of the most popular and increasingly valuable cryptocurrencies—in yet another Ethereum hack that hit the popular cryptocurrency investment platform, Enigma.

According to an announcement made on their official website an hour ago, an "unknown entity" has managed to hack their website, slack account and email newsletter accounts, and uploaded a fake pre-sale page with a fake ETH address to send money.

The hackers also spammed their fake address in Enigma's newsletter and slack accounts for pre-sale coins, tricking victims to send their cryptocurrencies to hacker's address.

Etherscan, a popular search engine for the Ethereum Blockchain that allows users to look up, confirm and validate transactions easily, has already flagged the address as compromised, but people are still sending ETH to the fake address (given below).

0x29d7d1dd5b6f9c864d9db560d72a247c178ae86b

At the time of writing, the hackers have made over 1,487.90 Ether and are still receiving payments.

The hack comes a few days after Enigma posted an article, educating users on how to avoid phishers, scammers, spammers, and stay safe during a token sale.

"As we work hard to build the future of data and crypto trading and investing, we want to take a few moments to talk about safety," Enigma Project wrote in the blog post. "Due to our strong growth, our community has become a target. The worst elements of the crypto scene—scammers and phishers—are attracted to good projects and good communities."

This incident marks as the fifth Ethereum hack within two months, following a theft of:

• $8.4 Million worth of Ethereum during Veritaseum's Initial Coin Offering (ICO).
• $32 Million worth of Ethereum from Parity's Ethereum Wallet accounts.
• $7 Million worth of Ether during the hack of Israeli startup CoinDash's ICO.
• $1 Million worth of Ether and Bitcoins heist in cryptocurrency exchange Bithumb.

At the moment, it is unclear how the attackers broke into the Enigmas network and hacked their website, slack account and email newsletter accounts.

Since cryptocurrency enthusiasts and investors are still sending their Ethereum to the fake address, you should share this story to warn your friends and followers.

Hacker Uses A Simple Trick to Steal $7 Million Worth of Ethereum Within 3 Minutes

Mohit Kumar
Em 17/07/2017 no site The Hackers News

All it took was just 3 minutes and 'a simple trick' for a hacker to steal more than $7 Million worth of Ethereum in a recent blow to the crypto currency market.

The heist happened after an Israeli blockchain technology startup project for the trading of Ether, called CoinDash, launched an Initial Coin Offering (ICO), allowing investors to pay with Ethereum and send funds to token sale's smart contact address..

But within three minutes of the ICO launch, an unknown hacker stole more than $7 Million worth of Ether tokens by tricking CoinDash's investors into sending 43438.455 Ether to the wrong address owned by the attacker.

How the Hacker did this? CoinDash's ICO posted an Ethereum address on its website for investors to pay with Ethereum and send funds.

However, within a few minutes of the launch, CoinDash warned that its website had been hacked and the sending address was replaced by a fraudulent address, asking people not to send Ethereum to the posted address.

But it was too late, as the little change of address had already redirected cryptocurrencies sent by investors into the wallet of the hacker.

"It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event," reads a statement posted on the company's official website. 

"During the attack, $7 Million was stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants, and we are grateful for your support and contribution."

CoinDash doesn't know who is responsible for the attack, and the worst part is that the company is still under attack.

Investors are strongly advised to DO NOT send any Ether (ETH) to any address on the site, as CoinDash has terminated the Token Sale.

According to a CoinDash Slack channel screenshot posted to Reddit, CoinDash realised what was happening within 3 minutes, but it was too late.

Some people even believe that the incident was not a hack, rather an insider's job. One user said: "Is there any proof that this was a hack. What if Coindash put an address in and then cried hacker to get away with free ETH?"

The CoinDash website is offline, at the time of publication, and the company is asking affected investors who sent their Ether to the wrong address to collect the CoinDash token (CDT) by submitting information to this link.

However, investors sending Ether to any fraudulent address after the website was shut down will not be compensated.

"CoinDash is responsible to all of its contributors and will send CDTs [CoinDash Tokens] reflective of each contribution," the company noted. 

"Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly."

This isn't the first time an ICO funding has been hacked. Last year, $50 Million was disappeared after hackers exploited code weaknesses in the Decentralised Anonymous Organisation (DAO) venture capital fund.

A criptomoeda de Silicon Valley chega a Lisboa

Por I9 Magazine

Em 12/07/2017

efconsulting

Criado por Justin Wu, um norte-americano a viver em Portugal, e por Fernando Moreira, o fundador da Angry Ventures, o Etherify é o primeiro Blockchain Venture Studio “made in Portugal”. O conceito inovador importa conhecimento dos principais polos tecnológicos do mundo e vai buscar a Silicon Valley, Dubai, Nova Iorque, Londres e Singapura a inspiração para educar, inovar e desenvolver produtos com base em Blockchain.

Numa fase inicial, a empresa dedicar-se-á maioritariamente à educação. “Em Portugal, existe ainda uma comunidade muito reduzida de pessoas que realmente sabem o que é o Blockchain. A grande maioria das empresas ainda não acordou para esta realidade e é por isso que o primeiro passo deve ser educar”, afirma Justin Wu.

Apesar do lado educativo, a empresa não esconde a vontade de acompanhar processos de inovação e de ajudar estas empresas a lançar projetos inovadores. “Para já, o foco é chamar a atenção para as potencialidades do Ethereum, mas no futuro gostávamos muito de ser parceiros destas empresas e trabalhar em conjunto”, complementa Fernando Moreira.

Ainda que recente, o lançamento tem chamado a atenção de possíveis investidores. “Temos recebido bastantes contactos de pessoas que têm projetos ou que apenas querem saber mais”, conta Justin Wu.

Nesta fase inicial, o objetivo será entrar em contacto com empresas de grande dimensão de áreas como a banca, fintech ou inovação. Na perspetiva de Fernando Moreira, são estas as que mais têm a ganhar com a aposta no Ethereum, apesar de todas as áreas poderem ser impactadas pelo poder do Blockchain.

Mas, o que é o Ethereum? E o Blockchain?

Com uma valorização galopante, o Ethereum é apontado pelos especialistas como a unidade monetária do futuro. O conceito abre as portas para a “Internet of Agreements”, onde qualquer pessoa ou entidade pode contratar outra de forma automática e sem intermediários. Esta possível realidade faz antever uma mudança drástica nas dinâmicas económicas e sociais: além de poupar tempo e dinheiro, o Blockchain permitirá que a “Internet of Things” se concretize em grande escala, mecanizando a economia.

A moeda digital, o Ether, existe online, recorrendo ao Blockchain, uma rede de computadores ligados entre si sem que sejam necessários servidores. Sempre que existe uma alteração no Blockchain, um protocolo de validação é gerado e distribuído por toda a rede, garantindo a precisão da informação sem que sejam necessários intermediários, como por exemplo entidades bancárias, tecnológicas ou governamentais. É neste ecossistema que existe o Ether, moeda digital sem fronteiras e cujo valor é muito superior ao euro (1 ether corresponde a cerca de 300 euros).

Quais as principais vantagens do Blockchain?

Como principal vantagem o Blockchain propõe-se a terminar com os intermediários. Todas as operações ou transferências (monetárias ou de informação) são feitas diretamente no Blockchain, sem que sejam necessárias taxas associadas. A total integração do sistema, permitirá também a partilha de informação por parte de diferentes serviços. Imagine, por exemplo, um cenário em que a reputação positiva numa plataforma de compras poderá ser utilizada para atestar a sua fiabilidade noutra plataforma completamente distinta.

Apesar de todas as vantagens, uma coisa é certa: a nova realidade trará desafios para empresas e governos. Em Silicon Valley já são várias as empresas a aceitar pagamentos em Ether. Do ponto de vista governamental, o Dubai é pioneiro: este ano, foi anunciado um programa que visa espalhar o Blockchain pela cidade. Neste último caso, o objetivo é substituir a documentação física por documentos inteligentes. Desta forma, será possível reduzir a carga processual, aumentando, em simultâneo, a segurança dos dados.