ICOs are risky, potentially lucrative, and now a top target for threat actors looking to cash in.
Cyber attackers have managed to line their pockets with almost $400 million in cryptocurrency by targeting ICOs, a new study has found.
According to a new research report (.PDF) by Ernst & Young, over 10 percent of all funds changing hands during these events have been lost or stolen.
This equates to roughly $400 million in cryptocurrency from $3.7 billion in funding between 2015 and 2017.
Initial Coin Offerings (ICOs), or token sale events, have garnered the interest of investors in recent years. The events are an opportunity to fund cryptocurrency or Blockchain-related projects and companies and can prove lucrative in the long run.
ICOs have been popular enough to outstrip venture capital investments in Blockchain projects in recent years, despite the potential risks.
These events may be of interest to investors, but they are also a red flag for threat actors looking to cash in fraudulently.
Ethereum marketplace Enigma was gearing up for its ICO when a phishing campaign swindled $500,000 out of investors, while ICOs launched by CoinDash, Veritaserum, and EtherParty were all compromised by attackers last year.
These are only the most high-profile names to be targeted through ICOs, however, as the report found a total of 372 ICOs have been attacked in the last two years.
Hackers have been able to steal an average of $1.5 million per month through ICOs, and the report suggests that attackers "are attracted by the rush, absence of a centralized authority, blockchain transaction irreversibility and information chaos" of such events.
"Project founders focus on attracting investors and security is often not prioritized," the report says. "Hackers successfully take advantage -- the more hyped and large-scale the ICO, the more attractive it is for attacks."
The most common attacks are the substitution of wallet addresses at the time of the event -- as we saw with CoinDash -- the unauthorized access of private keys and the theft of funds from both wallets and exchanges.
The most common attack vector is phishing, followed by Distributed Denial-of-Service (DDoS) attacks, direct website compromise, employee attacks, and exchange hacking.
Calls have been made for more regulation and tighter security surrounding ICOs, with regulators worldwide now thrashing out ways to legislate these events and protect investor funds.
"As ICOs continue to gain popularity and leading players emerge globally, there is a risk of having the market swamped with quantity over quality of investments," said Paul Brody, EY Global Innovation Blockchain Leader. "These high-risk investments and the complexity of ICOs need to be managed to ensure their credibility as a means of raising capital for companies, entrepreneurs and investors alike."
On Monday, US Securities and Exchange Commission (SEC) regulator Jay Clayton warned businesses not to jump on the Blockchain bandwagon or offer ICOs without the expertise and regulatory backing.
The US agency has added ICOs and companies which have changed their name to something Blockchain or cryptocurrency-related without cause to their watch lists in the face of market disruption and surge share pricing due to the trend.