Cybercriminals have just managed to steal 7 million dollars in three minutes flat, using a fairly simple method. The victims will be hard put to recover their money. Welcome to the savage world of ICOs (Initial Coin Offering), the form in which blockchain-based decentralized application projects raise funds to get going. And they are a juicy target for cybercriminals.
What are decentralized applications?
Decentralized applications (Dapps for short) are independent open-source apps (they are not under the majority control of any organization) that work autonomously. They are implemented on a blockchain or, if you prefer, they are DLT platforms (Distributed Ledger Technology).
To be able to use a Dapp you first need to get hold of its so-called token. Tokens might be likened to non-coin-operated fairground bumper cars. First of all you have to buy a plastic disc to start up the bumper car. A token can be seen as the Dapp-access disc (with ancillary access to other things like voting capacity). The most widely known example of a token is bitcoin. Bitcoins enable you to access the eponymous network to buy and sell goods and services, paying with bitcoins.
Tokens are acquired with cryptocurrency like bitcoins or ethers (the Ethereum cryptocoin is probably the second most popular Dapp after Bitcoin). It is the Dapp developers who decide which cryptocoins can be used for the purchase. The cryptocurrency-enabled purchase is carried out by means of a transfer between the virtual wallets of both parties, along the lines of a transfer between bank accounts. Each virtual wallet is associated with a designated address, just as bank accounts are identified by their particular client account code (CCC in Spanish initials). The difference lies in the fact that any individual can create a virtual wallet without the need of a bank acting as third party; furthermore, the cryptographic technologies lying behind blockchain guarantee the anonymity of the wallet owner.
Tokens can also become a coveted investment item. In our fairground analogy above, if the dodgem ride becomes very popular, we might consider buying up many dodgem-operating discs (tokens) low and selling them high when the market peaks. There is nothing new under the sun.
What are ICOs?
The project-financing arrangement dreamed up by Dapp developers is the public token offering. And the term “Initial Coin Offering” (ICO) has now been “coined” (the metaphor has never been more literal) to denominate this process. For the reasons explained above, it is not the actual coin that is offered but the tokens. It might have been more logical to have called it the “Initial Token Offering”, but …
ICOs seek the same objective as an IPO (Initial Public Investment) of start-ups, albeit with some notable differences.
The best way of getting an initial grip on how an ICO works is to think of a crowdfunding campaign on, for example, Kickstarter. There are some who claim that ICOs are Kickstarter on steroids plus blockchain. And without any supervision at all.
Basically the ICO kicks off with a big-splash announcement to attract investors, with some notice of the start date (the offering itself is then usually open for a few days or a week).
And this is where the differences kick in. Thousands of people eager to invest, trying to buy the coveted tokens. Expectations are such that millions of dollars may be transferred in a matter of minutes. Thousands of would-be investors with their hopes pinned on the vogue Dapp of the day, transferring thousands of dollars in cryptocurrency to virtual wallets with no confirmation of success until half an hour afterwards. A scene that calls up stock market brokers. And there is no official confirmation of the token purchase until the end of the ICO term (which, I repeat, may be days or weeks). Count me out, guys.
In the scenario described above (an authentic jungle, decentralized and unsupervised) it is by no means rare for a criminal to try “to fish in troubled waters”. Techniques like phishing are becoming the order of the day.
CoinDash ICO Fraud
Last July, during only the first three minutes of the CoinDash ICO, hackers made away with about 7 million dollars in ethers (the Ethereum cryptocoin). About 2100 transactions were made into the virtual wallet of the cybercrooks, who had managed to hack into the website that gave the address of the ICO virtual wallet and switch it for their own. About €2800 (on average) per transaction down the chute.
It will be very hard to get this money back, given the lack of supervision in this area and the difficulty of identifying the hackers. Some even suspect an inside job from within the platform. We’ll see.
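A defensive check for the kind of address swap described in the CoinDash incident above, as an added example that is not part of the original article: it scans a page's HTML for Ethereum addresses and compares them with a copy of the official address pinned out of band. The addresses, sample HTML and function names are constructed for illustration.

```python
import re

# A 20-byte Ethereum address: "0x" + exactly 40 hex digits. The look-arounds
# keep longer hex strings (e.g. 32-byte transaction hashes) from matching.
ADDRESS_RE = re.compile(r"(?<![0-9a-fA-F])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")


def addresses_in(html):
    """Return the distinct addresses found anywhere in the markup, lower-cased."""
    return {m.group(0).lower() for m in ADDRESS_RE.finditer(html)}


def check_page(html, pinned):
    """Compare the addresses a page shows with the pinned official address.

    Returns (verdict, unexpected): 'swapped' if any other address appears,
    'missing' if the pinned one is absent, otherwise 'ok'.
    """
    pinned = pinned.lower()  # hex addresses are compared case-insensitively
    found = addresses_in(html)
    unexpected = sorted(found - {pinned})
    if unexpected:
        return "swapped", unexpected
    if pinned not in found:
        return "missing", []
    return "ok", []


# Constructed values: the pinned address is assumed to come from a channel
# independent of the web server (signed announcement, offline copy).
PINNED = "0xAbCdEf0123456789aBcDeF0123456789AbCdEf01"
ROGUE = "0x" + "9" * 40

# Constructed page: the address appears as visible text and inside a link.
CLEAN_HTML = (
    f"<p>Send ETH to <code>{PINNED}</code></p>"
    f'<a href="https://example.invalid/address/{PINNED.lower()}">view</a>'
)
# Constructed tampering: only the visible copy is replaced, the link is not.
TAMPERED_HTML = CLEAN_HTML.replace(PINNED, ROGUE)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_HTML), ("tampered", TAMPERED_HTML)):
        print(name, check_page(page, PINNED))
```

Run from a host outside the web server's trust boundary, a 'swapped' or 'missing' verdict is the signal to take the contribution page offline before funds are sent.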
Any investment carries a risk. Regulation tries to minimize these risks by laying down a series of measures and guidelines to flag up any fraud attempt. A sometimes overly-hopeful trust in technology doesn’t help at all here. Neither can ICOs be corseted in today’s regulations because there is very unlikely to be any neat fit. It is not a question here of killing off innovation or project-funding arrangements. But the right balance does have to be struck.
There are some platforms like BitcoinSuisse that try to oil the wheels and act as a trustworthy agent. This would seem to be a trend (and opportunity!) within the ICO world. Technology can also help to head off fraud, as with banking transfers, company purchases/mergers (due diligences). Under some circumstances it is even possible to track down the ownership of virtual wallets.
In any case, given the inbuilt anonymity of blockchain applications, which tends to favor organized crime, prevention of blockchain fraud looks like a tough ask. The U.S. Securities and Exchange Commission is keeping a close watch on this matter. ICOs are in the eye of the hurricane.
Author: Ángel Gavín
The author’s views are entirely his own and may not reflect the views of GMV