[Image: hooded hacker. Caption: Hackers are using phishing attacks to steal money from ICOs, a report claims. Credit: iStock]

KEY POINTS

  • 10% of funds raised by Initial Coin Offerings compromised: Ernst & Young.
  • ICOs a form of crowdfunding used by cryptocurrency start-ups to raise capital.

Cybercriminals have stolen up to $400m (£286m) from cryptocurrency start-ups over the past two years by exploiting hype and basic coding errors, research has found.

It is believed that more than 10% of funds raised through Initial Coin Offerings (ICOs) – out of a massive $3.7bn in total – were compromised by hackers between 2015 and 2017, according to Ernst & Young (EY), one of the world's "big four" professional services firms.

"Hackers are attracted by the rush, absence of a centralised authority, blockchain transaction irreversibility and information chaos," revealed a report published on Monday (22 January).

ICOs are essentially a method that cryptocurrency firms use to raise money. Tokens – or coins – transform into currency on the platform if the project launches successfully. The research showed that they are increasingly popular in the US, Russia and China.

The paper said: "Ten percent of ICO funds are lost as a result of attacks. Project founders focus on attracting investors and security is often not prioritised. Hackers successfully take advantage – the more hyped and large-scale the ICO, the more attractive it is for attacks.

"Both projects and investors are exposed to attacks. The most common types of attacks include substituting wallet addresses, accessing private keys, stealing funds from wallets and stealing funds from exchanges. Phishing is the most widely used hacking tool during an ICO.

"Beginning in early 2017, the frequency of such attacks began to grow, driven by the simplicity and effectiveness.

"Hacking also leads to indirect losses: for example, a project's loss of reputation and investors' loss of their sensitive personal data."

Cryptocurrency heist

The EY research studied 372 ICOs from around the world and was conducted in collaboration with Group-IB, a cybersecurity firm headquartered in Moscow.

It came amid reports of a cryptocurrency heist on user wallets linked to IOTA, a fintech network designed for the internet of things (IoT), which experts blamed on phishing.

The typical ICO has no customers, no revenue and, in most cases, no working product. Often, EY said, the only foundation for the ICO is a white paper that describes the planned technology and a small piece of software that governs how the tokens are issued and managed.

Valuations based solely on a white paper are always going to be risky and speculative, and in many cases the evidence suggested that investment was bolstered by FOMO, or Fear of Missing Out.

"As ICOs continue to gain popularity and leading players emerge there is a risk of having the market swamped with quantity over quality," said EY blockchain expert Paul Brody.

"These high-risk investments and the complexity of ICOs need to be managed to ensure their credibility as a means of raising capital for companies, entrepreneurs and investors alike."