The Enigma blockchain project had its website and several social accounts compromised. The perpetrators managed to defraud Enigma supporters of nearly US$500,000 worth of ether.
Enigma, a project started by a team of MIT graduates, was the target of a coordinated attack. The scammers managed to take control of one of the administrator accounts.
Once in control, they altered the website, posted Slack messages, and sent spoofed emails to a community list. The messages were made to look official and solicited members to participate in a fake initial coin offering (ICO) pre-sale, urging them to send money to the scammers' cryptocurrency wallet.
Reddit users suggest that the account of Enigma CEO and founder Guy Zyskind was the source of the incident. Zyskind’s email was allegedly part of a previous hack, and dumped on the Internet. He allegedly did not change his password, nor did he activate two-factor authentication. But Zyskind told WIRED that none of the breached Enigma accounts relied on reused passwords.
In total, Enigma supporters were duped out of 1,492 ether, or approximately US$494,000. The wallet has since been emptied.
Enigma said on Monday that no company funds, nor user passwords and private keys, were stolen.
Enigma said it is actively investigating the scam and the parties involved with several partners, including law enforcement, members of the community, other companies in the space, and exchange platforms.
In response to the incident, the team is introducing additional security measures, including strong, different and random passwords for each account, two-factor authentication for all accounts, weekly password rotation, and better system compartmentalization.
The attack took place a month before the launch of the Enigma ICO, which seeks to raise funding to fuel development of its data-driven cryptocurrency investment platform. It is the latest in a series of hacks targeting ICOs that have occurred in recent months.
Previous victims include Veritaseum Inc., which lost US$8.4 million, and CoinDash, which lost US$7 million. In addition, US$31 million worth of ether was stolen from three companies that completed ICOs in July, namely Edgeless Casino, Swarm City, and æternity blockchain.