ICO Cybersecurity: Tales from the Crypt(-ocurrency)

Ksenia Chabanenko
3 min readSep 22, 2017

--

Most ICOs and their supporters face a range of cybercrime attempts. As an advisor at several blockchain projects, I see how hackers and scammers work day and night to steal money on the hype. Cybersecurity and investor protection have become key features of a legit ICO and a strong company behind it.

Pavel Stukolov, CEO @TokenStars, said: “Along with the rising number of initial coin offerings, we’re witnessing a massive surge in cryptocurrency cybercrime. Almost 10% of all Ethereum investments in ICOs this year (or $150M in value) were hijacked by thieves. In their attempts to establish control over ICO websites or to steal from coin buyers, criminals often stage DDoS attacks as a distraction. We at TokenStars were lucky to quickly resolve a similar issue with help from our partners at Wallarm. To mitigate DDoS-related risks, we recommend anyone who is currently working on an ICO to put their security first.”

If you’re about to launch or invest in an ICO, you should be aware of all the possible vulnerabilities, and take the appropriate measures to protect your project from fraudulent activity.

To show the scale of the issue, I collected a number of recent features on ICO cybersecurity. Not only do they show actual cases of scam attempts, but they also provide step-by-step recommendations for a secure ICO:

1.Blackmoon’s post lists the three main cybersecurity threats to ICOs, an1. proceeds to outline their procedures for protecting themselves. They use Amazon DNS servers, which are sufficiently robust to protect from a DDoS attack, and a stringent list of server security procedures to protect from penetration attacks. The post is rounded out by a list of personal security tips and handy links.

2. A major threat to ICOs is DDoS (distributed denial of service). You can learn a bit more about attacks and their types, how they affect ICOs (and why DDoS itself is not as dangerous as what scammers try to hide with it), and also find a checklist of security measures to protect your ICO from potential DDoS-related risks in theTokenStar’s Medium post.

3. Check out KICKICO’s horror story about how an ICO was (almost!) ruined by DDoS and phishing attacks, and find out how the creators successfully avoided disaster. The moral of the story is to register ALL possible subdomains for your website and make sure your purchasers only use your official site to purchase coins. Also note that Slack chat is vulnerable (this company prefers Telegram).

4. The Propy’s piece goes into the technical side of ICO cybersecurity. The team recommends sticking with html + javascript (avoiding a CMS or DB) for the token sale website, and being very careful with open ports. There’s also a handy checklist to avoid human vulnerabilities.

5. This is an ultimate phishing protection checklist from Kinfoundation . Here’s how one company ensures that people on the web get information only from the official source, thereby avoiding the dangers of scammers.

6. Here’s Ambrosus ICO that takes security extremely seriously, announcing a two-day delay in their token sale so they could take special measures to make sure everything was ship-shape. You can see anti-phishing protection here, as well as Know Your Customer (KYC) functionality. The team also avoids Slack chat, going with Discord instead.

Another close call. Somebody put up a phishing website to try and divert funds from the official ICO website, but fortunately, they were caught in time and shut down.

As you can see, navigating the potential minefield of cybersecurity threats to your ICO can be a tricky proposition. I hope these articles provide you with the know-how to protect yourself, and I wish you the best of luck!

P.S. TokenStars token sale continues! Join before September 27th to receive early bird bonuses.

--

--

Ksenia Chabanenko

Advisor at TraceAir.net; founder at group.yoken.io; ex-VP Communications at My.com & Mail.ru Group (150+ M users. LSE: MAIL)