A primer on how to identify fake and money grave ICOs

Patrick
Aug 28, 2017 · 6 min read

Unfortunately, fraud and hacker attacks are part of daily business in the crypto space. The main reasons criminals (besides being assholes) target the crypto space are:

  1. It’s more or less anonymous. That being said, the blockchain does not forget anything: once somebody breaks Monero, a lot of people are getting fucked hard.
  2. It’s final. Once a transaction is confirmed there is no way to roll it back.

However, many of the attacks can be mitigated or completely avoided if you use your brain and understand how things work. In this post, I want to dig deeper into so-called ICO scams. ICOs are a new and comfortable way of funding a company or a project. An ICO itself is a legit way of collecting money, e.g. Ethereum itself once did an ICO to fund their project. However, there are a lot more fake, scam and suspicious ICOs out there than legit ones.

Sometimes it is very hard to differentiate a fake ICO from a legit one. Regardless of whether the ICO is legit or a scam, you should always accept that there is a risk of losing all your money. Even if the ICO is legit, the project could eventually fail.

Compared to phishing and hacking, which are clearly illegal activities, it is hard to prove that an ICO is a scam. The people could be honest with no criminal intention but just totally incompetent. For that reason, it is necessary to do intensive research before investing (the same is actually true for any other asset). In the following, we want to look at some red flags that should warn you.

ICO Red Flags

A red flag is any indicator that makes a project suspicious. Once a certain threshold of suspiciousness is reached you should avoid an ICO. In the following section, we propose a Q&A framework on how to classify certain indicators by asking some basic questions.

Team 👯‍

The team behind a project is the most crucial part.

  • Is the team visible on the website?
    If not, do not invest. There are no excuses: if they want to remain anonymous, it is already a shady business.
  • Is the team real, or are they just fake?
    This question is tough to answer: LinkedIn, Twitter, Facebook etc., all profiles could be fake. Do some reverse image search with Google and check if they used stock photos or images from other people’s profiles. Try to verify their CVs, check out their previous employers, education etc. This could be hard work. However, it is your money.
  • Does the experience of the team fit the project?
    Try to find out if the experience of the team fits the project. Check if the team did something similar before. Check their Github profiles.
  • Does the team have community trusted members?
    This question is also hard to answer and it is not very clear what “trusted” means in that case. However, you should try to find out how long the person has been active within the crypto community and what s/he has contributed so far.
  • Are they reachable and responsive?
    The team should offer a channel where community members and potential investors can gather and ask questions about the team and project. However, there were scam ICOs before where the team just disappeared after they took all the money.

The Project 📝

This is a rather subjective topic but very crucial. Just because a project sounds totally revolutionary doesn’t mean it is.

  • Buzzword Bingo
    If you browse through the ICO landscape, there are a lot of projects that pretend to combine the latest technologies with blockchain. A.I. with blockchain, VR with blockchain, A.I. and VR with blockchain and so on. Seriously, most of this stuff is total bullshit and doesn’t make any sense. A lot of buzzwords should alert you. Honestly, one should understand the basics of blockchain technology and what the benefits are before investing in anything.
  • Promised Gains
    This is one of my favorites! An ICO should be considered as venture capital which is used to develop a nice product or technology. The product should always be the focus and not some completely unrealistic gains. If we take a look at the original Ethereum crowdsale (https://blog.ethereum.org/2014/07/22/launching-the-ether-sale/), Vitalik states “we make no guarantees of its future value.” On the other hand, I just grabbed some random ongoing ICO called STeX: they already claim 5- to 10-fold gains. Completely unserious in my opinion.
  • White paper
    Nowadays, every project has some kind of white paper. However, many of them are really poorly written. They contain too many buzzwords and make completely unrealistic projections. Often, the product or the technology which the team wants to build is described in a very opaque way. This is one clear indicator that the team has no idea what they are actually talking about.
  • Is the project unique?
    If the project is unique and no one came up with a similar idea before, you should ask yourself if there is really a market for it. If there are similar projects out there, you should ask yourself why they failed or succeeded and what makes the ICO project better compared to them.
  • Does the project have a clear and realistic roadmap?
    Some projects promote a completely unrealistic roadmap. They go from pre-alpha release in 2 months to world dominance in 1 year. Claiming such unrealistic goals and too much overselling makes the whole project unserious.
  • No prototype available
    This is another one of my favorites! Teams which try to collect a shitload of money without even having a very basic prototype. This is one big red flag and you should ask yourself why someone needs money before even having a basic prototype to evaluate the idea. Especially as a software company, you don’t need much money to develop something. The only thing you need is skill and dedication and that’s what I expect from people when I invest in them. HOWEVER, EVEN IF THE TEAM HAS A BASIC PROTOTYPE, DO NOT DOWNLOAD ANYTHING ON A COMPUTER THAT STORES CRITICAL DATA LIKE PRIVATE KEYS. USE A VIRTUAL MACHINE OR SOMETHING SIMILAR TO TEST IT.
  • Why do they even need money?
    This point is related to the last two. Nowadays, you don’t really need a lot of money to develop some basic software as long as you have the necessary skills in your team. The team must comprehensibly state why and for what they need the money.

The Crowdsale 💸

The organization of the actual ICO procedure is another critical point.

  • Are there clear rules?
    Does the team disclose all necessary crowdsale information upfront, i.e. contract address, start, stop, limits, soft & hard caps etc.? Not releasing such information upfront does not make any sense since most of it should be ensured by a smart contract. The CoinDash disaster shows why this is necessary (https://www.coindesk.com/7-million-ico-hack-results-coindash-refund-offer/).
  • Is there a smart contract that ensures the stated rules?
    This is very tough for non-technical people. However, everyone with basic programming skills should be able to verify most of the stated rules. Some ICOs out there don’t even use a smart contract to collect money; instead they use regular addresses. In the crypto space, it is all about trust and this trust can be enforced by an open source and verified smart contract. For me, ICOs not using a smart contract have a big red flag. Back in the day, we did not have smart contracts, but nowadays?
  • Is the smart contract open source and verified?
    This should actually be the standard. However, it is not.
  • Are there refund rules?
    If the caps of the crowdsale are not reached, it should be possible for investors to get a refund. The rules and the procedure for that should also be stated on the website. Otherwise you have to look into the smart contract.
  • Are there escape functions in the smart contract?
    This is again a very tough question for non-programmers. However, you should always check if the smart contract contains methods that allow the owner of the contract to escape with the money. Usually, if you have trust in the team this should not happen, and I don’t say this is a clear indicator of a scam. However, it gives the project an unserious touch if there are such methods included. An example of such a method can be found in https://etherscan.io/address/0x202bd96042127975114d8b2b1f0ef429a235313f#code
    The stated contract allows the owner to withdraw funds at any time to any address:

function withdrawal(address to) onlyOwner {
    to.transfer(this.balance);
}
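
The escape-function check from the last bullet can be partly automated. The Python sketch below is an added example, not code from the original post or from any project it mentions: it scans Solidity source for functions gated by an owner modifier that send the contract's entire balance away. The sample contract is constructed (only withdrawal mirrors the snippet quoted above), and the modifier name onlyOwner is an assumption about how the contract restricts access.

```python
import re

# Constructed sample contract; only withdrawal() mirrors the snippet quoted above.
SAMPLE = """
contract Crowdsale {
    address owner;
    mapping(address => uint) paid;
    modifier onlyOwner { require(msg.sender == owner); _; }
    function withdrawal(address to) onlyOwner {
        to.transfer(this.balance);
    }
    function refund() {
        uint amount = paid[msg.sender];
        paid[msg.sender] = 0;
        msg.sender.transfer(amount);
    }
    function kill() onlyOwner { selfdestruct(owner); }
}
"""

# Function header: name, parameter list, then modifiers up to the opening brace.
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
# Statements that move the whole contract balance to some address.
DRAIN = re.compile(
    r"(\w+)\.(?:transfer|send)\s*\(\s*(?:this|address\(this\))\.balance\s*\)"
    r"|(?:selfdestruct|suicide)\s*\(\s*(\w+)")

def body_at(src, start):
    """Return the text between the brace at src[start] and its matching close."""
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start + 1:i]
    return src[start + 1:]

def find_escape_functions(src, owner_modifiers=("onlyOwner",)):
    """List (function, reason) pairs for owner-gated functions that drain the balance."""
    findings = []
    for m in FUNC.finditer(src):
        name, params, header = m.group(1), m.group(2), m.group(3)
        if not set(re.findall(r"\w+", header)) & set(owner_modifiers):
            continue  # not owner-gated by a known modifier
        param_names = {p.split()[-1] for p in params.split(",") if p.strip()}
        for d in DRAIN.finditer(body_at(src, m.end() - 1)):
            target = d.group(1) or d.group(2)
            where = "caller-chosen address" if target in param_names else target
            findings.append((name, "sends entire balance to " + where))
    return findings
```

This is a heuristic for a first pass over verified source: an empty result does not mean the contract is safe, since owner checks written inline or partial withdrawals are not matched.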

All of the stated points can be considered as “bad smells”. If there are too many of them, it is better to avoid the ICO. Certainly, there are even more indicators! I would be happy to discuss them further in the comments.
