by Joe Ellis
Hacking is a pervasive issue in the cryptosphere. With financial freedom comes the weight of responsibility, and despite their merits, cryptocurrencies are particularly unforgiving when it comes to scams and hacks.
The most recent crypto venture to come under fire is Catalyst, from the Silicon Valley company Enigma.co. Catalyst is a machine-based investment platform for cryptoassets. Catalyst’s long-term goal is to create a marketplace for trading strategies, where investors can purchase strategies which match their investment goal. Simply put, Catalyst aims to offer a market where developers can create and sell trading algorithms or cryptocurrency funds. Investors can purchase these robots/funds through Catalyst in the hopes to emulate their financial success.
As well as facilitating an open marketplace for trading algorithms, Catalyst also significantly reduces entry barriers for those wanting to experiment with trading cryptocurrencies using algorithms.
As is the norm for most modern crypto-ventures, Enigma plans to acquire funding for Catalyst using an initial coin offering, or ICO for short. A distinguished whitelist of investors could buy tokens in mid-August 2017, but for regular investors, the token sale is due to commence on September 11, 2017.
Unfortunately, many investors who had an interest in Catalyst fell victim to a scam as the result of a targeted attack against Enigma’s CEO, Guy Zyskind. Zyskind’s accounts were compromised, allowing the attackers to carry out a highly effective phishing attack.
This hack was made possible by negligence on Zyskind’s part. Zyskind had administrator access to Catalyst’s website, its Slack team and the Google account where the pre-sale form was hosted. His accounts were compromised because of poor password hygiene: Zyskind used the same password on all of his accounts.
The attackers obtained Zyskind’s password from a recent database leak. They then discovered that he had reused that password across all of his accounts, which allowed them to take control of his entire digital identity. Worse still, Zyskind did not have two-factor authentication (2FA) enabled on any of his accounts, so gaining access was trivial.
The attackers used Zyskind’s credentials to change the Ethereum address on the Catalyst website to their own, and sent a ‘notification email’ to every user on the pre-sale list from the compromised Google account. The email is shown below:
In addition to this, the attackers quickly kicked all of the admins from the Slack chat and published an announcement stating that the token pre-sale was now open to the public. Below we can see the message sent over Slack:
Naturally, investors jumped at the early opportunity to take part in the public pre-sale. The page at the link in the above image stated that investors could get ENG, Enigma’s token, by sending ETH to the address shown. That address is now widely recognized as a phishing address, and those who tried to take part in the pre-sale were scammed.
At the time of writing, the phishing scam has garnered around 1500 ETH, which is roughly equal to $500,000.
The Enigma project’s official statement is below:
Truthfully, this scam was hard to spot and avoid. Many investors were blindsided by the excitement of trying to buy tokens as early as possible. In hindsight, they perhaps forgot basic security practices, but it’s hard to blame them when the administrative credentials for the entire project were hijacked. For the most part, the scam looked legitimate because the attackers were able to hide behind the identity of CEO Guy Zyskind.
There are a few important lessons to be learned from this incident. For many crypto enthusiasts, this will sound like preaching to the choir. Nonetheless, to avoid being hacked yourself in a fashion similar to Zyskind, it is recommended that you:
- Use a different password for each of your accounts. Why? If you use the same password across all services, a single database leak can put your entire digital identity at risk. Since remembering a set of unique passwords is infeasible, it is recommended that you use a password manager.
- Use two-factor authentication wherever possible. 2FA requires that you input a special code from your mobile phone before you’re able to log in. So, with 2FA enabled, an attacker would need both your password and your phone to hack your accounts.
- Regularly check Have I Been Pwned? to see whether your credentials have appeared in any data leaks, and be vigilant about how much information you give out online.
To avoid falling victim to a cryptocurrency scam, heed the following advice: