WIRED: A Very Dumb Mistake Costs Cryptocurrency Miners Big Time
The digital financial services developer Enigma prides itself on ultra-secure products. The company’s Catalyst platform protects financial info with a cutting-edge combination of blockchain-inspired privacy technology and cryptography. So it comes as no small surprise that on Monday, scammers took over the company’s website, mailing lists, and Slack accounts by exploiting some extremely basic security mistakes Enigma had made. The blunders also facilitated a scam that ultimately cost Enigma supporters almost $500,000.
Enigma has planned an Initial Coin Offering for September 11—an unregulated cryptocurrency fund-raising campaign that startups use when they want to raise capital for their company without going through the process of working with an established financial institution or venture capital fund. (The SEC has promised to clamp down on these ICOs, but so far is in the exploratory phase.)
With the ICO in mind, scammers compromised official Enigma channels to create a sense of legitimacy and urgency. The plot proved easy to pull off. At least one of the passwords protecting the Enigma accounts, which included a Slack account with administrative privileges, had previously leaked, and reports indicate that the accounts weren’t protected by two-factor authentication.
The hackers began defacing the company’s main site and Slack accounts, and pushed a special “pre-sale” ahead of the ICO, directing money toward their own cryptocurrency wallet. They also went rogue on the company’s mailing lists. Many users realized that the push was a scam, but the hustle did tempt some interested backers into sending 1,492 coins in the cryptocurrency Ethereum, which converts to almost $495,000.
Enigma said in a statement on Monday that its community fund-raiser, also called a crowd sale, was always set definitively for September 11, and emphasized that its secure servers had not been hacked. But a spokesperson confirmed that the scammers compromised account passwords using various methods. And in response to the incident, the company says it is adding strong, random passwords and two-factor authentication for each account, plus implementing robust password changing and better system compartmentalization. “We’ve moved up a number of critical security steps and taken additional measures to protect the community going forward,” says Tor Bair, Enigma’s head of marketing and growth. “We’re now very well aware of the potential threats and are taking no chances.”
Though honest mistakes can happen at any growing organization, the Enigma community grappled with the implications of the incident on Monday, wondering how a specialized cryptography company could only now be realizing the need for stringent account hygiene. “This will go down in crypto history as one of the stupidest moments ever. We need a meme,” one Reddit user wrote. Some Redditors even claimed that they used the breached credential repository Have I Been Pwned to determine that the Enigma accounts that the scammers accessed reused a previously exposed account password from CEO Guy Zyskind. But Zyskind told WIRED that none of the breached Enigma accounts relied on reused passwords.