A hacker has tricked Experty ICO participants into sending Ethereum funds to the wrong wallet address. He was able to do this by sending emails with a fake pre-ICO sale announcement to Experty users who signed up for notifications.

An ICO (Initial Coin Offering) is similar to a classic IPO (Initial Public Offering), but instead of stocks in a company, buyers get tokens in an online platform. Users can keep the tokens until the issuing company decides to repurchase them, or they can sell the tokens to other users for Ethereum.

Companies use ICOs to raise funds for projects they want to launch but for which they can't get backing in the financial system.

Experty is preparing a blockchain-based VoIP calling system, where users pay with cryptocurrencies instead of money. The ICO was supposed to help the company raise funds (in the form of the Ethereum cryptocurrency) to build this service. Interest was high as Inc.com ranked the Experty ICO as one of the top 10 ICOs to watch in 2018.

Users tricked by fake pre-ICO announcement email

On January 26 and January 27, Experty users who signed up for notifications for the Experty ICO started receiving emails with a pre-ICO sale announcement of Experty (EXY) tokens. Users were asked to send money to a Ethereum wallet if they wanted to buy EXY tokens and be part of the ICO.

The email was a fake because the actual Experty ICO was scheduled for January 31, and not this week. The email users received was not sent by the Experty team, but by a hacker. A copy of the email is available below, courtesy of security researcher Indrajeet Bhuyan.

The Ethereum wallet address in this email is not associated with the Experty team, who previously announced they would be handling sales of Experty tokens only via the Bitcoin Suisse service.

Hacker made at least $150,000, possibly more

The Ethereum wallet address in this email currently holds over $150,000 worth of funds, received from 71 transactions. Both Experty and Bitcoin Suisse are now warning users not to send money to this wallet.

According to a screenshot posted by Chris Koerner on Twitter, the hacker appear to have used more than one Ethereum wallet address with the emails, so there is the possibility that users lost even more funds.

You heard it here first: The @experty_io #ICO just now got HACKED. It was one of the more legitimate and hyped ICOs, and they even used @BitcoinSuisseAG (same as $OMG) for all KYC. All customer data was leaked. Just got an email. Stay safe, and avoid @experty_io ICO. pic.twitter.com/pVM4l8gzWX — Chris Koerner | No BS Crypto | Altcoin Expert (@noBScrypto) January 27, 2018

Hacker compromised Experty staffer

Under normal circumstances, the emails of people who signed up to be notified of the Experty ICO are kept private.

According to statements from Experty and Bitcoin Suisse, the hacker was able to get his hands on this list of emails by compromising the computer of one of the people who carried out Experty's PoC (Proof-of-Care) review.

Experty initially said it would give 100 EXY tokens (worth around $120) to every person in their email database. In a statement issued on January 29, the company announced extra compensation for users who sent money to the scammer's wallet.

UPDATE [January 29, 06:00 ET]: Article updated with new information on Experty's January 29's announcement.