When criminals tried to con investors during its recent initial coin offering (ICO), Blockstack, a startup building a decentralized internet, used its tech expertise to turn the tables on the tricksters.

Scammers hoping to lure investors feeling left out because the firm limited its token sale to accredited investors only set up phishing sites by copying the entire blockstack.com code.

But doing so meant the fake sites were actually in contact with a server that Blockstack controlled, which fed the top banner of the legitimate site with tweets from the company’s Twitter account.

And that connection allowed the Blockstack team to undermine the phishing sites with what was effectively their own man-in-the-middle counterattack.

In a man-in-the-middle attack such as this, data is changed on a trusted website by someone who manages to insert themselves between a visitor and a publisher. For example, someone can create a Wi-Fi hotspot that changes a webpage before it reaches your browser.

Blockstack developers, though, used the attack for good, putting themselves in-between their own twitter feed and the scam websites. The team’s simple solution used the backdoor into the banner to warn those who potentially could have lost funds that the sites were not legitimate (see below).

“The server was fetching tweets from Twitter and formatting them for the blockstack.com website,” Blockstack co-founder Muneeb Ali explained to CoinDesk in an email. “For all requests for data not coming from blockstack.com, we displayed the ‘THIS IS A PHISHING SITE’ message instead of the tweet text.”

The Blockstack team provided CoinDesk with two different URLs used by the phishing scheme, which, for security reasons, we are not disclosing in this article.

“We had a couple of phishing sites that came online, where they were trying to direct traffic to them,” Ryan Shea, also a co-founder, told CoinDesk, adding the company took extra precautions:

“We made it very clear to only trust blockstack.com. So we primed everyone ahead of time.”

One of the most widely anticipated token sales of 2017, the Blockstack ICO was an attractive one for scammers to try and exploit, since hype can make links to their fraudulent sites shared on social media blend into the “noise” (much like fraudsters solicit donations to fake charities in the wake of natural disasters).

Blockstack’s token sale is nearly closed. Still, one of the two phishing sites remains active with a redesigned front page (eliminating the tweet stream banner) and offering a 10 percent discount on … absolutely nothing.

We probably don’t need to say this, but, buyers beware.

Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Blockstack.

Fish hook image via Shutterstock