As we’ve written many time on this blog before, the ICO market has seen a remarkable transformation over the past few years. Hundreds of new ICO’s are entering the fray, competing to secure funding as industries across the globe realize the applications of blockchain technology and how valuable they can be.

However, that’s not to say that there haven’t been road bumps along the way. Governments all over the world have begun to regulate token sales as an increasingly large number of poorly planned, atrociously executed, and even outright fraudulent ICO’s enter the marketplace. While this is to be expected, what’s even more surprising is that many of these projects that had every warning sign imaginable still succeeded in raising (or conning) millions of dollars out of over-eager investors. Between failures and scams, there are enough big flops in the last year alone to write several articles covering the details, let alone just one.

While it’s easy to point out evident warning signs in hindsight, hopefully the blockchain industry along with their investors will realize these mistakes going forward into 2018 and beyond. With just over 50% of all ICO’s in 2017 having already failed, helping investors learn from these mistakes and disasters will do the industry much good.

Case 1: The Ponzi Scheme — Onecoin

Easily one of the most egregious failures of 2017, Onecoin, based in Sofia, Bulgaria, had all the hallmark signs of a scam from it’s inception to its dismal conclusion. Considered to be an illegal Ponzi scheme both due to how it’s compensation structure was organized as well as the fact that many of its senior members were previously involved n Ponzi schemes in the past.

The basic premise of Onecoin is that it sells educational materials on cryptocurrency trading and other related topics, with members being able to buy various packages ranging from 100 to 118,000 Euros. Each of these packages also came with “tokens” that can be used to “mine” Onecoins. There were various levels of packages, each varying drastically in both price as well as the number of tokens (much of the so-called “educational material” was plagiarised from various sources). The idea is that once someone paid for an investment into one of these packages, they would be able to mine Onecoins to in sufficient enough quantities to earn back their initial investment. Of course, as is the case with these types of schemes, an ever-increasing pool of recruits was required to maintain the illusion.

Aside from the basic business premise, there were other warning signs. The team had little to show investors, and many of the members falsified their backgrounds. Dr. Ruja Ignatov, the founder of Onecoin, was guilty of doing exactly that. Also worrisome was that their website itself had a plethora of spelling mistakes and technical problems.

The death knell for this project was sounded earlier in January this year when Bulgarian police raided one of OneCoin’s offices in Sofia. However, this wasn’t before Onecoin managed to rack in over $350 million in funding, making it one of the largest black marks in ICO fundraising history.

Takeaways:

The case of Onecoin will be the textbook example of what to look out for in potentially dubious projects. It’s business model relied on excessive recruitment, with little to show in terms of prototypes, alpha builds, or any technical papers. Promises and appeals to greed, rather than details and factual evidence, was how the project appealed to investors.

Detailed background checks would have revealed that Ignatov’s past (particularly her Oxford education) wasn’t accurate, with other members of her team — such as Sebastian Greenwood — having worked on other Ponzi schemes in the past. While the numerous errors and mistakes on the project’s website should have been a red flag, as is often the case, peer influence is one reason why this happened.

A simple google search restricted to 2017 would yield a number of Reddit, Quora, and other forum posts talking about Onecoin as if it was a positive, innovative, solution. Stories of how people made money (usually being one of the lucky beginners who got in early in the scheme) would pop up on the first page of Google. While no institutional investor would count this as evidence, many smaller, individual contributors who might not know that much about the ICO world (especially since the entire market was exploding in popularity for the first time during that timeframe) could find these stories emotionally influential in their decision making.

Case 2: The ICO Security Failure — Coindash

Coindash will go down in cryptocurrency history as a warning of what poor ICO security can cause. The company, which was based out of Israel, found itself the victim of a small security loophole that cost the company close to $10 million dollars.

Coindash’s ICO was originally set for 28 days, with a hard cap of $12 million in funding. However, just 13 minutes after the start of the ICO, an unknown hacker managed to hack into the system and replace the ETH address of the website with a fake one. Because of this mistake, millions of dollars of Ethereum was sent to the hacker’s address. Although the company did manage to save a few million in the fundraising process, this error was entirely preventable and was a big blow to the confidence of investors and caused the ICO to be suspended.

Unfortunately, these types of technical glitches have happened before, as many can recall the infamous DAO hack in 2016 which cost the company over $70 million. When a few members of the Ethereum community came together to launch DAO as a separate application on the Ethereum blockchain, there was much fanfare and excitement. Unfortunately, the code underlying DAO’s smart contracts had a number of flaws which allowed the hacker to get away with exploiting just one of these errors.

Takeaways:

In both of these cases, it isn’t as easy to spot how investors could have seen this coming. Unlike the evidence Onecoin debacle, both of these projects had legitimate applications. In this case, it’s worth quoting Benjamin Franklin in saying that an ounce of prevention is worth a pound of cure, and blockchain start-ups should take their time in implementing their code, sparing little expense in making sure everything is perfect. While the downside in time and investment that comes from patience is minimal, the costs that come with a hurried launch are potentially massive.

Case 3: The Social Engineering Hack — Enigma

While there are many stories of hacks and technical errors causing the loss of millions in ICO investments, there are thankfully few stories about how social engineering (or social hacking) was used to achieve a similar effect. In the context of information security, social engineering involves manipulating people into either performing actions or giving away classified information. While ICO’s tend to be largely immune from these kinds of ploys, the story of Enigma proves that these kind of mistakes can still happen.

Enigma is a security and cryptography coin focused on providing advanced encryption methods, drawing its namesake from the German encryption system in World War 2. Ironically, Enigma’s mailing list, website, and Slack accounts were all hacked ahead of the company’s planned ICO. Instead, hackers used Slack to reach out to their investor base about an early “fake” ICO, impersonating it’s management team and hoping that their deception would fool some of their investors. While found the message suspicious, others jumped the gun and would end up losing $500,000 in Ethereum in the process.

What allowed these hackers to take over and pretend they were the official management staff is perhaps the most shocking part of the story. Enigma’s CEO, Guy Zizkind, had his account hacked because he hadn’t set up two-factor authentication yet. This common feature of most wallets and exchanges is a standard security precaution and is one of the most important things users can do to protect themselves. Ironically, the leader of a security-focused ICO wasn’t taking his own personal data security that seriously.

Takeaways:

Social engineering attacks are normally conducted either in person or through electronic means, such as a convincing-looking email asking for account verification. These attempts take advantage of human error rather than technical flaws, and even executives are vulnerable if they don’t take the proper precautions.

Ensuring basic security measures are taken as well as educating team members on basic information security is essential. This is especially true for small start-ups, were these topics often aren’t necessarily covered due to the small nature of the team.

Final Thoughts

As 2018 goes on, blockchain projects would do well to learn from the mistakes of their earlier competitors. With regulatory agencies now jumping onto the scene, the most blatantly obvious scams and fraudulent projects will hopefully be shut down. As such, errors in technology, as well as human mistakes, will remain some of the biggest ICO mistakes a project can make.