At QUOINE, we continuously evaluate our security policies to ensure we are doing all we can to keep our customers safe. Part of this includes fully vetting any tokens that we list on our exchanges. This carries through to our ICO Mission Control platform. We will not work with projects that do not meet our high standards. We expect to see transparency, a strong team, integrity, a use case and more. As our security roundup for April shows, the crypto space is still rife with those who lie, cheat and steal. Be careful out there, QUOINERS.

Centra (CTR) ICO labelled as fraud

Centra is an ICO that promised a suite of financial products. CTR was promoted by two very famous people who aren’t into cryptocurrency: Floyd Mayweather Jr. and DJ Khaled. The ICO raised more than US$32,000,000. That ICO has now been labelled as fraudulent by the US Securities and Exchange Commission. Centra implied partnerships with massive companies such as Mastercard and Visa, which have also been proven to be false. Both of the co-founders were arrested; one of them had allegedly booked a flight out of the country but was arrested before departure. Binance quickly responded and delisted CTR.

Biggest ICO scam

A Vietnam-based company, known as Modern Tech, launched an ICO for their own token, called Pincoin. Around 32,000 people invested in this ICO, raising a total of $660m. Investors were promised constant returns from investing in Pincoin. They were promised 48% returns a month, and there was a bonus offered for every new member you referred. At first, the investors received their returns on investment in cash, but soon they started to receive iFAN tokens instead, another token created by Modern Tech. Each token was being valued by Modern Tech at $5, while it was trading for a few cents at most.

Shortly after this, the team vanished, making this the biggest ICO exit scam to date. Investors even took to protesting outside the old Modern Tech offices in the hopes of being able to retrieve their lost funds. However, the listed office turned out to have nothing to do with Modern Tech.

Sources:

http://vietnamnews.vn/society/426102/666m-lost-in-massive-cryptocurrency-fraud.html#I0GukUG02zS5mp54.97

Ian Balina hacked

Ian Balina is an influencer in cryptocurrency, with more than 145,000 Twitter followers. Ian was running a livestream reviewing ICOs when he realised he couldn’t access his Google Docs account. He clearly realised something was wrong, as he abruptly ended the stream. He quickly took to Twitter to ask his followers to help him track his lost coins, worth almost US$2 million.

This is a great example of why you need to properly secure your crypto. Ian admitted there were several issues with his security. Firstly, his email address was backed up to an unused college email account. The hackers took advantage of this and reset his real email password by gaining access to his college email. Ian has stated he was aware that his college email may have been compromised in the past, but when he tried to rectify it he couldn’t, so he ignored it. This was because he thought the email was useless.

With access to Ian’s email, the hackers discovered he was storing his public and private keys on a cloud service, Evernote, which had password protection. The hackers were able to reset this password as they controlled his email. From here, all the hackers had to do was use his private keys to transfer his funds into their accounts.

This really shows the importance of security: make sure your funds are stored safely and that your backup access is not vulnerable.
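The takeover chain described above (recovery email, then primary email, then the notes service holding the keys) can be audited as a graph of who can reset or read what. The following is an added example, not part of the original article; the account names and edges are a constructed inventory modelled on the incident.

```python
from collections import deque

# Constructed inventory (assumption, for illustration only).
# An edge "A -> B" means: whoever controls A can take over B,
# because A is B's password-reset address or A stores B's secret.
TAKEOVER_EDGES = {
    "college_email": ["primary_email"],   # recovery address of the main inbox
    "primary_email": ["notes_service"],   # password-reset links arrive here
    "notes_service": ["wallet_keys"],     # private keys kept in a note
    "hardware_wallet": [],                # no online recovery path
}


def blast_radius(edges, compromised):
    """Return {asset: path} for every asset reachable from `compromised`."""
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:          # first visit = shortest path (BFS)
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    paths.pop(compromised)                # the starting account is not "new" exposure
    return paths


def single_points_of_failure(edges, crown_jewel):
    """List every account whose compromise alone exposes `crown_jewel`."""
    return sorted(a for a in edges if crown_jewel in blast_radius(edges, a))


if __name__ == "__main__":
    for asset, path in blast_radius(TAKEOVER_EDGES, "college_email").items():
        print(f"{asset}: {' -> '.join(path)}")
    print("Exposes wallet_keys:",
          single_points_of_failure(TAKEOVER_EDGES, "wallet_keys"))
```

Any account that appears in the second list deserves the same protection as the keys themselves, including old addresses that look unimportant.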

Savedroid ICO exit scam?

Savedroid, an ICO that raised more than US$50 million, performed a controversial marketing stunt in April when they faked an exit scam. On April 18, they updated their website to the following picture:

All of their ICO investors assumed the worst: that once again an ICO team had left with all of the money. However, the head of the project released a new YouTube video the day after titled ‘And it’s NOT gone’, where he discussed how they have not done an exit scam. The supposed reasoning behind this stunt was to open people’s eyes to the possibility of this happening to them, and to also show how easy it is for a team to do.

Regardless of the merit of the stunt, it shows two things: exit scams are a real issue and you have to make sure you properly trust the team you are investing in. It is hard to gauge the effect on the project as the token is not trading, but it seems the team lost a lot of trust with this move, thus there may be negative consequences in the long term.

Asian governments step in to stop crypto scams

In mid-April, the governments of China and South Korea both put a stop to scams that were ongoing in cryptocurrency, within 24 hours of each other. In both of these instances, they put a stop to groups that were promoting crypto Ponzi schemes. A Ponzi scheme is where a group uses the money from new investors to pay the old investors to make it seem like the investment is profitable.

The coin in question in China was called Datang Coin, which didn’t exist. The group behind this scam were hosting events where they promoted their token, with a fake CEO. The investors were promised large daily returns if they invested enough money. The scammers managed to raise US$13 million as a result. Once this scam was discovered, police took action and nine arrests have been made.

In South Korea, within 24 hours after the arrests in China, an operation run by two individuals was closed. It was revealed they had been running a multilevel business since 2015, and had recently been using it to promote another token that doesn’t exist. In total the fines for the two in question add up to more than US$20 million.

Major individual crypto loss

On April 9, a gentleman called Thomas lost his bag in Lucerne, Switzerland. Inside the bag were his 2 hardware cryptocurrency wallets, which provided him access to his portfolio containing more than $800,000 worth of coins. They were usually stored in the bank and removed around twice a year for transactions to be made. Thomas is offering a reward of 40,000 Swiss Francs for their return.

The fact that Thomas is offering such a reward for the return of his devices means he was not following the proper security measures. Either Thomas had not backed up his private keys or they were stored in the same location when they were lost. If Thomas had backed up his private keys in a different location, he would be able to purchase 2 new devices and restore the new devices using the private keys from the lost ones, allowing him access to his funds.

SmartMesh Loophole

SmartMesh is a blockchain based underlying protocol of the Internet of Things. On 24th April, a user of found a loophole in a SmartMesh contract and exploited it, transferring themselves 65,133,050,195,990,400,000,000,000,000,000,000,000,000,000,000,000,000,000,000.891004451135422463 SmartMesh tokens. The total value at the time of transfer was around $5,712,591,867,014,630,000,000,000,000,000,000,000,000,000,000,000,000,000,000.00 — creating the world’s first octodecillionaire (which is 10⁵⁶). The hacker managed to sell some of the tokens, but now all of the centralised exchanges that list SmartMesh have frozen the hacker’s accounts. The exploit is now fixed according to the SmartMesh team. The price of SmartMesh has increased since this issue, so it appears it has not negatively affected the price.

MyEtherWallet Breach

On April 24, users of MyEtherWallet who attempted to log in through the website realised shortly afterwards that their funds had been transferred out of their wallets. The issue was confirmed to be an SSL mismatch redirecting to a new domain. The MEW team confirmed that a couple of the DNS servers had been breached, resulting in this phishing issue. For further information, see our full write-up on this event.

Verge (XVG) network attack

On April 4, a miner gained control of over 51% of the hashrate of the Verge network. Control of over 51% of the hash rate enabled transactions on the blockchain to be modified by this individual. A bug was exploited in the XVG code which enabled the miner to mine one block per second for at least 3 hours. The miner was able to exploit this bug to gain more than US$1 million worth of XVG, at the expense of falsely increasing the overall supply of the coin. This essentially means the attacker had the ability to print free money.

This was made possible by using spoofed timestamps for mined blocks, which allowed the miner to mine with one specific algorithm, different to all the other miners using the current algorithm.

In an attempt to fix this issue with the code, the developers hard forked the currency. This introduced an issue for a time where wallets wouldn’t sync past the first block generated by the hacker, as the change disagreed with the attacker’s block. The issue has since been resolved.
