Cunning hackers have successfully duped investors out of almost $500,000 after compromising the servers of the online currency platform Enigma.
The organization, set up by MIT whiz kids and due to launch its new cryptocurrency on September 11, had its website, email servers and Slack channel hacked. The attackers then used these channels to spam out a message to those interested in the group, asking for money.
"We are pleased with the enormous support we have gotten in the last few weeks," the bogus message reads. "The Enigma team has decided to open the Pre-Sale to the public. The hard cap for this presale will be 20 million. Please note that tokens will be calculated and distributed based on how much the pre sale raises."
Meanwhile, the hackers had put their own digital wallet address on Enigma's website and directed would-be investors to it. At time of going to press they've reaped nearly $500,000, but the word is out. Enigma has shut down the offending Slack channel and is warning investors about the scam.
— Enigma Project (@EnigmaMPC) August 21, 2017
In a statement, Enigma said that the group had not lost any funds itself and was still planning to make its initial coin offering (think IPO but for digital currency) on September 11 as planned.
"We're changing all passwords, engaging 2FA, and taking other security precautions," Enigma said on its Telegram group. "It is a very very hectic time for all of us. I realize some of you lost money and are very very upset. We hear you. Give us some time and we will soon announce the next steps that concern the victims of this attack."
The fact that the organization didn't have two-factor authentication turned on in the first place is a red flag, and they indicated that this scam was made possible by sloppy password use or reuse. Some on social media suggest that the CEO had his password pwned on another site and was reusing it for Enigma's servers, but that hasn't been confirmed.
Enigma said that it was working with the bitcoin exchange Bitfinex about freezing accounts to stop the purloined e-currencies from being moved, however it hasn't said if this has been successful. It's also going to be of limited use in the US after Bitfinex pulled out of the American marketearlier this month. ®