Hackers Take Control of Enigma Using CEO’s Dumped Passwords – Steal Nearly Half a Million in Ethereum

Aug 21, 2017

Ethereum and ICOs - the hackers keep getting rich. On Sunday, hackers stole nearly $500,000 in Ethereum from followers of Enigma, a cryptocurrency investment platform provider that was preparing to raise money through an initial coin offering. The hackers took control of Enigma's website, social accounts and its community email list. While Enigma itself hasn't lost any money, the hackers posted Slack messages and sent emails to the community, getting people to send money to the hackers' wallet.

Enigma had apparently told its followers that it would not be collecting any money before the ICO, set for September 11 next month. However, many fell for the trick, and the hackers managed to get 1,492 in ether, worth around $500,000.

Hacked probably using dumped credentials

Some on Reddit have reported that the hackers accessed the email of Enigma CEO Guy Zyskind, whose details were apparently dumped in one of the previous data leaks. However, he hadn't changed the password in the aftermath.

"That's what happens when MIT kids think they are just TOO smart to do basic fucking website security measures" - Reddit user

While the company hasn't said if it was Zyskind's email, it has admitted that "certain team passwords were compromised for the enigma.co landing page and Slack." Enigma Project has now implemented new security measures and says it has adopted two-factor authentication for all employee email accounts. Hmm, too late and a little embarrassing for the company to not have followed these basic security measures.

The company also asserts that the website for the Enigma token sale was not accessed. "It resides on a separate, more secure server which was never compromised."

Enigma Project has now taken back control of its websites and has deactivated Slack for the time being. In a statement on Twitter, it said:

This isn't the first time that hackers have targeted an Ethereum-related ICO. In July alone, CoinDash lost over $7 million while Veritaseum lost over $8.4 million. In the same month, hackers managed to make over 32 million in US dollars by exploiting a flaw in an Ethereum wallet client, Parity.

The CoinDash attack was similar to the latest attack on Enigma, as scammers had hijacked the website and replaced the wallet address with their own. While CoinDash had agreed to issue tokens to all those who had sent money to the hackers, it's unclear at the moment if or how Enigma plans to compensate the victims.