Enigma, a company building a machine-based investing platform and infrastructure for crypto-assets, suffered a serious setback on Monday (21st August 2017) when criminals exploited vulnerabilities in the security of its website and some social media accounts to launch a phishing attack targeting potential investors in the project. Although the company did not lose any of its own funds, some members of the community were duped out of approximately US$500,000 by the scam – leading to a loss of trust and goodwill for the company in the immediate aftermath.
Preparing to launch an ICO in September for its Catalyst investment platform, Enigma hopes to provide a means for developers to build, test and execute micro crypto-funds. Using Catalyst is intended to simplify the investment decision process for crypto-assets; through Enigma Catalyst, users will be able to build their own crypto-hedge fund.
Harnessing the hype that surrounds most ICOs, the attacker or attackers hacked into the website and some social media accounts of the company and sent out messages to the community, persuading many to send funding to the attackers' wallets under the guise of funding the Enigma project. Although many realised this to be a scam, others did not, and almost half a million dollars was stolen in the form of 1,492 Ether. Enigma pointed out in a response that it had repeatedly informed the community that funds would not be taken before its crowdsale on the 11th of September.
In the wake of the attack, Enigma temporarily closed its website and Slack group, using its uncompromised Twitter and Telegram accounts to communicate developments. A number of different sources have cited issues surrounding passwords and a lack of two-factor authentication as the weakness that allowed the attackers to take control of the accounts. Enigma has since announced that it has regained control of the compromised accounts, although the community Slack has been deactivated as a temporary security measure.
To avoid this happening again, the team urged the community to confirm messages using all available methods of communication, and announced that it is employing improved security measures, such as strong passwords and two-factor authentication for all employee email accounts, in addition to ‘proper access control management and compartmentalization’.
This basic security failure is particularly concerning because it was so easily avoidable; as a result, however, Enigma has stepped up its security significantly and will now be focussed on providing a flawless performance. In a move to compensate those affected by the scam, and possibly to regain a measure of goodwill, Enigma co-founder and CEO Guy Zyskind has stated that the company will restore funds to those who lost their money, and also noted that, due to the efforts of members of the community, some of the stolen funds have been tracked and locked. Work is also being undertaken in collaboration with a specialised cyber-crime division and others to try to recover the stolen funds.
Enigma will still go ahead with its token sale on the 11th of September, 2017. The actual presale, which Enigma sent specific invites out for previously, reached its $20M contribution cap after the attack.