Q&A: How to protect Initial Coin Offerings against cyberattacks

The rise of Initial Coin Offerings has also resulted in an increase in cyberattacks – a new service looks to counteract the problem

The rise of Initial Coin Offerings (ICOs) has suddenly become a big ticket news item. This has seen $150bn of capital raised this year, but on the flip side $150 million has already been stolen – with some very high profile attacks on DAO, Parity and Coindash. To counteract this, Positive.com has launched a brand new service to safeguard ICOs against theft. Leigh-Anne Galloway, Cyber Security Resilience Lead at the company, explains more in the lightly edited Q&A below.


How did the ideas for this come about? 

In the same way that Uber used technology to revolutionise modern transport, ‘technologisation’ is causing drastic development in the Fintech sphere for both the traditional companies – i.e. the banks – and consumers. The strong reaction of the banks against developments in blockchain is simply further evidence that a revolution is underway.

The challenge is that the new blockchain/cryptocurrency companies leading this wave do not have risk at the forefront of their mind. Their motivation is to be novel, which means they are aiming to develop as quickly as possible and rushing. As a result, there have been a number of notable attacks that have cost companies, and their investors, very substantial sums of money. It was clear to us that ICOs have become a target for cyber criminals – in 2017 alone we are looking at $150m stolen.  

What is also clear is that these attacks are preventable if the right precautions are taken in advance of and during an ICO. Furthermore, cryptocurrencies that already exist, such as Ethereum, can be checked in real life, studied, and we can learn to understand the vulnerabilities that will affect the world’s financial system during the blockchain implementation. This means that in the future we could help the whole system, all large financial organisations, which is what primarily drives us.


Why are cyberattacks a particular issue for companies going through ICOs?

ICOs are a popular target for criminals because they are currency based, which means there is a cash flow that attackers are looking to take advantage of. A successful hacker can get access to anonymous money without their own de-anonymisation. Because the majority of countries can’t work with ICOs in legal terms yet, the sphere is not yet regulated. So there are fewer risks in hacking ICOs than banks, which is why hackers go there - it’s easier and less risky.

ICOs are also vulnerable because the code must be final when it goes live. If a bug is found after it goes live, the contract can be frozen but it is very difficult to alter it. This risk is exacerbated by the fact the code is public, and accessible by anyone. Because the contract itself is an application, it's very important that it is assessed before it goes live.


What can you do to help?

Positive.com helps companies secure their offering in two stages. First, we help companies prepare - analysing the source code used in the smart contracts that issue tokens to investors in exchange for Ether cryptocurrency; removing technical vulnerabilities and logic flaws in a private blockchain; and conducting a vulnerability analysis of web and mobile applications, OS and network infrastructure. We also train employees in security best practices, and how to spot and avoid social engineering attacks.    

The second stage of protection is designed to safeguard the ICO whilst live, with 24-hour round the clock monitoring from a Security Operations Centre to ensure attackers cannot bring down connected infrastructure, deface websites or infiltrate networks. Depending on the client’s needs, we can provide a cloud-based enterprise-grade web application firewall (WAF) and Security Information and Event Management platform (SIEM). We can also provide our own customised scripts to fulfil specific roles – for example, monitoring transactions on the blockchain.

How is your service unique?

We are unique in being dedicated specifically to the security risks inherent in an ICO. Our team also has a fantastic cyber security track record, with specialist source code analysis and vulnerability analysis experience across a range of sectors, and has helped some of the largest companies in the world prevent and remediate breaches.


What is the most misunderstood part of this process?

It is often wrongly assumed that because ICOs are based on the blockchain, they are secure de facto. This is not the case. Smart contracts are written by people, so mistakes in the source code cannot be excluded. Even if there are no logic flaws in the contract, there are many other paths of entry hackers can and do attempt to exploit – web application vulnerabilities being a prime example. The blockchain is sophisticated, but all the sophistication in the world comes to nothing if a hacker can re-direct investors from your website and siphon off funds.

ICOs have their own specific security issues compared to enterprise applications because they don’t have their own server infrastructure but are hosted in AWS or Microsoft Azure and use public servers (Gmail, Hotmail, etc.) as their mail servers.

They are often tech savvy, and understand security – adding features such as two-factor authentication (2FA) – but even these measures can be used against the ICO. Often their second factor is OTP through SMS messages, which can be intercepted through services on the dark web, making them vulnerable. Worse still, the whole ICO domain can be stolen for a very small amount of money ($100-200) by manipulating password recovery features. And social engineering is always a risk, which is why we also conduct employee training.

Is there any advice that you find you keep repeating?

There are three pieces of advice we give over and over again to those preparing an ICO.

  • Take care of the application security of your source code as early as possible, because it is very difficult to change when it goes live.
  • Try to Google all your team members and use other open sources to understand what social engineering methods hackers can use to conduct an attack.
  • On the day of the ICO, pay extra attention to all requests to technical support that require changes to be done in administration panels.

When millions of dollars of assets are at stake, there is no room for error. ICOs need to be monitored, and the smallest anomalies investigated immediately.


There is a lot of hype around ICOs at the moment – will this ever become as popular a way to raise funds as other more conventional methods?

The evidence suggests that this is already becoming a popular method for fund raising. The numbers speak for themselves – more than $150bn already this year, with individual ICOs raising into the hundreds of millions in days. I suspect the extent to which ICOs become a mainstream method of raising investment is dependent on it conquering some of the perceptions of being “risky”. Improving the security of ICOs will form part of this process.