According to Bleeping Computer, a hacker managed to phish Experty ICO investors by sending emails, purporting to come from the company, to those signed up for notifications. The emails stated that a pre-ICO was now live and included an Ethereum address that doesn’t belong to the company.
Experty’s ICO was keenly awaited. The company is set to launch a Skype-like voice and video application based on blockchain technology. Its users will be able to pay with cryptocurrencies. The ICO, selected as one of the top 10 to watch in 2018 by Inc.com, will help the company raise funds to build the service.
On January 26 and 27, users started receiving phishing emails. These were littered with poor spelling, but urged users to invest within 12 hours to receive bonus Experty tokens (EXY). Some emails promised a 33% bonus, while another one, tweeted out by Chris Koerner, promised a 300% bonus. This means the hacker could have also used more than one wallet.
You heard it here first: The @experty_io #ICO just now got HACKED. It was one of the more legitimate and hyped ICOs, and they even used @BitcoinSuisseAG (same as $OMG) for all KYC. All customer data was leaked. Just got an email. Stay safe, and avoid @experty_io ICO. pic.twitter.com/pVM4l8gzWX
— Chris Koerner | No BS Crypto | Altcoin Expert (@noBScrypto) January 27, 2018
The email was fake, as Experty’s ICO was set to begin on January 31. The Ethereum address in it belongs to the hacker, who, at press time, had seemingly moved the $150,000 worth of stolen Ether to an exchange. Following the breach, Experty and Bitcoin Suisse – a service the company uses to handle the token sale – started warning users.
The hacker got hold of Experty’s mailing list by compromising one of its employees. Per the company, the hacker compromised the computer of one staffer who carried out Experty’s proof-of-care (PoC) review.
Experty to compensate users
As a gesture of goodwill, Experty recently announced that it will give 100 EXY tokens (worth roughly $120) to users whose address was listed on its now-compromised database. After presumably being pressed by various users, the company announced it will reimburse the victims.
It added that ETH sent to the hacker’s address after the announcement was published won’t be refunded to “prevent people from purposely sending money to the scam address to receive EXY tokens.” The announcement was published on January 28.
The announcement reads:
“We are greatly saddened by the recent email scam that has targeted our community due to a recent data breach. We will be contacting the victims that are in our database in order to distribute the proportional amount of EXY tokens to them, including the bonuses for their tier, from our company allocation.”