A notable blockchain industry investor was hacked today, the latest target in a string of apparent social engineering attacks that have taken aim at cryptocurrency users.
The hackers claim to have stolen and liquidated 110,000 REP (upwards of $300,000) in the digital currency Augur plus an additional unknown sum of ether, the cryptocurrency on the ethereum blockchain, owned by Bo Shen, founder of VC firm Fenbushi Capital.
Speaking via Shen’s Twitter account, the hacker credited his sale with dropping the dollar value of Augur’s digital asset Reputation (REP) from 0.0035 BTC (then roughly $2.60) to 0.0026 BTC ($1.96), a decline that began early this morning. At press time, the price of REP has since recovered to just under 0.0040 BTC, according to data from Poloniex.
Statements from the hacker suggest that there is currently a team of hackers (or at least a “few”) now targeting a full list of Augur investors as part of a string of attacks that have taken place in recent weeks.
When asked why the group was perpetrating the attacks, the hacker responded:
“For money obviously.”
The hacker validated rumors circulating online that indicated big sell orders placed in ether and Augur were the result of his group.
Shen confirmed the hack to CoinDesk, though he did not disclose the total lost in the attack. In response to rumors more than $1m in ether was stolen, he responded the total amount was “less than that” but offered no further details.
Bribery and retribution
However, the hacker sought to stress that, in his view, that attacks (at least in the case of Augur) were preventable.
According to the hacker, the group had previously been in touch with Augur’s open-source development team. A prediction market project announced in 2014, the REP tokens Augur issued during its crowdsale have been traded publicly since October.
Augur core developer Joey Krug acknowledged that he has been in contact with the group before and said the hackers had asked for a $60k ransom that was not paid. Krug further noted that, as the tokens function as digital bearer assets, there is not much the technical community around the project “can do” about the threat posed to users.
“We’ve been sending emails out with instructions. If you don’t sell REP on an exchange, and store in cold storage, it’s fine. But if you store on an exchange, they can engineer your phone number, change your password and use that to login,” Krug said.
As such, the attacks highlight the security challenges investors and blockchain businesses continue to face when storing and safeguarding various cryptocurrencies.
For example, Augur indicated the attacker was able to glean information (including email addresses) from its public Slack chat group.
String of attacks
Notably, Krug suggested that he believes the hacker is the same individual that is responsible for attacks on users of the digital currency exchange Kraken.
He referred users who are concerned about the attacks to a blog post issued by the exchange in which it detailed the extent of what it believes to be a pervasive issue.
“In the past month, there’ve been at least 10 cases of people publicly involved in the cryptocurrency scene being victimized by mobile phone hijacking. The consequences have been expensive, embarrassing, enduring, and, in at least one case, life-threatening,” the exchange wrote.
The post advises users against popular communication methods such as phone calls and text messages, and advocates that users provide services like Google Voice with fake information that is more difficult for hackers to surface.
All in all, the post suggests investors follow a complex series of 40 steps to protect their assets from the attacks. Krug, however, suggested that, for now, investors should be more wary about two-factor authentication when using cryptocurrency.