A new Ernst & Young report has suggested that more than 10%, or $400 million, of the $3.7 billion raised in Initial Coin Offerings (ICOs) has been stolen through cyber attacks. According to the report, hackers are stealing up to $1.5 million in ICO proceeds a month.
The big risks in the ICO market, according to the report, are flawed token valuations, unclear regulations, heightened hacker attention and congested networks.
Arseny Reutov, blockchain security expert at Positive.com, has commented on the findings, stating that “ICOs provide a huge opportunity for scammers and attackers as they are essentially taking advantage of the promise of people making a huge return from relatively low investment. Unfortunately, this report shows the financial loss being inflicted is devastating when viewed at scale.”
“The reality is, the second a company goes public with an intention to do an ICO, it is waving a huge flag to cyber criminals that it is both valuable and also in a very vulnerable phase of its company growth. This research is proof that ICOs are not doing enough to protect themselves.”
The fear of missing out
The fear of missing out (FOMO) is driving token valuations without any connection to market fundamentals, according to the report. Investors are transferring funds at record speeds. In some cases, ICO investors are contributing capital at an average rate of over US$300,000 per second.
The top three countries leading in originating ICO projects are the US ($1,031 million), China ($452m) and Russia ($310m).
However, EY’s report suggests that the ability of ICOs to meet fundraising goals is declining. It found that 90% of projects with funds raised via ICOs reached fundraising goals in June 2017, compared with 25% in November 2017.
Phishing is the most widely used ICO hacking technique, according to the report.
“There are some very basic things that ICOs could and should address to improve their security posture,” suggests Reutov.
First, “it is absolutely vital that the underlying code of the smart contract is purged of any vulnerabilities through development – once this goes live it cannot be changed. Secondly, organisations must ensure that the web applications their ICO uses are being monitored and protected in real time – all the security of the blockchain means nothing if a hacker can misdirect funds from the web page.”
“Finally, there is the human factor. A major risk here is that open source intelligence will be used to target members of the team – our own research suggests that every ICO has a team member whose password can be found online. ICOs must do everything within their power to stop investors being tricked by phishing attacks. This is the hardest thing to secure, the only solution is to educate investors on the risks and warning signs and communicate as effectively as possible on official channels, to avoid investors being duped.”
“This could potentially be a linchpin moment for the future of ICOs – they could disappear as quickly as they emerged. If ICOs are to prove themselves as a viable fundraising option, they must address the issue of security urgently.”
Note: EY research conducted in collaboration with Group-IB on 372 projects that have conducted an ICO. Data based on public sources across exchanges, data aggregators, ICO reports, ICO trackers, news sites, blockchain network scanners/platforms and dedicated blockchain social media.
* Includes Hong Kong