Scammers have breached an internal system of the company behind the record-setting EOS ICO—and succeeded in tricking the cryptocurrency’s investors out of as much as millions of dollars’ worth of their new money.
The initial coin offering is on track to raise $4 billion—more than double the previous record holder—when the nearly year-long sale of EOS tokens concludes Friday at 7 p.m. ET. The proceeds will fund the development of new blockchain software by a startup called Block.one, co-founded by former actor Brock Pierce.
But while Block.one has sold almost all of its one billion EOS coins to investors, a significant portion of them—along with the cryptocurrency Ethereum often used to purchase EOS—are ending up in the hands of hackers. The thieves are cleverly preying on the acute mix of anticipation and greed that has fueled interest in the blockbuster ICO—such as the promise of free money: Several blockchain companies, including Everipedia, are planning token giveaways, or “airdrops,” to anyone holding EOS coins.
The ruse is easy to fall for, and often takes the form of a sophisticated-looking email, four of which were sent directly to my Fortune inbox. The emails, two of which came bearing the subject line “The most anticipated event has arrived!,” feature EOS’s gem-like chestahedron logo and multiple links to Block.one’s actual website (including in an official-seeming copyright line at the bottom). The text accurately describes several technical details of the EOS ICO, while mimicking Block.one’s superlative-filled marketing language.
Gettin some legit looking scam emails claiming to be giving away the remainder of $EOS distribution tokens. Everyone is thirsty out there stay safe and protect your coin!
Never supply anyone with your private keys! pic.twitter.com/eSZZezkWuB
— jbbasics (@jbbasics) May 31, 2018
It then provides a button recipients to “claim” EOS’s “unsold tokens” during the last 48 hours of the ICO. That’s where it gets tricky.
The button takes you to a website that is identical in color, background, font and other design elements to the EOS homepage. The only problem is the scam site’s web address is “eȯs.com,” a nearly imperceptible dot above the o—a diacritic mark only found in the dead language of Livonian, once spoken in parts of Latvia.
EOS’s actual website is eos.io. (The underlying URL for the fake site is actually “https://xn--es-8bb.com”—a foreign domain that translates to eȯs.com thanks to web browsers’ so-called punycode.) Eventually, the phishing site prompts visitors to enter their private key (a cryptographic password of sorts used in blockchain technology) to unlock their digital cryptocurrency wallets to receive the EOS airdrop—a request that is virtually always a telltale sign of a scam, allowing a thief to clean out the contents of the victim’s account.
Making matters worse, Block.one admitted over the weekend that an intruder had managed to breach its email support system, operated by cloud software provider Zendesk (ZEN). The scammer then sent messages and even responded to previous customer queries using Block.one’s email domain in order to lure recipients to another malicious key-capturing website.
One Reddit user lamented falling for this ploy earlier this week, resulting in nearly $62,000 worth of his (or her) EOS tokens being stolen. A spokesperson for Zendesk says the breach “took place outside of the Zendesk system,” with an intruder able to access Block.one’s account “as an authorized user.” Zendesk is “working closely” with Block.one to “resolve this issue,” which is unique to the blockchain company, the spokesperson adds.
Although Block.one temporarily shut down its Zendesk system and urged its supporters to be on “high alert for scams” in a statement published on its website Sunday, the phishing attacks have continued on other fronts. And there’s evidence that the gambit is fooling investors despite warnings.
Get The Ledger, Fortune’s weekly newsletter on the intersection of finance and tech.
On the website Etherscan, which tracks transactions on the Ethereum blockchain and network, including those of other cryptocurrencies such as EOS, a site moderator alerted users Wednesday that a wallet address under the pseudonym Fake_Phishing1255 was reported to be “associated with a fake EOS airdrop site.” Still, the suspicious account has already gleaned at least $110,000 in EOS and Ethereum (not to mention the thousands of dollars in other coins it holds), transaction records show.
Another Reddit user posted recently that he (or she) “got burnt for $13,500 rushing to get the airdrop.” The address where the stolen EOS ended up, Fake_Phishing940, has since been flagged for the scam—but was able to make away with more than $120,000 in EOS, according to Etherscan.
Some $70,400 in EOS went to Fake_Phishing1169, while $57,000 more landed at Fake_Phishing976, and another $36,000 went to Fake_Phishing1071; Fake_Phishing160 snagged an extra $10,000. And those are just some of the addresses that don’t even bother to hide their ill intent (suggesting they’re part of an organized phishing ring).
Still other unnamed accounts flagged for phishing EOS and Ethereum have collected additional amounts adding up to hundreds of thousands of dollars, pushing the total booty to at least $1 million. Fake_Phishing622, meanwhile, has amassed more than $510,000 in likely stolen digital coins, though it has yet to touch EOS.
Unlike other phishing scams, which target the elderly and non-tech savvy, the EOS attacks are cunningly designed to make victims let their guard down. The same web page that steals private keys is plastered with phishing warnings and security reminders that make visitors feel safe. The site even provides a digital address that corresponds to the official EOS one.
Nor can people rely on their usual filter for too-good-to-be-true offers when it comes to cryptocurrency, where real freebies abound. After all, just this week, blockchain project Dfinity launched a $35 million giveaway of its tokens—billing the event as the largest airdrop to date. And in March, I witnessed firsthand when the blockchain-based messaging startup Mainframe literally dropped $1 million in free cryptocurrency from the ceiling onto the heads of supporters at a hotel. Besides Everipedia, at least a dozen other companies, such as eosDAC and LetItPlay, plan to give away their tokens exclusively to EOS holders. Over the past month, I’ve received an average of 1.5 token giveaway-related emails per week.
@EOS_io Guess another scam underway talking new EOS reward "left overs". Came by email. pic.twitter.com/1y98FIyiCW
— Lennie / @mlninparadise (aka @TongaDojo) / #Recaps (@mlninparadise) May 31, 2018
None of those pitches, however, were for a legitimate giveaway of EOS tokens themselves. Block.one did not respond to requests for comment, but CoinList, which assists coin issuers in executing token giveaways, says it’s not aware of any planned airdrops of EOS itself.
With the EOS ICO now in the home stretch, cryptocurrency enthusiasts would do well to assume there’s no such thing as free EOS—and anything that says otherwise is most likely a scam.
This story has been updated with a comment from a Zendesk spokesperson.
