‘Even Vitalik fell for it’: how phishers targeted Ethereum

Individuum has published a Russian translation of the book “On the Cipher” (The Cryptopians), in which Unchained podcast host Laura Shin tells the story of Ethereum’s rise. ForkLog publishes an excerpt from this documentary techno-thriller about how, during the ICO boom, ether drew the attention not just of investors but of a legion of wrongdoers.

Laura Shin’s book “On the Cipher. An Insider History of the Cryptocurrency Boom”. Source: Individuum.

ICOs ignited interest in Ethereum. On 18 June, with ether hovering at $391, the flippening seemed within reach. Bitcoin’s market share had slid to an extraordinary 37.84%, and Ethereum’s had climbed to 31.17%. Ethereum was now worth $34.4bn, against bitcoin’s $41.8bn.

Two days later came another large ICO, this time with new ideas to make it more democratic. Jarrad Hope, from Perth, an internet marketer who had made his money on poker bots, and his long-time business partner Carl Bennetts were building Status—a messaging platform and open-source Web 3.0 browser. When venture capital showed little interest, Jarrad and Carl went to the crowd. Their Slack channel had about 3,000 fans at first, but when Status.im announced its ICO, that swelled to over 15,000. Most of the newcomers were scammers, phishers and “when-mooners” (those who cared only about when bitcoin would “go to the moon”). Sharks now circled the community, waiting for someone to carelessly drop a private key.

In the week before the ICO, in Singapore, where the digital nomads Jarrad and Carl were then based, Jarrad was typing a warning not to hand over keys (only phishers ask for those) when a window with the ¯\_(ツ)_/¯ emoji popped up on his screen. His antivirus began choking on notifications of new connections. He snapped his laptop shut, sprinted to Carl’s room, hammered on the door and yelled that he’d been hacked. Carl burst out in his pyjamas, and the two of them spent the entire day saving their Status accounts, their business and their personal lives.

Hackers besieged them on one side; on the other came queries from regulators such as the SEC. (The SEC declined to comment.) Jarrad and Carl studied the Howey test to run the Status Network Token (SNT) sale without violating securities law and blocked U.S. IP addresses.

Jarrad felt like Indiana Jones sprinting through a cave with a boulder about to seal the exit. To keep up, he lived on Joylent—Europe’s version of Soylent—and worked fourteen hours a day or more.

One big problem they sought to fix was whales grabbing a disproportionate share of tokens. Jordi, a member of the White Hat Group and a friend of Jarrad’s, proposed a dynamic ceiling—a hidden limit that changed once a certain target was reached. For instance, the first cap, at 12m Swiss francs, would be public; after that, the sale period would end either in 24 hours or earlier if a hidden ceiling was hit. Lower limits would also kick in according to specific block counts. As the white paper put it, the mechanism was “an attempt to prevent large investors (whales) from grabbing all SNT tokens”. If someone sent too much money, part would be accepted and the rest returned.

When the sale opened at 4am Singapore time, Jarrad’s heart sank. No funds were coming in. Then it dawned on him: people were sending sums so large the contract was rejecting transactions. Within minutes nearly 11,000 pending transfers had piled up, totalling 450,481 ETH ($161.7m). The new constraints only jammed the network further: when one transaction failed, people immediately blasted another. Much of Ethereum ground to a halt. The network was so clogged that some Ethereum domain-name auctions were interrupted. The Status ICO ran for 24 hours to give every time zone a chance. In the end they raised over $100m. (One community member remarked: “Status raised more than it could ever dream of for sticker packs and ads”.) But the contract refunded more than it accepted, and without the hidden ceiling they might have taken in over $200m. Alas, Jarrad says, the plan did not stop whales, who simply bought under each cap—though they later complained they had burned a fortune on fees.

For Taylor, the Status ICO was a tsunami. If 9,000 transactions per hour during the BAT sale, and 30,000 during Bancor’s, had been astonishing, Status drove that figure to 100,000. Nor was it even the only ICO that week—TenX, a decentralised exchange plus a crypto debit card, raised $83m the next day, and identity-verification project Civic took in $33m. A day later, on Friday, OmiseGo—a financial-services platform backed by Thai payments firm Omise—raised $25m in an ICO whose participants had their identities verified at Bitcoin Suisse. On the MEW network-traffic chart, that week would look like a sudden spike.

On Sunday, a post on 4chan—an anonymous, anarchic, dark version of Reddit—declared: “Vitalik Buterin’s death confirmed. Insiders dumping ETH.” It added: “A fatal accident. Now it becomes clear. He was the main link.” ETH fell 8.6%, from $315 to $288, wiping about $4bn off Ethereum’s market capitalisation. Vitalik quickly dispelled the rumour, tweeting a photo of himself holding a sheet of paper on which he had written:

Block 3,930,000 =
0xe2f1fc56da

It was a recent Ethereum block and its hash. He captioned the photo: “New day, new use case for the blockchain.” Even so, Ethereum’s market share shrank to 26.68%, while bitcoin’s rose to 40.34%.

The next day EOS, pitching itself as a faster (but more centralised) rival to Ethereum, launched an ICO that would run for nearly a year. A month earlier it had advertised the sale on Times Square during the Consensus conference, which drew 2,700 attendees. Ironic, given that EOS blocked American IP addresses. That week ether again traded between $200 and $330.

Horrified by the frenzy, Taylor tweeted from the MEW account: “Oh come ooon 🙁 Did last week teach you NOTHING?! Snap out of it (you too, BPI investors!) and look around” (a dig at the EOS ICO) and “Sit down—we have news. Great products can exist without tokens or taking all the money” with a gif of the camera pushing in on the half-naked wrestler John Cena, mouth agape in shock.

In June ICOs raised $472m; on 1 July one of the most high-profile, Tezos, began. Backed by Tim Draper, it was seen as a potential Ethereum rival with two advantages: formal verification—mathematically proving a smart contract would behave as its creator intended, to avoid DAO-like fiascos—and on-chain governance to handle questions such as a post-DAO fork. Tezos would raise a record $232m.

Taylor, like Jarrad, began to spot a growing security mess. Clones of the Status site (Status.im) appeared with URLs such as statusim.info and statustoken.im that led to a phishing page advertising an airdrop—a free token giveaway. It was not a real airdrop but a phish, and SNT would be “given” only after the victim entered a private key. (A private key is needed solely to send funds from an account; sharing it is akin to handing over the code to a bank vault.)

Phishers also went after Taylor and Kosala’s creation, spinning up lookalike sites at myethewallet.net, myetherwillet.com, myelherwallet.com, myeltherwallet.com and so on. In the so-called Coinhoarder campaign, phishers bought Google AdWords ads for myetherwallet.com and typo-lookalike domains so that their phishing pages appeared at the top of search results. The pages looked like MEW, so users entered their passwords, and the hackers could then plunder their wallets.

Even Vitalik fell for a scam. Someone hacked Jeff’s Skype account and messaged Buterin: “Hi, V, we’re still waiting for 925 ETH according to our checks,” then sent an address. Vitalik wrote to Jeff that he had sent the money. Jeff replied that it was not his address. Vitalik had sent a quarter of a million dollars into the void.

If May’s ICOs had ruined Taylor’s routine, scammers finished it off. Waking at 10pm, she would sit at her computer until 5–6am, doze until 7–8am, ping her support rep and ask them to watch for hacks and other security issues. She’d crash, wake at noon or 1pm and, if nothing had happened yet, cram down some food and wash and dress. But if there had been a hack, she would leap out of bed and work until 6pm, only to realise she had never really started her day.

On 17 July another ICO, CoinDash, began—but before the sale the site was hacked and the receiving address swapped. The attacker took 43,500 ETH (nearly $8.5m at the day’s high). Although the crypto community tweeted warnings, another $1m flowed to the address within an hour. That pushed Taylor over the edge. She tweeted from the MEW account:

1/ Alright, damn token creators, listen up. I’m out of patience. It’s 10am. I haven’t gone to bed yet.

4/ You chase easy money instead of helping Ethereum become what it should become. You promise a lot and only end up losing money.

5/ Fake addresses, scam bots, phishing, exploits, and domain and phone hijacks have been happening since the very beginning, and yet somehow you are still not ready.

8/ Don’t think you’re blameless here, investors: you’re at fault too.

9/ Throwing money at any address, clicking as if Nigerian emails had never existed, and not demanding more of your investments is part of the problem too.

10/ Get smarter already. 2,000 uniques in 2 hours fell for the same scheme that’s worked for years. Time to grow up.

When she woke the next morning, she heard the excited voices of Kevin and the operations manager. She came downstairs. Kevin said: “The Foundation’s multisig has been hacked” (meaning the EF). Still groggy, Taylor replied: “No way,” and headed back to the bedroom. If it had been hacked, her phone would be blowing up. Then she saw her phone was dead.

Published from the edition: Laura Shin. On the Cipher. An Insider History of the Cryptocurrency Boom. Moscow: Individuum, 2024. Translated from English by Sergey Karpov.
