How they tried to hack our ICO

DDOS on preICO stage

DDOS is a huge number of simultaneous requests from different IP addresses sent to the server, making it choke, unable to cope with the load. We were attacked twice during the preICO with each attack lasted approximately 30–40 minutes. Then the attackers apparently ran out of money and the attack stopped. We honestly admit our fault: we did not realize that such a small and inconspicuous company without huge PR actions will attract any attention and reacted to this issue blithely, but in vain. However, except website unstable work and rare outage, the attackers did not achieve anything. Oddly enough, attack was made by Facebook accounts. We received tens of thousands of requests from Facebook during the DDOS attack, but it did not prevent us to reach a goal, and then cap of 5000 ETH.

The reason they did it became clear after I received a letter with the following content: “Hello, we see that you are being DDOSed, let us protect you!”. Nice attempt, but no.

What to do next? Connect an intermediate CDN-service. We connected Cloudflare and more DDOS attacks were not noticed. It’s better to do this before starting ICO campaigns.

Phishing attack on our ICO

This was a more serious attack with scammers managed to deceive a dozen users, collecting somewhere around $ 50,000. We knew that such attacks would occur and registered similar to our domains, but not all of them. This is my mistake: I bought a package of KICKICO.* domains in Godaddy, but not all of them. I did not notice that it did not include the .co domain, which scammers successfully used.

How the attack was conducted: scammers registered the domain of the same name in the .co domain zone and completely cloned our site including all the campaigns. It was possible to detect this phishing site only after passing through some links, but even they were led through a proxy service so that we could not detect intruders’ IP address in case they accidentally follow the link. Moreover, they also cloned the Starbase platform repository in the github, and called it kick-ico. As I understand, the plan was to organize a DDOS attack on our site and, after it was down, give a link to phishing site in all communities and chat rooms, declaring that there is a working mirror with functioning payment acceptance system. However, the DDOS attack did not happen. In addition, I quickly wrote letters to the Cloudflow and Github registrars with the report on the attack and request to block the repositories, partition the domain and disconnect the hosting. Github blocked the attackers almost immediately, Cloudflower did it in two hours. Domain registrars did not respond, but this was enough to break the scammers plans and save our community from losing money.

What to do: register ALL similar domains. Monitor Github and look for similar names in Google which can be phishing. Monitor Githab and Bitbucket for phishing and prohibit any links or publication of any addresses in public and chat rooms. Specify the only correct website and crowdsale smart-contract address on Twitter and in all of your official social networks. Hire a 24/7 support with messages monitoring and removing phishing posts leading to fake resources or fake addresses. Warn the community about the attack, but do not publish links to fake resources by yourself. I did this with a picture with the red text of SCAM!, as a result, no one would go over there by mistake.

Slack vulnerability

As befits every large ICO, we created a channel in Slack. There is a strong believe, there is something is wrong with company if it is not using Slack. I can say the exact opposite: if the company has a Slack, then something is wrong with it. Slack is full of bugs that attackers use: for example, it is worth nothing to create an account just like a moderator and start writing personal messages with a fake purse address. Moreover, anyone can change the topic in the chat (we did not find where it turns off, apparently, nowhere) and put a fake address there. The worst part is blocking such fraudulent accounts takes more time than creating them again. Pre-moderation or filters on messages containing addresses — no. Surely you can spend a month writing a slack bot, which would automatically delete them, but the abundance of vulnerabilities in Slack probably will allow fraudsters to find some other way. Personal messages cannot be controlled at all. As a result, we decided to remove the Slack Channel altogether and moved the community to the Telegram.

Back-end and smart contract attack

The last attack was partially successful and was made by someone else. We conducted 5 or even 6 audits of our smart contracts and the server, but there was a hole somewhere. As a result, the script responsible for processing bitcoin payments was compromised and send a smart contract operation that completed the collection of funds and transferred some 600 million of our coins to an unknown purse. As a result, we had to re-negotiate not only the new smart contract of the campaign, but also the smart contract of the token, so that 600 million coins turned into a meaningless set of figures.

Here we suffered losses: before the attack, the rate of charges was $ 18–19 thousand per minute. After an hour and a half break, when we resumed the collection, we were collecting “only” $ 4–5 thousand per minute. This did not stop us from reaching the goal of 50 000 ETH, but slowed down the process and, most unpleasantly, we will have to assign a new token to all our users. As a result, those who bought tokens before the attack will receive a new version within a week, but until this point they will not see them on their accounts. This, of course, is unpleasant. However, the money remained safe and the attackers did not inflict on us except for a small reputational damage.

What to do? Check the smart contract very, very carefully and maximize the server protection. Close all ports, create IP whitelists, which can be accessed by them. Order audits of smart contracts and test, test and test. Order penetration tests, hire hackers to try to break everything: from the server to smart contracts. During the audits, we closed more than twenty vulnerabilities, including serious ones, but still missed one. We bring our sincere apologies.

Nevertheless, I believe that the campaign is proceeding successfully. We have reached the goal and will soon announce a hidden cap, upon which we will complete the campaign. If there were no attack, we would certainly have collected much more, maybe twice as much. However, we have enough money to realize all that we have planned and promised in our White Paper. Soon we will seriously surprise everyone a few more times. Now we are preparing something really big, so everything is just a beginning.

Stay tuned!