The cyber-attacker tricked Experty ICO participants by using a fraudulent ”pre- ICO sale” scheme.

Experty users were deceived into sending Ethereum funds to the wrong wallet address.

The hacker targeted ICO participants and sent fake pre ICO sale announcements to the users who had signed up for announcements.

An ICO is similar to an IPO, but instead of company stocks, you buy tokens that you can use on an online platform. However ICOs are not regulated the same way IPOs are.

Companies use ICOs to raise capital for their projects that can’t get backing from the financial system.

Experty, a blockchain –based VoIP calling system, was supposed to raise funds (in the form of the Ethereum cryptocurrency) to build their service. However, the attackers saw this event as way to fraudulently cash in.

The Fake Pre-ICO Announcement E-Mail

On January 26th and January 27th, Experty users who signed up for notifications regarding the ICO, started getting emails with a pre- ICO sale announcement. These phishing messages urged the users to invest within 12 hours to receive Experty (EXY) tokens in exchange for their Ethereum.

The email was obviously fake as the actual ICO date was on January 31 and was not sent by the Experty team. The email also contained a wallet address which was not associated with the company, who in a prior announcement stated that their token sale would be handled only via the Bitcoin Suisse service.

More Than $150,000 worth of Ethereum Stolen

The wallet address in the mail now has $150,000 worth of Ethereum, which came from 71 transactions. Users have been warned by Bitcoin Suisse not to send money to this wallet.

According to a Twitter post, the hacker had more than one Ethereum wallet address, so even more funds could have been lost.

“We are taking precautions and increasing security to ensure that this does not happen again,” said the company. “The Experty community is our number one priority, and always has been. We will continue to work towards a safer and prosperous future, and we hope that you will be there with us.”

But this doesn’t mean that the company has no fault in this. Usually, the emails of users who had signed up to be notified are kept private. But according to a statement on Medium, the hacker was able to find the email addresses of Experty users as “one of [the company’s] reviewers was compromised and hackers gained access to some information about users.”

According to statements from Experty and Bitcoin Suisse, the stolen information was obtained by compromising a PC that belonged to a team member who was conducting the Experty PoC (Proof of Care) review.

Experty announced that it will give 100 EXY tokens (~ $120) to every person in their email database. However, the users that sent Ethereum to the hacker’s wallet will not receive their money back, or any complimentary EXY tokens. Other companies that experienced losses due to hacks have offered restitutions to their affected users.