Wednesday, January 31. Investors were eagerly awaiting the start of the Bee Token ICO. They were hoping to invest in a brand new Airbnb-type platform that would utilize an equally brand new type of cryptocurrency. Little did they know that some of them were about to be collectively duped out of $1 million. Before we tell you how the scam worked, however, let's see what ICOs do and why scammers are so interested in them.
An ICO, or Initial Coin Offering, is a bit like an IPO (Initial Public Offering). In an IPO, investors are given the chance to buy shares in a company that hasn't been listed on the exchanges yet. In an ICO, they get to buy a new type of cryptocurrency before trading starts. The appeal is that you can get the digital coins on the cheap and later sell them on for a tidy profit. And since there's little regulation, organizing and participating in an ICO is much easier than staging an IPO and getting people to take part in it.
Bee Token said that investors would be able to buy BEE tokens starting 17:00 UTC on January 31, 2018, at a rate of 4,450 BEE tokens for 1 Ethereum. Ethereum was the only payment option, and Bee Token said that when the ICO opened, they would reveal the wallet investors needed to send money to.
Before hopeful cryptocurrency enthusiasts could start pouring Ethereum into Bee Token, however, they needed to sign up and provide quite a lot of information, including email addresses, names, dates of birth, etc. All this data was stored in a database that apparently got hacked.
Moments before Bee Token's Ethereum address was supposed to be revealed, people who had signed up for the ICO started receiving emails that were crafted to look like they were coming from the innovative home-sharing company. The emails contained instructions on how to proceed with the investment, and, naturally enough, they came with an Ethereum wallet address along with a QR code.
As you have probably guessed, the Ethereum wallet in the email had nothing to do with Bee Token. It was controlled by the scammers who somehow managed to get their hands on the would-be investors' emails.
The phishing campaign shouldn't have worked. There were too many discrepancies. For example, the scam messages said that the maximum contribution limit had been lifted from 0.3 ETH to 104.43 ETH, a gigantic leap that seems improbable at best. What's more, a few days before the ICO, Bee Token said that they had been made aware of some attempts at scamming unsuspecting investors, and they specifically pointed out that the company's Ethereum address would be posted on the website, and nowhere else.
Despite the red flags, and despite the fact that some of the phishing emails came from email@example.com, people fell for the scam, and according to researchers from Cyren, the scammers were able to make off with around $1 million worth of Ethereum. Why did that happen?
Because the phishing victims were in a hurry to get in before anybody else. They were too preoccupied with the potential profits to think about their security. It's not the first time this has happened, and it won't be the last. Scammers will continue to exploit users' carelessness when quick and easy money is involved, and there's nothing you can do about it.
If Bee Token's database had been properly secured, however, none of this would have been possible.
Which brings us to the buzzwords galore that is Bee Token's promotional video. About 1 minute and 22 seconds in, Tony Tran, Bee Token's CTO, says that traditional home sharing services store users' personal information on their servers. Five seconds later, while still speaking about the said personal information, he says "It's going to be hacked."
The irony is powerful.