In a statement made on August 21, 2017, members of the Enigma team, whose token offering was the target of a hack, announced that control had been reestablished over "all compromised accounts, including the website."
The team said that some of the website will remain deactivated as the team continues to work on the issue, and warned users not to send money or personal information to anyone. According to the announcement, its mailing list, the www.enigma.co domain, and a Slack administrator’s account were all compromised. The team affirms that no company funds, wallet addresses, private keys, catalyst strategies, Twitter accounts, or Facebook accounts were stolen or hacked, and neither was its blog.
For the time being Enigma's Slack channel will remain offline and closed to newcomers. The team welcomes direct communication through its Telegram account.
One report indicates that close to $500,000 in Ether was sent to an address tied to an elaborate phishing scam, which encompassed a Slack message and email campaign, as well as the alteration of Enigma's official website in order to fool would-be token offering participants. In total, 1,492 Ether was sent to the scam address, most of which has by now been funneled out.
A Reddit community member suggested that CEO Guy Zyskind's email may have been the source of the hacking incident, as it was apparently the target of a separate hack in which sensitive login data for that email address was dumped onto the internet. As per the report, Zyskind allegedly never reset his password and had not enabled two-factor authentication for the email account, which contained sensitive information that hackers may have exploited to get access to the Slack channel, Enigma website, and user mailing list.
Despite this incident, Enigma maintains that the site from which the token offering will be conducted remains unaffected. The team has also taken additional security measures, which include more effective passwords, two-factor authentication for all employee accounts, and steps to integrate access control procedures.
ETHNews reported a similar phishing scam that took place during CoinDash's token offering last month, in which scammers stole $7 million worth of Ether by altering CoinDash's website to temporarily display a false contract address. The impact was lasting; even after news of the fraud was widely reported, users continued to send Ether to the false address.
As the ecosystem is no stranger to phishing and hacking events, this latest episode is yet another reminder that constant vigilance is required on the part of developers and users to separate fact from fiction.