KICKICO Security Breach: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/kickicosecuritybreach.php}} | {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/kickicosecuritybreach.php}} | ||
{{Unattributed | {{Unattributed Sources}} | ||
[[File:Kickico.jpg|thumb|KICKICO]]KickICO is a service which assists blockchain projects with raising funds for operation. In order to gain operating capital for their project, they use a smart contract to issue Kick tokens. While Kick ICO is not an exchange, it offers the ability to buy/sell tokens, and many platforms similarly have their own token. | [[File:Kickico.jpg|thumb|KICKICO]]KickICO is a service which assists blockchain projects with raising funds for operation. In order to gain operating capital for their project, they use a smart contract to issue Kick tokens. While Kick ICO is not an exchange, it offers the ability to buy/sell tokens, and many platforms similarly have their own token. | ||
| Line 8: | Line 8: | ||
The Kick ICO team ultimately restored the tokens back to their rightful owners. It's unknown if anyone may have purchased the illegitimate tokens and suffered a loss, however there are no reports of this. | The Kick ICO team ultimately restored the tokens back to their rightful owners. It's unknown if anyone may have purchased the illegitimate tokens and suffered a loss, however there are no reports of this. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="slowmisthacked-1160" /><ref name="thehackernews-2296" /><ref name="securityaffairs-2297" /><ref name="sports-2298" /><ref name="pymnts-2299" /><ref name="kickecosystemmedium-2300" /><ref name="bleepingcomputer-2301" /><ref name="kickico-2302" /> | ||
<ref name="slowmisthacked-1160" /><ref name="thehackernews-2296" /><ref name="securityaffairs-2297" /><ref name="sports-2298" /><ref name="pymnts-2299" /><ref name="kickecosystemmedium-2300" /><ref name="bleepingcomputer-2301" /><ref name="kickico-2302" /> | |||
== About KICKICO == | == About KICKICO == | ||
| Line 63: | Line 62: | ||
!Description | !Description | ||
|- | |- | ||
|July 25th, 2018 | |July 25th, 2018 | ||
|Main Event | |Main Event | ||
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
| Line 71: | Line 70: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
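Review bot: the new Technical Details section contains only the template prompt, so the page still has no technical analysis under that heading. The About section already quotes the relevant facts (the private key of the owner of the KickCoin smart contract was obtained, tokens were destroyed at approximately 40 addresses and created at 40 others so the total did not change); move that material here with its source refs instead of leaving the prompt as body text.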
| Line 90: | Line 92: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
== Prevention Policies == | |||
Ultimately, no funds appear to have been lost in this case. | Ultimately, no funds appear to have been lost in this case. | ||
The situation highlights the importance of using multi-signature setups for security, rather than relying on a single key. It also highlights the importance of storing critical keys offline. This theft would not have been possible with either of these measures in place. | The situation highlights the importance of using multi-signature setups for security, rather than relying on a single key. It also highlights the importance of storing critical keys offline. This theft would not have been possible with either of these measures in place. | ||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
<references><ref name="slowmisthacked-1160">[https://hacked.slowmist.io/en/?c=Exchange SlowMist Hacked - SlowMist Zone] (Jun | <references><ref name="slowmisthacked-1160">[https://hacked.slowmist.io/en/?c=Exchange SlowMist Hacked - SlowMist Zone] (Jun 26, 2021)</ref> | ||
<ref name="thehackernews-2296">[https://thehackernews.com/2018/07/kickico-cryptocurrency.html KICKICO Hacked: Cybercriminal Steals $7.7 Million from ICO Platform] (Aug | <ref name="thehackernews-2296">[https://thehackernews.com/2018/07/kickico-cryptocurrency.html KICKICO Hacked: Cybercriminal Steals $7.7 Million from ICO Platform] (Aug 9, 2021)</ref> | ||
<ref name="securityaffairs-2297">[https://securityaffairs.co/wordpress/74910/hacking/kickico-hack.html KICKICO security breach - hackers stole over $7.7 million worth of KICK tokensSecurity Affairs] (Aug | <ref name="securityaffairs-2297">[https://securityaffairs.co/wordpress/74910/hacking/kickico-hack.html KICKICO security breach - hackers stole over $7.7 million worth of KICK tokensSecurity Affairs] (Aug 9, 2021)</ref> | ||
<ref name="sports-2298">[https://ca.sports.yahoo.com/news/another-ico-hacked-kickico-loses-120331205.html Another ICO Hacked: KICKICO Loses $8 Million After Smart Contract Breach] (Aug | <ref name="sports-2298">[https://ca.sports.yahoo.com/news/another-ico-hacked-kickico-loses-120331205.html Another ICO Hacked: KICKICO Loses $8 Million After Smart Contract Breach] (Aug 9, 2021)</ref> | ||
<ref name="pymnts-2299">[https://www.pymnts.com/news/security-and-risk/2018/kickico-cryptocurrency-hack-smart-contracts/ KICKICO Announces It Lost Over $7M In Hack | PYMNTS.com] (Aug | <ref name="pymnts-2299">[https://www.pymnts.com/news/security-and-risk/2018/kickico-cryptocurrency-hack-smart-contracts/ KICKICO Announces It Lost Over $7M In Hack | PYMNTS.com] (Aug 9, 2021)</ref> | ||
<ref name="kickecosystemmedium-2300">[https://kickecosystem.medium.com/kickico-security-breach-issue-under-control-all-kickcoins-will-be-returned-ebe65a491dec Kickico Security Breach Issue Under Control All Kickcoins Will Be Returned] (Aug | <ref name="kickecosystemmedium-2300">[https://kickecosystem.medium.com/kickico-security-breach-issue-under-control-all-kickcoins-will-be-returned-ebe65a491dec Kickico Security Breach Issue Under Control All Kickcoins Will Be Returned] (Aug 9, 2021)</ref> | ||
<ref name="bleepingcomputer-2301">[https://www.bleepingcomputer.com/news/security/kickico-platform-loses-77-million-in-recent-hack/ KickICO Platform Loses $7.7 Million in Recent Hack] (Aug | <ref name="bleepingcomputer-2301">[https://www.bleepingcomputer.com/news/security/kickico-platform-loses-77-million-in-recent-hack/ KickICO Platform Loses $7.7 Million in Recent Hack] (Aug 9, 2021)</ref> | ||
<ref name="kickico-2302">[https://kickico.com/en/faq KickICO] (Aug | <ref name="kickico-2302">[https://kickico.com/en/faq KickICO] (Aug 9, 2021)</ref></references> | ||
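Review bot: the Individual, Platform and Regulatory Prevention Policies sections added in this hunk hold only Placeholder/End templates, while the multi-signature and offline key storage advice stays under General Prevention Policies. That advice is addressed to the platform operator, so it belongs in Platform Prevention Policies. The retained sentence "Ultimately, no funds appear to have been lost in this case." also sits badly next to the reference titles in this same hunk that report a $7.7 million theft; reword it to say the tokens were restored to their owners.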
Latest revision as of 12:53, 1 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description.
KickICO is a service which assists blockchain projects with raising funds for operation. In order to gain operating capital for their project, they use a smart contract to issue Kick tokens. While Kick ICO is not an exchange, it offers the ability to buy/sell tokens, and many platforms similarly have their own token.
However, this contract was managed by a single private key, which appears to have been breached, allowing an attacker to create their own KICK tokens. The attacker avoided detection by ensuring that the same number of tokens were destroyed as were minted; however, this meant that the tokens of legitimate purchasers were destroyed.
The Kick ICO team ultimately restored the tokens back to their rightful owners. It's unknown if anyone may have purchased the illegitimate tokens and suffered a loss; however, there are no reports of this.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8]
About KICKICO
"KICKICO [is] a blockchain-based initial coin offering (ICO) support platform" and "fundraising platform". "KickICO is a crowdfunding platform that supports AIO fundraising, but the auction sale takes place on both the KickICO platform and campaign tokens are automatically approved for listing on the KickEX exchange. As a result, both communities - platforms and exchanges - participate in the auction. This significantly increases the organic demand for traded tokens, as it reaches the audiences of both platforms and both communities. After the successful completion of the campaign and all the necessary checks, the company's tokens become available for trading on the KickEX exchange, receiving an automatic listing there."
"AIO (Auction based Initial Offering) is a type of crypto fundraising based on fair pricing, a know-how developed by the Kick Ecosystem team. Unlike ICO, IEO, IDO and other forms of fundraising, the price of a token, offered here for sale, is not fixed, but is formed by the users themselves during the auction. The greater demand for a token is, the higher its price, and vice versa. Companies have no direct influence on the value of the token, what makes pre-sales of the token at a 50-80% discount pointless. Thus, the price of the token is formed by the market itself and by the users participating in the auctions, who take into account the importance and relevance of the products offered by the company. So, the authors do not declare the price of their token, which, after entering the secondary market, can be collapsed by those who received early allocations with huge discounts: this kind of risk is excluded."
"CEO Anti Danilevski wrote in a blog post that, on July 26, "KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform." KICKICO fell "victim to a suspected cyber attack and lost more than 70 million KICK tokens (or KickCoins) worth an estimated $7.7 million."
"[H]ackers were able to gain direct access to the smart contract of the KICKICO blockchain network by obtaining the private key of the KickCoin smart contract." "Once obtained the key, the attackers used it to destroy KICK tokens at approximately 40 addresses and created the same amount of tokens at other 40 wallets he was controlling. Using this trick the overall number of tokens hasn’t changed and security measures in place were not able to detect the fraudulent activity." "The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets." "KICKICO admitted that the company had no clue about the security breach until and unless several of its customers fell victim and complained about losing KickCoin tokens worth $800,000 from their wallets overnight."
"During the investigation, it was found that the total amount of stolen funds is 70,000,000 KICK, which at the current exchange rate is equivalent to $ 7.7 million."
“The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. In result, the total number of tokens in the network has not changed.” continues the notification.
"The exec says his team immediately started investigating the hack in light of the report." "A few hours after the incident, the KICKICO team was able to regain access to its smart contract and replaced the compromised private key with the private key in its cold wallet, to protect the network and remaining user funds." "As of Friday, the company announced the situation was under control and the smart contract has been restored."
"Thanks to the rapid response of our community and our coordinated team work [sic], we were able to regain control over the tokens and prevent further possible losses by replacing the compromised private key with the private key of the cold storage," Danilevski said. “KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences,” Danilevski said. "KickICO announced it will return all stolen KICK tokens to their legitimate owners, for this reason, it invited them to connect via email."
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| July 25th, 2018 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $7,700,000 USD.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Ultimately, no funds appear to have been lost in this case.
The situation highlights the importance of using multi-signature setups for security, rather than relying on a single key. It also highlights the importance of storing critical keys offline. This theft would not have been possible with either of these measures in place.
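The breach went unnoticed because the number of tokens destroyed matched the number created, so total supply never moved. The following is an added monitoring example, not KICKICO's or the original page's code, showing why a supply-only check stays silent and how per-holder checks on owner-key operations would have raised alerts; the event layout, the `issue`/`destroy` names, the addresses and the allowlist are all assumptions built for illustration.

```python
from collections import defaultdict

OWNER = "0xowner"  # hypothetical address of the single contract-owner key

# Constructed events, not real chain data: (signer, kind, holder, amount).
# "issue"/"destroy" are illustrative names for the owner-only mint/burn calls.
EVENTS = [
    ("0xholder3", "destroy", "0xholder3", 10),  # holder burns own tokens
    (OWNER, "issue", "0xholder3", 10),          # approved re-issue
    (OWNER, "destroy", "0xvictim1", 300),       # balanced burn/mint pattern
    (OWNER, "destroy", "0xvictim2", 500),
    (OWNER, "issue", "0xnew1", 300),
    (OWNER, "issue", "0xnew2", 500),
]
APPROVED_RECIPIENTS = {"0xholder3"}  # assumed change-control allowlist


def supply_delta(events):
    """Net change in total supply: all that a supply-invariant check sees."""
    return sum(a if k == "issue" else -a for _, k, _, a in events)


def privileged_alerts(events, approved=APPROVED_RECIPIENTS):
    """Flag mint/burn operations that touch balances outside change control."""
    alerts = []
    for signer, kind, holder, amount in events:
        if kind == "destroy" and signer != holder:
            # Someone other than the holder removed the holder's tokens.
            alerts.append(("third_party_destroy", holder, amount))
        elif kind == "issue" and holder not in approved:
            # Tokens created for an address nobody signed off on.
            alerts.append(("unapproved_issue", holder, amount))
    return alerts


def holder_losses(events):
    """Tokens removed from each holder by a signer other than the holder."""
    lost = defaultdict(int)
    for signer, kind, holder, amount in events:
        if kind == "destroy" and signer != holder:
            lost[holder] += amount
    return dict(lost)


if __name__ == "__main__":
    print("supply delta:", supply_delta(EVENTS))
    for alert in privileged_alerts(EVENTS):
        print("ALERT", alert)
    print("losses:", holder_losses(EVENTS))
```

The supply delta for the sample is zero even though two holders lose their balances, which is the gap the per-holder alerts close.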
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
2. KICKICO Hacked: Cybercriminal Steals $7.7 Million from ICO Platform (Aug 9, 2021)
3. KICKICO security breach - hackers stole over $7.7 million worth of KICK tokens - Security Affairs (Aug 9, 2021)
4. Another ICO Hacked: KICKICO Loses $8 Million After Smart Contract Breach (Aug 9, 2021)
5. KICKICO Announces It Lost Over $7M In Hack | PYMNTS.com (Aug 9, 2021)
6. Kickico Security Breach Issue Under Control All Kickcoins Will Be Returned (Aug 9, 2021)
7. KickICO Platform Loses $7.7 Million in Recent Hack (Aug 9, 2021)
8. KickICO (Aug 9, 2021)