Nearly $400 million lost, stolen from sales of new digital coins, Ernst & Young says

Key Points
  • Nearly $400 million, or more than 10 percent of $3.7 billion raised in initial coin offerings, has been lost or stolen, Ernst & Young says.
  • Most of the funds are stolen through phishing attacks, for hacking losses of up to $1.5 million a month, the report says.
  • Just 25 percent of initial coin offerings reached their fundraising goals in November, versus 90 percent in June, the report says.
A computer screen displays a site featuring cryptocurrency token sales and initial coin offerings in Berlin in November 2017.
John MacDougall | AFP | Getty Images

Nearly $400 million has been lost or stolen from coin sales known as initial coin offerings, accounting giant Ernst & Young said in a report released Monday.

That's more than 10 percent of the $3.7 billion raised in the initial coin offerings, and another worrying sign for the token sales.

Initial coin offerings raise funds for projects based on blockchain technology by selling digital coins, which will grant access to a future technology platform, or at least climb in value, similarly to how digital currency bitcoin has soared in price. Developers also say the initial coin offering circumvents what can be a bureaucratic process of venture capital raising — EY estimates cumulative venture capital investments in blockchain projects is less than half what initial coin offerings have raised.

But the projects behind initial coin offerings often barely exist beyond a whitepaper and many are believed to be outright scams. Now there is a clear risk that investors' funds will never reach a project's developers.

"Phishing is the most common form of funds theft during ICOs," the EY report said, adding that "hackers steal ... up to US$1.5 million in ICO proceeds per month."

A phishing attack occurs when the hacker tricks someone into sharing valuable personal information by pretending to appear legitimate. For example, the report noted how scammers created a look-a-like page to eight cryptocurrency projects, and stole nearly $1.4 million in August alone.

Source: Ernst and Young

A cryptocurrency hack can also be more damaging than a cyberattack on a traditional financial institution.

The report pointed out that the average bank loss from a hack is $1.5 million, and funds are usually insured. In contrast, cryptocurrency exchanges averaged $2 billion in hacking losses as of November, and their blockchain technology prevents transactions from being reversed.

More worrisome is the loss of personal data from a hack. "Most exchanges do not disclose policies and controls over personal data storage and use. This represents great value on the black market and chances of its misuse are high even without a breach," the report said.

Token sales took off last year, reaching a peak of excitement in the summer. Many projects raised tens of millions of dollars despite only being in very early stages of development. As a sign of the risks, many initial coin offerings officially prohibit U.S. residents and citizens from participating out of fear the U.S. Securities and Exchange Commission will crack down if a project is unable to meet its business goals. In the last several months, China and South Korea banned coin offerings completely.

Partly as a result of increased regulatory fears, blockchain projects have been finding it more difficult to raise money through coin offerings.

Just 25 percent of initial coin offerings reached their fundraising goals in November, versus 90 percent in June, the EY report said. Citing TokenData, CNBC reported in late November that the month was also on pace to be the slowest for coin offerings since August.

Source: Ernst and Young