ICO Fundraising Platform KICKICO Loses $7.7 Million in Smart Contract Breach
KICKICO, an initial coin offering (ICO) project that helps other ICOs raise funds, was hacked on July 26, with hackers successfully making off with more than 70 million KICK tokens worth about $7.7 million.
The company disclosed the theft of KICK tokens in a July 26 blog post, saying that the security breach “resulted in the attackers gaining access to the account of the KICK smart contract.” KICKICO discovered the breach after several victims “did not find tokens worth 800 thousand dollars in their wallets.”
Hackers were able to obtain the private key of the KickCoin smart contract, thereby gaining direct access to the smart contract of the KICKICO blockchain network. While they had access to the KickCoin smart contract, they were able to destroy 40 wallet addresses and create 40 new addresses under their own control.
The new wallet addresses held balances identical to those of the destroyed addresses, so the overall amount of KICK remained the same. The smart contract breach essentially enabled attackers to steal user funds from 40 different accounts.
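Because the relocated balances leave the overall amount of KICK unchanged, a monitor that watches only total supply would see nothing. The following detector is an added example, not code from KICKICO or the original article: it pairs each balance destruction with a creation of the identical amount at a different address shortly afterwards. The event format, field names, addresses and the block-gap threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real chain data); field names are assumptions.
EVENTS = [
    {"block": 100, "kind": "burn", "addr": "0xVICTIM_A", "amount": 120000},
    {"block": 100, "kind": "mint", "addr": "0xNEW_A", "amount": 120000},
    {"block": 101, "kind": "burn", "addr": "0xVICTIM_B", "amount": 45500},
    {"block": 103, "kind": "mint", "addr": "0xNEW_B", "amount": 45500},
    # Unrelated activity that must not be flagged:
    {"block": 250, "kind": "burn", "addr": "0xUSER_C", "amount": 300},
    {"block": 400, "kind": "mint", "addr": "0xTREASURY", "amount": 45500},
]


def supply_delta(events):
    """Net change in total supply; zero means a supply-only check stays silent."""
    return sum(e["amount"] if e["kind"] == "mint" else -e["amount"] for e in events)


def find_balance_relocations(events, max_block_gap=50):
    """Return (burned_addr, minted_addr, amount) for each burn that is matched
    by a mint of the identical amount to a different address within
    max_block_gap blocks. Each mint is matched at most once."""
    ordered = sorted(events, key=lambda e: e["block"])
    mints_by_amount = defaultdict(list)
    for e in ordered:
        if e["kind"] == "mint":
            mints_by_amount[e["amount"]].append(e)

    used, pairs = set(), []
    for burn in ordered:
        if burn["kind"] != "burn":
            continue
        for mint in mints_by_amount[burn["amount"]]:
            if id(mint) in used or mint["addr"] == burn["addr"]:
                continue
            if abs(mint["block"] - burn["block"]) > max_block_gap:
                continue
            used.add(id(mint))
            pairs.append((burn["addr"], mint["addr"], burn["amount"]))
            break
    return pairs


if __name__ == "__main__":
    print("supply delta of first four events:", supply_delta(EVENTS[:4]))
    for src, dst, amount in find_balance_relocations(EVENTS):
        print(f"ALERT: {amount} destroyed at {src} and recreated at {dst}")
```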
The breach was discovered within several hours thanks to the “rapid response” of the KICKICO community and “coordinated team work,” allowing KICKICO “to regain control over the tokens and prevent further possible losses by replacing the compromised private key with the private key of the cold storage.”
KICKICO emphasized that it will fully reimburse the owners of the 40 accounts with KICK and recreate the 40 wallets that were compromised.
The KICKICO smart contract breach resembles a successful hacking attack on Bancor on July 9. In the Bancor attack, hackers managed to take control of a wallet “used to upgrade some smart contracts,” enabling them to steal about 25,000 ETH, worth about $12.5 million, and about 230 million Pundi X tokens (NPXS) worth about $1 million.