COVER STORY: MUCH ADO ABOUT ICOS
In 2017, the many initial coin offerings (ICOs) available in the market presented an enticing opportunity for investors to fund start-ups powered by blockchain technology. However, as the number of offerings quadrupled within the space of a year, investors found themselves having to ascertain the credibility of these ICOs. All the more so, when the three-letter abbreviation is frequently mentioned in the same breath as the word “scam”.
An ICO is a way to raise funds using blockchain. Investors receive digital tokens that can be sold on an exchange or used to access the new product.
However, there are fraudsters who take advantage of the hype over these offerings to make easy money or pull pranks. A recent example is an ICO undertaken by Lithuanian start-up Prodeum in January that disappeared within a few days of its launch after raising just US$11.
Another example is Confido, a cryptocurrency start-up that raised nearly US$375,000 and then vanished in November. Such cases have occurred so frequently that Facebook banned ads related to ICOs and cryptocurrencies last month.
In Malaysia, two offerings have been shut down. Ecobit — allegedly a carbon credit project — attempted to launch an ICO last year, but was placed on Bank Negara Malaysia’s financial consumer alert list.
CopyCash Foundation, which planned to establish a social trading investment platform using the Ethereum blockchain, with CopyCashCoin as a standard Ethereum ER320 token used as either a subscription or commission token, was told to cease its ICO earlier this year by the Securities Commission Malaysia (SC). The regulator then issued a cautionary statement on ICOs, warning the public that such schemes may run afoul of securities laws.
Not all ICOs are tarred with the same brush, however. The most notable success is Ethereum, which raised up to US$18 million four years ago and is now the second largest cryptocurrency in the world. Others such as Bancor and Filecoin have raised a considerable amount of capital. But as they are still in the early stages of development, the jury is still out on them.
Regulators around the world have taken steps to halt suspicious ICOs. South Korea and China banned these offerings last year while the US has ruled that ICOs are to be regulated as securities.
But before the regulators take action, how can investors determine whether an ICO is genuine? This is becoming more crucial as their popularity will probably not abate anytime soon. Even though bitcoin prices have declined more than 50% from their peak last December, in January ICOs still raised the highest amount of funds since last October, according to cryptocurrency website Coinist. Last year, ICOs raised up to US$3.8 billion globally, exceeding that raised by venture capital funds.
According to a report by advisory firm Ernst & Young (EY) last month, the lack of fundamental valuation and due diligence by potential investors has led to extreme volatility in the ICO market. Unlike initial public offerings (IPOs) of company shares, where valuations are based on the company’s revenue and customers, typical ICOs have no customers, revenue and, oftentimes, no working product. The valuations are based on its white paper that describes the product, which can be risky and speculative due to the lack of concrete data.
Bobby Ong, founder of cryptocurrency ranking website CoinGecko, suggests that retail investors avoid investing in ICOs. “The ICOs that you see are the successful ones. A lot of them do not do well or run away with the money. Only investors who truly understand cryptocurrencies should even consider ICOs,” he says.
While regulators globally have halted many ICOs, their ability to trace the money raised or freeze investor funds held in a virtual currency is limited. That is because traditional financial institutions are not involved in ICOs, so there is no central authority that collects user information. And most ICOs are global in nature, according to the US Securities and Exchange Commission (SEC).
“There are dozens of ICOs launched every day, and 80% to 90% of them are questionable. When it is a bull market, everybody makes money. But when things get tough, it can be a bloodbath. This thing can fall anytime because of announcements by governments about investigating exchanges. It is very sentiment-driven and events-based,” says Ong.
Rene Bernard, a committee member of the Access Blockchain Association (Malaysia) and CEO of LuxTag Sdn Bhd, agrees. “It is like a friend offering you a cool idea and asking you to give him money now in return for a voucher for future delivery. You do your due diligence and take on the full risk. You cannot expect any support or protection from the government. The responsibility has shifted from the regulator to the individual investor and people need to accept that,” he says.
Most start-ups fail, he points out. And since ICOs invest in start-ups, investors should expect them to be risky. However, there are some precautions they can take and questions they can ask when evaluating ICOs.
Understand the purpose
First, they need to ask why the start-up is choosing to launch an ICO. Is blockchain an essential part of its product? Does it require blockchain to work effectively?
If this idea can work without blockchain, why is it doing an ICO? Is it just to get money from the market? “If the idea cannot be executed without blockchain, it is interesting to us from a technological point of view,” says Ong.
Another question he asks is if there is a hard cap to the amount raised by the ICO. If there isn’t, his next question is, why would they need to raise so much?
“That is what happened to Tezos. It opened its ICO for two weeks and raised US$230 million. It is a better sign if there is a hard cap because with a smaller cap, there is a higher chance for it to increase in value later on,” says Ong.
The Tezos ICO in the US ended up in a class action lawsuit last November due to conflict between the founders and promoters of the project. The proceeds from the offering are now part of the dispute and the tokens have yet to be issued.
Check out the team
Finding out the background of the ICO issuers is one of the most important steps for investors. Ong suggests that investors search for online profiles of the founders on sites such as LinkedIn and Twitter as well as review previous projects they have worked on.
However, it can be difficult to find information on the founders and advisers of projects. The scarcity of information itself can be seen as a red flag. The data can also be faked.
Prodeum, for instance, listed a few individuals as its advisers. But the listed “advisers” later denied their involvement in the project and said they were victims of identity theft. Ethereum founder Vitalik Buterin also issued a warning on Twitter for people to be aware of ICOs citing his name.
“I admit it is not easy to research people behind crypto projects. Everyone brands themselves as an expert these days. I rely on what I have read about people in the news, seen in talks or who have worked on other notable crypto projects before. I also use LinkedIn to see their previous work experience to see if they worked in a notable company before doing the ICO,” says Ong.
“Icobench.com/people does a good job compiling the people behind ICO teams and allows you to see which other projects they are associated with. But I wouldn’t use it as a main barometer as it is easily hyped up and a person that has many projects may not necessarily be good. Also, a person may be associated with 20 projects, but if even one of those projects is questionable, their reputation is ruined.”
Robin Lee, founder and CEO of HelloGold Sdn Bhd, says investors should be able to approach the founders and ask any questions they want. He launched an ICO for HelloGold in Singapore last year, and says investors frequently contact him through messaging channels.
“We are talking to our investors on a 24/7 basis because they are always pinging us on Telegram, WhatsApp and WeChat. If you want to participate in the space, read the white papers, check out the team, ask the right questions and make sure you are satisfied with the answers,” he adds.
Lee’s profile can be found online. He was a manager at the SC for five years and chief financial officer of the World Gold Council for four.
“There are projects underway to authenticate people in the blockchain space. Now, you have to rely on the usual sources and triangulate from LinkedIn, Facebook, social media commentary and messaging groups. And, hopefully, be able to differentiate the real from the made up,” says Lee.
Read up on warnings from regulators
Many regulators have issued guidelines and warnings regarding ICOs, including advice for investors. The prevalent view is that ICO tokens can be viewed as securities and placed under the purview of existing laws.
The US SEC’s decision to regulate some ICOs as securities was triggered by the Decentralised Autonomous Organisation’s (DAO) offering last July. If the regulator deems an ICO to be a sale of securities, it requires the ICO to be registered with the SEC unless it has an exemption. Most exemptions are only for accredited investors and registration information for ICOs and its issuers can be checked online. The regulator also warns investors to check if the blockchain is public, whether the code has been published and if the issuer has had an independent cybersecurity audit.
The Monetary Authority of Singapore has similar views on some ICO tokens being issued as securities. It issued a “Guide to Digital Token Offerings” last November, which highlights when ICO tokens are to be considered securities through several case studies.
For example, if a company issues ICO tokens only for its investors to use its services — with no other rights or functions — they are not viewed as securities nor do they fall under the related regulations. However, if the tokens represent a share in the company or are part of a collective investment scheme, then the company needs to comply with existing laws.
Malaysia’s SC issued a statement last month stating that ICOs may trigger regulatory requirements under existing securities laws. The regulated activities include fundraising, fund management and dealing in capital markets. The regulator prohibits ICO operators from taking deposits or carrying out any form of banking, foreign exchange administration activities and remittances without authorisation.
Read the white paper
The best way to know what the start-up is attempting to offer is to read its white paper. It usually provides information on the founders, the company’s goals and the timeline to achieve them as well as a description of the product and how the technology works.
One thing Ong looks out for when reading white papers is the risk disclaimer. “If a lawyer has read through a white paper, there are pages and pages of risk disclaimers. If there is no risk disclaimer, the team probably has not made the effort to contact a lawyer or the lawyer is pretty lousy. That sends a signal to me that the team probably doesn’t care enough about it or wouldn’t pay a lawyer to check these things. But it does not mean that when you have all these things, the token will perform,” he says.
Lee says that in HelloGold’s white paper, he included information on its business plan as well as strategies to reach out to customers and potential competitors. “You should give as much information as you can. The kind you would normally provide a traditional investor. If you don’t, it means that you are hiding something or that your idea isn’t fully thought out.”
Some ICO operators also provide a sample code, either on its website or in the white paper for review. “There is usually a GitHub-type link so that people can look at the coding and comment on it. What’s really interesting in this space is when it first started, they opened the books up, literally, rather than keep everything secret. I think that is the right thing to do. People should be as transparent as they can without breaching confidentiality agreements,” says Lee.
Beware of hacking risks
According to the EY report, more than 10% of ICO funds are lost or stolen in hacker attacks, amounting to almost US$400 million. The hackers target ICOs and cryptocurrencies because of the irreversibility of blockchain-based transactions and basic coding errors that can be exploited.
Some common methods of theft are via phishing, site hacking, accessing private keys and wallets and hacking stock exchanges. The recent heist at Japan-based cryptocurrency exchange Coincheck is an example. Up to US$530 million was stolen from users. DAO’s ICO in 2016 was perhaps the most infamous ICO hack, with US$50 million of ether (the Ethereum cryptocurrency) lost. According to several reports, the hackers may have exploited weaknesses in the coding.
When Lee was raising funds through his ICO, he experienced many hacking attempts, but none were successful. “I have a good tech team. We did penetration testing a couple of times and we didn’t have (working) links to our addresses,” he says.
“If you put links of the address on the website, then people can come and replace your link with theirs. It becomes ‘e3’ as opposed to ‘e’, for example. And when you send your money there, it is gone.
“This can happen in many ways now. On Slack channels or social media platforms, they could say HelloGold is offering a discount for the token, and if you send it to this address, you will get the discount. This happened to us. We have an automated message sent out every hour to say we never simply publish our address.”
Instead, HelloGold only reveals its address to verified users with safety mechanisms in place.
Ong recommends that investors use a private wallet with keys to store the ICO tokens. There have been cases where investors lost their ICO tokens stored in exchanges because these exchanges recognise the tokens.
“You need to store it in a hardware wallet to be safe. For example, if you have ether in your Coinhako wallet, you can’t just send it to the ICO address. You need to send it from a wallet where you control the private key, which could be myetherwallet.com,” he says.
But investors have to be mindful of the web addresses they are directed to. Some investors of an ICO launched by CoinDash last year lost millions of dollars when a hacker changed the address of the ICO and led the donations to another party.
“There are a lot of phishing attacks. If you just search on Google, maybe the first advertisement is a phishing website such as myetherwallet.co or myethereumwallet.com. And when you click on it and put in your password, it is a fake website and it steals all your coins,” says Ong.
“These things happen on a daily basis. People forget that cryptocurrency is a decentralised system. In cryptocurrencies, once you lose your coin, it is gone forever — transactions are one way.”
Learning how to buy and keep cryptocurrencies is something investors should master before investing in ICOs.
Outlook for ICOs
Despite all the volatility and risks associated with ICOs, Bernard, Ong and Lee hope that the regulators will not slap heavy-handed regulations on them or the cryptocurrencies. These offerings are still viewed as a form of fundraising for start-ups that often do not have other sources of funding. They also allow investors to take part in building these start-ups — an opportunity usually open only to high-net-worth individuals.
Lee says ICO investments could come with clear warnings, as do cigarettes, about their risks. “You can create something that says on every website, ‘These are very risky investments and you are likely to lose all of your investment.’ The white papers can have watermarks with these warnings,” he adds.
“I think ICOs are a great opportunity from a financial inclusion perspective. Imagine if you were given the opportunity to invest in Google or Tencent when it was just an idea. You could have invested a thousand or two thousand dollars, but you never got the chance because you either had to be within that circle or part of a venture capital firm. ICOs enable investors anywhere in the world to participate in very early-stage investments.”
After an eventful year, Bernard expects the hype about ICOs to tone down slightly this year. “I think the hype peaked last year. So, we expect more serious projects and investors to be more diligent. I think the number of projects will slow down and the number of serious projects will go up and adhere to the regulatory environment,” he says.
Ong, on the other hand, thinks ICOs are not suitable for everyone. “It is not suitable for the average guy. You may read the white paper, but these guys can still take your money and run. And there is not much you can do about it.”
“Some of these guys are incorporated in the Virgin Islands. Do you have the money to hire a lawyer and sue them? Just like Tezos, a bunch of people banded together and took out a class action lawsuit against the foundation in Switzerland. It has been a few months already and the lawsuit is still stuck there.”