Experty's Initial Coin Offering (ICO), also known as a token sale, is designed to raise funds for a "Skype-like voice and video application" which could also take secure payments through the Blockchain.
Experty's ICO is expected to launch at the end of this month. As first reported by Bleeping Computer, an unknown threat actor sent fraudulent pre-ICO messages to Experty users who had signed up for announcements.
These phishing messages, while littered with poor spelling, urged users to invest within 12 hours to receive bonus Experty tokens (EXY) in exchange for their Ethereum.
The phishing email also contained a wallet address which is not associated with the company.
It appears that many fell for the scam. While the wallet is now empty, a total of 74 transactions in ETH worth roughly $150,000 have been made in the last few days.
Experty uses the Bitcoin Suisse service for handling token sales and so any transfers to this wallet are outside of the firm's control. In addition, it is possible that more than one wallet was used during the phishing scheme.
However, this does not mean the company is without fault. According to a statement posted on Medium, the hacker was able to find out the email addresses of Experty users as "one of [the company's] reviewers was compromised and hackers gained access to some information about users."
The information was stolen by compromising a PC belonging to a team member that was involved in conducting an Experty PoC (Proof-of-Care) review.
In a new company statement, Experty has made a gesture to those who fell for the scam by promising to reimburse them for their losses. The company said:
"We are greatly saddened by the recent email scam that has targeted our community due to [the] recent data breach. We will be contacting the victims that are in our database in order to distribute the proportional amount of EXY tokens to them, including the bonuses for their tier, from our company allocation.
If someone wishes to receive ETH instead, we ask them to please contact us privately about this."
Any Ethereum sent to the attacker's wallet after the time of this announcement -- 21.30 UTC -- will not be refunded, to prevent "people purposely sending money to the scam address to receive EXY tokens," according to Experty.