the scam continues with a "refund" scheme.

Suppose a malicious address is marking 1000 addresses as scam sending 1 finney for each address. In turn each of the wrongly-marked addresses are flagging the malicious address as scam are sending 1 finney each to mark the single malicious address, the number of SCAM_STAMP tokens associated with the malicious address will be at least 1000 times greater than any of the maliciously-marked addresses.

the balance of SCAM_STAMP tokens of each address is merely an index of untrustworthiness given by the community.

In order for the SCAM_STAMP tokens to be removed from one's balance, a 10 finney per token fee must be paid to ForgiveMe function, all finneys will be sent to whoever marked the address as scam. So if you want your address to be trusted, you would have to pay the fee to the community.

In the example above, the attacker would have to pay, after the attack, at least 10 ether for the trouble that it made (as the community reacted and fine it with an amount of SCAM_STAMP tokens)

Scam_Stamp Token
ScamStamp contract
0x14639c7De58E8f2c714337Cf242FA9D26d568665
https://scamstamp.com/
Motivation
The blockchain technology, as good as it is, it has some downsides. Being decentralized,
where no one entity has the ultimate power, everybody's looking at the state of the blockchain
as the current state of wealth, but there isn't any mechanism in place for reverting transactions
that have happen.
Monetary systems work because people trust a third party to provide the wellness of the
system, meaning that the there's always one way to take back the money that one has spent if
the goods / services that were received weren't the ones that were paid for.
In a decentralized monetary system, like Ethereum, there is no third party to give liability to
each party of a transaction, there are only INs and OUTs for which nothing is being accounted
for.
In a world of ever growing ICO's and promises that projects that receive funds to some
address are going to change the world for better (or worse), there hasn't been a good way to
mark those addresses as SCAM so that, people that have been burned can request their funds
back and those that haven't yet fell into the "investment" traps can check if it's safe to send
their ether to.
Solution
Scam_Stamp Token is created to flag addresses as SCAM, so that everybody knows that
funds available to an address have been gathered by scamming other people and they are not
trustworthy.
Scam stamping can be done by any address and can be applied to any address. Once an
address receives these tokens it has been marked as SCAM which means it owes ether to
other addresses, the only way to remove the balance of SCAM_STAMP tokens is to give back
the amount owed, as the only address that can transfer these tokens is the contract address
that owns the Scam_Stamp Token.
There is a 2% brokerage fee, but the rest of the funds are sent back to the people.
Scam_Stamp Tokens represent debt of one address to many, the ScamStamp contract is the
proxy used to transfer those funds.
Scammed addresses now have a chance to get back the ether that they've lost in scammy
ICOs or transactions that haven't been been fulfilled by both parties (you've sent as payment
some ether for an object that you have to receive, but it was never sent to you. Marking the
address as scam could bring back the ether that you have lost).
How does the contract work?

The principle is simple, mark an address as scam along with 10% of the amount that the
address has scammed you for. The scammer receives SCAM_STAMP tokens ( 1 token for
every 1 finney that you've sent).
For the scammer to lose the SCAMP_STAMP tokens that you've sent to it, it must pay to the
Scam Stamp Contract ( 0x14639c7De58E8f2c714337Cf242FA9D26d568665 ) 10 finney per
token. All the ether sent to ForgiveMe function by the scammer will be distributed to all people
that marked it as Scam (in the order that the MarkAsScam actions are received). Once
everything is repaid, any excess amount that was sent by the scammer to ForgiveMe function
will be sent back to it.

Fairness
For the contract to be fair and for flag-by-mistake issues to be resolved a ForgiveIt function
exists, where if one address has been marked as scam the flagger can forgive it. The amount
that was initially sent with MarkAsSpam function will be sent back to the flagger (minus the 2%
contract fee).
If the address that has been flagged is a contract that can't send/call functions on other
contracts, a ForgiveMeOnBehalfOf function exists where anybody can pay any scam-flagged
address.

Conclusions
The contract is created to give a mechanism of reverting transactions inside the Ethereum
blockchain. Even though you can't force an address to send you back money, you can mark it
so that other's will know that isn't safe to send ether to it.
Even though there isn't a way to enforce an address to pay back any amount to any address,
nobody likes to be a Stigmata.

it has been rebranded into SCAM_STAMP https://scamstamp.com - new contract, same rules
https://etherscan.io/address/0x017a5d8d82afaa22bc29d75013d6ff3656e90851

one address already marked as SCAM

https://scamstamp.com/ziberScamMarked.png

they've started to send out some ZIBER tokens to all participants in the ICO.
The address https://etherscan.io/address/0x67f1488827146bf4dc9b1a0740b64299ea24ff00 has been marked with some SCAM_STAMP tokens
https://scamseal.com/ziberScamMarked.png

https://scamstamp.com

Here's one contract for anti-scamming. It works by sending false ERC20 tokens named SCAM_STAMP to the address that you want to mark as scam.

To mark an address with 1 SCAM_STAMP token cost 1 finney, if the scammer wants to lose these tokens they have to pay 10 finney per token which goes to the address (addresses) that marked it as scam.

so let's say you've sent 2 ether to some address that scammed you, you can send 0.2 ether to MarkAsScam function of the contract https://etherscan.io/address/0x017a5d8d82afaa22bc29d75013d6ff3656e90851 which will send 200 SCAM_STAMP tokens to that address. In return, the scammer, if it wants to lose the tokens, they will have to pay 2 Ether (which will go to you) to lose those 200 SCAM_STAMP tokens (there's a 2% contract fee).

Also, before sending any ether to a contract, you could check this contract if that address was already marked as scam or not (that's free to do )


edit: rebranded into SCAM_STAMP , sounds better

Okay, so there's all this KYC on every exchange, and we all submit proof of our existence, isn't this something that one would use when something like this happens?

The address that sent the money to the address that withdrew the funds from the ICO is:  0xb9e924bD912325d3a4d44C3035382B3763184CCD which got a deposit from Bittrex.

Or is the KYC only for anti-pot money?

The actual vulnerability isn't the one stated in the announcement made by Ziber user.

The attacker firstly restarted the Crowdsale by calling the Crowdsale function
https://etherscan.io/tx/0x21d1093cd6014d8ed543c1d8e9f72f904284fb77aaa9296a1f792b745f2785a1
as we see in the Crowdsale function which can be called by anyone the owner becomes the person who is calling the function, pretty simple hack, lol.

function Crowdsale(address _token, uint _start) {
    require(_token != 0);
    require(_start != 0);

    owner = msg.sender;
    token = ZiberToken(_token);
    startsAt = _start;
  }

then just a call to Withdraw function (https://etherscan.io/tx/0xb7f0d837a10028271d7177e86b595b266302f1bc65c9db5cd7a6d48740c2c4de) and there goes 1000 ether