A hacker has reportedly stolen over $7 million in a matter of minutes from would-be investors, through what seems to have been an incredibly simple method. For days, online trading platform CoinDash was working hard on drumming up interest amongst people wanting to embrace the Ethereum cryptocurrency, using social media to let them know that its Initial Coin Offering (ICO) would be starting on Monday 17 July.
As cryptocurrency fans flooded to the CoinDash site to participate in its Initial Coin Offering (ICO) at 13:00 GMT yesterday, many of them probably didn't realise that the Ethereum address the website told them to send their funds to was actually under the control of a malicious hacker. It only took three minutes for someone to realise that the CoinDash site had been hacked, and that it was telling investors to send their money to the wrong address - but already over $7 million had been stolen.
To give the hacker some credit, they showed impeccable timing when it came to choosing when to modify the contents of the CoinDash site. CoinDash acknowledged that it had suffered a security breach in a statement published on its website:
Dear CoinDash contributors, It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack $7 Million were stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants and we are grateful for your support and contribution. CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly. Transactions sent to any fraudulent address after our website was shut down will not be compensated. This was a damaging event to both our contributors and our company but it is surely not the end of our project. We are looking into the security breach and will update you all as soon as possible about the findings.
There are, of course, going to be plenty of people feeling that they have been stung badly by what has happened, and regretting that in their rush to participate in the CoinDash Token Sale they have ended up out of pocket. Understandably, some are demanding refunds - although it remains to be seen what CoinDash is going to do to regain customer trust and confidence. Others, as Motherboard reports, have even taken to online forums questioning whether CoinDash was really hacked, or whether the whole "hack" is a cover story for a scam - although there is no evidence to support this theory. CoinDash is asking customers who sent ETH to the address controlled by the hackers to fill in an online form with details of the transactions they made. If this alleged hack proves anything it underlines that you're only as secure as your weakest link. In this case, it wasn't the mathematics behind a cryptocurrency which was at fault - it appears to have been a failing in basic website security. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
