Hacker diverts website's wallet address to his own and rakes in over $7 million worth of Ethereum.
CoinDash is a social trading platform for crypto-markets.
The hack took place on Monday, just a few minutes after CoinDash launched its ICO (initial coin offering) in an attempt to raise funds in the form of the Ethereum crypto-currency. In an ICO, a company raises funds from contributors and issues tokens to them in return.
According to the company, the hacker was able to take over the official website only three minutes after the ICO began and replaced the published wallet address with their own. As a result, contributors sent over $7 million to the attacker-controlled address.
When the hack was discovered, the website was immediately shut down and the company posted warnings on its Twitter account informing users of the issue. It also posted an official statement on the website to provide additional details on the matter.
The company says it managed to gather around $6 million before the hack happened. It also announced that it would issue tokens not only to the people who sent these funds, but also to those who ended up sending their money to the hacker's wallet.
“The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants and we are grateful for your support and contribution. CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly,” the company says.
However, CoinDash said that it would not compensate users who sent funds to the fraudulent address after the website was shut down.
At the moment the hacker's wallet shows a balance of 43,488 Ethereum, currently worth around $8.1 million. CoinDash suggested that around $7 million of these funds were sent in by its users, but the amount could be higher, as some users might have sent funds after the hack was discovered.
“During the attack $7 Million were stolen by a currently unknown perpetrator. […] We are still under attack. Please do not send any ETH to any address, as the Token Sale has been terminated,” the company notes on its website.
CoinDash says it is currently investigating the breach and will provide more details once more is known. The company also posted a form for those who sent money to the hacker to complete.
The incident is yet another reminder that “blockchain technology in isolation cannot assure additional security,” but in fact increases risks, High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek in an emailed comment.
“Many users, fooled by investors and so-called serial entrepreneurs, blindly believe that blockchain, particularly crypto-currencies, can make a digital revolution and provide an ‘unbreakable’ security. Unfortunately, this assumption is wrong and leads to a very dangerous feeling of false security. Blockchain technology can assure a very high level of data integrity, but we need to remember the numerous intertwined layers of modern technology stack, where one breached system or host can put the entire structure at risk,” Kolochenko said.
“Victims of this hack are quite unlikely to get their money back as, technically speaking, it's virtually impossible. Moreover, law enforcement won't be able to help either in this case, except if it is an insider attack that can be investigated and prosecuted,” he concluded.