More than $7m was stolen by hackers on Monday from folks investing in a cryptocurrency startup.
Israel-based CoinDash – which bills itself as an "an operating system" for "interacting, handling and trading crypto assets" – launched what's called an initial coin offering. This is a process in which people buy virtual tokens from a fledgling biz, such as CoinDash. These tokens are vital to whatever service the company is offering. As the startup grows, these tokens are supposed to increase in value. Buying the tokens early is akin to buying shares during a normal business's IPO. It's a way of crowdfunding investment.
Well, on Monday, $7m of that investment, all in the Ethereum cyber-currency, went not to CoinDash in exchange of tokens, but to hackers, it's claimed. Security and financial technology experts voiced concerns that this latest online heist only serves to undermine confidence in digital currency trading platforms.
The thieves changed the Ethereum address for the initial coin offering address to their own money store after hacking CoinDash's site, the startup said. In the process, the crooks were able to trick backers into sending Ethereum digital cash to an account under their control before the assault was detected and the plug was pulled on the scam.
In a statement on its site, CoinDash admitted the infiltration, and said that victims tricked as a direct result of the website hack will be compensated in CoinDash tokens. More than half the funds paid by supporters went into the pockets of as yet unidentified cybercriminals.
It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack, $7 million were stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 million from our early contributors and whitelist participants and we are grateful for your support and contribution.
CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly. Transactions sent to any fraudulent address after our website was shut down will not be compensated.
This was a damaging event to both our contributors and our company, but it is surely not the end of our project. We are looking into the security breach and will update you all as soon as possible about the findings.
CoinDash added that it was still under attack. "Please do not send any ETH [Ethereum] to any address, as the Token Sale has been terminated," it warned.
Tracking down the cybercrooks will be a battle of technical skills between attackers and those hoping to catch them, according to security experts. "If the hackers mess up, they can be traced, but smart hackers could cover their tracks – unless smarter hackers later uncover those tracks," Rob Graham of Errata Security told El Reg.
Mikko Hypponen of F‑Secure added: "If they cash in (and don't think through how to do it right) they can be found. Not holding my breath."
Even tracking down the criminals won't undo the damage already done to CoinDash, which has joined a growing list of hacked or otherwise compromised digital trading platforms.
Brian Honan, founder of Ireland's CSIRT and a special advisor on internet security to Europol, told El Reg: "This not being the first loss incurred by a platform, it will no doubt undermine the trust and confidence in those platforms, making many much slower to adopt digital currencies."
Fintech and payments technology guru Neira Jones agreed that the CoinDash hack is not going to have a good effect on confidence.
Adoption at risk
Kyle Wilhoit, senior security researcher at DomainTools, added: "I think this type of attack goes to show even cryptocurrency trading systems can fall prey to attackers. I think this type of incident only helps to slow the progressive growth and adoption of cryptocurrencies."
"While this may be considered isolated, these types of incidents prove that there are still serious security flaws with how some systems manage and trade cryptocurrencies. Ultimately, CoinDash has mentioned that 37,000 Etherum ($7,803,194 USD equivalent) were stolen during this attack, making it a significant event," he added.
Insurex, another trading platform, suffered a similar problem last week after hackers hijacked a Twitter feed to post fraudulent messages about pre-sales, directing marks to send digital cash into an account controlled by the crims. Insurex responded by warning punters to be wary of followup scams.
Elsewhere, South Korean police are probing an online subversion attack detected last month on Bithumb – one of the world's biggest Bitcoin exchanges – that exposed the personal details of thousands of traders. ®