ICOs can funnel in thousands and sometimes millions of dollars within a short span of time given the recent craze surrounding Ethereum, which makes the CoinDash hack even more puzzling. The company posted its Ethereum address on its website and encouraged investors to start sending in their ETH.
However, hackers had something else in mind — they instead changed the Ethereum address to their own, meaning that money that was intended to go straight to CoinDash was instead directed to another unassociated account. It was a rather simple hack and one that netted the website hackers over $7 million in ETH.
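One defender-side control for the failure mode described above, as an added example that is not from the article or from CoinDash: a monitor that pulls the published page and compares the address it actually displays against a value pinned out of band, alerting if the pinned address disappears or any other address shows up. The addresses and HTML snippets are constructed placeholders, not the real CoinDash or attacker addresses.

```python
import re
import urllib.request

# Constructed sample data: a pinned contribution address and two page snapshots,
# one clean and one with the address swapped the way the article describes.
PINNED_ADDRESS = "0x1111111111111111111111111111111111111111"  # placeholder, not a real address
CLEAN_PAGE = "<p>Send ETH to <code>0x1111111111111111111111111111111111111111</code></p>"
TAMPERED_PAGE = "<p>Send ETH to <code>0x2222222222222222222222222222222222222222</code></p>"

# A 20-byte Ethereum address is '0x' followed by exactly 40 hex digits.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def extract_addresses(html: str) -> list:
    """Return every address-shaped string on the page, lower-cased so that
    EIP-55 mixed-case and all-lower-case renderings compare equal."""
    return [m.group(0).lower() for m in ADDRESS_RE.finditer(html)]


def check_page(html: str, pinned: str) -> dict:
    """Compare the addresses shown on a page against the pinned one.

    'expected_present' is whether the pinned address is still displayed,
    'unexpected' lists any other address on the page (there should be none
    on a contribution page), and 'alert' is True when either check fails.
    """
    pinned = pinned.lower()
    found = extract_addresses(html)
    unexpected = sorted({a for a in found if a != pinned})
    expected_present = pinned in found
    return {
        "expected_present": expected_present,
        "unexpected": unexpected,
        "alert": (not expected_present) or bool(unexpected),
    }


def monitor(url: str, pinned: str, timeout: float = 10.0) -> dict:
    """Fetch the live page and run check_page on it (network access assumed)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return check_page(html, pinned)


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, check_page(page, PINNED_ADDRESS))
```

Run `monitor()` on a schedule from a host other than the web server, so an attacker who can edit the page cannot also silence the check.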
CoinDash posted an update to its website, writing:
It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack $7 Million were stolen by a currently unknown perpetrator.
Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly. Transactions sent to any fraudulent address after our website was shut down will not be compensated.
This was a damaging event to both our contributors and our company but it is surely not the end of our project. We are looking into the security breach and will update you all as soon as possible about the findings.
Etherscan puts the heist total at $8.3 million based on the current value of ETH (which is hovering around $191 this morning) and the 2,134 transactions that took place from the time the hack was in place until the time it was shut down.
While CoinDash sees this as a security breach, and a rather embarrassing and costly one at that, others are not so sure. In fact, some redditors are crying foul, saying that this was likely an inside job on the part of CoinDash to “take the money and run”.
In fact, a few redditors claim that they warned CoinDash of potential security issues, only to be rebuffed days before the hack took place. “I literally told the CoinDash people this in their main slack on the 14th, and was told I was making ‘false assumptions’,” writes dillon-nyc. “Arrogance and security by obscurity always seem to go hand in hand.”
Souptacular was more blunt, writing, “Is there any proof that this was a hack? What if Coindash put an address in and then cried hacker to get away with free ETH?”
It seems a bit premature to cite “inside job” this early in the game, but all signs are pointing more towards a pretty craptacular approach to website security and disclosure practices that resulted in this heist.