CoinDash ICO Hack: $7 Million Stolen - How Did This Happen And What Now?


ICOs have been the talk of the town lately, and some projects managed to raise hundreds of millions of dollars during their crowdsale.
But this can also go wrong:

During the recent CoinDash ICO, hackers managed to steal Ether worth $7 million.

Initially, the ICO was set for a period of 28 days, with a limit of $12 million.

But only 13 minutes after the start of the token sale, an unknown hacker managed to work his way into the system and replace the ETH address on the website with a fake one.

As a result, ETH worth $7 million was sent to the hacker's address - although the company still managed to raise about $6.4 million from early investors.

“It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event. During the attack, $7 mln were stolen by a currently unknown perpetrator. The CoinDash Token Sale secured $6.4 mln from our early contributors and whitelist participants and we are grateful for your support and contribution.”


This event will remind many of the DAO hack last year, where hackers managed to steal over $50 million.
The DAO hack was followed by a lot of criticism and press, and had a very negative influence on the cryptocurrency market as a whole.

Despite the attack, CoinDash still promised to compensate for the loss and to give out tokens to everyone who sent funds to the hacker's address.

The company stated that they are wholly responsible for the attack and apologized to their contributors.

"CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly"

A screenshot from Etherscan, showing the stolen transactions and their value


It's great to see that the company is taking responsibility for their lack of security measures - after all, a hack like this could have been prevented.

Nevertheless, this event took a huge toll on both the company's financial situation and its relationship with its customers.
But CoinDash remains positive and stated that they will continue with their work as normal.

"This was a damaging event to both our contributors and our company but it is surely not the end of our project."

How was an attack like this possible?

CoinDash itself has not released a statement about the cause of the hack yet.
But there have been some assumptions posted from a social media account:
Wu Guanggeng, COO of Chinese mining pool Bixin, assumes that the breach might have been made via the domain name server provider. According to CoinDesk, he indicated that "his source for the information was a WeChat official account that publishes cryptocurrency news for subscribers."

That WeChat account suggested that the hacker first cloned the website CoinDash.io using a fake contact address, to create a website that looks almost identical to the real one.

Then, he might have contacted the DNS provider using the registered email to request that the traffic be redirected to his fake site.


... And how could this have been prevented?

Critics say that the company shouldn't have simply published an ETH address on their website.
That makes it way too easy for hackers to simply replace that address with their own.
Instead, CoinDash should have set up a smart contract like most ICOs do.
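
One way to catch the address swap described above, as an added example that is not part of the original post or CoinDash's own code: a Python check that extracts every Ethereum-style address from the served HTML and compares it with a set pinned out-of-band. The addresses, the sample pages and the `audit_page` name are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed placeholders, not real sale or attacker addresses.
GOOD = "0x" + "aB" * 20
ROGUE = "0x" + "99" * 20

# 0x + exactly 40 hex digits; the lookarounds skip 64-digit transaction hashes.
ADDR_RE = re.compile(r"(?<![0-9a-fA-F])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")


class AddressCollector(HTMLParser):
    """Collect address-shaped strings from text, scripts and attribute values."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = {}  # lowercase address -> places it appeared

    def _scan(self, text, where):
        for match in ADDR_RE.finditer(text):
            self.found.setdefault(match.group(0).lower(), []).append(where)

    def handle_starttag(self, tag, attrs):
        # Copy buttons, QR generators and links carry the address in attributes.
        for name, value in attrs:
            if value:
                self._scan(value, f"<{tag} {name}>")

    def handle_data(self, data):
        self._scan(data, "text")


def audit_page(html, pinned):
    """Compare every address served in `html` with the out-of-band pinned set."""
    collector = AddressCollector()
    collector.feed(html)
    collector.close()
    pinned = {addr.lower() for addr in pinned}
    unexpected = {a: w for a, w in collector.found.items() if a not in pinned}
    missing = sorted(pinned - set(collector.found))
    status = "TAMPERED" if unexpected else "ADDRESS_MISSING" if missing else "OK"
    return {"status": status, "unexpected": unexpected, "missing": missing}


# Constructed sample pages: the second shows the right address but copies another.
CLEAN_PAGE = f'<p>Send ETH to <code>{GOOD}</code></p>'
SWAPPED_PAGE = (f'<p>Send ETH to <code>{GOOD}</code></p>'
                f'<button data-clipboard-text="{ROGUE}">Copy</button>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("swapped", SWAPPED_PAGE)):
        print(name, audit_page(page, {GOOD}))
```

Feed it the HTML as fetched from outside the hosting network, so that a change made at the DNS or hosting layer rather than on the origin server is also seen.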

What consequences will this event have?

Obviously, most ICO providers will now re-check their security measures to make sure something like this won't happen again in the future.
We can also be sure that a lot of negative press will follow this event, especially from mainstream media and cryptocurrency critics.
Many people have been criticizing ICOs and were only waiting for an opportunity like this to condemn the technology and claim that ICOs are not safe.
While most "insiders" in the crypto scene will know that this was an exception and has nothing to do with the whole concept of ICOs or even the security level of cryptocurrencies in general, it still reminds us how important it is to be aware of hackers at all times.


What do you think - did CoinDash handle the situation well? How will this hack affect the future?






© Sirwinchester



The only comparable thing between the DAO & the ICOs were the poor investors who regularly manage to get up the largest bounties in the whole of hacker history on (still) poor ETH code. People have learned nothing from Gox and the DAO, and will for sure not from ICOs - I mean, who invests a dollar in whitepapers and no product? ... simply no serious investor who knows what he is doing.

Yes, you have a point!
And hacking attacks like this will always occur again, because everybody thinks "oh it won't happen to me" ...

In fact that whole ICO stuff totally escalated.... there were people investing who should maybe at most hodl Bitcoin and understand what an investment means. Those who have, for example, no skills in coding, no network of people, or just want to make the quick buck should stay out of the whole crypto space :)

Whoa, I'm impressed they are still honoring all the contributions to the fake account with CDL. Right thing to do.

@sirwinchester - This will certainly undermine not only coin-dash's reputation but the faith of crypto enthusiasts in ICO security too. I know the effect will perhaps be temporary, but the crypto world could have done without this when the bloodbath in crypto is just getting over (?).. I am not enough of an expert to comment on whether coin-dash could have handled the ICO better by setting up a smart contract, but it does seem so from what I am reading from other experts. As to the aftermath, I think they are stepping up to protect customers' interests. The only issue is, how much damage has this $7M loss done to them, and will they be able to absorb it and move on?

Thank you for this article with an update on the security issue. Upvoted.

I request you to honor my blogs by a visit and comments if possible when you have time. I will feel extremely proud. Thanks

It was definitely bad timing with the crypto market crash last week. Good thing the prices are recovering at the moment.
And yes, I'm also interested to know how far this $7m loss will influence coindash as a company...

Big loss, now ICO has turned into ICU. Very sad news.

Am speechless, what a big loss. Am confused though, who bears this loss? Resteemed

Well since the company coindash promised that they will STILL reward every customer with tokens, even though some of them sent their payment to a fraudulent address, essentially coindash themselves have to come up for the loss.

SAD NEWS :(

What sad news

I haven't seen this story making many waves on any of the mainstream media so I don't think that the fallout from this will be as bad. People will try to blame the cryptocurrency. But really this wasn't any kind of technical problem. Human error allowed this. As people said, the simplest thing to do would just be to use a smart contract within the ether network. That aside, I doubt that CoinDash will be able to compensate these people. Only time will tell. The biggest thing is it will just remind companies doing these ICOs to be careful. Though I wouldn't be surprised if some people use this as an example/excuse to push for more regulations on ICOs.

Yes I totally agree. This could have been avoided, and making a big story about "the lack of security in ICO's" would be totally false (but still, I could have imagined some press writing things like that)

I could see it too. If it does pop up in mainstream media, we won't be surprised. I very much dislike how they try and vilify cryptos or present them as unsafe, when every situation like this has really been due to human error. Just more excuses to crack down on cryptos. Still, good article as always. Thanks for sharing.

We should be more careful....

How will they be able to afford to compensate users?

I'm not sure how exactly, but they are the ones who have to bear the loss, so they must have a plan. Either way, it will definitely be damaging to the company.

I am surprised that Ether is going up today.

Yes, Ethereum is already too strong of a currency itself to be set back by news like this. Also, since this attack was 3 days ago now, it seems like people are slowly getting over it.

Default position, blame the Russians if nothing else works.

In this industry and in any online venture in general, anytime you fucked something up or need to cut and bounce you blame it on a hacker. Server down? Hacker. Database entries altered? Hacker. Someone tripped over the cord? Hacker.

This is basic web security, nothing to do with cryptocurrencies. If you put up a bank account on your website and many people send money to it, you make yourself a target. Many people would want to replace your bank account number with theirs so they get the money. If they know there will be a large and fast sending of cash, this gives them incentive and time to find some security hole in your system.

If the hackers really did redirect the domain name to point to their own server, what kind of a hosting company was the CoinDash team using? Obviously the hosting company is an extremely important part of the security and if they didn't have a good one, how did people send them so much money? Don't they check for these things before investing lots of cash?

I don't know too much about smart contracts so I'd be curious to learn how they might get around these problems.

Yes I totally agree.
This has nothing to do with the security of ICO's or cryptocurrencies in general.
I just wrote that critics might use this as an excuse to talk negatively about the crypto markets.

The fact that they got hit with a simple bait and switch of their account numbers speaks volumes...

Bad for a start. I think they should look inwardly in finding out what happened and how.

This post has been ranked within the top 10 most undervalued posts in the second half of Jul 19. We estimate that this post is undervalued by $37.82 as compared to a scenario in which every voter had an equal say.

See the full rankings and details in The Daily Tribune: Jul 19 - Part II. You can also read about some of our methodology, data analysis and technical details in our initial post.

If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.

I just don't believe these things are coincidence ... something smells fishy

possible inside job or no? I'm always skeptical