It was bound to happen: after hundreds of millions in capital were raised through "Initial Coin Offerings", with the recently concluded Tezos coin offering raising a record $232 million in 2 weeks, it was inevitable that (at least) one would get hacked. On Monday morning, that's precisely what happened to CoinDash, a blockchain startup focusing on "cryptocurrency social trading and portfolio management platforms", which sent out an urgent warning to investors advising of a severe cyber security breach of its crowdfunding page.
Website has been hacked. — CoinDash.io (@coindashio) July 17, 2017
Apparently the hack involved replacing the legitimate address on the page with a fake one, to which "investors" were then sending their funds. The CoinDash warning reads:
This is an emergency message delivered to you in order to stop you from sending your money to an unauthorized ETH address. It seems like our Token Sale page was tampered and the sending address was changed. Please stop from sending your funds to any of the addresses until we say otherwise. We are currently examining the situation and will shortly send further instructions.
The site also issued a follow-up announcement:
CoinDashers, soon we will get the site back and release our official announcement about what just happened. Everyone who participate, both with the right & fraud address will get his CDT. Please be patient as we are trying to make things clear.
Less ambitious than the Tezos offering, the CoinDash Token Sale only started a bit earlier today (July 17th, 2017), and was supposed to last for 28 days or until the funds raised reach a $12 million hard cap.
This is what the ICO's bonus structure was supposed to look like:
- First day bonus – 30%
- First week bonus – 20%
- Second week bonus – 10%
- Rest of the Token Sale period bonus – 0%
However, it was not meant to be, and moments ago the startup tweeted that "The Token Sale is done, do not send any ETH to any address. Official statement regarding the hack will be released soon."
The Token Sale is done, do not send any ETH to any address. Official statement regarding the hack will be released soon. — CoinDash.io (@coindashio) July 17, 2017
Some background on this particular ICO and startup, courtesy of Finance Magnates, which recently conducted an interview with CEO Alon Muroch:
The Coindash platform will enable cryptocurrency investors to manage and analyze their portfolios, share insights about the market and display achievements, as well as copy-trade and receive trading signals.
Coindash’s current partners include CryptoCompare, Smith & Crown and RSK Labs, WINGS, ether.camp, Antshares and HyperChain Capital. Back in May 2017 Coinsilium Group Limited (NEX:COIN), the London-based blockchain venture investment fund, confirmed that it has completed its investment of $75,000 in Coindash.
The scammer’s address has been quickly tracked down: https://etherscan.io/address/0x6a164122d5cf7c840d26e829b46dcc4ed6c0ae48
While the monetary damages have yet to be confirmed, according to Etherscan it appears that over $7 million was already "stolen" in 2130 transactions, as a result of the address redirection hack.