Hacker Allegedly Steals $7.4 Million in Ethereum with Incredibly Simple Trick
Image: vchal/Shutterstock and Ethereum. Composite: Rachel Pick/Motherboard
A hacker has allegedly just stolen around $7.4 million worth of ether, the cryptocurrency that underpins the app platform ethereum, by tricking victims into sending money to the wrong address during an Initial Coin Offering, or ICO. This is according to a company called Coindash, which says its investors were sending their funds to a hacker.
On Monday, Coindash, which offers a trading platform for ether, was slated to launch its Initial Coin Offering. These are essentially crowdfunding drives that allow investors to own a stake in the app by buying digital assets called tokens. Initial Coin Offerings are an incredibly popular method of funding an app on ethereum, and some ICOs have raked in millions of dollars within minutes of going live. Even the silliest apps have been able to raise thousands of dollars in token investments during recent ICOs.
Coindash's ICO, like many others, launched simply by posting a string of text representing an ethereum address for investors to send money to on the app's website. However, mere minutes into what was supposed to be another successful ICO, Coindash warned that its website had been hacked and asked people not to send ethereum to the posted address.
It's still unclear exactly what happened, but it seems like the hack was incredibly simple: The hacker allegedly took control of the Coindash official website and changed the text on the site, publishing their own ether wallet address instead of Coindash's. When people went to "invest" in Coindash, they actually sent their ether to the hacker, not the company.
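As an added example (not code from the article or from Coindash), here is a page-integrity check that a project or an investor could run against a published crowdsale page to catch exactly this kind of swap: it pulls every Ethereum-looking address out of the HTML (visible text and tag attributes, but not HTML comments, so a commented-out original is reported as missing) and flags anything that differs from the address announced out-of-band. The addresses and HTML below are constructed placeholders, not Coindash's.

```python
import re
from html.parser import HTMLParser

# Address announced out-of-band (e.g. a signed tweet). Constructed placeholder.
EXPECTED_ADDRESS = "0x" + "ab" * 20

# 20-byte hex address with the 0x prefix; checksum case is ignored here.
ETH_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


class _TextExtractor(HTMLParser):
    """Collect visible text plus attribute values (href, data-*, value), where a
    defaced page might carry the address. handle_comment is deliberately not
    overridden, so addresses hidden in <!-- --> are not counted as present."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_starttag(self, tag, attrs):
        for _, value in attrs:
            if value:
                self.chunks.append(value)


def extract_addresses(html):
    """Return the sorted, lower-cased set of addresses found on the page."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    return sorted({m.group(0).lower() for m in ETH_ADDR_RE.finditer(text)})


def check_page(html, expected=EXPECTED_ADDRESS):
    """Compare the page against the expected address.
    ok is False if the expected address is gone or any other address appears."""
    found = extract_addresses(html)
    expected = expected.lower()
    unexpected = [a for a in found if a != expected]
    missing = expected not in found
    return {"ok": not unexpected and not missing,
            "unexpected": unexpected, "missing": missing}


# Constructed sample pages: the intact sale page and a defaced copy.
GOOD_PAGE = f'<p>Send ETH to <a href="https://example.invalid/{EXPECTED_ADDRESS}">{EXPECTED_ADDRESS}</a></p>'
ATTACKER_ADDRESS = "0x" + "cd" * 20
TAMPERED_PAGE = f"<!-- {EXPECTED_ADDRESS} --><p>Send ETH to {ATTACKER_ADDRESS}</p>"
```

Run it on a schedule against the live page and alert on `ok == False`; the check is only as good as the out-of-band copy of the expected address.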
Even though Coindash noticed the hack and warned investors quickly—just three minutes after the ICO launch—the damage was done.
"WEBSITE HACKED," Emmanuel Gimenez, an employee of Coindash, wrote in the company's official Slack account, which Motherboard obtained access to.
"GUYS WEBSITE IS HACKED! Don't send your ETH!!!," the Coindash account on the popular Bitcointalk forum wrote at roughly 9:06 AM EDT, six minutes after the ICO launch.
"The Token Sale is done, do not send any ETH to any address," Coindash announced on Twitter on Monday morning.
At the time of writing, would-be investors have sent 43,438.45 ether (around $7.4 million USD at the current exchange rate) to the address posted on Coindash's site, which the company says belongs to a hacker. Etherscan, a web tool for tracking ethereum transactions, is warning that "there are reports that the Coindash Crowdsale address has been compromised."
"All we know now is that an outside attacker changed the address right after the sale started," Ram Avissar, the marketing director of Coindash, told Motherboard via Slack. "We have halted the Token Sale contract and trying to understand the best way to compensate those who were affected."
In a statement published in the company's Slack channel, Coindash said that it "suffered a hacking attack" where an "unknown perpetrator" or hacker "maliciously placed" a fraudulent ethereum address on its website.
In response, some users on social media are crying foul. On Reddit, for example, users are speculating that the hack was really an "inside job" that allowed Coindash's creators to run off with millions of dollars while blaming an anonymous hacker who will likely never be found. There's no proof of any foul play on Coindash's part, however, and Occam's Razor may favour Coindash's own explanation: A hacker simply took advantage of the weakest security link in the ICO. That is, the Coindash website itself.
Whoever the culprit is, investors are angry at Coindash. "Oh come on i have already sent my eth," wrote a user of Bitcointalk. "I want my money back. It's your website and it's your fault that not do everything for the security." Another person who claimed to have invested wrote on the Bitcointalk forum: "Too late, I already invested!!!! Already 31k ETH send to the address!!! You guys better get my money back." Motherboard could not confirm that these people had actually invested, but Etherscan confirms that large amounts of ether were transferred to the address.
The alleged hack is one of the biggest in ethereum to date. After a token-based ethereum investment fund called the DAO lost more than $50 million in a hack last year, ethereum's developers made the difficult decision to split the currency in two in order to restore the lost funds. However, that move was seen by many as unnecessarily risky (and spawned a rival cryptocurrency), and it is unlikely to happen again.
In the official Coindash Slack channel, the app's developers wrote that all investors, even if they sent funds to the phony address, will receive tokens.
"All CoinDash investors will get their tokens," the developers wrote in Slack. "We are working to solve the situation."
Disclosure: one of the authors, Lorenzo Franceschi-Bicchierai, owns a small amount of ether.