Hacker steals $7 Million in Ethereum from CoinDash in just 3 minutes

Pierluigi Paganini July 18, 2017

Hacker steals $7 Million in Ethereum from CoinDash in just 3 minutes after the ICO launch. Attacker tricked investors into sending ETH to the wrong address.

Cybercrime could be a profitable business, crooks stole $7 Million worth of Ethereum in just 3 minutes. The cyber heist was possible due to a ‘a simple trick.
Hackers have stolen the money from the Israeli social-trading platform CoinDash.
CoinDash hacked
CoinDash launched an Initial Coin Offering (ICO) to allow investors to pay with Ethereum and send funds to token sale’s smart contact address.

Hackers were able to divert over $7 million worth of Ethereum by replacing the legitimate wallet address used for the ICO with their own.

In three minutes after the ICO launch, the attacker tricked CoinDash’s investors into sending 43438.455 Ether to the wrong address owned by the attacker.

At the moment the hacker’s wallet has a balance of 43,488 Ethereum (around $8.1 million).

Let’s see the details of the attack?

CoinDash’s ICO published an Ethereum address on its website to allow investors to transfer the Ethereum funds.

After a few minutes of the launch, the company warned that its website had been hacked and confirmed that the ICO legitimate address was replaced by a fraudulent address.

The startup asked to stop sending Ethereum to the posted address.

“GUYS WEBSITE IS HACKED! Don’t send your ETH!!!” reads the message from CoinDash HQ.
“Wait for the announcement of the address”

Too late!

“The CoinDash Token Sale opened to the public on July 17 at 13:00PM GMT, starting with a 15 minute heads up for whitelist contributors. During these 15 minutes, 148 whitelisted contributors sent 39,000 ETH to the token sale smart contract that were secured with a multisig wallet.” reads the statement issued by the company.“The moment the token sale went public, the CoinDash website was hacked and a malicious address replaced the CoinDash Token Sale address. As a result, more than 2,000 investors sent ETH to the malicious address. The stolen ETH amounted to a total of 37,000 ETH.”

The company confirms it gathered around $6 million during the first three minutes of the ICO. It announced that it would issue tokens to the people who sent these funds to the correct wallet, but it also ensured that it will issue the tokens for the users that have been impacted by the hack and that sent the money to the hacker’s wallet.

“The CoinDash Token Sale secured $6.4 Million from our early contributors and whitelist participants and we are grateful for your support and contribution. CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution. Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly,” said the company.

However, CoinDash clarified that it would not compensate users who sent funds to the hacker’s address after the website was shut down by the company.

“CoinDash is responsible to all of its contributors and will send CDTs [CoinDash Tokens] reflective of each contribution,” the company noted.

“Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly.”

Some users speculate the cyber heist is an insider’s job … stay Tuned

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Ethereum, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment