Hackers hijacked cryptocurrency trading platform CoinDash last week just as it was in the middle of its initial coin offering, or ICO. It’s the first known breach of an ICO, this season’s hottest fundraising method.
CoinDash, an Israeli startup, planned to raise capital by selling its own digital tokens in exchange for the cryptocurrency Ethereum, which is similar to Bitcoin. But just 13 minutes into the token sale, which began at 9 a.m. ET Monday, an “unknown perpetrator” hacked CoinDash’s website and changed the address for sending investments to a fake one, the company later announced on its website. That diverted millions of dollars in contributions to the attacker.
This is yet another example of how cryptocurrency ICOs prove to be a fatal weakness in this decentralized ecosystem. All of the projects raising money promote decentralized technologies like blockchain, smart contracts, and other things. Given that, it is remarkable to see all of those projects using a centralized website proving to be a major weakness. We have now seen two such sites hijacked recently.
The hacking of this ICO is reminiscent of last year when $50m was stolen in a similar fashion from a project called The DAO. As such, the event will likely again draw attention to possible security issues in ICO funding, amid their escalating popularity.
While the CoinDash ICO still managed to raise $6.4 million from early investors, the hacker stole $7 million worth of Ethereum before the company was forced to pull the plug on the token sale. Despite the losses, CoinDash promised to dole out its tokens accordingly to everyone who participated in the ICO before it was shut down, whether or not they sent funds to the correct address.
Thankfully, it appears that the CoinDash team will reimburse the affected investors. Tokens will be issued to the people who sent money to the wrong address. Proving ownership of such transactions to a fraudulent address will be a different matter altogether. Such events often attract a lot of people making bogus claims of losing money to the scammer and seeking to get their hands on the tokens they are “owed.” Verifying such claims will be a challenge for the CoinDash team.
For its part, CoinDash pledged to investigate the breach and move on.
“This was a damaging event to both our contributors and our company but it is surely not the end of our project”