ICO Hack — CoinDash-ed

Abstract

In one of the most serious ICO hacks of this year, the website of CoinDash was hacked and, using a fake ETH address placed on the page, the attackers diverted about USD 7 million worth of ETH to their own address. There has been a steady stream of news about ICO Slack channels and bots being hacked, but the hacking of an ICO website itself takes the threat to a new level and calls into question the security measures (almost non-existent) that ICO sponsors and teams put in place during the sale period.

This has severely hit investor confidence and also highlighted the lack of accountability, governance and monitoring around ICOs and how they are run.

Timeline

Last information about the start of the CoinDash token sale.

CoinDash's Twitter account reports that their website has been hacked.

The token sale is ended to mitigate the damage, but users were still sending ETH to the hacker's ETH address.
Efforts were underway to prevent further damage.
News of an official statement from coindash.io, which indicates they had regained control of their domain.

The official statement from the CoinDash team

Link to a claims form describing how the ICO is to be recovered

Interlude

All this while, social media and their Telegram group resounded with sad stories of how many investors were scammed, and there was no one from the team to reply or to help them:

The fake ETH account on the hacked site to which the transactions went

The Fake_Coindash ETH address to which all the ETH went. The name looks lame, but the damage was huge.
Complaints about how the team members were missing while users were getting scammed
There were many who simply lost their ETH
Even the Telegram chat was not secure, and many scammers were posting fake addresses
There was dismay and panic
There were some who tried to calm things down
And there were many scammers who wanted to cash in on the panic

Finally, this message summed it all up

Prognosis

During this frenzy many opinions were voiced; some with which I agree are below:

“It’s really important to note that their website was a WordPress that wasn’t even taking the simplest security measures into account. Almost anyone that knew of or was willing to purchase a zero-day could have done this hack. Or if they weren’t protecting against known vulnerabilities, almost any semi-experienced hacker could have performed this attack.
WordPress is the most vulnerable platform to build on if you’re not willing to put the effort in to secure it.”

That the hack happened despite CoinDash having an alpha app and investment funds like TaaS backing it makes it all the worse.

There is More…..

Allegations

Though very crude and highly speculative, some grave allegations regarding the CEO and the team were raised.

Finally….

Though this may seem like a joke, the travesty of the whole situation is that so many ICO investors have lost their ETH and there is no way to recover it. Many called on Vitalik Buterin to intervene as was done for #TheDAO, but the situation during the #TheDAO saga and the market capitalization of ETH were different then. Now the only offer to those who took part in the ICO and got scammed is a Google form, through which they have been promised CDT, which at this initial stage has no value; whether it will ever appreciate after such a huge hack and the ensuing PR disaster remains to be seen.

Point to Note

Transactions sent to any fraudulent address after our website was shut down will not be compensated.

They have already secured USD 6.4 million in the pre-sale, and hence for them I do not see any crisis beyond the current PR problem and a temporary backlash, if any, from major investors.

The point to note before concluding is this: even when people were getting hacked during the pre-sale itself, would it not have been prudent to do a complete security audit of the whole website and process and protect the investors? In the present scenario this shows a high degree of irresponsibility, bordering on criminal, on the part of the ICO team in not having done enough due diligence and being so lax about their ICO, which seems to be the norm nowadays.