All it took was three minutes.
Shortly after going live, CoinDash's July 17 Initial Coin Offering (ICO) was in serious trouble. The company, which allows for the trading of the popular cryptocurrency Ether (the "money unit" of the Ethereum platform), was all set for a big fundraising round with investors given the chance to invest in CoinDash with Ether. It's a well-established practice similar to an IPO: Buy into a company now in exchange for tokens, which are in some sense analogous to stock, and hope to reap the rewards later.
It didn't exactly work out as planned.
As explained after the fact on the company's website, hackers managed to change one tiny but important detail on the CoinDash website just as the ICO was scheduled to begin: The Ethereum wallet address. That little change was all it took to redirect cryptocurrency slated for CoinDash into the wallet of the attacker.
"It is unfortunate for us to announce that we have suffered a hacking attack during our Token Sale event," the company explained. "During the attack $7 million were stolen by a currently unknown perpetrator."
Website has been hacked.
— CoinDash.io (@coindashio) July 17, 2017
According to a screenshot of the CoinDash Slack channel, posted to Reddit and confirmed as authentic by Motherboard, CoinDash realized what was happening within three minutes — but the damage was done.
Angry online commenters, who may or may not have fallen prey to the scam, quickly took to Reddit to vent their frustration — with some hinting at the possibility of an inside job.
"Is there any proof that this was a hack," wondered one Redditor. "What if Coindash put an address in and then cried hacker to get away with free ETH?"
"This propably [sic] was a set up from the beginning," speculated another.
— Vibhor Jain (@cryptoheadd) July 17, 2017
However, those that sent their Ether to the wrong address may not be entirely out of luck. CoinDash says it will still issue tokens to anyone who was swindled (as long as it happened before company employees shut their site down upon discovery of the hack).
"CoinDash is responsible to all of its contributors and will send CDTs [CoinDash Tokens] reflective of each contribution," the company further noted on its site. "Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly."
CoinDash, for its part, did manage to raise $6.4 million from its "early contributors and whitelist participants" before things went south.
As for the stolen Ether? Well, that's just chilling in a wallet, waiting until the crook comes to collect. And, unless the perp left some clues behind during the hack itself, he or she will soon be sitting pretty with their ill-gotten gains. Following laundered cryptocurrency, after all, is a notoriously difficult task.