Hackers have stolen $7 million in Ethereum virtual money from CoinDash, an Israeli cryptocurrency social trading start-up.
The company said that it suffered a massive security breach in which its crowdfunding page was hacked during a token sale event yesterday. The perpetrators breached the CoinDash website and replaced the official Ethereum address with a fraudulent one, meaning that users were sending their money to an address controlled by the hackers rather than to CoinDash’s official address.
CoinDash said in a notice that more than 2,000 investors sent Ethereum to the malicious address, amounting to a total of 37,000 ETH.
The company said that it would reimburse the victims with the amount they would have received by sending their Ethereum to the correct address.
“We are currently gathering information regarding each of the attack victims and will release the complete list for our contributors and community review shortly,” the company said. “CoinDash will further compensate its contributors using the resources at its disposal.”
CoinDash has also launched an internet forensic investigation to determine who was behind the hack and has contacted law enforcement agencies.
“This is another innovative way for attackers to abuse vulnerabilities for profit, which demonstrates why it is crucial to holistically protect your web applications, not focusing just on the transactions, but having a healthy layered security as well,” Ben Herzberg, security group research manager at cybersecurity firm Imperva, told Infosecurity. “The fact that this is done with a cryptocurrency wallet ID makes it very effective, as it will make it much harder to trace the criminals, due to the anonymity provided by the algorithms behind Ethereum. However, similar techniques are used for other types of cybercrime as well, including altering web content for other use-cases such as site defacement, attempts to infect clients with malware, attempts to gain credentials and more.”