Blockchain Security Breach: Hackers Stole $7 Million From CoinDash Initial Coin Offering

Cryptocurrency is supposed to be much safer than fiat currency like dollars or pesos because blockchain tokens are harder to steal. But nothing is impossible for hackers. This week the Israeli blockchain startup CoinDash learned this lesson the hard way when hackers hijacked the company’s initial coin offering and stole $7 million worth of ether.

Hackers broke into the CoinDash website during the ICO and reportedly swapped the startup’s account address for an unaffiliated address, redirecting the funds. The startup immediately halted the fundraising campaign and promised all contributors would receive the ICO’s CDT tokens, both early contributors who gave a sum total of $6.4 million and duped participants who sent ether to the wrong address.

This scandal raises questions about security in the cryptocurrency space. Blockchain tokens may be immutable, but are they safe?

Read: Rumors About Anonymous Ethereum Millionaires Raise Questions About Blockchain Privacy

The blockchain community flooded Reddit with criticism of the CoinDash ICO, claiming people warned the company via Slack about security flaws before the ICO launched. There is still no hint as to who hacked the ICO or why. Some critics on social media are claiming the CoinDash hack was an inside job, although that would have been counterproductive in terms of overall profit. (CoinDash did not immediately reply to requests to comment. We will update the article if we hear back.)

Twitter, forums and other crypto hubs exploded with outraged chatter. Online discussions about members of the CoinDash team reeked of anti-Semitism, calling CEO Alon Muroch a “Jewish bastard” and a “scammer” related to Jewish bankers. Critics also harped on his involvement with a past failed ventures called GetGems. Muroch addressed the issue of racist criticism in a YouTube video earlier this month. He denied any involvement with GetGems fundraising or leadership team, which reportedly disbanded in 2016 after raising money.

Regardless, there are currently few protections for ICO investors because the business model is still so new. “It’s a wonderful, powerful tool [ICO], but it’s so easy to do like a ponzi scheme concealed as an ICO,” Marco Amadori, CEO of the Italian bitcoin company Inbitcoin.it and resident expert at the nonprofit Blockchainlab in Milan, told International Business Times. “Offering unregulated shares of your company just by publishing a white paper and a website.”

Read: Could Online Harassment Slow Blockchain’s Growth?

It’s worth noting that each ICO is unique and many deliberately avoid language and incentives comparable to traditional securities or shares. Even so, Amadori said this hack could have easily been avoided. The startup’s website was hacked, not the Ethereum-based account itself. He argued insecurity on a third party platform, in this case the website and not the blockchain, is a widespread issue as cryptocurrency becomes mainstream.

“Bitcoin was created and invented just for this reason,” Amadori said. “If you hand your money to a third party, you get some convenience but you lose power over the ownership of your money. You also give them the power to disappear with your money.” Third party sites like cryptocurrency exchanges have been hacked before, like the $460 million heist involving Mt.Gox in 2014. In both cases, Amadori said the security breach reflected inexperience.

“It’s a cultural problem. You need to learn how to handle security,” Amadori said. “It’s a bit like the wild west, with all the opportunities and all the cost. There is no protection.” Crypto Lotus hedge fund co-founder Joshua Goldbard was not impressed with the CoinDash ICO preparation either. “If you’re doing an ICO, you should probably hire a security consultant,” Goldbard said. “I don’t feel good about what is happening in the [ICO] market right now. You wouldn’t do a massive sale of a company without hiring a broker or someone like that.”

Blockchain transactions, using bitcoin and Ethereum, usually leverage transparency as a security feature. People are less likely to steal if everyone can watch exactly where the stolen tokens go, then theoretically track them to any cash out in fiat currency.

But hackers have already found ways to work around that issue. For example, the hackers involved with the recent Petya/NotPetya ransomware attack used a bitcoin tumbler to basically launder the money through high-volume addresses, mixing stolen bitcoins in with so many legitimate transactions that the stolen funds became nearly impossible to track. Not completely impossible, but it would take a lot of time and resources.

“If you piss off a nation-state, and they have $100 million to go find out where your money came from, they’re probably going to go find it,” Goldbard said. “It’s just really a function of time and the difficulty of that data science problem.” In the future, Goldbard suggested blockchain startups publish the ICO address on multiple platforms, including news outlets. Even if hackers tamper with one site, they won’t be able to mess with all of them. It’s up to buyers to research the companies they invest in.

Amadori doesn’t think it would be feasible, or ethical, to change blockchain protocols to make anonymous token users easier to find. “Criminals are using also streets, phones and probably also water bottles to drink from. We didn't crippled those tools to harm them because it will harm us more, since the criminals are luckily a small minority,” he said. “It is really important to have censorship-resistant transactions.”