The explosive growth of initial coin offerings hit a major roadblock this week after a brazen hack during CoinDash’s token sale resulted in the theft of over $10 million worth of ether. The incident, which unfolded over a 48-hour period starting July 17, has sent shockwaves through the nascent ICO market and raised urgent questions about the security of crowdfunding campaigns built on blockchain technology.
TL;DR
- CoinDash ICO hacker stole approximately 43,500 ETH, worth $10.3 million at current prices
- The attacker compromised the CoinDash website and replaced the legitimate contract address with a fake one
- Over 2,000 investors unknowingly sent funds to the fraudulent address
- The theft initially stood at $7 million on July 17 before growing as latecomers continued sending ether
- CoinDash pledged to compensate affected investors with equivalent CDT tokens
How the Attack Unfolded
According to details emerging from the investigation, the hack was not a simple exploit of smart contract code but rather a sophisticated website compromise. The attacker cloned a near-identical version of the CoinDash.io platform and manipulated the site’s infrastructure to redirect traffic toward the fraudulent portal.
Wu Guanggeng, the chief operating officer of Chinese mining pool Bixin, speculated on Weibo that the breach may have been executed through CoinDash’s DNS provider. The theory suggests the hacker first gained access to CoinDash’s registered email account, then used that access to request a DNS redirection from the domain name server provider. Once traffic was flowing to the cloned site, investors were presented with a fake contract address to send their ether to.
The ruse worked devastatingly well. By the time CoinDash became aware of the breach and shut down its website at approximately 10:39 AM EST on July 17, thousands of ether had already flowed into the attacker’s wallet. The company tweeted urgently: “Do not send any ETH to any address.”
Mounting Losses
What makes the incident particularly troubling is that losses continued to mount even after the hack was publicly revealed. Some prospective investors, apparently unaware of the warnings, continued sending ether to the compromised address. One individual alone sent 50 ETH to the fake address after the breach was disclosed.
As of July 19, Etherscan.io data showed the attacker’s address had accumulated approximately 43,500 ether, bringing the total value of the theft to roughly $10.3 million given ethereum’s price of around $200 at the time. The initial estimate on July 17 had been approximately $7 million, but ongoing transfers pushed the figure higher.
Notably, the fake contract address has not made any outgoing transactions since the hack. The stolen ether remains sitting in the wallet, which could suggest the attacker is either waiting for scrutiny to die down or facing difficulties moving the funds without being traced.
Compensation and Aftermath
CoinDash moved quickly to address the fallout, announcing that investors affected by the hack would receive CDT tokens equivalent to their losses. However, the company drew a firm line: those who sent ether after the website was shut down and warnings were issued would not be eligible for compensation. CoinDash set up a Google Form for affected investors to report their losses.
The incident has become a defining cautionary tale for the ICO ecosystem, which has seen explosive growth throughout 2017. With ethereum trading at approximately $200 — down significantly from its June highs above $400 — the hack has added selling pressure to an already battered market. Bitcoin, meanwhile, has held relatively steady around $2,270.
Why This Matters
The CoinDash hack represents one of the largest ICO-related thefts to date and underscores the fundamental security challenges facing the token sale model. While blockchain technology itself may be secure, the infrastructure surrounding ICOs — websites, DNS providers, email systems — remains vulnerable to traditional attack vectors. As the ICO market continues to attract billions in capital, the industry will need to develop far more robust security practices or risk losing investor confidence entirely. For participants, the lesson is clear: always verify contract addresses through multiple independent sources before sending funds.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk. Always conduct your own research before investing.