Hacker Allegedly Steals $7.4 Million In Ethereum After Hijacking ICO

An anonymous reader writes: An unknown hacker allegedly took over the website of an ethereum startup called Coindash, directing investors to send money to his or her own ethereum digital wallet, instead of the one controlled by Coindash. While Coindash noticed the hack almost immediately, the damage was done, and the hacker amassed more than $7 million in stolen cryptocurrency.

Can it be invalidated?

[kaka.mala.vachva]

I don't know much about cryptocurrencies, but since this isn't physical tender, can't hacked currency be invalidated?

Re:

[xxxJonBoyxxx]

It can but it's a PITA and threatens to devalue currencies. See:
http://www.coindesk.com/ethereum-classic-explained-blockchain/

Re:

[fuzzyfuzzyfungus]

Yes, in the sense that it's scarcer. "Not so much", in the sense that you've just told everyone that you can, and will, disappear chunks of their invisible internet money that you find suspicious.

When your value depends mostly on confidence, that's a risky move.

Re:

[mysidia]

Ethereum has done it before in a previous hacking. They could write a patch, in theory, to do a fork and invalidate all transactions to the Hacker's address.

If that is their intention, they should announce it immediately to help mitigate damage (Make sure the hacker doesn't spend further and leave other people holding the bag).

Re:

[Luthair]

Even if Ethereum doesn't split the currency, couldn't the coins and derivatives be blacklisted in the "legitimate" sphere making them relatively worthless? They're technically stolen property so dealing with them could be illegal in many jurisdictions.

Re:

[rtb61]

So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments. So that all transfers can be tracked but kept secret because you at the core, want to do two things, cheat the tax man participating in criminal payments, whilst also participating in the who gets in early wins in the ponzi scheme coin mining scam. I'll bet you want digital currency to work when the power is out. You are not one of those survivalists with a

Re:

[kyrsjo]

> So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments.

So basically Bitcoin?

Re:

[gnick]

So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments.

Who said anything about untraceable? I thought these transactions were entirely traceable. Anonymous maybe, but not untraceable.

Re:

[Anonymous Coward]

There was no hacking. The people behind the contract wrote it horribly and someone took advantage of that fact. They didn't like it, because they and their friends lost some money, so they decided to fork it, and illegally invalidate the contract.

Re:

[Applehu Akbar]

Ethereum has done it before in a previous hacking. They could write a patch, in theory, to do a fork and invalidate all transactions to the Hacker's address.

If cryptocurrencies want to go legit as a legal tender, they need to do the same to ransomware addresses.

Re:

[mysidia]

If cryptocurrencies want to go legit as a legal tender, they need to do the same to ransomware addresses.

I guess what needs to be done is introduce trusted "Blacklisting" authorities that all users, and possibly all nodes will honor.

If an address is BLACKLISTED, then all services and bitcoin nodes check the path coins have taken, and the coins that passed through a blacklisted address cannot be spent anywhere further, they are tainted: Both transaction/payment providers/exchanges/retailers or othe

Re:Can it be invalidated?

[cunina]

Sure, but the precedent is very un-cryptocurrency. Reverting the transfer means that a central authority has the ability to invalidate transactions they don't like. Today it may be theft, but tomorrow it could be political contributions or purchases of "bad" items. It seems like that kind of thing would undermine the value of having a cryptocurrency in the first place.

Re:

[cunina]

I would argue that Ethereum became less valuable as a result of the fork.

Re:

[r0kk3rz]

Sure, but the precedent is very un-cryptocurrency. Reverting the transfer means that a central authority has the ability to invalidate transactions they don't like. Today it may be theft, but tomorrow it could be political contributions or purchases of "bad" items. It seems like that kind of thing would undermine the value of having a cryptocurrency in the first place.

Not quite, some central authority might suggest its a good idea but it's ultimately up to the miners to decide to follow through. This is what happened with TheDAO and not everyone agreed and so now we have Ethereum Classic fork as well.

This is ultimately how blockchains work, its up to the miners to agree what the 'current state' of the chain is and they can change their mind at any time.

Re:

[Cyberax]

No. Neither Etherum, nor Bitcoin offer ways to blacklist certain wallets. Once your money is gone, it's gone - just like stolen cash.

Some alternative cryptocurrencies support wallet invalidation feature where a wallet maybe destroyed if enough miners agree on it for a certain time.

Re:

[Anonymous Coward]

No. Neither Etherum, nor Bitcoin offer ways to blacklist certain wallets. Once your money is gone, it's gone - just like stolen cash

Etherum already undid some transactions that people didn't like. This lead to a fork of the block chain and the creation of Etherum Classic.

Some alternative cryptocurrencies support wallet invalidation feature where a wallet maybe destroyed if enough miners agree on it for a certain time.

All cryptocurrencies can revert transactions if enough people agree to it. Defeats part of the attraction to them, but it can still happen.

Re:

[Kjella]

Of course you could. Technically it's not even a problem, create some kind of master key that clients will accept the signature of instead of the user's key and it'll be the almighty god of that crypto-currency. And who would you like to have sitting on that key? What makes them trustworthy, what standard of proof, what appeals process in what jurisdiction against having your assets seized? The Internet Court of public opinion and loose allegations? What happens if the hacker manages to spend the money firs

Re:

[Khashishi]

AFAIK, if enough miners (>50%?) want to invalidate the transactions, they can do it. Simply fork the blockchain, removing any transactions they don't want. Of course, they will have to collectively identify which transactions should be invalidated.

Re:

[CaptainDork]

Internet packets are not affected by blunt force trauma.

Re:

[HumanWiki]

...and nothing of real value was lost.

As opposed to other invented forms of currency that only exist as long as the collective organizations that invented them exist?

Why didn't I think of that...

[__aaclcg7560]

How do I hijack an icon file (*.ICO) to get $7.4M?

Re:Why didn't I think of that...

[OzPeter]

How do I hijack an icon file (*.ICO) to get $7.4M?

I don't know about that, but after that MySpace story today I'm now worried about my ICQ account!

Re:

[HumanWiki]

How do I hijack an icon file (*.ICO) to get $7.4M?

I don't know about that, but after that MySpace story today I'm now worried about my ICQ account!

UH-OH!

Re:

[CaptainDork]

Fuck that.

What about my goddam Compuserve one?

Re:

[TheRealMindChild]

https://www.exploit-db.com/exp... [exploit-db.com]

Re:

[DontBeAMoran]

You big dumbass. They're not talking about icon files, they're talking about ICO [wikipedia.org].

Re:

[AmiMoJo]

How did the Information Commissioner's Office even have $7m lying around to be stolen?!

Re:

[DontBeAMoran]

Maybe they reported the number wrong and it was 0.07400000 ETH, valued at USD$14.

Re:

[AmiMoJo]

Maybe it was 7 millidollars, i.e. $0.007. Or at least it will be by next week.

PGP Signed Message.

[0100010001010011]

No different than a hacker changing a mailing address to amass money sent to an address.

Why the hell did they not sign it with a PGP key to authenticate that they were who they said they were?

Re:

[fuzzyfuzzyfungus]

Some people just make dumb mistakes. Others read the (admittedly pretty cool) descriptions of the mathematical properties of cryptocurrencies and foolishly assume that those properties somehow rub off on the decidedly less elegant infrastructure on which basically everything done with the cryptocurrencies depends.

I'm not sure what the exact breakdown is; but it's practically a business model for the 'exchanges': Get people to hand you the mathematically validated cryptographic stuff in exchange for IOUs

ethereum

[Osgeld]

a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

or some shitty bitcoin thing, or both .... moving on

No wonder ethereum is so popular

[The Grim Reefer]

While Coindash noticed the hack almost immediately, the damage was done, and the hacker amassed more than $7 million in stolen cryptocurrency.

Wow, I had no idea you could mine over $7million "almost immediately". No wonder Ethereum is so popular. Must have been using one of those out of stock NVidia or AMD video cards for that.

Meh

[thegarbz]

Will only be worth $3.5million in 2 weeks anyway the way these currencies are going.

Re:

[DontBeAMoran]

He could always convert his ETH into Dogecoins just to be sure.

Crypto-money - what did you expect?

[GerryGilmore]

Some of my buddies were bemoaning not having bought some Bitcoin after one of its runups in price. I told them they'd be better off in Vegas. At least there you get free drinks while watching your money disappear.

Re:

[twistofsin]

I just bought a new motorcycle with the money I made selling some of my Bitcoin.

If you invested any money in Bitcoin in the past and suffered a loss you are definitely doing it wrong.

Re:

[kyrsjo]

I think this XKCD is pretty applicable:
https://xkcd.com/1827/ [xkcd.com]

Re:

[Anonymous Coward]

Couldn't the same be said for investors of Bernard L. Madoff Investment Securities LLC until it all came crashing down?

Beware of Cryptofeit currrency too!

[theendlessnow]

Vendors are urged to examine the data directly. Repeating numbers like 111111111... or numbers like 55378008.... or even 1234567... these need to be examined closely. Right now vendors aren't even looking at cryptocurrency, so it's easy to pass off fakes.

When is an investment lost...

[redengin]

The investors sent their money to the wrong address. Coindash will do its best to make good by still issuing tokens (shares) to investors. Now it's up to Coindash to tighten their budget and make a go with a $7M liability. Either way, the investors knew that their investments were always at the risk of Coindash failing. This setback just happened very early in the ICO lifecycle.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion