Hackers hijacked cryptocurrency trading platform CoinDash on Monday just as it was in the middle of its initial coin offering, or ICO. It's the first known breach of an ICO, this season's hottest fundraising method.
CoinDash, an Israeli startup, planned to raise capital by selling its own digital tokens in exchange for the cryptocurrency Ethereum, which is similar to Bitcoin. But just 13 minutes into the token sale, which began at 9 a.m. ET Monday, an "unknown perpetrator" hacked CoinDash's website and changed the address for sending investments to a fake one, the company later announced on its website. That diverted millions of dollars in contributions to the attacker.
While the CoinDash ICO still managed to raise $6.4 million from early investors, the hacker stole $7 million worth of Ethereum before the company was forced to pull the plug on the token sale. Despite the losses, CoinDash promised to dole out its tokens accordingly to everyone who participated in the ICO before it was shut down, whether or not they sent funds to the correct address.
"Reminder: We are still under attack. Please do not send any [Ethereum] to any address, as the Token Sale has been terminated," CoinDash said in the statement.
The incident is likely to put a damper on the enthusiasm surrounding ICOs. The offerings are similar to stock market initial public offerings, or IPOs. But there are two key differences: ICO investors receive cryptocurrency instead of equity, and the offerings face far less regulation.
ICOs have had a banner year. In 2017 alone, such token sales have raised at least $540 million, my colleague Jeff John Roberts reported in a recent Fortune Magazine story, "Why Tech Investors Love ICOs—and Lawyers Don’t." A month ago, a single ICO raised as much as $147 million; another raised $35 million in just 30 seconds.
The CoinDash hack is reminiscent of another large-scale Ethereum heist last year, when attackers breached a blockchain organization called the DAO and stole more than $50 million that had been raised in an ICO a month earlier. But the DAO hack occurred after the token sale had already ended.
To CoinDash, which hyped its ICO with modified promotional imagery for HBO's Game of Thrones, the breach is a blow both financially and in terms of its relationship with customers, some of whom suggested on social media that the attack could have been an inside job.
For its part, CoinDash pledged to investigate the breach and move on. "This was a damaging event to both our contributors and our company but it is surely not the end of our project," the company said in its statement.