Slashdot Mirror


Hacker Allegedly Steals $7.4 Million In Ethereum After Hijacking ICO (vice.com)

An anonymous reader writes: An unknown hacker allegedly took over the website of an ethereum startup called Coindash, directing investors to send money to his or her own ethereum digital wallet, instead of the one controlled by Coindash. While Coindash noticed the hack almost immediately, the damage was done, and the hacker amassed more than $7 million in stolen cryptocurrency.

64 comments

  1. Can it be invalidated? by kaka.mala.vachva · · Score: 1

    I don't know much about cryptocurrencies, but since this isn't physical tender, can't hacked currency be invalidated?

    1. Re:Can it be invalidated? by xxxJonBoyxxx · · Score: 2

      It can but it's a PITA and threatens to devalue currencies. See:
      http://www.coindesk.com/ethereum-classic-explained-blockchain/

    2. Re:Can it be invalidated? by Anonymous Coward · · Score: 0

      Wouldn't taking currency out of the market make it more valuable?

    3. Re: Can it be invalidated? by Anonymous Coward · · Score: 0

      They have already forked the chain once to protect their buddies' investments, why not do it again?

    4. Re:Can it be invalidated? by mysidia · · Score: 2

      Ethereum has done it before in a previous hacking. They could write a patch, in theory, to do a fork and invalidate all transactions to the Hacker's address.

      If that is their intention, they should announce it immediately to help mitigate damage (Make sure the hacker doesn't spend further and leave other people holding the bag).

    5. Re:Can it be invalidated? by cunina · · Score: 4, Insightful

      Sure, but the precedent is very un-cryptocurrency. Reverting the transfer means that a central authority has the ability to invalidate transactions they don't like. Today it may be theft, but tomorrow it could be political contributions or purchases of "bad" items. It seems like that kind of thing would undermine the value of having a cryptocurrency in the first place.

    6. Re:Can it be invalidated? by Luthair · · Score: 1

      Even if Ethereum doesn't split the currency, couldn't the coins and derivatives be blacklisted in the "legitimate" sphere making them relatively worthless? They're technically stolen property so dealing with them could be illegal in many jurisdictions.

    7. Re:Can it be invalidated? by Cyberax · · Score: 1

      No. Neither Ethereum, nor Bitcoin offer ways to blacklist certain wallets. Once your money is gone, it's gone - just like stolen cash.

      Some alternative cryptocurrencies support a wallet invalidation feature where a wallet may be destroyed if enough miners agree on it for a certain time.

    8. Re:Can it be invalidated? by Anonymous Coward · · Score: 1

      No. Neither Ethereum, nor Bitcoin offer ways to blacklist certain wallets. Once your money is gone, it's gone - just like stolen cash

      Ethereum already undid some transactions that people didn't like. This led to a fork of the block chain and the creation of Ethereum Classic.

      Some alternative cryptocurrencies support a wallet invalidation feature where a wallet may be destroyed if enough miners agree on it for a certain time.

      All cryptocurrencies can revert transactions if enough people agree to it. Defeats part of the attraction to them, but it can still happen.

    9. Re:Can it be invalidated? by Kjella · · Score: 2

      Of course you could. Technically it's not even a problem, create some kind of master key that clients will accept the signature of instead of the user's key and it'll be the almighty god of that crypto-currency. And who would you like to have sitting on that key? What makes them trustworthy, what standard of proof, what appeals process in what jurisdiction against having your assets seized? The Internet Court of public opinion and loose allegations? What happens if the hacker manages to spend the money first, do you take the money away from an innocent third party effectively creating a counterfeiting problem?

      By the time you're done with the dispute process you'll basically have poorly re-invented banks and credit cards. And what would happen if a hacker got hands of the key and started randomly moving money around? There would be total chaos. The lack of any kind of centralized control is the headline feature. As a consequence done is done and there's no undoing it, a crowd-sourced blacklist would be useless. All that would happen is that a lot of people would get stuck with "tainted" money that would be randomly rejected, they'd get pissed from being scammed and the currency would collapse.

      --
      Live today, because you never know what tomorrow brings
    10. Re:Can it be invalidated? by Anonymous Coward · · Score: 1

      There was no hacking. The people behind the contract wrote it horribly and someone took advantage of that fact. They didn't like it, because they and their friends lost some money, so they decided to fork it, and illegally invalidate the contract.

    11. Re:Can it be invalidated? by Anonymous Coward · · Score: 0

      They've already done it before, though. Why is Ethereum valuable?

    12. Re:Can it be invalidated? by cunina · · Score: 1

      I would argue that Ethereum became less valuable as a result of the fork.

    13. Re:Can it be invalidated? by Khashishi · · Score: 1

      AFAIK, if enough miners (>50%?) want to invalidate the transactions, they can do it. Simply fork the blockchain, removing any transactions they don't want. Of course, they will have to collectively identify which transactions should be invalidated.

    14. Re:Can it be invalidated? by Anonymous Coward · · Score: 0

      Invalidated? Baseball bat to the knee ... bullet to the brain. Indeed yes it can be invalidated.

    15. Re:Can it be invalidated? by Anonymous Coward · · Score: 0

      Spoken like a true ETC backer.

    16. Re:Can it be invalidated? by fuzzyfuzzyfungus · · Score: 1

      Yes, in the sense that it's scarcer. "Not so much", in the sense that you've just told everyone that you can, and will, disappear chunks of their invisible internet money that you find suspicious.

      When your value depends mostly on confidence, that's a risky move.

    17. Re:Can it be invalidated? by rtb61 · · Score: 0

      So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments. So that all transfers can be tracked but kept secret because you at the core, want to do two things, cheat the tax man participating in criminal payments, whilst also participating in the who gets in early wins in the ponzi scheme coin mining scam. I'll bet you want digital currency to work when the power is out. You are not one of those survivalists with a hoard of bitcoin so they will have spending money when society collapses and the power goes out. You know they will eventually ban it, because oh my, will the cheaters squirm, what can they do to get real money back (money backed by governments and entire populations plus assets of entire countries, even continents in the case of Australia, not as secure as a block chain, wow, super duper ultra block chain more secure than an entire continent of capital asset security).

      --
      Chaos - everything, everywhere, everywhen
    18. Re:Can it be invalidated? by r0kk3rz · · Score: 1

      Sure, but the precedent is very un-cryptocurrency. Reverting the transfer means that a central authority has the ability to invalidate transactions they don't like. Today it may be theft, but tomorrow it could be political contributions or purchases of "bad" items. It seems like that kind of thing would undermine the value of having a cryptocurrency in the first place.

      Not quite, some central authority might suggest it's a good idea but it's ultimately up to the miners to decide to follow through. This is what happened with TheDAO and not everyone agreed and so now we have Ethereum Classic fork as well.

      This is ultimately how blockchains work, it's up to the miners to agree what the 'current state' of the chain is and they can change their mind at any time.

    19. Re:Can it be invalidated? by kyrsjo · · Score: 1

      > So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments.

      So basically Bitcoin?

    20. Re:Can it be invalidated? by Applehu+Akbar · · Score: 1

      Ethereum has done it before in a previous hacking. They could write a patch, in theory, to do a fork and invalidate all transactions to the Hacker's address.

      If cryptocurrencies want to go legit as a legal tender, they need to do the same to ransomware addresses.

    21. Re:Can it be invalidated? by gnick · · Score: 1

      So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments.

      Who said anything about untraceable? I thought these transactions were entirely traceable. Anonymous maybe, but not untraceable.

      --
      He's getting rather old, but he's a good mouse.
    22. Re: Can it be invalidated? by Anonymous Coward · · Score: 0

      All currencies depend on confidence. So your point doesn't make sense.

      It's just that you have more confidence in your government being prudent with maintaining its value than your trust in internet security (not just cryptography).

    23. Re:Can it be invalidated? by mysidia · · Score: 1

      If cryptocurrencies want to go legit as a legal tender, they need to do the same to ransomware addresses.

      I guess what needs to be done is introduce trusted "Blacklisting" authorities that all users, and possibly all nodes will honor.

      If an address is BLACKLISTED, then all services and bitcoin nodes check the path coins have taken, and the coins that passed through a blacklisted address cannot be spent anywhere further, they are tainted: Both transaction/payment providers/exchanges/retailers or other business running nodes and Miners/Network nodes will consume the blacklist and boycott their requested transactions.

      Some centralized agreed-upon "Coin seizure arbitration authority" could be entrusted to sign WHITELISTED addresses, and Blacklisted coins can be spent to a WHITELISTED transaction by the trusted authority and clears the taint.

      This would allow criminals to "self-forfeit" their stolen assets in exchange, for, probably some minor consideration such as reduced jail time, or freeing up other tainted coins they own which were not involved in the activity.
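
The taint rule proposed in the comment above, sketched as an added example that is not part of the thread or of any cryptocurrency's code. The transaction model, the all-or-nothing handling of mixed inputs, and every address and amount are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # (txid, output_index) references being spent
    outputs: tuple   # (address, amount) pairs being created


def tainted_outputs(chain, blacklist, whitelist):
    """Walk the chain in confirmation order and return tainted (txid, index) outputs.

    Assumed rule: an output is tainted if it pays a blacklisted address or if
    any input of its transaction is tainted. Paying a whitelisted address
    clears the taint.
    """
    tainted = set()
    for tx in chain:
        dirty_in = any(ref in tainted for ref in tx.inputs)
        for i, (addr, _amount) in enumerate(tx.outputs):
            if addr in whitelist:
                continue  # forfeited to the arbitration authority
            if dirty_in or addr in blacklist:
                tainted.add((tx.txid, i))
    return tainted


def node_accepts(tx, tainted, whitelist):
    """Boycott policy: tainted coins may only move to whitelisted addresses."""
    if not any(ref in tainted for ref in tx.inputs):
        return True
    return all(addr in whitelist for addr, _amount in tx.outputs)


# Constructed sample data: the thief's address is blacklisted after t4 confirmed.
BLACKLIST = {"thief"}
WHITELIST = {"authority"}
CHAIN = [
    Tx("t0", (), (("investor", 10),)),                        # clean issuance
    Tx("t1", (("t0", 0),), (("thief", 10),)),                 # hijacked payment
    Tx("t2", (("t1", 0),), (("merchant", 4), ("thief_change", 6))),
    Tx("t3", (), (("merchant", 5),)),                         # unrelated clean coins
    Tx("t4", (("t2", 0), ("t3", 0)), (("supplier", 9),)),     # merchant mixes both
]
SPEND = Tx("t5", (("t4", 0),), (("exchange", 9),))            # supplier tries to spend
FORFEIT = Tx("t6", (("t2", 1),), (("authority", 6),))         # thief self-forfeits

if __name__ == "__main__":
    tainted = tainted_outputs(CHAIN, BLACKLIST, WHITELIST)
    print("tainted outputs:", sorted(tainted))
    print("supplier spend accepted:", node_accepts(SPEND, tainted, WHITELIST))
    print("forfeit accepted:", node_accepts(FORFEIT, tainted, WHITELIST))
```

The supplier's output is frozen even though 5 of its 9 units never touched the blacklisted address, which is the innocent-third-party problem raised elsewhere in the thread.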

    24. Re:Can it be invalidated? by CaptainDork · · Score: 1

      Internet packets are not affected by blunt force trauma.

      --
      It little behooves the best of us to comment on the rest of us.
  2. First! by Anonymous Coward · · Score: 0

    ...and nothing of real value was lost.

    1. Re:First! by HumanWiki · · Score: 1

      ...and nothing of real value was lost.

      As opposed to other invented forms of currency that only exist as long as the collective organizations that invented them exist?

  3. Why didn't I think of that... by __aaclcg7560 · · Score: 4, Funny

    How do I hijack an icon file (*.ICO) to get $7.4M?

    1. Re:Why didn't I think of that... by OzPeter · · Score: 3, Funny

      How do I hijack an icon file (*.ICO) to get $7.4M?

      I don't know about that, but after that MySpace story today I'm now worried about my ICQ account!

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Why didn't I think of that... by HumanWiki · · Score: 1

      How do I hijack an icon file (*.ICO) to get $7.4M?

      I don't know about that, but after that MySpace story today I'm now worried about my ICQ account!

      UH-OH!

    3. Re:Why didn't I think of that... by TheRealMindChild · · Score: 1

      --
      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re:Why didn't I think of that... by DontBeAMoran · · Score: 2

      You big dumbass. They're not talking about icon files, they're talking about ICO.

      --
      #DeleteFacebook
    5. Re:Why didn't I think of that... by AmiMoJo · · Score: 1

      How did the Information Commissioner's Office even have $7m lying around to be stolen?!

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Why didn't I think of that... by DontBeAMoran · · Score: 1

      Maybe they reported the number wrong and it was 0.07400000 ETH, valued at USD$14.

      --
      #DeleteFacebook
    7. Re:Why didn't I think of that... by AmiMoJo · · Score: 1

      Maybe it was 7 millidollars, i.e. $0.007. Or at least it will be by next week.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Why didn't I think of that... by CaptainDork · · Score: 1

      Fuck that.

      What about my goddam Compuserve one?

      --
      It little behooves the best of us to comment on the rest of us.
  4. PGP Signed Message. by 0100010001010011 · · Score: 2

    No different than a hacker changing a mailing address to amass money sent to an address.

    Why the hell did they not sign it with a PGP key to authenticate that they were who they said they were?

    1. Re:PGP Signed Message. by fuzzyfuzzyfungus · · Score: 1

      Some people just make dumb mistakes. Others read the (admittedly pretty cool) descriptions of the mathematical properties of cryptocurrencies and foolishly assume that those properties somehow rub off on the decidedly less elegant infrastructure on which basically everything done with the cryptocurrencies depends.

      I'm not sure what the exact breakdown is; but it's practically a business model for the 'exchanges': Get people to hand you the mathematically validated cryptographic stuff in exchange for IOUs denominated in whatever coin is trendy; then people are all surprised when those IOUs have no special properties whatsoever; and can be changed just as easily as anything else on a poorly secured web server.

  5. ethereum by Osgeld · · Score: 1

    a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

    or some shitty bitcoin thing, or both .... moving on

  6. No wonder ethereum is so popular by The+Grim+Reefer · · Score: 1

    While Coindash noticed the hack almost immediately, the damage was done, and the hacker amassed more than $7 million in stolen cryptocurrency.

    Wow, I had no idea you could mine over $7million "almost immediately". No wonder Ethereum is so popular. Must have been using one of those out of stock NVidia or AMD video cards for that.

    1. Re: No wonder ethereum is so popular by Anonymous Coward · · Score: 0

      WTF?
      You can't be serious.

    2. Re: No wonder ethereum is so popular by Anonymous Coward · · Score: 0

      Take it easy, I think based on his name he's probably stoned out of his gourd.

  7. Meh by thegarbz · · Score: 2

    Will only be worth $3.5million in 2 weeks anyway the way these currencies are going.

    1. Re:Meh by Anonymous Coward · · Score: 0

      Still a pretty successful heist by any measure.

    2. Re:Meh by DontBeAMoran · · Score: 2

      He could always convert his ETH into Dogecoins just to be sure.

      --
      #DeleteFacebook
  8. CALL THE BANK! by Anonymous Coward · · Score: 0

    And tell it of the fraud. Get your money back right away! Oh, right, you sell on the black market, and can just steal someone else's money. Never mind. Keep Calm! Carry On! KRIM!

  9. Crypto-money - what did you expect? by GerryGilmore · · Score: 2

    Some of my buddies were bemoaning not having bought some Bitcoin after one of its runups in price. I told them they'd be better off in Vegas. At least there you get free drinks while watching your money disappear.

    1. Re:Crypto-money - what did you expect? by twistofsin · · Score: 1

      I just bought a new motorcycle with the money I made selling some of my Bitcoin.

      If you invested any money in Bitcoin in the past and suffered a loss you are definitely doing it wrong.

    2. Re:Crypto-money - what did you expect? by Anonymous Coward · · Score: 0

      Some of my buddies were bemoaning not having bought some Bitcoin after one of its runups in price. I told them they'd be better off in Vegas. At least there you get free drinks while watching your money disappear.

      Your assertion is contrary to the demonstrable history of bitcoin. Holders have seen huge returns year after year.

    3. Re:Crypto-money - what did you expect? by Anonymous Coward · · Score: 1

      Couldn't the same be said for investors of Bernard L. Madoff Investment Securities LLC until it all came crashing down?

    4. Re:Crypto-money - what did you expect? by kyrsjo · · Score: 1

      I think this XKCD is pretty applicable:
      https://xkcd.com/1827/

  10. Beware of Cryptofeit currency too! by theendlessnow · · Score: 1

    Vendors are urged to examine the data directly. Repeating numbers like 111111111... or numbers like 55378008.... or even 1234567... these need to be examined closely. Right now vendors aren't even looking at cryptocurrency, so it's easy to pass off fakes.

  11. All you gotta do: by Anonymous Coward · · Score: 0

    Hack the thing. And remain unknown. So you will be the unknown hacker that hacked the thing with the hacks. Clear?

  12. Re: Good stuff! by Anonymous Coward · · Score: 0

    Please send a few hundred bitcoins to 17Yvsma9tfiuqVP7QhsFE2VmsFpTEMy17P.

    Thank you.

  13. When is an investment lost... by redengin · · Score: 1

    The investors sent their money to the wrong address. Coindash will do its best to make good by still issuing tokens (shares) to investors. Now it's up to Coindash to tighten their budget and make a go with a $7M liability. Either way, the investors knew that their investments were always at the risk of Coindash failing. This setback just happened very early in the ICO lifecycle.

  14. Wish I had by Anonymous Coward · · Score: 0

    Thought of it.

  16. Ethereum Classic by Anonymous Coward · · Score: 0

    Everyone in the know, knows the future is Ethereum Classic...

  17. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  18. Re: Good stuff! by Anonymous Coward · · Score: 0

    For every winner there are several losers.

  19. Re:Stealing Monopoly Money by Anonymous Coward · · Score: 0

    > make believe things we associate with value

    What, like US Federal Reserve Notes?

    At least "work" is done on a blockchain when more are issued, vs "the economy looks down, print $30B/month plz."

  20. Re:Stealing Monopoly Money by Anonymous Coward · · Score: 0

    I feel like I'm reading the writing of someone totally jelly. It's not too late, you know, knucklehead.

  21. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion