Slashdot Mirror


Hacker Allegedly Steals $7.4 Million In Ethereum After Hijacking ICO (vice.com)

An anonymous reader writes: An unknown hacker allegedly took over the website of an ethereum startup called Coindash, directing investors to send money to his or her own ethereum digital wallet, instead of the one controlled by Coindash. While Coindash noticed the hack almost immediately, the damage was done, and the hacker amassed more than $7 million in stolen cryptocurrency.

  1. Can it be invalidated? by kaka.mala.vachva · · Score: 1

    I don't know much about cryptocurrencies, but since this isn't physical tender, can't hacked currency be invalidated?

    1. Re:Can it be invalidated? by xxxJonBoyxxx · · Score: 2

      It can but it's a PITA and threatens to devalue currencies. See:
      http://www.coindesk.com/ethereum-classic-explained-blockchain/

    2. Re:Can it be invalidated? by mysidia · · Score: 2

      Ethereum has done it before in a previous hacking. They could write a patch, in theory, to do a fork and invalidate all transactions to the Hacker's address.

      If that is their intention, they should announce it immediately to help mitigate damage (Make sure the hacker doesn't spend further and leave other people holding the bag).

    3. Re:Can it be invalidated? by cunina · · Score: 4, Insightful

      Sure, but the precedent is very un-cryptocurrency. Reverting the transfer means that a central authority has the ability to invalidate transactions they don't like. Today it may be theft, but tomorrow it could be political contributions or purchases of "bad" items. It seems like that kind of thing would undermine the value of having a cryptocurrency in the first place.

    4. Re:Can it be invalidated? by Luthair · · Score: 1

      Even if Ethereum doesn't split the currency, couldn't the coins and derivatives be blacklisted in the "legitimate" sphere making them relatively worthless? They're technically stolen property so dealing with them could be illegal in many jurisdictions.

    5. Re:Can it be invalidated? by Cyberax · · Score: 1

      No. Neither Ethereum nor Bitcoin offer ways to blacklist certain wallets. Once your money is gone, it's gone - just like stolen cash.

      Some alternative cryptocurrencies support a wallet invalidation feature where a wallet may be destroyed if enough miners agree on it for a certain time.

    6. Re:Can it be invalidated? by Anonymous Coward · · Score: 1

      > No. Neither Ethereum nor Bitcoin offer ways to blacklist certain wallets. Once your money is gone, it's gone - just like stolen cash

      Ethereum already undid some transactions that people didn't like. This led to a fork of the block chain and the creation of Ethereum Classic.

      > Some alternative cryptocurrencies support a wallet invalidation feature where a wallet may be destroyed if enough miners agree on it for a certain time.

      All cryptocurrencies can revert transactions if enough people agree to it. Defeats part of the attraction to them, but it can still happen.

    7. Re:Can it be invalidated? by Kjella · · Score: 2

      Of course you could. Technically it's not even a problem, create some kind of master key that clients will accept the signature of instead of the user's key and it'll be the almighty god of that crypto-currency. And who would you like to have sitting on that key? What makes them trustworthy, what standard of proof, what appeals process in what jurisdiction against having your assets seized? The Internet Court of public opinion and loose allegations? What happens if the hacker manages to spend the money first, do you take the money away from an innocent third party effectively creating a counterfeiting problem?

      By the time you're done with the dispute process you'll basically have poorly re-invented banks and credit cards. And what would happen if a hacker got hold of the key and started randomly moving money around? There would be total chaos. The lack of any kind of centralized control is the headline feature. As a consequence done is done and there's no undoing it, a crowd-sourced blacklist would be useless. All that would happen is that a lot of people would get stuck with "tainted" money that would be randomly rejected, they'd get pissed from being scammed and the currency would collapse.

      --
      Live today, because you never know what tomorrow brings
    8. Re:Can it be invalidated? by Anonymous Coward · · Score: 1

      There was no hacking. The people behind the contract wrote it horribly and someone took advantage of that fact. They didn't like it, because they and their friends lost some money, so they decided to fork it, and illegally invalidate the contract.

    9. Re:Can it be invalidated? by cunina · · Score: 1

      I would argue that Ethereum became less valuable as a result of the fork.

    10. Re:Can it be invalidated? by Khashishi · · Score: 1

      AFAIK, if enough miners (>50%?) want to invalidate the transactions, they can do it. Simply fork the blockchain, removing any transactions they don't want. Of course, they will have to collectively identify which transactions should be invalidated.

    11. Re:Can it be invalidated? by fuzzyfuzzyfungus · · Score: 1

      Yes, in the sense that it's scarcer. "Not so much", in the sense that you've just told everyone that you can, and will, disappear chunks of their invisible internet money that you find suspicious.

      When your value depends mostly on confidence, that's a risky move.

    12. Re:Can it be invalidated? by r0kk3rz · · Score: 1

      > Sure, but the precedent is very un-cryptocurrency. Reverting the transfer means that a central authority has the ability to invalidate transactions they don't like. Today it may be theft, but tomorrow it could be political contributions or purchases of "bad" items. It seems like that kind of thing would undermine the value of having a cryptocurrency in the first place.

      Not quite, some central authority might suggest it's a good idea but it's ultimately up to the miners to decide to follow through. This is what happened with TheDAO and not everyone agreed and so now we have the Ethereum Classic fork as well.

      This is ultimately how blockchains work, it's up to the miners to agree what the 'current state' of the chain is and they can change their mind at any time.

    13. Re:Can it be invalidated? by kyrsjo · · Score: 1

      > So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments.

      So basically Bitcoin?

    14. Re:Can it be invalidated? by Applehu+Akbar · · Score: 1

      > Ethereum has done it before in a previous hacking. They could write a patch, in theory, to do a fork and invalidate all transactions to the Hacker's address.

      If cryptocurrencies want to go legit as a legal tender, they need to do the same to ransomware addresses.

    15. Re:Can it be invalidated? by gnick · · Score: 1

      > So what you want is a traceable untraceable currency, so that you can make anonymous registered purchases and receive anonymous fully recorded payments.

      Who said anything about untraceable? I thought these transactions were entirely traceable. Anonymous maybe, but not untraceable.

      --
      He's getting rather old, but he's a good mouse.
    16. Re:Can it be invalidated? by mysidia · · Score: 1

      > If cryptocurrencies want to go legit as a legal tender, they need to do the same to ransomware addresses.

      I guess what needs to be done is introduce trusted "Blacklisting" authorities that all users, and possibly all nodes will honor.

      If an address is BLACKLISTED, then all services and bitcoin nodes check the path coins have taken, and the coins that passed through a blacklisted address cannot be spent anywhere further, they are tainted: Both transaction/payment providers/exchanges/retailers or other business running nodes and Miners/Network nodes will consume the blacklist and boycott their requested transactions.

      Some centralized agreed-upon "Coin seizure arbitration authority" could be entrusted to sign WHITELISTED addresses, and Blacklisted coins can be spent to a WHITELISTED transaction by the trusted authority, which clears the taint.

      This would allow criminals to "self-forfeit" their stolen assets in exchange for, probably, some minor consideration such as reduced jail time, or freeing up other tainted coins they own which were not involved in the activity.

    17. Re:Can it be invalidated? by CaptainDork · · Score: 1

      Internet packets are not affected by blunt force trauma.

      --
      It little behooves the best of us to comment on the rest of us.
  2. Why didn't I think of that... by __aaclcg7560 · · Score: 4, Funny

    How do I hijack an icon file (*.ICO) to get $7.4M?

    1. Re:Why didn't I think of that... by OzPeter · · Score: 3, Funny

      > How do I hijack an icon file (*.ICO) to get $7.4M?

      I don't know about that, but after that MySpace story today I'm now worried about my ICQ account!

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Why didn't I think of that... by HumanWiki · · Score: 1

      > How do I hijack an icon file (*.ICO) to get $7.4M?

      > I don't know about that, but after that MySpace story today I'm now worried about my ICQ account!

      UH-OH!

    3. Re:Why didn't I think of that... by TheRealMindChild · · Score: 1

      --
      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re:Why didn't I think of that... by DontBeAMoran · · Score: 2

      You big dumbass. They're not talking about icon files, they're talking about ICO.

      --
      #DeleteFacebook
    5. Re:Why didn't I think of that... by AmiMoJo · · Score: 1

      How did the Information Commissioner's Office even have $7m lying around to be stolen?!

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Why didn't I think of that... by DontBeAMoran · · Score: 1

      Maybe they reported the number wrong and it was 0.07400000 ETH, valued at USD$14.

      --
      #DeleteFacebook
    7. Re:Why didn't I think of that... by AmiMoJo · · Score: 1

      Maybe it was 7 millidollars, i.e. $0.007. Or at least it will be by next week.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Why didn't I think of that... by CaptainDork · · Score: 1

      Fuck that.

      What about my goddam Compuserve one?

      --
      It little behooves the best of us to comment on the rest of us.
  3. Re:First! by HumanWiki · · Score: 1

    ...and nothing of real value was lost.

    As opposed to other invented forms of currency that only exist as long as the collective organizations that invented them exist?

  4. PGP Signed Message. by 0100010001010011 · · Score: 2

    No different than a hacker changing a mailing address to amass money sent to an address.

    Why the hell did they not sign it with a PGP key to authenticate that they were who they said they were?

    1. Re:PGP Signed Message. by fuzzyfuzzyfungus · · Score: 1

      Some people just make dumb mistakes. Others read the (admittedly pretty cool) descriptions of the mathematical properties of cryptocurrencies and foolishly assume that those properties somehow rub off on the decidedly less elegant infrastructure on which basically everything done with the cryptocurrencies depends.

      I'm not sure what the exact breakdown is; but it's practically a business model for the 'exchanges': Get people to hand you the mathematically validated cryptographic stuff in exchange for IOUs denominated in whatever coin is trendy; then people are all surprised when those IOUs have no special properties whatsoever; and can be changed just as easily as anything else on a poorly secured web server.

  5. ethereum by Osgeld · · Score: 1

    a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

    or some shitty bitcoin thing, or both .... moving on

  6. No wonder ethereum is so popular by The+Grim+Reefer · · Score: 1

    > While Coindash noticed the hack almost immediately, the damage was done, and the hacker amassed more than $7 million in stolen cryptocurrency.

    Wow, I had no idea you could mine over $7 million "almost immediately". No wonder Ethereum is so popular. Must have been using one of those out of stock NVidia or AMD video cards for that.

  7. Meh by thegarbz · · Score: 2

    Will only be worth $3.5million in 2 weeks anyway the way these currencies are going.

    1. Re:Meh by DontBeAMoran · · Score: 2

      He could always convert his ETH into Dogecoins just to be sure.

      --
      #DeleteFacebook
  8. Crypto-money - what did you expect? by GerryGilmore · · Score: 2

    Some of my buddies were bemoaning not having bought some Bitcoin after one of its runups in price. I told them they'd be better off in Vegas. At least there you get free drinks while watching your money disappear.

    1. Re:Crypto-money - what did you expect? by twistofsin · · Score: 1

      I just bought a new motorcycle with the money I made selling some of my Bitcoin.

      If you invested any money in Bitcoin in the past and suffered a loss you are definitely doing it wrong.

    2. Re:Crypto-money - what did you expect? by Anonymous Coward · · Score: 1

      Couldn't the same be said for investors of Bernard L. Madoff Investment Securities LLC until it all came crashing down?

    3. Re:Crypto-money - what did you expect? by kyrsjo · · Score: 1

      I think this XKCD is pretty applicable:
      https://xkcd.com/1827/

  9. Beware of Cryptofeit currency too! by theendlessnow · · Score: 1

    Vendors are urged to examine the data directly. Repeating numbers like 111111111... or numbers like 55378008.... or even 1234567... these need to be examined closely. Right now vendors aren't even looking at cryptocurrency, so it's easy to pass off fakes.

  10. When is an investment lost... by redengin · · Score: 1

    The investors sent their money to the wrong address. Coindash will do its best to make good by still issuing tokens (shares) to investors. Now it's up to Coindash to tighten their budget and make a go with a $7M liability. Either way, the investors knew that their investments were always at the risk of Coindash failing. This setback just happened very early in the ICO lifecycle.
