A few prospective investors were still sending ether to an ethereum address compromised in an initial coin offering (ICO) held by a startup called CoinDash yesterday, inadvertently bringing the total lost in the theft up to around $10m.

As reported on July 17, $7m was initially stolen by a hacker who altered the contract address of the ICO project. CoinDash said in an updated statement today that 2,000 investors have now sent a total of 37,000 ethers to the fake address after the open sale started.

While only a small number of transactions have been seen since the hack was revealed, one investor sent 50 ethers to the fake address, according to Etherscan.io.

At publication, around 43,500 ether had been sent to the address in total, bringing the value of the theft to just under $10.3m, amid the cryptocurrency market rebound over the last day.

While CoinDash has yet to disclose how the breach occurred, others are beginning to speculate on what caused the issue.

Wu Guanggeng, the COO of China’s mining pool Bixin, for example, posited on Weibo that the breach may have actually been made via the domain name server provider. When reached out to by CoinDesk, Wu indicated his source for the information was a WeChat official account that publishes cryptocurrency news for subscribers.

One post from the social messaging account claimed that CoinDash support staff said the hacker first cloned an almost identical website to CoinDash.io, while using a fake contact address.

The imposter then contacted the CoinDash’s DNS provider using the registered email to request a redirection of traffic to the false site. Wu suspected the CoinDash email account was also compromised.

While CoinDash has previously stated that investors who have been affected by the hack will receive ICO tokens as compensation, those who made transactions after the website was shut down will not be compensated.

CoinDash did not confirm the cut-off time for the website closure. However, the company tweeted on 10:39 a.m. EST, July 17, that the token sale was over and asked investors not to send “any ETH to any address.”

This was followed by another Tweet on 12:47 p.m. that linked to its statement, and another soon after pointing to a form for those who had been affected.

So far the fake contract address has not made any outgoing transactions.

Sink drain image via Shutterstock; fake account details image via Etherscan.io