
Context

On July 17th, after nearly a year of operations, CoinDash performed a TGE (Token Generation Event) during which more than 100K unique users visited CoinDash website (Coindash.io).

The TGE started with a 30 minute phase in which only “whitelisted” users were invited to receive CDT (CoinDash Token) in return for sending ETH to the designated contribution address.

Following the initial 30 minutes, the TGE went public; at that stage anyone could send ETH to the TGE smart contract and receive CDT in return. The TGE contribution was limited to an 80K ETH hard cap. When the public phase started, the Ethereum smart contract contribution address was to be revealed on the official CoinDash website.

At the moment in which the CoinDash contract address was to be revealed to the public, a malicious attacker switched the official contribution address to a different address:

“0x6a164122d5cf7c840D26e829b46dCc4ED6C0ae48”.

Due to high demand, the TGE contribution progressed at head-spinning velocity: within 7 minutes, 43K ETH were redirected to the malicious address until the site was shut down by our team.

An investigation was initiated privately by a cyber forensics team hired by CoinDash and is now led by the police, Israel's Counter Cyber Crimes unit, as well as other international agencies.

As the attack is a criminal offense we were constrained from sharing the investigation details during earlier stages.

Findings

Note: not all findings could be made public; some remain confidential for the purpose of the investigation.

Following the attack, a thorough investigation of the CoinDash WordPress site was ordered.

Investigators performed a diff review between the original code and the code found on the attacked server.

The 404.php file was modified from its original content. A malicious webshell, base64 encoded, was planted in the 404.php file.

This webshell allows remote code execution, file upload, directory listing, file reading and more.

The malicious webshell was originally published on an underground Polish IT website called devilteam.pl, an IT security website on which people publish exploits, vulnerabilities, information about companies getting hacked and other cyber security related topics.

The malicious webshell (called “HAURU SHELL”) was first uploaded by a user named Kacper.

The malicious code publication by Kacper (image not included)

Genuine 404.php code (image not included)

Malicious 404.php code (image not included)

According to cyber security experts, the details of the attack and the exploit methods used indicate that this is not the act of a single person or an afterthought. The attack in question was most likely carried out by a highly sophisticated group of people.

The 404.php file's metadata indicates that it was last modified at 03:23. Examining the logs, we discovered 3 different IP addresses in session (probably SSH).

We also saw indications that the malicious webshell was uploaded using the WordPress theme editor.
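As an added example (not part of the CoinDash report or its investigators' tooling), the following Python script shows how the diff review and modification-time check described above can be automated for a WordPress theme directory: each file's SHA-256 is compared against a known-good baseline, its mtime is recorded, and eval/base64_decode patterns and long base64 blobs are flagged. The theme files, baseline hashes and encoded payload are constructed for the demo; the payload decodes to a harmless comment.

```python
import base64
import hashlib
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Obfuscated PHP webshells are typically a base64 blob fed straight into eval/assert.
SUSPICIOUS = re.compile(
    rb"(eval|assert|system|passthru|shell_exec)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE)
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_theme(theme_dir: Path, baseline: dict) -> list:
    """Diff every file under theme_dir against baseline (relative path -> sha256 of the
    known-good release) and return one finding per file that is new, modified or suspicious."""
    findings = []
    for path in sorted(p for p in theme_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(theme_dir).as_posix()
        data = path.read_bytes()
        reasons = []
        if rel not in baseline:
            reasons.append("file not in baseline")
        elif baseline[rel] != sha256(data):
            reasons.append("hash differs from baseline")
        if SUSPICIOUS.search(data):
            reasons.append("eval/decode pattern")
        if BASE64_BLOB.search(data):
            reasons.append("long base64 blob")
        if reasons:  # keep the mtime: a "last modified at 03:23" timestamp is the pivot into the logs
            mtime = datetime.fromtimestamp(path.stat().st_mtime).isoformat(timespec="seconds")
            findings.append({"file": rel, "mtime": mtime, "reasons": reasons})
    return findings

def demo() -> list:
    """Constructed theme: a clean index.php plus a 404.php with an encoded payload appended."""
    theme = Path(tempfile.mkdtemp())  # hypothetical theme directory
    clean_404 = b"<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n"
    clean_index = b"<?php get_header(); ?>\n"
    baseline = {"404.php": sha256(clean_404), "index.php": sha256(clean_index)}
    (theme / "index.php").write_bytes(clean_index)
    blob = base64.b64encode(b"/* placeholder for an injected webshell */" * 8)  # decodes to a comment
    (theme / "404.php").write_bytes(clean_404 + b"<?php eval(base64_decode('" + blob + b"')); ?>\n")
    return scan_theme(theme, baseline)

if __name__ == "__main__":
    print(demo())
```

Run against a real site, the baseline would be built from a pristine copy of the same theme version, and any hit should be triaged with the web server and SSH logs for the recorded mtime.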

Final note

As the investigation is still underway and new findings come to light on a weekly basis, we are prevented from disclosing further details regarding the attacker’s IP address, missteps and method of communication.

Both public and undercover means are being deployed to retrace the attacker’s steps leading to the hack execution.

International and local law enforcement agencies refer to the attack as a severe criminal act and are committed, together with CoinDash, to track down the stolen ETH and the attacker’s identity.

More details will be disclosed once circumstances allow it.

As the attacker returned 10K ETH to the company’s ETH account, we encourage the attacker to send back the rest of the stolen ETH to mitigate the damage to CoinDash and TGE participants. CoinDash and the leading investigating authorities will respond favorably towards such actions.

If anyone can offer any information about the incident, you are encouraged to reach out to our team at the following email address: contact@coindash.io

Further reading - The way forward

As indicated immediately after the attack, CoinDash's vision, company and product are intact. We have managed to secure 49,000 ETH and, most importantly, the support of our contributors and user base. All of the people who fell victim to the hack received their CDT in full, and the unfortunate event is now a thing of the past.

Security remains a challenge in the Blockchain space with notable attacks occurring to a growing number of companies (Veritaseum, Enigma, Etherparty, Parity etc.). Yet, it is important to note that the Blockchain industry is relatively young and lessons are being learned and implemented on a daily basis.

CoinDash Team.