Fraudsters just stole $7 million by hacking a cryptocoin offering

Key Points
  • More than $7 million worth of ethereum was stolen in about half an hour.
  • CoinDash said it will provide tokens to buyers except those who invested after its site was shut down.
AndreyPopov | Getty Images

Around 9 a.m. eastern time on Monday, Shawn Van de Vyver, a dentist in Michigan, went to CoinDash's website to check out the project's initial coin offering — a new way that cryptocurrency start-ups are raising money.

Van de Vyver has been building computers and websites for 20 years and started studying bitcoin when it was trading in the single digits (it's now priced at more than $2,000). He also invested a couple thousand dollars in digital currency ethereum, he told CNBC.

CoinDash is sometimes described as the E-Trade for blockchain and Van de Vyver was interested in tracking the project, even if he wasn't yet ready to invest.

Shortly after 9, Van de Vyver got a text from a dentist friend telling him that the site had been hacked.

Visitors to the site had been told to send their ethereum to another address in order to participate in the ICO.

People who followed those instructions had their money stolen, according to the website. Over the course of about a half an hour, more than $7 million was routed to the hacker. According to Etherscan, which tracks the movement of ethereum, some 2,130 transactions took place.

"I could've been hoodwinked," said Van de Vyver, 37, in an interview Monday morning. "These are not sophisticated investors trying to invest in a company."

Welcome to the lawless world of ICOs. Start-ups building on blockchain are raising millions of dollars in exchange for tokens that give buyers future access to their network once it's up and running. The tokens also rise and fall in value and can be bought and sold, giving them characteristics of unregulated securities.

The SEC has yet to weigh in on the new market, meaning that buyers have little to no legal recourse if their money gets stolen.

CoinDash said in a statement on its website that it will provide tokens (CDTs) to people who sent ethereum to the fraudulent address prior to the CoinDash site being closed down. But transactions that took place after the site was shut "will not be compensated," the company said.

Here comes the ICO, a wild new way for cryptocurrency start-ups to raise money
Here comes the ICO, a wild new way for cryptocurrency start-ups to raise money

"This was a damaging event to both our contributors and our company but it is surely not the end of our project," CoinDash said. "We are looking into the security breach and will update you all as soon as possible about the findings."

A CoinDash spokesperson had no further comment, but referred CNBC to the website.

To assist the investigation, the company tweeted out a form for people to fill out if they tried to purchase coins.

CoinDash was aiming to raise about $12 million, and the company said that the sale secured $6.4 million from early contributors. That's relatively small compared with some recent offerings. Tezos, EOS and Bancor raised a total of more than $540 million since mid-June, more than five times the amount raised in ICOs in all of 2016, according to Smith + Crown, a blockchain research, data and consulting group.

Even with the risks, Van de Vyver said he'll still look at investing in ICOs because he expects blockchain technologies to create plenty of future value.

"It's a huge gold rush," he said. "But you've got to know what you're doing."