A startup attempting to raise money through an initial coin offering has been hacked, and about $7 million worth of Ethereum tokens invested by customers has been stolen in the process.

CoinDash, a company that was aiming to build a “blockchain asset social trading platform,” was attempting to raise the equivalent of $12 million from its ICO that opened on Monday. But either before and shortly after the ICO went live, a hacker accessed the site of the company and changed the Ethereum wallet address investors sent money to. As a result, investors who thought that they were sending money to CoinDash were instead sending their Ethereum tokens directly to the hacker.

How the hack took place isn’t clear at this stage, but given its nature, it would appear to be a simple website hack with one minor change. In this case it was a change in the wallet address that was not picked up by those running the ICO.

CoinDash has now suspended the ICO and has promised to offer investors their promised CoinDash tokens if they can show proof that they made a payment, even if it was to the hacker. According to CNBC, the ICO involved 2,130 transactions, because investors may have made multiple transactions.

“CoinDash is responsible to all of its contributors and will send CDTs reflective of each contribution,” the company said in a statement on its website. “Contributors that sent ETH to the fraudulent Ethereum address, which was maliciously placed on our website, and sent ETH to the CoinDash.io official address will receive their CDT tokens accordingly.”

Although the company conceded that “this was a damaging event to both our contributors and our company,” it said it is “surely not the end of our project. We are looking into the security breach and will update you all as soon as possible about the findings.”

The increasing interest in ICOs is described fairly by some as a bubble thanks to the massive number of new offerings entering the market and producing tulipmania style returns. That means it was always going to attract the interest of hackers, particularly given that Ethereum, the cryptocurrency used to acquire the acquire the tokens, has followed in the steps of bitcoin and gone through the roof in value this year.

That the first major hack of an ICO came about through a traditional website hack and change-of-address versus something more complicated is somewhat ironic given the murkiness surrounded some ICOs. But it does highlight a growing concern in relation to security and risk in the ICO market, which remains nearly free of government regulation, allowing anyone to offer coins with little to no checks and balances.

Image: CoinDash/Web Archive