The social engineering hack used phishing emails to induce recipients to sign up on a fake, infected mirror of the popular cryptocurrency wallet MyEtherWallet, enabling the hackers to steal their victims' information and access keys.
The hack applied punycode techniques to mislead its victims into freely providing all of their information, something that is raising eyebrows in the industry. To further lull the unsuspecting victims, the hackers used a familiar-looking email address which very closely resembled the real address (firstname.lastname@example.org).
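A defender-side check for the punycode lookalike technique mentioned above, added here as an example and not part of the original report: it decodes `xn--` hostnames found in a message and flags any that render like a trusted domain. The allowlist, the confusables subset and the sample message are constructed assumptions.

```python
import re
import unicodedata

# Assumption: domains the recipient legitimately expects (illustrative allowlist).
TRUSTED = {"myetherwallet.com"}
# Constructed subset of Cyrillic look-alikes; real tooling should use Unicode TR39 data.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}
HOST_RE = re.compile(r"(?:https?://|@)([^\s/>:\"']+)", re.I)  # host after scheme or "@"

def to_unicode(host):
    """Decode xn-- (punycode) labels; undecodable labels are left as-is."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Strip accents and map look-alike letters to ASCII for comparison."""
    decomposed = unicodedata.normalize("NFKD", host)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in base)

def classify(host):
    """Return 'trusted', 'lookalike', 'idn' or 'unknown' for one hostname."""
    host = host.lower().rstrip(".")
    if host in TRUSTED:
        return "trusted"
    decoded = to_unicode(host)
    if skeleton(decoded) in TRUSTED:
        return "lookalike"  # renders like a trusted name but is a different domain
    return "idn" if not decoded.isascii() else "unknown"

def scan(message):
    """Classify every host found in the links and addresses of a message."""
    return {h: classify(h) for h in HOST_RE.findall(message)}

# Constructed sample: a Cyrillic "e" (U+0435) swapped into the wallet's name.
LOOKALIKE = "myetherwall\u0435t.com".encode("idna").decode("ascii")
SAMPLE = (f"From: Support <noreply@{LOOKALIKE}>\n"
          f"Link: https://{LOOKALIKE}/ (real site: https://myetherwallet.com/)\n"
          "Unrelated: https://xn--mnchen-3ya.example/")

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A mail gateway or client plugin would treat the `lookalike` verdict as a block or quarantine signal and the plain `idn` verdict as a lower-priority warning.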
It is reported that DADI community manager Bolaji Oyewole stated that although the email was a phishing scam, it was nothing new. The only new aspect, he stated, was the fact that the hackers used mailing lists stolen at the end of the so-called ‘Crowdsale’ period. Oyewole pointed to a tweet dated February 2018, in which DADI informed investors of the compromise of the marketing communications email system. In this tweet, DADI explicitly states that “they will never send contract or wallet addresses via email.”
According to Oyewole, the email compromise was fully dealt with. The details were appropriately communicated, the affected investors were alerted, and DADI immediately stopped using the compromised system. It is, he stated, the responsibility of the public to protect themselves and to be meticulous about security updates after this incident. Oyewole was supported in this by his colleague, Rick Kamp.
According to Kamp's version, a third-party email vendor was compromised, an incident which was fully dealt with at the time. The most recent phishing attempt was just an attempt to capitalize on that earlier compromise. He referred to the recent attempt as “spam” to be deleted. “Just delete it,” he stated.
In the wake of what DADI insists was not a compromise of its system, the company issued a warning to investors to delete any email purporting to be from DADI that did not come from the one and only DADI email address, email@example.com.
Of course, Oyewole claimed, users are free to demand that DADI delete all their data, by just requesting the same from firstname.lastname@example.org. Phishing scams will happen but can be decisively dealt with by just deleting and reporting them. Users' data, he reaffirmed, is kept in one of the most secure offline locations in the United Kingdom.
DADI has been in “hot water” before. Apart from the above, DADI was accused of plagiarism. The accusation was that the company used entire segments of a white paper published by their competitors, SONM. DADI admitted their guilt, claiming that it was a copying mistake missed by management.
DADI is not alone in its infamy, however. Airbnb competitor Bee Token, also blockchain-driven, made the news in a similar fashion last month, when it lost US$1 million worth of Ethereum.