Swaths of concerned DADI ICO investors are rushing to Reddit and Telegram to report they are now being targeted in a co-ordinated phishing attack after the fledgling cryptocurrency startup failed to protect their credentials, including names and email addresses.
The fraudulent phishing emails ask recipients to sign up for a malicious version of popular cryptocurrency wallet MyEtherWallet, designed to steal your data and private keys. What makes the attack particularly sinister is that it relies on punycode techniques to trick users into submitting their information.
In addition to that, the hackers used an email (firstname.lastname@example.org) which closely resembles the authentic DADI address (email@example.com).
Here is a copy of the fake email as shared by affected DADI users:
TNW has since spoken to DADI community manager Bolaji Oyewole (more commonly known as @Bjay on Telegram and Discord) who told us that the “email in question is a phishing scam, but it is not a new compromise.”
“Rather a new attempt to defraud our community using data from the mailing list hack at the end of the Crowdsale period,” Oyewole added, linking to the following tweet:
An external email system used by DADI for marketing communications was compromised this evening. DADI will never send contract or wallet addresses via email. Please ignore any emails from firstname.lastname@example.org https://t.co/TCT1lS0EdV
— DADI (@dadi) February 1, 2018
“This attack was investigated at the time and appropriate steps taken to mitigate the impact (which includes reporting matters to the appropriate authorities, issuing community alerts etc.),” the community manager further said. “We also stopped using the system in question.”
“We would remind your readers to take appropriate steps to protect themselves,” he added. “A security update from the end of the Public sale can be seen here.”
Another DADI community rep who goes by the name Rick Kamp seconded Oyewole’s claims.
“Back in January one of our third party email marketing vendors was compromised which we dealt with at the time,” he wrote on Telegram. “No KYC information was compromised and DADI was not hacked. This is simply a re-attempt to engage those emails. Kindly report the email as spam and delete. It’s a blatant scam attempt.”
While the startup continues to insist their system has not been compromised, it is advising users to ignore any emails that do not originate from their official email address email@example.com.
Here is the full message:
Oyewole has further clarified that users can request to have their data deleted by DADI.
“Phishing emails will come. Be safe, delete them and report,” he warned on Telegram. “We are aware and we take down the sites as fast as we can. We keep your data offline in one of the most secure locations in the UK.”
“If you want your profile deleted from the website, send a request to firstname.lastname@example.org,” he finished.
For the record, this is not the first time DADI has dealt with controversy.
In addition to the email list breach which took place in January, the company got busted blatantly plagiarizing segments from the white paper of blockchain-powered competitor SONM. DADI eventually responded to the accusations in a Medium post, claiming the copied text was a “mistake” someone forgot to fix.
The cryptocurrency space is no stranger to this sort of mishaps, unfortunately.
Indeed, blockchain-powered Airbnb competitor, Bee Token, was involved in a similar accident last month. It remains unclear how widespread the DADI phishing attack is, but the Bee Token hackers ultimately managed to walk away with more than $1 million worth of Ethereum.