A number of DADI ICO investors are complaining on Reddit and Twitter that they are getting phishing e-mails after the startup was unable to protect their names and e-mails.
The fraudulent e-mail asks users to sign up for a malicious copy of the widely used cryptocurrency digital wallet MyEtherWallet; the copy is designed to steal private keys and other private information.
The hack relies on a Punycode technique, in which a domain name containing look-alike non-Latin characters is rendered so that a fake website or address appears identical to the original. In this case, the hackers used a phony email address (firstname.lastname@example.org) which looks exactly like the original DADI email (email@example.com). Because of the close resemblance, a lot of people fell prey to the attack, letting the hackers run away with $1 million worth of Ethereum.
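An added example, not part of the original article or any DADI tooling: a Python sketch of how a mail filter could flag Punycode look-alike sender domains of the kind described above. The protected domain `mywallet.example`, the small confusables table and the function names are constructed assumptions.

```python
import unicodedata

# Constructed, partial map of Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u03bf": "o"}
PROTECTED = {"mywallet.example"}  # hypothetical domains the organisation really owns

def to_unicode(domain):
    """Decode xn-- (Punycode) labels so the domain is inspected as a user sees it."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid Punycode: inspect as-is
        return domain

def scripts(label):
    """Scripts used by the letters of one label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(domain):
    """Fold known look-alike letters to Latin so visually equal names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def check_sender(address):
    """Classify the sender domain of an e-mail address; returns (verdict, domain)."""
    domain = to_unicode(address.rsplit("@", 1)[-1])
    if domain in PROTECTED:
        return "legitimate", domain
    if skeleton(domain) in PROTECTED:
        return "lookalike", domain
    if any(len(scripts(label)) > 1 for label in domain.split(".")):
        return "mixed-script", domain
    return "unknown", domain

if __name__ == "__main__":
    # Constructed samples: the second sender uses Cyrillic U+0430 in place of Latin "a".
    spoofed = "myw\u0430llet.example".encode("idna").decode("ascii")
    for sender in ("team@mywallet.example", "team@" + spoofed, "news@other.example"):
        print(sender, "->", check_sender(sender))
```

A production filter would replace the hand-made table with the full Unicode confusables data; the table here covers only a few letters.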
The “email in question is a phishing scam, but it is not a new compromise,” said DADI community manager Bolaji Oyewole while speaking to TNW.
“Rather a new attempt to defraud our community using data from the mailing list hack at the end of the Crowdsale period,” he added.
DADI also warned its investors about the scam on Twitter, instructing them to ignore such emails.
An external email system used by DADI for marketing communications was compromised this evening. DADI will never send contract or wallet addresses via email. Please ignore any emails from firstname.lastname@example.org https://t.co/TCT1lS0EdV
— DADI (@dadi) 1 February 2018
“This attack was investigated at the time and appropriate steps taken to mitigate the impact (which includes reporting matters to the appropriate authorities, issuing community alerts etc.),” said Bolaji (commonly known as @Bjay on Telegram and Discord). “We also stopped using the system in question.”
Rick Camp, who is also a DADI community representative, backed Bjay’s statement and explained how the emails were leaked in the first place.
“Back in January one of our third-party email marketing vendors was compromised which we dealt with at the time,” he wrote on Telegram. “No KYC information was compromised and DADI was not hacked. This is simply a re-attempt to engage those emails. Kindly report the email as spam and delete. It’s a blatant scam attempt.”
The startup continued to claim that their system had not been hacked. It is also providing users the option to ask DADI to delete all their data.
“Phishing emails will come. Be safe, delete them and report,” warned Bjay. “We are aware and we take down the sites as fast as we can. We keep your data offline in one of the most secure locations in the UK.”
“If you want your profile deleted from the website, send a request to email@example.com,” he finished.
This is not the first time that DADI has been surrounded by controversy. Earlier this year, the startup was accused of plagiarizing pieces from the whitepaper of its blockchain-powered rival SONM. However, DADI addressed the issue in a Medium post, saying it was just a mistake that they forgot to fix.