If your malicious client downloads a modified DAG from hackers-server, where the DAG says hacker-has so much bytes, any transactions coming from it to the real network will just be trashed as spam, signatures would be invalid, by the rest of the full nodes and witnesses.
Maybe, we have checkpoints in bitcoin code just in case someone with huge computer power will rewrite chain from the start. So, if wallets (nodes) resinc they will not accept non legit blockchain (at least not rewrited from place before checkpoint). Byteball don't have POW, so probably checkpoints or something should be made, since crashed wallet can resinc from SyBill nodes (malicious hacker wallets) and lost legit one DAG forever.
Nobody looses legit one DAG forever even in such a scenario.
As described earlier, such an attack can be mounted on bitcoin users too, just change the checkpoints in the modified client too to match what the hacker-generated database has.
In both cases, to protect yourself, since this is an attack on the user and not on the network/technology, ensure you are on the right network, and the way to do that is to check with various trusted sources, use several smartphones with different ISPs, check your balance on explorers etc.
But, Byteball has something more clever than the above. Multi-signatures, just pair your wallet with another device and setup "requires 2 of 2 signatures" to transact or setup 2 of 3 devices. Simple.
