Hackers reportedly used seeds collected through iotaseed.io to move funds into their own wallets.
Malicious online seed generators are responsible for the theft of $4 million worth of IOTA tokens, according to a report by online news source CCN.
In order to create a new IOTA wallet, a user must provide a string of 81 characters that can be used to access the wallet. Although there are several methods of generating such a string using offline resources, the process can be a bit complicated. Therefore, some IOTA holders turn to online seed generators, websites that can be used to easily generate strings of characters that can be used as seeds for IOTA wallets.
The site responsible for the generation of malicious seeds, iotaseed.io, has ceased operations. Now, the site displays the simple message: “Taken down. Apologies.” The fact that the site was shut down with “apologies” may be indicative of the fact that the site had been temporarily compromised by hackers, and that the original operators discontinued the site once control was regained.
Ralf Rottman, founder of Grand Centrix, originally described the attack in a Medium post on January 20, saying that attackers who appeared to have been collecting “piles of seeds” for some time began moving funds from the affected users’ wallets into their own wallets en masse on January 19.
A Simultaneous DDoS Attack Prevented Affected Users from Recovering Funds
At the same time, wrote Rottman, attackers launched a DDoS (distributed denial of service) attack against some of the IOTA network’s known fullnodes, which thwarted users’ efforts to recover their funds. Rottman added that the fact that community-run nodes were the ones affected was significant; none of his company’s privately-run nodes (located at iota.fm) were compromised.
Although the situation is certainly awful, and the DDoS attack did ultimately play a part in the loss of the funds, the IOTA network itself was not hacked–the DDoS attack on its own would not have resulted in the loss of anyone’s funds. The theft was the product of the use of malicious seed generator.
This isn’t the first time that IOTA users have made their funds vulnerable to attack due to unhygienic practices with private keys. IOTA co-founder Dominik Schiener wrote that during a separate attack on the IOTA network that took place in October of 2017, some IOTA tokens were “found to be at risk of theft due to users re-using their private keys.” The IOTA team temporarily took the vulnerable funds into custody until they could be secured.
The IOTA Foundation is reportedly working on developing a more user-friendly “UCL” wallet that will hopefully simplify the process of securing tokens, leading to a more secure ecosystem overall.
Unfortunately, users who lost their funds as a result of this shady seed-generating scheme are unlikely to regain their losses. Instead, we can all view this regrettable incident as a learning experience with an important takeaway: don’t participate in any sort of behavior that might expose your coins’ private addresses or seeds to any third party–keep seed generation and private keys as offline as possible, always.