IOTA wallets were hacked, they stole Millions. Individuals have been left with emptied wallets due to malicious websites providing users with a new wallet seed.
Two days ago, many users reported having their funds in their IOTA wallets stolen from an unknown source. The cause? Online seed generators. The damage is estimated on around $4million. Online seed generators for IOTA are websites that provide users with a quick solution to generate a new seed for their IOTA wallet.
When you create your IOTA wallet you have to create 81-character seed rather than generation being baked-in. There are workarounds as outlined by the HelloIOTA website. It includes using an IPFS seed generator or creating a key using either the Mac or Linux terminal.
The top hit for online seed generation for IOTA wallets has since taken down its website. It left a message simply stating “Taken down. Apologies.”. The generator would require viewers to move their mouse around to “generate randomness,” and then provide a seed that fit the requirements of an IOTA wallet. It also provided a version of the seed encoded as a mnemonic phrase as well.
According to a blog post from a Network member – Ralf Rottmann, the attackers deployed a DDoS attack against popular IOTA fullnodes. They left victims of the hack unable to rescue any of their funds:
The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter. The community of fullnode operators is discussing various strategies to better protect public community nodes from this specific and similar DDoS attacks in the future.
The IOTA community has been quite clear about online seed generators. They encouraged users to change elements of the seed in order to prevent any vulnerabilities. They have also been repeatedly pointing to the fact that the vulnerability has nothing to do with IOTA’s technology and rather just seed generating services.
IOTA has gone through a bit of drama in a past few months. Especially with their Microsoft partnership clarification after a botched press cycle and patched vulnerabilities found back in the fall. In October, the IOTA team also took custody of at-risk funds due to another vulnerability with the use of a snapshot.
Although quite ambitious, the tangle seems to always be tangled up in controversy.