Emptied IOTA Wallets: Hackers Steal Millions Using Malicious Seed Generators
The IOTA community has recently been hit with a bit of drama, as some individuals have been left with their wallets drained due to malicious websites providing users with a new wallet seed.
Just two days ago, many users reported that the funds in their IOTA wallets (an estimated $4 million) had been stolen by an unknown party. The cause? Online seed generators.
Online seed generators for IOTA are websites that provide users with a quick solution to generate a new seed for their IOTA wallet.
When creating a new IOTA wallet, users are tasked with supplying an 81-character seed themselves, because seed generation is not built into the wallet. There are workarounds, as outlined by the HelloIOTA website, which include using an IPFS seed generator or creating a key using either the Mac or Linux terminal. However, neither is as user-friendly as other wallets, possibly leaving new users turning toward these online generators.
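As an added example (not taken from the original article or from the HelloIOTA guide), this is one way to create a seed in a Mac or Linux terminal using only the operating system's random number generator, so the seed never passes through a website. It assumes the seed alphabet is the uppercase letters A-Z plus the digit 9; the function names are hypothetical.

```shell
# Added example: generate and validate an IOTA-style seed locally.
# Assumption (not stated in the article): the seed alphabet is A-Z plus 9.

SEED_LEN=81   # seed length given in the article

gen_iota_seed() {
    # /dev/urandom is the kernel CSPRNG on both macOS and Linux.
    # LC_ALL=C makes tr treat the stream as raw bytes (required on macOS).
    # tr -dc drops every byte outside the alphabet instead of mapping it
    # with a modulo, so all 27 symbols stay equally likely.
    LC_ALL=C tr -dc 'A-Z9' < /dev/urandom | head -c "$SEED_LEN"
}

is_valid_iota_seed() {
    # Succeeds only for exactly SEED_LEN characters drawn from A-Z and 9.
    # Useful for catching truncated or mistyped seeds before funding a wallet.
    printf '%s\n' "$1" | LC_ALL=C grep -Eqx "[A-Z9]{$SEED_LEN}"
}

# Usage (run on a machine you trust, ideally offline):
#   seed=$(gen_iota_seed) && is_valid_iota_seed "$seed" && printf '%s\n' "$seed"
```

A seed produced this way should be written down or stored in a password manager rather than left in shell history or a plain file.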
The top hit for online seed generation for IOTA wallets has since taken down its website, leaving a message simply stating “Taken down. Apologies.” The generator would require visitors to move their mouse around to “generate randomness,” and then provide a seed that fit the requirements of an IOTA wallet. It also provided a version of the seed encoded as a mnemonic phrase.
According to a blog post from IOTA Evangelist Network member Ralf Rottmann, the attackers deployed a DDoS attack against popular IOTA fullnodes, leaving victims of the robbery unable to rescue any of their funds.
The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter. The community of fullnode operators is discussing various strategies to better protect public community nodes from this specific and similar DDoS attacks in the future.
The IOTA community has been quite clear about online seed generators, encouraging users to change elements of the seed in order to prevent any vulnerabilities. They have also repeatedly pointed out that the vulnerability has nothing to do with IOTA’s technology, but rather with seed-generating services.
IOTA has gone through a bit of drama in recent times with their Microsoft partnership clarification after a botched press cycle, and patched vulnerabilities found back in the fall. In October, the IOTA team also took custody of at-risk funds due to another vulnerability with the use of a snapshot.
Although quite ambitious, the tangle seems to always be tangled up in controversy.