IOTA users recently got an unwelcome surprise when they logged on to check their wallets: their IOTA tokens were gone. It has been reported that an estimated $4 million in IOTA tokens has been stolen by hackers. The hackers used malicious online seed generators.
To understand what happened, it helps to understand how IOTA wallets are protected by the ‘seed’ system. Anyone creating a new IOTA wallet needs to provide a ‘seed’, a string of 81 characters that acts as a password for accessing the wallet. The IOTA wallet is considered to be one of the most secure wallets because of this system. However, that only holds if you generate the seed yourself.
Generating a seed offline is not easy, and the entire process of creating an IOTA wallet is not user-friendly at all. Therefore, many people (typically new investors) turn to online seed generators that do all the complicated work for them. However, this is very risky, because whoever runs the generator can learn your seed. This is exactly what happened: hackers used malicious online seed generators to wipe out a large sum of funds from multiple wallets.
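As an added illustration (not code from the article or from the IOTA project), a seed can be generated locally from the operating system's random number generator instead of a website. It assumes the IOTA seed alphabet of the letters A-Z plus the digit 9, which the article does not spell out; the function names are hypothetical.

```python
import os

# Assumption: IOTA seeds use the 27-symbol tryte alphabet, A-Z plus the digit 9.
TRYTE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ9"
SEED_LENGTH = 81  # seed length stated in the article


def generate_seed(rand_bytes=os.urandom):
    """Return an 81-character seed drawn uniformly from the tryte alphabet.

    rand_bytes is a hypothetical injection point for tests; the default is
    the operating system's CSPRNG. Bytes >= 243 are discarded (rejection
    sampling) because 256 is not a multiple of 27, so a plain `byte % 27`
    would make the first 13 characters slightly more likely than the rest.
    """
    limit = 256 - (256 % len(TRYTE_ALPHABET))  # 243 = 9 * 27
    chars = []
    while len(chars) < SEED_LENGTH:
        for b in rand_bytes(SEED_LENGTH):
            if b < limit and len(chars) < SEED_LENGTH:
                chars.append(TRYTE_ALPHABET[b % len(TRYTE_ALPHABET)])
    return "".join(chars)


def is_valid_seed(seed):
    """Check length and alphabet only; this cannot tell who else knows the seed."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


if __name__ == "__main__":
    # Run on a machine you trust, ideally offline. The seed is printed once
    # and is never written to disk or sent over the network by this script.
    print(generate_seed())
```

A seed that passes `is_valid_seed` is only well-formed; a seed handed out by a third-party website would pass the same check while already being known to that site's operator.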
iotaseed.io is allegedly the site responsible for the malicious seeds. It has since been taken down. According to a blog post by IOTA Evangelist Network member Ralf Rottmann, the hackers also launched a DDoS attack against IOTA fullnodes, which left many victims unable to get their funds back.
“The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter. The community of fullnode operators is discussing various strategies to better protect public community nodes from this specific and similar DDoS attacks in the future.”
There have also been claims that the hackers had been planning this attack for quite some time, as they had been collecting seeds for a while. Moreover, it has been reported that the nodes that were attacked were community nodes, which means that it was mostly regular investors who suffered losses. Private nodes were left untouched.
The attack was carefully planned: the DDoS attack left users unable to access their wallets, which gave the hackers ample time to move the funds out of the wallets. Many people were left stunned when they logged on to see all their funds gone. IOTA started receiving a lot of criticism, as it initially did not release any statement regarding the attack.
- Vulnerabilities in the code ✔
- ternary tech instead of binary ✔
- Fake Microsoft partnership debunked ✔
- Inability to demonstrate due diligence on cryptographic terms ✔
- Vulnerabilities confirmed through recent hack ✔
How much more can IOTA withstand? #survivor
— ⚡Krypt0punk⚡ (@Krypt0punk) January 22, 2018
IOTA’s price has fallen too, quite possibly because of a lack of faith in the currency’s wallet security. It’s down 12.9 percent in the last 24 hours, with its current price at $2.38 (as of this writing).
After a lot of tweets from confused users, Dominik Schiener, the co-founder of IOTA, tweeted that IOTA is taking steps against the hackers.
We have actually already started filing a police report (the IOTA Foundation on behalf of the users) and are working on a bigger update blog post with some of the actions we’re taking.
— Dominik Schiener (@DomSchiener) January 21, 2018
Schiener also tweeted: “Never, ever use an online password/seed generator. Especially when financial assets are involved. You are your own bank – keep that in mind and act as such.” However, it can be argued that if IOTA’s wallet wasn’t so complicated to set up, users wouldn’t have resorted to such means in the first place.
IOTA can be blamed for not going the extra mile for its users’ security, or for not trying to improve its wallet system. However, IOTA is reportedly working on a better wallet that will be user-friendly. That might help prevent such cases in the future.
Only a miracle might get the victims their funds back. However, it’s a major lesson learned for those who lost their digital tokens. It’s best to go through the official process, the correct way of doing things, rather than taking a shortcut; otherwise there’s a chance you may suffer.