Just weeks after a digital wallet provider for Stellar Lumens was hacked, another altcoin wallet has been hit. This time IOTA users found their wallets emptied by hackers using malicious online seed generators. An estimated $4 million in IOTA tokens was stolen in the digital heist.
According to the IB Times, the attackers used spurious websites to generate password details for the fintech network. The hackers also used DDoS attacks during the incursion and succeeded in moving IOTA users’ assets to their own wallets via seeds they got from a compromised website.
Stolen seeds
Seed generation is the process of creating the 81-character string that opens and protects an IOTA wallet. The seed is the equivalent of a username and password, or a digital key. Online seed-generating websites can perform this task, which is quite complex. It can also be carried out offline, but that requires some technical expertise.
The website exploited was iotaseed.io, which generated the string from users moving their mouse randomly on the screen. The site has since gone offline, leaving the unceremonious message “Taken down. Apologies.” It was the top result in the search pages for online seed generators – possibly an advert for a phishing site that had paid Google to be at the top.
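The offline alternative mentioned above can be a short local script. This is an added example, not code from IOTA or from the article's sources; it assumes the IOTA seed alphabet of the uppercase letters A-Z plus the digit 9 (a detail the article does not spell out) and draws from the operating system's CSPRNG through Python's `secrets` module, so the seed never leaves the machine.

```python
import secrets

# Assumption (not stated in the article): IOTA seeds use the 27-symbol
# tryte alphabet, i.e. the uppercase letters A-Z plus the digit 9.
TRYTE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ9"
SEED_LENGTH = 81


def generate_seed(rand_bytes=secrets.token_bytes):
    """Return an 81-character seed drawn uniformly from the tryte alphabet.

    rand_bytes(n) must return n random bytes; the default reads the OS CSPRNG.
    Bytes >= 243 are rejected: 256 is not a multiple of 27, so a plain
    `byte % 27` would make the first 13 symbols slightly more likely.
    """
    limit = 256 - (256 % len(TRYTE_ALPHABET))  # 243 == 9 * 27
    seed = []
    while len(seed) < SEED_LENGTH:
        for b in rand_bytes(SEED_LENGTH):
            if b < limit and len(seed) < SEED_LENGTH:
                seed.append(TRYTE_ALPHABET[b % len(TRYTE_ALPHABET)])
    return "".join(seed)


def is_valid_seed(seed):
    """Check length and alphabet before a seed is written down or used."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


if __name__ == "__main__":
    # Run on a trusted machine, ideally offline. Nothing is sent anywhere.
    seed = generate_seed()
    assert is_valid_seed(seed)
    print(seed)
```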
IOTA secure
The IOTA distributed ledger remains secure, and only the wallets accessed with compromised seeds suffered losses. IOTA Evangelist Network member Ralf Rottmann took to Medium to explain the situation.
“From what I’ve heard, many users who lost their funds created their seeds at iotaseed.io. Chances are, the folks behind this and potentially other seed generators have sat tight for a while, collecting piles of seeds, though the actual numbers of users affected are not known to me. The fact that iotaseed.io is still online at the time of this writing might suggest that the site got compromised itself, and it’s not the folks behind the service who ran the attack.”
Rottmann went on to state:
“The victims literally shared the keys to their wallets with the attackers by using the attackers’ website. In essence, from a purely technical and security perspective, all transfers that happened under this attack, are legitimate transactions. The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter. The attackers did not leverage anything IOTA specific! This is super important.”
Some observers commented that the situation could have been avoided if IOTA ran and maintained its own seed generator. However, IOTA co-founder David Sønstebø had little sympathy and said users should be responsible for their own security. He went on to add:
“Some inexperienced users went to a website that was listed in Google Ads to generate a password, i.e. a phishing site. As a consequence, they essentially gave their password to this nefarious operator. IOTA the technology has not been affected at all.”
The attack comes just a week after $450,000 of XLM was lifted from a compromised third-party Stellar Lumens digital wallet provider.