The IOTA community suffered a major setback over the weekend as several users lost an estimated total of $4 million worth of tokens in a widespread theft.
Over the weekend, several IOTA users had their wallets compromised, and consequently emptied, as unknown actors loaded with seed phrases decided to make off with almost $4 million worth of the digital currency.
According to a Medium post by IOTA evangelist Ralf Rottman:
“On January 19th, 2018, some IOTA users lost their funds to an unknown attacker. The good news: The IOTA technology is secure. The attacker did not leverage any vulnerability.
The root cause so this could happen was for users to rely on online generators to create their seeds. If you take only one thing away from this: Never, ever use online tools to generate your seeds.”
All cryptocurrency wallets have a public – private key pair, and anyone in possession of a private key has control over the funds. Given how private keys are obviously difficult to memorize, wallets support the use of seed phrases or mnemonic recovery phrases to allow easy access.
Just like a private key, a seed phrase, if stolen, can result in an attacker having complete access to your cryptocurrency funds, and that is what happened to IOTA users who used an online seed generation website (particularly iotaseed.io, which has been taken down).
While most cryptocurrency wallets have seed generation baked in, the IOTA wallet did not have this feature, prompting users to generate their own seeds.
It is believed that these one or more of these online seed generators was either compromised, or the people behind them were holding on to the generated seeds and saw an opportune time to attack.
The IOTA theft was accompanied by DDoS attacks on several IOTA fullnodes, effectively preventing users who found out about the ongoing theft, from accessing their funds and moving them.
While the attack is known, and victims have legitimate losses, given the decentralized nature of a distributed ledger, these transactions cannot be reversed.