Seed generators reportedly blamed for phishing scam with reported losses of $4 million
The IOTA project apparently has somehow allowed scammers to run a phishing scheme to steal around $4 million from many unsuspecting users. Hackers reportedly used seeds collected through iotaseed.io to move funds into their own wallets.
Attackers also used a distributed-denial-of-service (DDoS) attack against some of the most popular IOTA full nodes, effectively preventing the victims from recovering their money.
There has been no compromise on IOTA, and the distributed ledger technology itself remains secure.
“Some users had the misfortune of using the wrong online seed generators, and were burned,”tweeted crypto expert Nic Carter. “In the end, at least $3.94m worth of IOTA was stolen.”
IOTA, the network behind the 11th most valuable cryptocurrency in the world by market cap (MIOTA), is coming under an attack on social media and community forums.
This is not the first time IOTA has come under attack. Back in December the project received a lot of public scorn for allegedly over hyping a “partnership” with Microsoft.
The IOTA wallet requires users independently generate their own seeds (private keys). Many users have relied on online key generators to do this, such as iotaseed.io.
According to a Medium post by IOTA evangelist Ralf Rottman:
“On January 19th, 2018, some IOTA users lost their funds to an unknown attacker. The good news: The IOTA technology is secure. The attacker did not leverage any vulnerability.
The root cause so this could happen was for users to rely on online generators to create their seeds. If you take only one thing away from this: Never, ever use online tools to generate your seeds.”
All cryptocurrency wallets have a public – private key pair, and anyone in possession of a private key has control over the funds. Given how private keys are obviously difficult to memorize, wallets support the use of seed phrases or mnemonic recovery phrases to allow easy access.
Just like a private key, a seed phrase, if stolen, can result in an attacker having complete access to your cryptocurrency funds, and that is what happened to IOTA users who used an online seed generation website (particularly iotaseed.io, which has been taken down).
While IOTA supporters explain that this is not a bug in the technology itself, which they say is still perfectly secure, critics aren’t buying it. For them depending on end users to generate the seeds is seen as an easy attack vector for troublemakers, just asking to be exploited.