Holders of IOTA reported that about $4 million of cryptocurrency had been stolen from their wallets. The thefts were caused by malicious online seed-phrase generators. The identity of the attackers could not be established.
When users create a new IOTA wallet, they need to enter a secret phrase consisting of 81 characters. According to the HelloIOTA site, there are several workarounds that simplify this task. In particular, users can use a seed generator based on IPFS or create a key using a Mac or Linux terminal. However, none of these methods can be called simple, so beginners who lack the knowledge and skills to use them are forced to resort to alternative solutions, among them online seed-phrase generators.
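The terminal route mentioned above can be sketched as follows. This is an added example, not code from the original article or from HelloIOTA. It assumes the seed alphabet is uppercase A-Z plus the digit 9, and the function names `gen_seed` and `valid_seed` are hypothetical.

```shell
#!/bin/sh
# Added example: create an 81-character seed locally from the kernel
# CSPRNG, so the secret never passes through a third-party website.
# Assumption (not stated in the article): allowed characters are
# uppercase A-Z and the digit 9.

SEED_LEN=81

# Read random bytes from /dev/urandom and keep only allowed characters.
# tr -dc drops every byte outside the set, so each kept character is
# uniformly distributed over the 27 symbols (no modulo bias).
# LC_ALL=C makes tr treat the input as raw bytes (needed on macOS).
gen_seed() {
    LC_ALL=C tr -dc 'A-Z9' < /dev/urandom | head -c "$SEED_LEN"
}

# Succeed only if $1 is exactly 81 characters, all from A-Z or 9.
# The length check runs first, so a value containing a newline cannot
# slip through grep's line-by-line matching.
valid_seed() {
    [ "${#1}" -eq "$SEED_LEN" ] || return 1
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Z9]{81}$'
}

# Generate one seed, verify it, and print it to the terminal only.
seed=$(gen_seed)
if valid_seed "$seed"; then
    printf '%s\n' "$seed"
else
    echo "seed generation failed" >&2
fi
```

Run it on a machine you control, ideally offline, and keep the output out of shell history, clipboard managers and cloud-synced notes.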
One of the most popular sites in this segment, iotaseed.io, has now stopped working, and when you try to access it, the following message is displayed: "Closed. Excuse us".
To create a secret code, this generator asked users to move the mouse to "generate randomness," and then provided a seed phrase that meets the requirements of the IOTA wallet.
As Ralph Rottmann, a member of the IOTA Evangelist Network, reports, the attackers carried out a DDoS attack on the known full IOTA nodes to prevent the victims of this fraudulent scheme from recovering their funds.
The attackers knew the code phrases. You yourself invited them into your wallets, passing the keys on a silver platter.
The community of full node operators is currently discussing various approaches to improve the protection of public nodes from this kind of DDoS attack in the future.
Within the community, IOTA has repeatedly warned users that when using online seed-phrase generators, they should change parts of the generated phrases to avoid losing money. The developers of the project have also repeatedly pointed out that these vulnerabilities are not related to IOTA technology and are associated only with seed generators.
Recall that in December IOTA denied reports of a partnership with Microsoft, which caused a wave of criticism of the project. Its creators were accused of intentionally spreading false information to manipulate the market, and then had to refute it.
As for the theft of users' funds, earlier this month hackers withdrew $400,000 in Stellar Lumens (XLM) from the BlackWallet crypto wallet. To do this, they hijacked the DNS record of the wallet's domain and redirected it to their server.
Information Source: CCN