This weekend, an estimated $4 million worth of IOTA tokens was stolen directly from its users’ wallets, though the company claims its technology was not responsible for the incident.
The attack, by a group of unknown actors, occurred on 19th January 2018. The hackers used seed phrases to compromise, access, and ultimately empty the digital wallets of a number of the altcoin’s users.
Ralf Rottmann, an IOTA evangelist, confirmed the attack via a post on Medium, but was quick to steer blame for the incident away from IOTA itself. “The IOTA technology,” he said, “is secure.”
Rottmann went on to say that the attackers were not able to leverage any form of vulnerability in the digital currency’s technology or blockchain, and that the only reason the attack was successful at all was that users were relying on online seed generators to keep their wallets secure.
All altcoin wallets have both a public key (for receiving funds) and a private key (for sending them). With private keys being lengthy and difficult to recall, many wallets allow you to use a seed phrase that gives you easy access to your wallet and key. Of course, should a hacker know your seed phrase, that is as good as the hacker owning your private key.
Unlike most altcoin wallets, the IOTA wallet does not have seed generation included in its setup, requiring users to generate their own. It seems likely that one or more of the popular seed generation sites was compromised by hackers, or that the people behind the site used the seed phrases themselves to attack.
In his post on Medium, Rottmann was quick to lay the blame on the users, rather than IOTA’s security measures, saying that the victims of this online attack invited the attackers into their wallets by handing them their private keys on a platter, in the form of seed phrases that only the user should have known.
Rottmann concluded by advising that IOTA users should never, ever generate their seeds using an online generator.
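What generating a seed locally can look like, as an added example that is not from the article, Rottmann's post or IOTA's own code: the seed is drawn on the user's machine from the operating system's random source, so no website ever sees it. It assumes the IOTA seed format of 81 characters from A-Z and 9, which the article does not state; the function names are hypothetical.

```python
import math
import os

# Assumption (not stated in the article): an IOTA seed is 81 characters
# drawn from the 27-symbol alphabet A-Z plus the digit 9.
ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81

# Largest multiple of 27 that fits in one byte value range (243). Bytes at
# or above it are discarded so that every symbol is equally likely.
_LIMIT = 256 - (256 % len(ALPHABET))


def generate_seed(length=SEED_LENGTH):
    """Build a seed locally from the operating system's CSPRNG."""
    chars = []
    while len(chars) < length:
        for byte in os.urandom(length):
            if byte < _LIMIT and len(chars) < length:
                chars.append(ALPHABET[byte % len(ALPHABET)])
    return "".join(chars)


def is_valid_seed(seed):
    """Check length and alphabet only; says nothing about how it was made."""
    return len(seed) == SEED_LENGTH and all(c in ALPHABET for c in seed)


def seed_entropy_bits(length=SEED_LENGTH):
    """Entropy of a uniformly random seed of the given length, in bits."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    seed = generate_seed()
    # The seed itself is deliberately not printed: anything that reaches a
    # terminal log, clipboard or web page can be read by someone else.
    print("seed generated locally, valid format:", is_valid_seed(seed))
    print("entropy (bits):", round(seed_entropy_bits(), 1))
```

A format check like `is_valid_seed` cannot tell a locally generated seed from one a website handed out and recorded, which is why where the seed is generated matters more than what it looks like.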