The hacker executed his scheme on January 19, when he used the information he gathered —private keys for IOTA wallets— to steal money from users’ accounts. The damage was estimated at around USD 3.94 million worth of IOTA, at the time of the hack.
In order to keep their IOTA cryptocurrency funds, users need to create a wallet. When users create a IOTA wallet, they are required to enter a seed of 81 characters long. There are various ways to generate this random string, but one way is to use an online seed generator.
In August 2017, the hacker registered the domain iotaseed.io and advertised it as an IOTA seed online generator. Since most cryptocurrency users are suspicious of random sites, the hacker linked the iotaseed.io website to a GitHub repository, alleging the website was running the very same code.
In reality, people visiting the iotaseed.io website received predictable seeds, which the hacker had secretly logged. Then he/she used advertising to promote the website as the top result in Google results for “IOTA seed generator” search queries, driving massive amounts of traffic to the site.
On January 19, the hacker utilized the collected logs over a six month period to access IOTA accounts with the seeds (private keys) he collected and started transferring funds out of owners’ wallets. Moreover, IOTA network nodes suffered a DDoS attack at the same time, keeping IOTA developers busy instead of investigating the mysterious transactions, and possibly stopping their origin.
Currently, the iotaseed.io website now features a message that reads: “Taken down. Apologies”, the online publication concludes.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now
We welcome comments that add value to the discussion. We attempt to block comments that use offensive language or appear to be spam, and our editors frequently review the comments to ensure they are appropriate. If you see a comment that you believe is inappropriate to the discussion, you can bring it to our attention by using the report abuse links. As the comments are written and submitted by visitors of the The Paypers website, they in no way represent the opinion of The Paypers.