The hacker executed his scheme on January 19, when he used the information he had gathered (private keys for IOTA wallets) to steal money from users’ accounts. The damage was estimated at around USD 3.94 million worth of IOTA at the time of the hack.
To hold IOTA cryptocurrency funds, users need to create a wallet. When users create an IOTA wallet, they are required to enter a seed 81 characters long. There are various ways to generate this random string, and one of them is to use an online seed generator.
In August 2017, the hacker registered the domain iotaseed.io and advertised it as an online IOTA seed generator. Since most cryptocurrency users are suspicious of random sites, the hacker linked the iotaseed.io website to a GitHub repository, alleging that the website was running the very same code.
In reality, people visiting the iotaseed.io website received predictable seeds, which the hacker had secretly logged. He or she then used advertising to promote the website as the top Google result for “IOTA seed generator” search queries, driving massive amounts of traffic to the site.
On January 19, the hacker used the logs collected over a six-month period to access IOTA accounts with the collected seeds (private keys) and started transferring funds out of owners’ wallets. Moreover, IOTA network nodes suffered a DDoS attack at the same time, which kept IOTA developers busy instead of investigating the mysterious transactions and possibly stopping them at their origin.
The iotaseed.io website now features a message that reads: “Taken down. Apologies”, the online publication concludes.
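The difference between a predictable seed and one generated locally from the operating system's CSPRNG can be shown in a few lines. This is an added example, not code from iotaseed.io or the IOTA project: the function names are hypothetical, the seeded `random.Random` is a constructed stand-in for "predictable" (the article does not say how the site's seeds were made predictable), and the alphabet assumes the IOTA seed format of the letters A-Z plus the digit 9.

```python
import random
import secrets

# Assumption: IOTA seeds are 81 characters drawn from A-Z and the digit 9.
SEED_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def predictable_seed(state: int) -> str:
    """Weak generator (constructed illustration): the output is fully
    determined by `state`, so whoever knows or logs `state` can
    regenerate the same wallet seed at any later time."""
    rng = random.Random(state)  # Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(SEED_ALPHABET) for _ in range(SEED_LENGTH))


def secure_seed() -> str:
    """Hardened generator: every character comes from the OS CSPRNG,
    on the user's own machine, and is never sent or logged anywhere."""
    return "".join(secrets.choice(SEED_ALPHABET) for _ in range(SEED_LENGTH))


def is_valid_seed(seed: str) -> bool:
    """Format check only: it says nothing about how the seed was made."""
    return len(seed) == SEED_LENGTH and all(c in SEED_ALPHABET for c in seed)


if __name__ == "__main__":
    state = 20170801  # constructed value standing in for attacker-known state
    handed_to_user = predictable_seed(state)
    rebuilt_by_operator = predictable_seed(state)

    # Both seeds pass the format check, so the user sees nothing wrong.
    print("weak seed valid:  ", is_valid_seed(handed_to_user))
    print("operator can rebuild it:", handed_to_user == rebuilt_by_operator)

    local = secure_seed()
    print("local seed valid: ", is_valid_seed(local))
    print("differs from weak:", local != handed_to_user)
```

A seed from the weak generator is indistinguishable by inspection from a secure one, which is why the seed has to be generated offline with a tool the user controls rather than checked after the fact.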