$4m of IOTA stolen: Why to never use an online seed generator

Andrew Munro 24 January 2018

shutterstock password computer 738x410

You can only protect a password if it was created securely.

$4 million worth of IOTA was stolen in a hack attack. This particular theft is all down to user negligence of the kind that many people have been guilty of – the use of a supposedly reputable seed generator.

  • Seed – An 81 character password used to access IOTA wallets.
  • Seed generator – A tool for creating seeds, if someone doesn't want to try writing out a random string of 81 characters themselves.
  • Online seed generator – A seed generator accessed through a website.

The robbery is believed to have taken place through the https://iotaseed.io/ online seed generator, which has since been taken down.

Initially, it wasn't clear whether the seed generator website had itself been hacked and had a record of the seeds generated stolen, or whether it was a bad actor creating seeds with the intention of breaking into wallets later.

According to Koen Maris, IOTA cybersecurity advisor, it's the latter.

"By using a well-crafted phishing website that appeared to be a legitimate IOTA seed generator, they were able to collect a large number of seeds over a long period of time. They preyed upon the trust of the community, and spent time carefully optimizing the page to appear higher in search engine results, further legitimising their scam in the eyes of unsuspecting community members." he writes.

" ...do not create your seed on a website simply because it appears high up on a list of search results. Better yet, do not use an online seed generator, period." Maris advises.

The seed generator had been widely used and carefully cultivated to climb up the search engine ranks and take in as many seeds as possible. And the operators had clearly been planning the heist for a while. The theft coincided with DDoS attacks on most IOTA full nodes at the same time, essentially slowing down the network to prevent countermeasures, and help the thieves escape with as much money as possible.

Theft and other scams are a relatively common part of cryptocurrency, but this robbery might be one of the more sophisticated and long-planned attacks.

Worryingly, it also raises the possibility of other widely-used services being scams. This seed generator was active for a long time and had built its reputation and trust in the community, and it seems likely that there are others like it which have yet to pull off their planned heists. The safest route might be to assume that any potential vulnerability is a problem.

  • Know the weak points – Anything that's connected to the internet is potentially vulnerable. This might be a text document on an internet-connected computer, an online wallet, a public computer, an online seed generator or anything else.
  • Don't use online seed generators – Your wallet seed is the key to your money. It's not worth compromising its security for a little bit of ease. If any of your current passwords or seeds were generated online, now is a good time to change them.
  • It all starts with seed creation – You could have the world's best security, but it wouldn't matter if your seed was compromised on creation. It all starts at the beginning. "Following best practices for maintaining your seed will not do you any good if your seed was stolen at the moment it was created. All of your security measures – your password database, your passphrase, your bank vault – were obsolete before you even set them up." writes Maris.

See a list of potential cryptocurrency scams


This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.

Latest cryptocurrency news

Picture: Shutterstock

Latest crypto guides

Ask an Expert

You are about to post a question on finder.com.au:

  • Do not enter personal information (eg. surname, phone number, bank details) as your question will be made public
  • finder.com.au is a financial comparison and information service, not a bank or product provider
  • We cannot provide you with personal advice or recommendations
  • Your answer might already be waiting – check previous questions below to see if yours has already been asked

Finder only provides general advice and factual information, so consider your own circumstances, read the PDS or seek advice before you decide to act on our content. By submitting a question, you're accepting our Terms and Conditions and Privacy Policy.
Ask a question
Go to site