$4m of IOTA stolen: Why to never use an online seed generator
You can only protect a password if it was created securely.
$4 million worth of IOTA was stolen in a hack attack. This particular theft is all down to user negligence of the kind that many people have been guilty of – the use of a supposedly reputable seed generator.
- Seed – An 81 character password used to access IOTA wallets.
- Seed generator – A tool for creating seeds, if someone doesn't want to try writing out a random string of 81 characters themselves.
- Online seed generator – A seed generator accessed through a website.
The robbery is believed to have taken place through the https://iotaseed.io/ online seed generator, which has since been taken down.
Initially, it wasn't clear whether the seed generator website had itself been hacked and had its record of generated seeds stolen, or whether a bad actor had been creating seeds with the intention of breaking into wallets later.
According to Koen Maris, IOTA cybersecurity advisor, it's the latter.
"By using a well-crafted phishing website that appeared to be a legitimate IOTA seed generator, they were able to collect a large number of seeds over a long period of time. They preyed upon the trust of the community, and spent time carefully optimizing the page to appear higher in search engine results, further legitimising their scam in the eyes of unsuspecting community members," he writes.
"...do not create your seed on a website simply because it appears high up on a list of search results. Better yet, do not use an online seed generator, period," Maris advises.
The seed generator had been widely used and carefully cultivated to climb the search engine ranks and take in as many seeds as possible, and the operators had clearly been planning the heist for a while. The theft coincided with DDoS attacks on most IOTA full nodes, essentially slowing down the network to prevent countermeasures and helping the thieves escape with as much money as possible.
Worryingly, it also raises the possibility of other widely-used services being scams. This seed generator was active for a long time and had built its reputation and trust in the community, and it seems likely that there are others like it which have yet to pull off their planned heists. The safest route might be to assume that any potential vulnerability is a problem.
- Know the weak points – Anything that's connected to the internet is potentially vulnerable. This might be a text document on an internet-connected computer, an online wallet, a public computer, an online seed generator or anything else.
- Don't use online seed generators – Your wallet seed is the key to your money. It's not worth compromising its security for a little bit of ease. If any of your current passwords or seeds were generated online, now is a good time to change them.
- It all starts with seed creation – You could have the world's best security, but it wouldn't matter if your seed was compromised on creation. It all starts at the beginning. "Following best practices for maintaining your seed will not do you any good if your seed was stolen at the moment it was created. All of your security measures – your password database, your passphrase, your bank vault – were obsolete before you even set them up," writes Maris.
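The alternative to an online generator is to create the seed on your own machine from the operating system's cryptographic random source. The following is an added example, not code from the article or from the IOTA project; it assumes the standard IOTA seed alphabet of the 26 uppercase letters plus the digit 9 (the article itself only states the 81-character length), and it also flags seeds that look hand-typed rather than generated.

```python
import itertools
import secrets

# Assumption (not stated in the article): IOTA seeds are 81 characters drawn
# from the 27-symbol alphabet A-Z plus 9. Only the length comes from the text.
SEED_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def generate_seed(length: int = SEED_LENGTH, alphabet: str = SEED_ALPHABET) -> str:
    """Build a seed locally from the OS CSPRNG via the `secrets` module.

    secrets.choice picks uniformly without modulo bias, so each position
    carries log2(27) ~ 4.75 bits and the full seed roughly 385 bits.
    Nothing leaves the machine: there is no website that could log it.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_seed(seed: str, length: int = SEED_LENGTH, alphabet: str = SEED_ALPHABET) -> bool:
    """Cheap structural check before a seed is pasted into a wallet:
    exactly `length` characters, every one from the seed alphabet."""
    return len(seed) == length and all(c in alphabet for c in seed)


def looks_hand_typed(seed: str) -> bool:
    """Heuristic for seeds a person wrote out instead of generating.

    A uniform 81-character seed over 27 symbols uses about 26 distinct
    symbols on average, and a run of seven identical characters occurs with
    probability on the order of 1e-7. Fewer than 15 distinct symbols or a
    run longer than 6 therefore strongly suggests a weak, human-made seed.
    """
    distinct = len(set(seed))
    longest_run = max(len(list(group)) for _, group in itertools.groupby(seed))
    return distinct < 15 or longest_run > 6


if __name__ == "__main__":
    seed = generate_seed()
    print(seed)
    print("valid:", is_valid_seed(seed), "hand-typed:", looks_hand_typed(seed))
```

Run it on an offline machine and copy the seed directly into the wallet; the printed seed is the secret itself, so do not paste it into any web page.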