A clever hacker made off with nearly $4 million worth of IOTA cryptocurrency after patiently setting up an elaborate phishing site for almost half a year.
The hacker executed his scheme on January 19, when he used the information he had gathered, the private keys for IOTA wallets, to steal money from users’ accounts. The damage was estimated at around $3.94 million worth of IOTA at the time of the hack.
Hacker collected private keys for IOTA wallets
To understand how the hack took place, our readers must first understand how users create an IOTA wallet where they keep funds.
Just like with any cryptocurrency, a user who wants to create a wallet must first generate a string of random alphanumeric characters. This is the wallet’s private key, also called a seed, and it serves two purposes: it is used to derive the public wallet address, and it acts as the password that authenticates the wallet’s owner.
When creating an IOTA wallet, users are required to enter a seed 81 characters long. There are various ways to generate this random string, but one of them is to use an online seed generator.
Hacker deployed malicious site last summer
This is where the hacker figured he could make a profit. Somewhere in August 2017, the hacker registered the domain iotaseed.io and advertised it as an IOTA seed online generator.
Since most cryptocurrency users are wary of unknown sites, the hacker linked the iotaseed.io website to a GitHub repository, claiming the website ran the very same code.
In reality, it did not. An analysis published over the weekend by Alex Studer reveals that the hacker ran mostly the same code as the GitHub repository but made subtle modifications to the Notifier.js library, which loaded additional code.
“This code patches the Math.seedrandom function, which is used by the [seed] generation code, to always use a fixed seed ‘4782588875512803642’ plus a counter variable that increases by one every time seedrandom is run,” Studer says.
“This has the effect of causing Math.random() to always return the same, predictable series of numbers, causing the generated IOTA wallet seeds to always be the same,” he added.
Hacker waited six months collecting private keys
In other words, people visiting the iotaseed.io website received predictable seeds, which the hacker had secretly logged.
The hacker then used advertising to place the website as the top result in Google searches for “IOTA seed generator”, driving massive amounts of traffic to the site.
On January 19, the hacker used six months’ worth of logs to access IOTA accounts with the seeds (private keys) he had collected and started transferring funds out of owners’ wallets.
DDoS attack took place at the same time as the hack
Making matters worse, IOTA network nodes suffered a DDoS attack at the same time, which kept IOTA developers busy instead of investigating the mysterious transactions and possibly stopping them at the source.
In the end, at least $3.94m worth of IOTA was stolen. This was facilitated by a DDoS attack against all public nodes.
— Nic Carter (@nic__carter) January 21, 2018
“To our knowledge, there was absolutely no correlation between any DDoS attack ongoing with the phishing site. We have not been able to find corroborating evidence of that,” said IOTA founder David Sønstebø in a podcast with Finance Magnates.
As for the hacker, he went by the nickname Norbertvdberg and had profiles on GitHub, Reddit, and Quora, from which he provided support for site users and IOTA enthusiasts. All of those profiles are now gone.
Fortunately, copies of the iotaseed.io website and its malicious code have been stored on the Wayback Machine, while the GitHub repository has been forked by other users and is still available online.
The iotaseed.io website now features a message that reads: “Taken down. Apologies.”