Malicious Online IOTA Seed Generators Allow Hackers to Steal a Massive Haul of Tokens
Originally published on: BTCMANAGER
Read the original article
January 23, 2018
Hackers have hit IOTA online seed generator websites. Approximately $4 million worth of IOTA tokens has been stolen by hackers, through malicious online seed generators.
According to FinanceMagnates, hackers have succeeded in moving IOTA users’ funds to their wallets via seeds they got from iotaseed.io. The process of generating seeds for a new IOTA wallet is quite a herculean task. A user is required to provide a string of 81 characters that acts as a key to access the wallet.There are many other ways to generate the character strings via offline resources, like creating a key using Linux or Mac terminals. However, the process is quite complicated to follow.
These complexities have made IOTA holders to use online seed generator websites that quite quickly does the job of generating the string of characters usable as seeds for IOTA wallets.
There are several online seed generator sites for IOTA holders, but the top site responsible for generating the malicious seeds is iotaseed.io. The site has now gone offline leaving a message for its heartbroken users that reads, “Taken down. Apologies.” When the site was still functional, users only needed to move their mouse around randomly then it will generate a seed that meets the requirements of an IOTA wallet. Besides, it also gives the user a version of the seed encoded as a mnemonic phrase.
After the incident, a member of the IOTA Evangelist Network, Ralf Rottmann, took to Medium to explain that the seed generator site might have been the target of a DDoS attack and it’s most likely that it’s not the owners of the website that stole people’s funds. In his words:
“From what I’ve heard, many users who lost their funds created their seeds at iotaseed.io. chances are, the folks behind this and potentially other seed generators have sat tight for a while, collecting piles of seeds, though the actual numbers of users affected are not known, the fact, that iotaseed.io is still online at the time of this writing might suggest that the site got compromised itself, and it’s not the folks behind the service who ran the attack.”
The IOTA community has always warned IOTA users to be wary of generating seeds through online generators, and if they must do so, then they should change some elements of the seed to prevent vulnerabilities. With regards to the latest loss of funds experienced by investors in the altcoin, the community has stressed that the situation has nothing to do with IOTA’s technology.
“The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter. And once again: do not use online seed generators. Generating an IOTA seed in a secure, completely offline fashion is the best protection you can get,” Rottman said.
The IOTA project has experienced a lot of ups and downs in recent times. From the issue of software vulnerabilities to deceptive marketing and now to users losing funds through malicious online seed generators; will the IOTA drama ever come to an end?