An estimated $4 million has been taken from IOTA users whose wallets have been hacked. What do they have in common? They all used online seed generators for their IOTA wallets.
Unlike for many other cryptocurrency wallets, IOTA requires you to create your own seed. Rather than come up with their own 81 long collection of characters, many people use seed generators; in fact, according to cryptocurrency expert Nic Carter, they were encouraged to do so. “Many users, at the suggestion of IOTA devs, used online seed generators (some were linked in the sub sidebar)”, he said on Twitter.
Unfortunately, it appears that some of those online seed generators were not as trustworthy — or as secure — as their users had hoped. Over the weekend, funds started being transferred without their owners’ knowledge. This was combined with a Distributed Denial of Service (DDoS) attack on IOTA fullnodes to prevent anyone who might have noticed what was happening from stopping the transfers before it was too late.
The IOTA ledger is not controlled by the IOTA foundation, or any other party, so the money cannot simply be transferred back to its true owners. As Ralf Rottmann, member of the IOTA Evangelist Network, has written, these transfers, unfortunately, are “legitimate transactions”.
Rottmann continued that the online seed generators had essentially issued an invitation for others to take the money.
The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter.”
The theft was first announced on social networking site, Reddit, with numerous users reporting the loss of their IOTA holdings. One user stated that, “I had all my IOTA stolen. 11.3 Gi. Everything I had. Can anyone help?”. That user later confirmed that he or she had used an online seed generator, had “planned to hold for years and years”, but was now “wiped out by it [the attack].”
There are other ways of securely generating seeds. Most recommend that at the very least you work offline on your suggested seed, changing some of the characters so no one else can gain exposure to it.
