Disclaimers first: I am not a member of the IOTA Foundation and I am not a computer forensics expert. Everything I write here is my very own interpretation of the events. I am @ralf on Twitter if you want to get in touch.
On January 19th, 2018, some IOTA users lost their funds to an unknown attacker. The good news: The IOTA technology is secure. The attacker did not leverage any vulnerability.
The root cause was that users relied on online generators to create their seeds. If you take only one thing away from this: Never, ever use online tools to generate your seeds. Here is a brief overview of how to securely create an IOTA seed.
The IOTA Foundation has been emphasising the importance of keeping your seed ultra secure from the very beginning.
But still, users apparently got tricked into using shady online generators.
From what I’ve heard, many users who lost their funds created their seeds at iotaseed.io (not linked here for obvious reasons). Chances are, the folks behind this and potentially other seed generators have sat tight for a while, collecting piles of seeds, though the actual number of users affected is not known to me. The fact that iotaseed.io is still online at the time of this writing might suggest that the site got compromised itself, and that it’s not the folks behind the service who ran the attack.
Last night, the thieves started moving funds from the stolen seeds to their own.
In parallel, they orchestrated a distributed denial of service (DDoS) attack against many of the publicly known and popular IOTA fullnodes. In doing so, they prevented the victims from rescuing their funds. At times, you couldn’t find a single public node to successfully log into and move your funds before the attackers could do so.
Over at IOTA.FM we run six of the most popular fullnodes. We openly publish their addresses on sites like iota.dance for users to connect with their light wallets. All of our nodes got attacked. The attackers seem to have scraped node addresses from many sources and ran a concerted effort.
While I won’t go into the exact details of how the nodes were taken down, let me make a few remarks: The attackers did not leverage anything IOTA specific! This is super important, because people who lost their funds might tell their friends that IOTA is not secure, which couldn’t be more wrong.
The attack leveraged the fact that in these early stages many of the publicly exposed nodes are operated by community members and are not yet protected against the threats that every server publicly available on the Internet, including your average web server, faces.
Besides the public “community” nodes, my company also runs private IOTA nodes for our corporate customers and IOTA proof of concept products. None of those nodes were affected. That is a great testament to IOTA’s ability to support subtangles in isolation, one of its core strengths.
Over at Discord, the official IOTA community, node operators including myself spent the entire night using our private nodes to help potential victims. It was at times “heartbreaking” to see how the community stood together and fought against this awful event.
You might wonder whether the IOTA Foundation can’t just move the funds back to their legitimate owners. IOTA is, at its core, a truly decentralized, distributed ledger technology. The ledger is not controlled or owned by the IOTA Foundation. The victims literally shared the keys to their wallets with the attackers by using the attackers’ website. In essence, from a purely technical and security perspective, all transfers that happened under this attack are legitimate transactions.
The attackers knew the seeds. You invited them into your wallet, by handing them your keys on a silver platter.
The community of fullnode operators is discussing various strategies to better protect public community nodes from this and similar DDoS attacks in the future.
IOTA is not a mainstream, consumer-level technology yet.
If you’re primarily looking into IOTA for it being a cryptocurrency and plan to put your own money into it, I highly recommend joining the #help channel over at the Discord IOTA community and getting a solid understanding of what it means to keep your wallet secure.
And once again: Do not use online seed generators. Generating an IOTA seed in a secure, completely offline fashion is the best protection you can get.
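The offline generation recommended above, as an added example that is not the author’s or the IOTA Foundation’s code: it draws 81 characters from the tryte alphabet (A–Z plus 9, the IOTA seed format, which the post itself does not spell out) using the operating system’s cryptographic random source, and validates the result. Run it on a machine that is disconnected from the network.

```python
import math
import secrets
import string

# IOTA seeds are 81 characters from the tryte alphabet 'A'-'Z' and '9'.
# (Known property of the seed format; the post does not state it.)
TRYTE_ALPHABET = "9" + string.ascii_uppercase
SEED_LENGTH = 81


def generate_seed(length: int = SEED_LENGTH) -> str:
    """Generate an IOTA seed offline from the OS cryptographic RNG.

    secrets.choice reads os.urandom and rejects values that would bias the
    selection, so all 27 symbols are equally likely. random.choice (Mersenne
    Twister) must NOT be used: its state is recoverable from observed output.
    """
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(length))


def is_valid_seed(seed: str) -> bool:
    """True if the seed has the right length and only tryte characters."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits(length: int = SEED_LENGTH) -> float:
    """Entropy of a uniformly chosen seed: log2(27) bits per character."""
    return length * math.log2(len(TRYTE_ALPHABET))


if __name__ == "__main__":
    seed = generate_seed()
    assert is_valid_seed(seed)
    # Write the seed down by hand; never paste it into a web page.
    print(seed)
    print(f"entropy: {seed_entropy_bits():.1f} bits")
```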