Earlier this week, reports emerged of IOTA tokens mysteriously disappearing from some users’ wallets. The culprit? A malicious IOTA wallet seed generator that had been quietly collecting seeds for an unknown period of time.
While the exact number of users affected and the amount of money stolen is unknown, some estimates chalk the missing funds up to $4 million.
At the same time that IOTA tokens were being drained from the wallets of affected users, a DDoS attack was reportedly launched against some of the IOTA network fullnodes.
The site that is allegedly responsible for the larceny, iotaseed.io, has been taken offline.
This week, Finance Magnates sat down with IOTA founder David Sønstebø to discuss the theft and the security of the IOTA network.
Finance Magnates: Earlier this week, there was news of users losing their funds to hackers who were able to access their accounts using malicious seed generators. By some reports, as much as $4 million was stolen through those hacks. At the same time, it was also reported that a Distributed Denial of Service attack was enacted on some of the IOTA network full nodes. Can you clarify whether or not the IOTA network was compromised?
David Sønstebø: The IOTA network itself, the IOTA technology, nothing was compromised. No one was actually hacked, because of course hacking means that someone was able to go into your system through some means, like forcing through a loophole, or finding a bug in your coding. That did not happen. There was no actual hacking. It’s just important not to use that kind of terminology, even though that is what’s being thrown around. People like the word “hack”.
What actually happened was a lot of unfortunate users were generating their unique seed (which is what you derive your password from) from a false website, a phishing website. It was meticulously crafted in such a way that it ended up being at the top of a Google search for IOTA seed generator; it was the first thing listed in the ads.
So, this malicious actor essentially had people go there, and he/she created a website that looked very legitimate to new users. Therefore, they trusted it, and generated a seed there. That essentially means that they gave away their private key to a thief. It’s equivalent to giving your keys to someone as you go into a store, and then coming back out to find that your car is gone.
That is what happened. They didn’t have to break into the car–they didn’t have to do anything. They just fooled the people through social engineering. It’s a very important situation for the people who have lost their funds. That is always a tragedy.
Sadly, this is something that is so prevalent–and has been prevalent ever since 2012–since I have been in the space full-time. This is a consequence of the huge influx of new users, who have yet to understand the fundamentals of the technology.
One of the things that people tend to forget about crypto, is that yes, it gives you the right to be your own bank; you are the sole controller of your own funds–but with that comes great responsibility. That literally means that you have to protect your private key–you have to protect all of this–on your own. You are the sole responsible actor.
I completely sympathize with the people that have lost their funds. We are doing everything we can in order to gather information to track down whoever this scumbag is, but of course, that is not easy, and we’ve seen before that it is borderline impossible.
But, if we are able to dig up any kind of information that will lead to something, we will, of course, hand that over to the police and assist with any kind of investigation that will happen in order to try to help these poor people that have lost their funds.
Since this is an interview, I want to emphasize to everyone listening that you have to take security seriously. If you’re going to be in crypto, you have to do the basic research on how you manage your private keys. That is kind of the fundamental rule of crypto. It’s just important that people realize this, because there are a lot of people out there that are looking to screw you over.
Finance Magnates: Was IOTA aware of the existence of this website before it became a big problem?
David Sønstebø: At least not the IOTA Foundation. We had no knowledge of it. We haven’t linked to it. I know that some community members linked to it, because this website was crafted in such a way that regular users had no reason to be paranoid, even though you sadly have to be paranoid in this space. To the best of my knowledge, absolutely no one in the IOTA Foundation had linked to it.
I know a few community members who had, and they, of course, feel terrible for that, but they are not responsible for that. The only responsible party here is that person who actually stole it, and set it up as a scam.
Finance Magnates: What kind of actions is IOTA taking to help affected users?
David Sønstebø: What we’re doing right now is gathering all the intel we can; we’re looking through all of the different leads that we have. In such situations, the community starts doing their own investigations and becomes the detectives out looking for clues: looking for IP addresses, seeing if this person has been in the community for a long time, if there is any correlation between these things.
We are trying to get an overview because it’s all very chaotic, and this is still ongoing, but that’s pretty much all we can do. All we can do is look through all of the information that is available to us, and of course report it to the registered domains, see if we can find some IP addresses.
But (as we’ve seen before in history) when this happens, it happens to virtually every project all the time. The sad thing is that it’s very hard to track down these people, because if you are perpetrating the scam, the first thing you have to do is cover your own tracks. If you’re able to conduct this kind of attack, then you are most likely able to cover your tracks. If we find this guy, we will make sure he pays… to the legal system.
Finance Magnates: Thinking about the future of IOTA and IOTA users, what steps, if any, is IOTA taking to prevent similar things from happening in the future? What about DDoS attacks?
David Sønstebø: Let me first address the DDoS aspect. To our knowledge, there was absolutely no correlation between any DDoS attack ongoing with the phishing site. We have not been able to find corroborating evidence of that. Of course, every network is under DDoS attacks from time to time. This is just one of the ways that people try to screw up the network, or influence the price, by creating this FUD: fear, uncertainty, and doubt.
From what we know right now, it has not affected the network at all. In terms of what we are doing concretely, the steps we are taking, the first is better education. This goes for all of the crypto space. We’ve already released a very expansive blog post that addresses the best practices. Again, it’s all dependent on people to do the basic research, to reach these articles and read them, understand the concepts. The second thing we’re doing is we’re putting stronger warnings out.
Soon there will be a much more user-friendly wallet. This is also something I want to talk about a little bit, because IOTA as a project began with a focus on creating an all-new architecture for the distributed ledger. Then, the goal was the machine economy, this machine-to-machine IoT space. We always stated that the graphical user interface was an afterthought.
That was not something that we were prioritizing. Speculators are not the target audience for IOTA–we are working in the real world. As the community grew, and as we’ve grown exponentially, as we’re now talking about a multi-billion-dollar market cap, we are improving the official graphical user interface. It will include random seed generators. At the same time UCL has been developing a wallet, and has been developing for several months, which is in early beta now.
This will hopefully prevent people from being scammed (at least in this way) again. But again, you can very easily create a very similar site, or set up a very similar wallet that has a backdoor. These are the things that people have to be wary of. You have to do basic research, you have to make sure that things are authentic, that they come from the IOTA foundation or one of its affiliates, not some random scammer.
These are the things that we are doing right now to ensure that this hopefully never happens again. It’s all about education. In the last six to twelve months the crypto space has had such an influx of users that primarily care about getting rich, or they find the technology interesting, just because it has become mainstream. That also comes with the territory, that they are very unsure of how this space operates.
They’re unsure of how many rules exist out there, and how much responsibility comes with being your own bank. It sounds very good when you just say, “hey, I’m in control of my funds,” but then people often forget that means they are the sole responsible party for their own funds. It’s all about education, essentially, and doing our best to make the user experience as easy as possible, and as accessible as possible.
Finance Magnates: If I’m going to buy some IOTA tokens today and I’m doing some research, how can I know for sure that a website I’m visiting is from IOTA, the real deal?
David Sønstebø: If you went to one of the exchanges and bought some tokens, and you now want to transfer them to your wallet, you would then go to IOTA.org, and then scroll down and find the official wallet. That wallet would not be compromised, of course, and then you would generate your own seed. We have several instructions.
That’s one of the things that is so sad about the story, that there are so many warnings and so many instructions on how to safely and securely generate your own seed. I don’t want to blame the victims here, because the only person that is responsible here is the person who actually did it, but people tend to become a little bit complacent.
They think that it’s just a click-click-click, and then you’re done with it. In crypto, there’s always these other factors. You have to take into consideration that IOTA–as well as all these other projects–are still very young projects. There’s no perfect solution. You can’t just close your eyes and then click-click-click, everything is secure. You have to do a little more work.
That is just a payoff of being a part of something that is on the cutting edge. That’s always the case. It’s like if you’re the first person with a Tesla that has autopilot, you probably shouldn’t lay back and go to sleep. You should probably keep your hands close to the wheel, in case something isn’t going the way that it hopefully will in the future. It just comes with the territory of new technology, you have to be on guard.
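The practical lesson of the interview is that a seed handed to you by a website is a seed someone else already has. The following script is an added example, not part of the interview and not the IOTA Foundation's wallet code: it generates a seed locally from the operating system's CSPRNG, validates the result, and runs a simple uniformity check over a batch of seeds so that a generator emitting only part of the alphabet (or a fixed value) is caught. It assumes IOTA's documented seed format of 81 characters from the 27-symbol tryte alphabet (the letters A to Z plus the digit 9); the interview itself does not state the format, so treat that constant as the example's assumption.

```python
import secrets
from collections import Counter
from typing import Iterable

# Assumption (IOTA's published seed format, not stated in the interview):
# a seed is 81 trytes, each one symbol from this 27-character alphabet.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def generate_seed(length: int = SEED_LENGTH) -> str:
    """Build a seed on the local machine from the OS CSPRNG.

    secrets.choice draws each symbol uniformly, so there is no modulo bias
    toward the low end of the alphabet, and nothing leaves the machine:
    the seed never touches a web page or a network socket.
    """
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(length))


def validate_seed(seed: str) -> bool:
    """Reject anything that is not exactly 81 trytes.

    Catches truncated seeds, lowercase letters, whitespace and digits other
    than 9, all of which a copy-paste from a web page can introduce.
    """
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def alphabet_bias(seeds: Iterable[str]) -> float:
    """Ratio of the most- to least-frequent symbol across a batch of seeds.

    A healthy generator stays close to 1.0 as the batch grows. A generator
    that never emits some symbols (or always returns the same seed) produces
    a zero count, reported here as infinity so callers cannot mistake it for
    a small bias.
    """
    counts = Counter(c for s in seeds for c in s)
    per_symbol = [counts.get(c, 0) for c in TRYTE_ALPHABET]
    lowest = min(per_symbol)
    if lowest == 0:
        return float("inf")
    return max(per_symbol) / lowest


def check_generator(batch_size: int = 500, max_bias: float = 1.5) -> bool:
    """Generate a batch locally and confirm every seed is well-formed and the
    symbol distribution is roughly flat. Returns True on a healthy run."""
    batch = [generate_seed() for _ in range(batch_size)]
    return all(validate_seed(s) for s in batch) and alphabet_bias(batch) < max_bias


if __name__ == "__main__":
    # Run this on an offline machine and write the seed down; do not paste it
    # into any website, including one that claims to "check" it for you.
    seed = generate_seed()
    print("generated seed:", seed)
    print("well-formed:", validate_seed(seed))
    print("generator check passed:", check_generator())
```

The bias check is deliberately crude: it cannot detect a generator that records every seed it produces, which is exactly what the phishing site did. The only defence against that is generating the seed on your own machine, which is what `generate_seed` does.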