Originally published at: https://www.reddit.com/r/CryptoCurrency/comments/f5bw6c/attempt_at_an_unbiased_summary_of_the_iota_attack/
On February 12th the IOTA Foundation (IF) posted a status update:
February 12th 2020 – 08:55
After receiving several reports of fund theft that looked out of the ordinary in a short timeframe we decided to warn about this in Discord and on Twitter. As a precaution we ask you to keep your Trinity wallet closed for now.
25 minutes later they decide to shut down the "coordinator", blocking all "value" transactions.
February 12th 2020 – 09:20
After initial investigation we decided to turn off the Coordinator to make sure no further theft can occur until we find out the root cause of these thefts. Further investigation taking place from here on.
They then spend 5 days investigating the theft.
After about 24 hours, only about 10 people reported that they had been stolen from.
February 13th 2020 – 07:45
We've shifted the complete focus of all relevant resources of the IOTA Foundation to this investigation last night and we have been working in teams to investigate impact and cause together with the identified victims. The conclusions so far are:
– Most evidence is pointing towards seed theft, cause still unknown and under investigation
– Victims (around 10 that identified with the IOTA Foundation so far) all seem to have recently used Trinity
However, it seems that by examining the transactions they knew were associated with the theft, they were able to identify some new thefts.
February 14th 2020 – 05:45
The investigation has yielded absolutely no indication that there has been a core protocol breach of any kind. Rather, all evidence so far points to a problem with a dependency of the Trinity wallet.
The attack pattern analysis showed that the halt of the coordinator interrupted the attacker's attempts to liquidate funds on exchanges. The stolen funds have been purposely and repeatedly merged and split to obfuscate the investigation, and with the current token exchange rate as well as exchanges' KYC limits in mind. We received additional feedback from more exchanges (not all yet), confirming that none of the identified transactions has been received or liquidated. Our current assumption is that the perpetrator targeted high value accounts first, before moving on to smaller accounts and then being interrupted early by the halt of the coordinator. (Again: Hardware wallet users are not affected.)
To me, the details sound like the perpetrator was experienced and knew how to convert the tokens to a less-centralized cryptocurrency without KYC/AML. It wasn't simply a crime of opportunity, but rather there was some planning.
There was a lot of speculation over whether or not the hacker was "sophisticated". Of course, he did manage to pwn IOTA's official wallet. However, the "Chairman of the Board" of IOTA wrote "Let's just say there's a lot of traces. The attacker does not seem to have been too sophisticated" on Discord.
On February 16th, IF released a new version of their wallet.
– Update: Remove exchange support (#2565)
– Update: Adjust update alerts and disable auto update (#2566)
– Fix: Allow wallet entry when nodes are not in sync (#2563)
– Update: New Crowdin translations (#2553)
– Fix: Endless loading cycle (#2568)
Two interesting changes are that they removed exchange support and they disabled auto updates. IF had recently integrated "Moonpay" in their wallet, which allows users to buy IOTA with their credit cards for a 4.5% fee. Moonpay appears to be affiliated with Roger Ver and Bitcoin.com but I didn't look into this too much. Purely speculation, but it seems that Moonpay may be involved in the key theft.
Fast forward to today, IF released their remediation plan.
Basically, if you used their official wallet since December 17th, 2019 then your seed might be compromised. However, they say that the attack didn't really start until January 25th, so the Dec 17th date is out of an abundance of caution.
Here's the IF remediation plan from status.iota.org:
February 17th 2020 – 05:47
Here is a short overview of the attack remediation plan and the next steps going forward. Essentially the remediation plan involves three steps:
STEP 1: INSTALL UPDATED VERSION OF TRINITY
As announced yesterday, we have released an updated version of Trinity which allows you to check your balance and transactions. Please download this newest version of Trinity here and install it over your old version: https://github.com/iotaledger/trinity-wallet/releases/tag/desktop-1.4.1
When you download the new version, MAKE SURE TO CHANGE YOUR PASSWORD AND STORE IT IN A PASSWORD MANAGER. If you have used the same password also for other services or websites, we strongly recommend you change it there, too, as a precaution.
By upgrading to this new version of Trinity, you will remove the vulnerability from your wallet and render the hacker incapable of accessing your wallet if s/he has not already done so.
STEP 2: MIGRATE YOUR TOKENS TO SAFE SEEDS
In the upcoming days, we will release a seed migration tool that will allow users to transfer their tokens to a safe seed. We strongly recommend that ALL users who have opened any version of Trinity (Desktop or Mobile) since the 17th of December 2019 utilize the tool and migrate their tokens to a new, safe seed during the soon-to-be-announced migration period BEFORE the coordinator is re-started. More information on the tool and how to use it will be provided when the tool is published.
By migrating your tokens to new, safe seeds prior to the re-start of the coordinator, you will render the attacker incapable of making unauthorized transfers of your tokens if s/he has not already done so.
*Note: our current information indicates that the hack started on or around 25 January 2020 and that only Trinity Desktop users’ seeds were potentially compromised. However, out of an abundance of caution, we are nevertheless recommending that ALL users (not only desktop users) who are concerned about possible token loss should migrate their tokens to a new seed.
*Note: Ledger Nano users do not need to use the migration tool but a password change is still strongly recommended.
STEP 3: RECLAIM YOUR STOLEN TOKENS IF NECESSARY
Our current information indicates that only a limited number of bundles were successfully transferred by the attacker out of the true owners’ wallets. We have notified all exchanges of all compromised bundles we are aware of so as to prevent any further movement of any stolen tokens. We therefore anticipate that in the majority of cases, Steps 1 and 2 will be sufficient to protect most users’ tokens.
To address the minority of cases in which unauthorized token transfers were made out of users’ wallets, a third step is needed. We will perform a global snapshot of the network that will, pending community validation, enable us to bring stolen tokens back to the affected users. More information on the process as well as the consequences for all affected users will be provided soon.
Assuming the snapshot is successfully validated by the IOTA community (node operators), we will implement a KYC procedure involving a third party that will enable all users who had their tokens stolen to reclaim them. The same procedure will also be required for certain cases in which the migration tool is used fraudulently or incorrectly. More information on this process will follow shortly.
After the migration process, we will restart the coordinator and resume normal operations on the network. An update on the timeline will be released in the upcoming days.
We will publish detailed instructions on the steps users should take as soon as the remediation tools and processes are ready. For now, please make sure to download the new Trinity version to change your password and check your balance.
We would also like to ask any affected users from the United States to come forward and DM our team, as your cooperation could assist us with ongoing law enforcement investigations.
Thank you all for your patience. We will continue to update you on all important steps along the way and will do our best to make the transition as easy and smooth as possible.
So yea, if you got your tokens stolen, they will return them to you after you submit KYC/AML to the IOTA Foundation, assuming that "node operators" agree to roll back the theft.
Hopefully users didn't reuse the same seed for another cryptocurrency because they won't be able to roll those back.
It sounds like they're working with the FBI (or US law enforcement) on this which is a bit surprising. I'm skeptical that they have really identified the perpetrator — a common attack is to steal developer Github credentials which could be what happened here. But again, that's purely speculation.
Please don't repost this on your for-profit crypto news site without attributing to me 😉