IOTA is a revolutionary new technology that aims to be the backbone of the internet-of-things.
The blockless distributed ledger makes it possible to transfer value without any fees - for the first time ever.
IOTA has been around since 2015, and the promising technology has many supporters and investors.
Today, some breaking news emerged:
Countless IOTA holders who used an Online Seed Generator had their funds stolen!
Users suddenly had outgoing transactions in their wallets, not confirmed by them.
It seems like they used a malicious online seed generator, whose owners then decided to rob all of their victims' funds.
These seeds were set up without any password protection, so it was an easy game for the hackers.

What is better to use than the online Seed Generator?
There are several ways to safely generate a seed.
You can use an IPFS seed generator, KeePass or command line.
Detailed instructions can be found here.
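The command-line route mentioned above, as an added example (not code from the original post or from the IOTA project). It assumes a Unix-like system with /dev/urandom and relies on the fact that an IOTA seed is 81 characters drawn from A-Z and 9; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: generate an IOTA seed locally from the kernel CSPRNG,
# so the seed never passes through a website or anyone else's code.
# Function names are hypothetical, chosen for this illustration.

SEED_LEN=81   # an IOTA seed is 81 characters from the alphabet A-Z and 9

# generate_seed: print one seed on stdout (no trailing newline).
# Bytes from /dev/urandom that are not A-Z or 9 are discarded rather than
# mapped with a modulo, so all 27 symbols stay equally likely.
generate_seed() {
    [ -r /dev/urandom ] || { echo "cannot read /dev/urandom" >&2; return 1; }
    LC_ALL=C tr -dc 'A-Z9' < /dev/urandom | head -c "$SEED_LEN"
}

# is_valid_seed SEED: succeed only if SEED is exactly 81 characters and
# contains nothing outside A-Z and 9. The alphabet is spelled out so the
# check does not depend on the locale's idea of the range A-Z.
is_valid_seed() {
    [ "${#1}" -eq "$SEED_LEN" ] || return 1
    case "$1" in
        *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ9]*) return 1 ;;
    esac
    return 0
}

# Usage (run by hand):
#   seed=$(generate_seed) && is_valid_seed "$seed" && printf '%s\n' "$seed"
```

Run it on a machine you trust, ideally offline, and keep the output out of shell history, screenshots and the clipboard.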
So what to do if you were affected by the attack?
First, users have to visit their wallets and check whether the unauthorized transaction is still "pending" or not.
- If the stolen transaction is still pending (it'll say "Pending" underneath the transaction in your wallet history), URGENTLY send your entire balance to an address in a different seed. You might need to use the CLI wallet in order to make this new transaction so that you can bypass the double spending prevention mechanism that's built into the GUI wallet. You need to get your new transaction confirmed before the stolen transaction is confirmed.
CLI Wallet -
https://github.com/MichaelSchwab/iota-commandline-wallet
https://github.com/TimSamshuijzen/iotaproxy
CLI Wallet Instructions:
https://www.reddit.com/r/Iota/comments/7rlvx5/how_to_how_to_maybe_rescue_your_funds_before_the/
-- or -- https://forum.helloiota.com/post/8584
For those who need urgent real-time assistance, join the IOTA Discord channel and ask for help immediately:
https://discord.gg/fNGZXvh
If the transaction is already "confirmed", unfortunately this means that your IOTA have already been sent to the malicious account.
- If the stolen transaction is confirmed (it'll say "Confirmed" underneath the transaction in your wallet history), unfortunately that IOTA is now gone forever. This is a terrible situation, but hopefully we can use this experience to inculcate safe seed generation practices. Please see the "Legal Action" addendum below for details on legal recourse.
The golden rule is to change 10 characters from whatever string of characters the seed generator gives you. Preferably, avoid online seed generators altogether. Here are the currently recognized best practices of seed generation by the IOTA community:
https://helloiota.com/generate-seed.html
Since this is such an important topic to millions of IOTA users around the world, I decided to write this quick post about it, to get the information out there.
Please let every IOTA holder know of this issue!
Some might still be able to send their funds to a safer wallet!

© Sirwinchester