· 5 min read

What We May Learn From Widespread Theft of IOTA

This form of theft will continue in the future Not only IOTA is a target There are three ways to stay safe

The increasingly popular cryptocurrency known as IOTA has seen a large sum of money stolen almost overnight. This was not the result of a flaw in the network or wallet, but instead was the result of social engineering. In order to create an IOTA wallet, one must first generate an 81-character so-called “seed”. Typically, users rely on easily accessible websites to quickly generate the seed. In this case, the thief was able to compromise a seed generating website, and collected many hundreds or even thousands of seeds. Starting on sometime around January 19th, the seeds were emptied of their value en masse.

Understanding IOTA seeds

In order to not fall victim to this type of scam, we need to understand what an IOTA seed is, how it is made, and then of course how to avoid using a bad seed.

Users of other cryptocurrencies and wallets will most likely be familiar with the concept of 12-word seed phrase. This phrase is used to secure the wallet, and anyone who has access to it has access to everything in the wallet. Typically, most wallet programs will generate a new phrase for you. When people started to use IOTA, many were confused about how the seed phrases in IOTA worked.

Instead of relying on 12 random English words, IOTA relies on an 81-character string of capitalized letters and the number nine. The standard IOTA wallet does not generate this for you, and so users need to generate it themselves. This is where the problem likely springs from. Most people just want to start using their wallets, and don't want to put a lot of thought into security.

In order to assist new users with generating IOTA seeds, a number of open-source and transparent websites have been created by the community to help people make seeds quickly.

There are also downloadable tools that produce the same result. These types of seed generating tools, be it online or downloadable, have become an indispensable resource for the IOTA community. That is partly why this theft was so insidious and effective.

Avoiding the scam

It's quite conceivable that an attack like this will happen again in the future. Fortunately, it's very easy to defend yourself from it.

Ideally, there are three main ways that you could generate IOTA seeds securely.

The easiest way to do that is to use an online seed generator as normal. However, instead of using the seed exactly as provided, you go in and manually change some of the letters and numbers in different parts of the seed. For instance, if your seed starts with “ABCEF9”, you can change some of letters to something like this “DBCG9F”. Repeat this in a few different sections of the seed for added security. This way, even if the website is hacked or was designed to save the seeds it generates, they will still end up with nothing as the seed you are using is different.

The next way to generate a secure status to simply do it completely by yourself. This means typing in a string of letters and numbers on your keyboard and counting up to 81 characters. While this method may be the most time-consuming, it is arguably the most random, and therefore the most secure. For those who need to generate a large number of individual addresses, however, it would probably not be ideal due to the amount of work involved.

Finally, the most secure method to generate a large number of seeds quickly is to use a shell script, or to run a very simple Python program which anyone can create through cutting and pasting a few lines of code. This one does require a little bit of technical skill, so do keep that in mind. Searching online, we found two such programs that generate the seed securely and without meaning to touch the Internet at all. As these programs are so short, they are extremely easy to verify their security. For your convenience, we are posting them below with credit to their original creators.

from random import SystemRandom
generator = SystemRandom()
print(u''.join(generator.choice(alphabet) for _ in range(81)))
(code by phx)

Windows batch (.bat) file:
@PowerShell.exe -ExecutionPolicy RemoteSigned -Command "Invoke-Expression -Command ((Get-Content -Path '%~f0' | Select-Object -Skip 2) -join [environment]::NewLine)"&&pause
@exit /b %Errorlevel%
# script goes here and below....

param( [int] $len = 81, [string] $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ9")
$bytes = new-object "System.Byte[]" $len
$rnd = new-object System.Security.Cryptography.RNGCryptoServiceProvider
$result = ""
for( $i=0; $i -lt $len; $i++ ){ $result += $chars[ $bytes[$i] % $chars.Length ] }
(code by 5mincoffee)

How these miniature programs work (the Python version, at least) is simply assigning the possible set of characters to a variable, then telling the your computer to use a randomizer function to choose any one individual times from the available pool. Again, these are completely secure because they do not rely on anything besides your own computer.

Not only IOTA is a target

This form of seed theft will continue in the future, and it will not only target IOTA. In this case, IOTA is particularly weak to this kind of attack due to the nature of how it's wallets are designed to not provide seeds.

Recently, someone bought a hardware wallet on eBay, and was provided with a new seed phrase for the wallet to use straight out-of-the-box. What was done here, is that the seller had pre-set up the device with the seed phrase, kept a copy of it, and then sold the device to an unsuspecting buyer.

Once the buyer had loaded up the device with cryptocurrency, the nefarious seller used the 24 for word phrase to initialize another device, and then had full access to all assets on the device. In total, about USD 30,000 worth of cryptocurrency was stolen.

Conclusions and thoughts on safety

One of the most difficult things to understand for people new to cryptocurrency is that ensuring the safety of your assets is entirely up to you, the holder. If your assets are lost, there is no bank, law enforcement agency, or other central authority that can help you get them back. Once they are taken, they are gone forever.

Therefore, it is your duty to ensure that you fully understand the basic concepts of the technology, such as heresy phrases and private keys work, before investing large sums of money. It's unfortunate however that humans by nature are quite lazy and always want the quickest and easiest solution.

It is this group of people that thieves and hackers will gleefully target for as long as they exist.