Security incidents in the crypto world keep surging; in the latest, the well-known DAG project IOTA lost over 8.55 million MIOTA (8.55 Ti) through its official wallet. SlowMist provides insights and actionable advice.
Authored by SlowMist Security Team
Days ago, we noticed IOTA temporarily halted its mainnet. While we were aware of earlier thefts targeting IOTA users, the decision to suspend the mainnet for investigation underscored the severity. On February 19, 2020, we analyzed clues from status.iota.org and launched an independent probe into this critical security breach.
Key Findings
Trinity Wallet Vulnerability:
- The official IOTA Trinity wallet’s desktop version, built on Electron, removed the third-party component MoonPay in its latest GitHub update.
- Our investigation revealed a critical risk: the wallet loaded the MoonPay integration as remote JavaScript, so anyone who could tamper with the content served at that link could run their own code inside the wallet and fully compromise it.
SlowMist’s Initial Hypothesis:
The attacker likely obtained MoonPay's Cloudflare API key, used it to intercept DNS for MoonPay's domain, and served malicious JavaScript from the hijacked endpoint to steal users' wallet passwords and seeds.
Attack Timeline:
- November 27, 2019: Proof of concept; the attacker tested the DNS interception.
- January 25, 2020: Active attack commenced, with malicious code deployed through MoonPay's Cloudflare account.
- Estimated loss: 8.55 Ti (8.55 million MIOTA, roughly $2.28M at $0.267 per MIOTA).
Security Recommendations
Third-Party Risks:
- Audit all dependencies (e.g., NPM packages) rigorously.
- Example: the 2018 event-stream incident, in which a malicious dependency was slipped into a widely used NPM package to target a cryptocurrency wallet (Zhihu discussion).
Cloudflare/CDN Management:
- Protect the API keys and account credentials for DNS and CDN providers (least-privilege tokens, rotation, access logging); a leaked key lets an attacker rewrite DNS records and place themselves in the middle of every user's connection.
Wallet Security:
- Chain security is incomplete without securing off-chain components (e.g., wallets).
User Actions:
- Follow IOTA’s guidance: Upgrade Trinity, change passwords, migrate seeds.
FAQs
Q1: Was the IOTA protocol itself compromised?
A: No. The breach stemmed from Trinity Wallet’s implementation, not the IOTA blockchain.
Q2: How did SlowMist identify the issue?
A: Code-diff analysis flagged MoonPay’s removal and potential JS injection risks.
Q3: What’s the broader lesson?
A: Projects must balance innovation with zero-trust security practices for third-party integrations.
Official IOTA Updates: