How a malicious seed generation website stole $4 million

January 28, 2018

Update 1/29/2018: the QR code is generated by a Web Worker rather than a Service Worker as initially stated (thanks to foodblogger on Hacker News for catching this!), the publish date was corrected, and as suggested on Reddit, the article was updated to clarify how the created seeds were varied for different users, but still known to the operator of the website. You can see the original version here.

Recently, Ars Technica posted an article describing how a malicious seed generator, (now offline), was able to steal almost $4 million (!) worth of IOTA from its users’ wallets. The way they describe this is that the website “stored data about each seed generated along with information about the wallet it was associated with, allowing whoever was running the site (or whoever hijacked it) to simply wait until wallets were filled and then cash them out.” This made me curious, so I decided to look into the technical details of how the scam was pulled off.

read more... →