MyAlgo, a provider of wallets for the Algorand network, has advised its customers to withdraw money from any wallets made with a seed phrase due to an ongoing exploit that has resulted in the theft of money estimated to be worth $9.2 million.
On February 27, MyAlgo tweeted the recommendation along with the statement that it is still unsure of what caused the most recent wallet breaches and urged “everyone to take cautious steps to secure their money.”The team posted an alert earlier on February 27 about a “targeted assault […] carried out against a bunch of high-profile MyAlgo accounts” that seemed to have taken place during the previous week.
ZachXBT, the self-described “on-chain detective,” said in a tweet on February 27 that it is believed the hack has stolen approximately $9.2 million, and the cryptocurrency exchange ChangeNOW was able to freeze over $1.5 million in cash.
According to MyAlgo, individuals who had mnemonic wallets with the key kept in an internet browser were particularly vulnerable to the hack. A private key is often generated via aÂ
mnemonic wallet using between 12 and 24 words.
On February 27, John Wood, the Algorand Foundation’s chief technical officer, tweeted that the attack had impacted around 25 accounts.The attack, he said, “is not the outcome of an inherent problem with the Algorand protocol” or its software development kit.
On February 27, the developer collective D13.co, which focuses on Algorand, published a paper that ruled out a number of potential attack routes including malware and operating system flaws.
According to the research, the “most plausible” scenarios included either targeted exfiltration of unencrypted private keys from MyAlgo’s website or socially engineered phishing attempts that compromised the affected individuals’ seed phrases.According to MyAlgo, it would keep collaborating with law enforcement and carry out a “thorough investigation to ascertain the underlying cause of the assault.”
