The IOTA Foundation said that it is working on a plan to reimburse the victims of the attack, in which a hacker was able to take over MoonPay’s content distribution network.
The IOTA Foundation has already fixed the vulnerability that allowed the hackers to steal around USD 2 million in MIOTA tokens. The Foundation plans to reactivate its network on March 2nd, which will result in a 17-day interruption until then. The organization published a long article detailing the attack of February 12th, which affected about 10 users of the Trinity wallet.
In the document, the Foundation indicated that the theft was caused by a vulnerability found in MoonPay’s software development kit (SDK), a gateway application integrated into the Trinity wallet last November to allow users to exchange MIOTA for fiat currency. According to IOTA Foundation co-founder Dominik Schiener, the IOTA mainnet will resume operations on March 2nd, after a 17-day interruption.
The investigation, conducted jointly with the German Center for Cybercrime and the US Federal Bureau of Investigation (FBI), revealed that the hacker took over MoonPay’s content distribution network and, through it, infiltrated the wallet, distributing malicious SDK packages to users in order to seize their funds.
The IOTA Foundation said that launch pressure, along with human error, led it not to audit the more secure NPM package before integrating it. This was the weakness the hacker exploited, and the Foundation could have resolved it by conducting a more extensive review process.
NPM (Node Package Manager) is a package manager that makes any library available with a single line of code, as a static file, which would have avoided receiving a malicious SDK. The report describes how the malicious code was loaded into the local Trinity instance: after the user unlocked the wallet, it decrypted the seed and sent it to a server controlled by the attacker. Before transferring the tokens, the hacker waited for the release of a new version of Trinity, which would overwrite the wallet’s cache files and thus erase the traces of the attack.
The IOTA network has now been inactive for approximately 11 days. On February 14th the organization announced that it would disconnect the “Coordinator” node that validates transactions on the network until it is reactivated on March 2nd.
The non-profit organization also explained that it is developing transition tools for users to transfer their funds from their existing accounts to new ones. Once the transition is complete, the Foundation will bring the network back online and provide details of the plan for reimbursing the victims of the attack.
A few days after the attack, an upgraded version of the Trinity wallet was released. Users must install this new version to check their balance and most recent transactions. They must also change their password and store it in a password manager to reinforce the security of their tokens.
By Willmen Blanco