The Trinity hack: IOTA users lose millions

IOTA is in trouble: a hacker used an add-on to the Trinity wallet to sneak malware into users' wallets, stealing their seeds and with them more than 2 million euros worth of IOTA. Now the Tangle is at a standstill, and the IOTA Foundation is doing everything humanly possible to mitigate the damage. In doing so, it is demonstrating a degree of control that should not really exist in a cryptocurrency. The loss of trust in the cryptocurrency, which is especially popular in Germany, is likely to be enormous.

Sometimes it is said that cryptocurrencies are money without trust. On a purely theoretical level this is correct, since cryptocurrency users do not need a middleman to receive and send money. On a practical level, however, that trust concentrates in the developers who write the wallets users rely on to interact with cryptocurrency networks.

In recent weeks, numerous users of the cryptocurrency IOTA [2] have felt just how deceptive this trust can be. It is true that IOTA is only in 24th place in the ranking of cryptocurrencies, and on that basis hardly relevant. However, thanks to the diligent work of the Berlin-based IOTA Foundation and numerous industry partnerships in Germany, IOTA enjoys a level of attention in Germany far above that of many top-10 cryptocurrencies.

But quite apart from that, what happened from February 11 onward is remarkable. It is an incident unprecedented in the crypto space, and one that is more likely than any other to shake the foundations of the mantra of being one's own bank through cryptocurrencies.

The anatomy of a €2 million hack

A common piece of software for using IOTA is the Trinity wallet. This wallet was developed by the IOTA Foundation and was released just last year. Starting on February 11, many users suddenly noticed what you absolutely don't want to notice with a wallet: their balances had dropped to zero, and the coins that had been sitting in their wallets had been transferred to other addresses without their permission. On February 12, the IOTA Foundation became aware of the problem. The first thing it did was shut down the central coordinator, which caused the Tangle (IOTA's equivalent of a blockchain) to grind to a halt and stop processing transactions. There are advantages to not being decentralized when problems arise.

The Foundation then began to investigate the extent and cause of the hack. Pretty soon it was clear that the culprit was MoonPay's integration with the Trinity wallet. MoonPay is an exchange service that, since December 2019, had allowed Trinity users to buy IOTA tokens with a credit card directly in the wallet. MoonPay was integrated into Trinity through a content delivery network (CDN), meaning that its code was not shipped by the Trinity wallet itself but fetched from a third-party provider at runtime. The hacker managed to replace that code with his own, which spied on the private keys in the wallet.

An inspection of the log files of MoonPay’s DNS provider, Cloudflare, finally yielded the insight that the hack had been planned long in advance and executed professionally. MoonPay’s integration with Trinity began in September 2019, with the first closed beta tests available starting in November and quickly becoming known through leaks. On November 26, the IOTA Foundation released the code for MoonPay via GitHub. A day later, on November 27, the hacker was able to use a Cloudflare API key to manipulate the endpoint of the MoonPay API and intercept all data. After some testing in December – which the logs also show – the hacker began the attack on Trinity Wallets on January 25 by delivering the tampered software through the CDN.

Over the next two weeks, the attacker honed his code and technique to secretly harvest private keys. This continued until February 10 without anyone noticing. On that day, MoonPay finally discovered that unauthorized routing was taking place and deleted the API key in question, but without informing the IOTA Foundation. When the hacker realized he had been found out, he had no choice but to reap the fruits of his labor: he began executing transactions with the extracted private keys on February 11. According to the IOTA Foundation's estimate, 50 users were affected, losing a total of 8.55 TeraIOTA, currently equivalent to just over 2 million euros.

Analysis and damage limitation

The IOTA Foundation admits to having made a mistake. It was aware that CDNs carry risks despite their widespread use on the web. It had therefore asked in advance for an NPM (Node Package Manager) module, so that the MoonPay code would be bundled with the wallet rather than loaded from a CDN, and MoonPay later provided one. However, "pressure to release, as well as human error, led to the Foundation not switching to the more secure NPM package before launch." The mistake could have been avoided "if the Foundation had followed the release of the software through a more intensive and cross-team review process."

Without speculating too far, I also wonder why the MoonPay plugin for the wallet had access to the private keys in the first place. It only needs the addresses (public keys) to send IOTA tokens to them. It should be possible to separate the public keys from the private keys and give a plugin the right to read only the public keys. Could the hack have been prevented by greater security awareness in wallet development?

But it is what it is, and the only thing left for the IOTA Foundation to do is admit mistakes and try to limit the damage. Shutting down the coordinator at least prevents the hacker from transferring more tokens. But what now?

First, the Foundation has released a new version of Trinity that is no longer vulnerable. Anyone who has not opened his Trinity wallet since January 25 should have a good chance that his keys are not yet in the hands of the hacker. He can install the new wallet version and should then be safe. Mobile users should also install a new version that no longer includes the MoonPay plugin.

Subsequently, the Foundation started to locate the stolen IOTA tokens through blockchain or tangle analysis. To do so, it enlisted several security experts and cyber-forensics specialists and reported the incident to the police in Germany, the UK and Malta, as well as to the FBI. The intention here is likely to gain access to major exchanges such as (Germany) and Binance (Malta) where IOTA is traded. The Foundation has also informed all relevant exchanges, asking them to help trace where the stolen tokens were transferred to and to freeze them if necessary.

However, one core problem remains: the IOTA Foundation does not know how many users have been affected. As with a virus epidemic, it knows how many users have shown symptoms (the 50 wallets from which funds have been siphoned), but it does not know how many wallets the hacker holds private keys for without having used them yet, which is like someone being infected but not (yet) showing symptoms. No matter what the Foundation does now, and no matter how many security holes it closes in Trinity, it cannot rule out that users will lose their coins when it turns the Tangle back on.

The only thing it can do now is to ask users to migrate their tokens securely to other private keys. For this purpose, it will provide a migration tool. Through this, users can make a claim to the coins in their wallet, which the Foundation will verify. If there is any doubt about the legitimacy of this claim, the Foundation will do a KYC check, i.e. validate the user’s identity. This process is supposed to take a maximum of ten days and be concluded with the Foundation starting the tangle again.

So far, however, it does not seem clear when the migration tool will be available; probably at the beginning of March. It is also unfortunate that probably not every user will manage to file their claim within the allotted time frame, and that it is not clear how the Foundation will handle those cases.