IOTA Foundation publishes plan
As the IOTA Foundation describes, on 12 February 2020 at around 3 pm CET it became aware of unauthorised outgoing transactions from accounts that had previously held positive balances, which forced it to make a prompt decision. Within the first four hours of the attack becoming known, the leadership decided to stop the Coordinator and thus bring value transactions on the network to a standstill. What happened subsequently has already been reported in great detail.
Now the IOTA Foundation has also commented on the actual course of events of the hack. It states that the MoonPay integration was relatively quickly identified as the root cause. The integration was delivered as bundled code served through a CDN (Content Delivery Network). Aware of the risks of loading code this way, the IOTA Foundation demanded an NPM (Node Package Manager) package from MoonPay instead. However, MoonPay delivered it late, after much of the development work had already been done, which is why that integration did not take place before the launch of the Trinity wallet (freely translated):
When we analyzed these logs with our Tangle analytics toolsets we, unfortunately, found that several addresses were owned by an exchange. We requested the exchange again to immediately lock the accounts, and are currently in further correspondence with them to assess the full picture of the amount of tokens the attacker was able to convert and transfer out of the exchange. […]
The next revelation came with the release of the log files to the IOTA Foundation on the 15th of February from the DNS provider contracted by Moonpay: Cloudflare. […] The attacker started on November 27th, 2019 with a DNS-interception Proof of Concept that used a Cloudflare API key to rewrite the api.moonpay.io endpoints, capturing all data going to api.moonpay.io for potential analysis or exfiltration. Another longer-running Proof of Concept was evaluated by the attacker one month later, on December 22nd, 2019. On January 25th, 2020, the active attack on Trinity began, where the attacker started shipping illicit code via Moonpay’s DNS provider at Cloudflare.
Currently, the IOTA Foundation is aware of 50 seeds that were stolen during the attack. A total of 8.55 Ti (8,550,000,000,000 IOTA), approximately 2.37 million US dollars, were stolen. However, due to the nature of the attack, it is currently not possible to identify the exact number of users affected, so all Trinity wallet users are encouraged to check for themselves whether they are affected.
Author: Jake Simmons