$9 600 000 USD

FEBRUARY 2023

GLOBAL

MYALGO WEB WALLET

DESCRIPTION OF EVENTS

"MyAlgo, a native wallet for the Algorand blockchain network, has advised users to withdraw funds after it was struck by an exploit last week."

 

"Blockchain sleuth ZachXBT said that 19.5 million ALGO and 3.5 million USDC worth $9.6 million have been stolen and that centralized exchange ChangeNow has frozen $1.5 million."

 

"We strongly advise all users to withdraw any funds from Mnemonic wallets that were stored in MyAlgo," MyAlgo confirmed in a tweet.

 

John Woods, chief technology officer of the Algorand Foundation, said that 25 wallets have been affected and that the exploit is "not the result of an underlying issue with the Algorand protocol or SDK (software development kit)."

 

"I haven’t seen many posts about this on CT yet but it’s suspected over $9.2m (19.5M ALGO, 3.5m USDC, etc) has been stolen on Algorand as a result of this attack from Feb 19th to 21st."

 

"Algorand-focused developer collective D13.co released a report on Feb. 27 that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities.

 

The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks or MyAlgo’s website was compromised, leading to the “targeted exfiltration of unencrypted private keys.”

 

MyAlgo stated it would continue to work with authorities and would conduct a “thorough investigation to determine the root cause of the attack.”"

 

"I know this is not much to most of you but I put a good amount of my savings in ALGO because I love the tech behind it and believed it is the future.

 

Now I know it was a third-party wallet that was hacked but the lack of information around the cause of hack and how it was performed does not instill confidence at all in the Algorand community and team.

 

It reeks of incompetence when I read the cause of the hack is still unknown. This has shaken up my confidence in Algorand and crypto in general."

 

"As I have been very active on this sub during most of the bear market, I obviously also saw what kind of advice was the most present on this sub from us bear market survivors. While “DCA” may take the inevitable crown there also were calls to basically just buy your Crypto (or even DCA) and then completely forget about it to come back during a bull run for inevitable gains, right?

 

Now I know why this is seen as a pretty popular theory as many people from the past basically did that. Someone from 2012 bought Bitcoin and then forgot about it until 2021 to become a millionaire. The problem here is that times have completely changed."

 

"Attackers abused the CDN to inject malicious code through a man-in-the-middle attack between the actual http://wallet(.)myalgo(.)com webapp and the user."

 

"It's unclear how the CDN API key was obtained.

 

- No evidence of exploitation or vulnerability was found in MyAlgo codebase
- No evidence that the CDN user account was compromised."

 

"The audit logs cover 18 months, while the impacted account is 19 months old. Interestingly the account was never used until October 2022 (6 months ago). This raises the unlikely possibility that either logs are missing or the API key was obtained 19 months ago, evading the logs"

 

"The malicious worker (which targeted a specific version of MyAlgo) was uploaded on January 21st, and the attack continued until mid-February when a new version of MyAlgo was released."

 

"It is important to note that law enforcement and security/forensics professionals will continue investigating, gathering more information that will help shed light on the details of the attack."

Users of the web-based wallet MyAlgo found that their assets were being removed from their wallets starting in February 2023. The exploit remained unknown until April 2023, when it was revealed that malicious JavaScript code must have been injected on January 21st. Total losses have been estimated at $9.6m, and the investigation remains ongoing.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.