MyAlgo Web Wallet JavaScript CDN Exploit
Revision as of 14:36, 18 January 2024
Users of the web-based wallet MyAlgo found that assets were being removed from their wallets starting in February 2023. The cause of the exploit remained unknown until April 2023, when it was revealed that malicious JavaScript code must have been injected on January 21st. Total losses have been estimated at $9.6m, and the investigation remains ongoing.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10]
About MyAlgo Web Wallet
"MyAlgo, a native wallet for the Algorand blockchain network, has advised users to withdraw funds after it was struck by an exploit last week."
"Blockchain sleuth ZachXBT said that 19.5 million ALGO and 3.5 million USDC worth $9.6 million have been stolen and that centralized exchange ChangeNow has frozen $1.5 million."
"We strongly advise all users to withdraw any funds from Mnemonic wallets that were stored in MyAlgo," MyAlgo confirmed in a tweet.
John Woods, chief technology officer of the Algorand Foundation, said that 25 wallets have been affected and that the exploit is "not the result of an underlying issue with the Algorand protocol or SDK (software development kit)."
"I haven’t seen many posts about this on CT yet but it’s suspected over $9.2m (19.5M ALGO, 3.5m USDC, etc) has been stolen on Algorand as a result of this attack from Feb 19th to 21st."
"Algorand-focused developer collective D13.co released a report on Feb. 27 that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities.
The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks or MyAlgo’s website was compromised, leading to the “targeted exfiltration of unencrypted private keys.”
MyAlgo stated it would continue to work with authorities and would conduct a “thorough investigation to determine the root cause of the attack.”"
"I know this is not much to most of you but I put a good amount of my savings in ALGO because I love the tech behind it and believed it is the future.
Now I know it was a third-party wallet that was hacked but the lack of information around the cause of hack and how it was performed does not instill confidence at all in the algorand community and team.
It reeks of incompetence when I read the cause of the hack is still unknown. This has shaken up my confidence in Algorand and crypto in general."
"As I have been very active on this sub during most of the bear market, I obviously also saw what kind of advice was the most present on this sub from us bear market survivors. While “DCA” may take the inevitable crone there also were calls to basically just buy your Crypto (or even DCA) and then completely forget about it to come back during a bull run for inevitable gains, right?
Now I know why this is seen as a pretty popular theory as many people from the past basically did that. Someone from 2012 bought Bitcoin and then forgot about it until 2021 to become a millionaire. The problem here is that times have completely changed."
"Attackers abused the CDN, to inject malicious code through a man-in-the-middle attack between the actual http://wallet(.)myalgo(.)com webapp and the user."
"It's unclear how the CDN API key was obtained.
- No evidence of exploitation or vulnerability was found in MyAlgo codebase
- No evidence that the CDN user account was compromised."
"The audit logs cover 18 months, while the impacted account is 19 months old. Interestingly the account was never used until October 2022 (6 months ago). This raises the unlikely possibility that either logs are missing or the API key was obtained 19 months ago, evading the logs"
"The malicious worker (which targeted a specific version of MyAlgo) was uploaded on January 21st, and the attack continued until mid-February when a new version of MyAlgo was released."
"It is important to note that law enforcement and security/forensics professionals will continue investigating, gathering more information that will help shed light on the details of the attack."
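The reports quoted above describe the mechanism as tampering at the CDN layer: a malicious worker sat between the genuine web app and the user and altered the JavaScript served to a specific wallet version, without any change to the MyAlgo codebase itself. The Python below is an added defensive example, not code from MyAlgo, Halborn, CoinSpect or D13.co: it pins every external script of a release to the SHA-256 hash the build produced, audits what a CDN actually serves against that manifest, and flags both a modified bundle and an injected inline script. It also emits the Subresource Integrity value a page can carry in a `<script integrity="...">` attribute. The bundle bytes, the `wallet.example.test` URL and the tampered content are constructed placeholders.

```python
import base64
import hashlib
from collections.abc import Callable
from html.parser import HTMLParser

# Constructed sample data (not from the MyAlgo investigation): the JavaScript
# bundle as the release build produced it, and a tampered copy of the kind a
# compromised CDN edge could serve in its place.
GOOD_BUNDLE = b"(function(){ window.wallet = { version: '1.0.0' }; })();"
TAMPERED_BUNDLE = GOOD_BUNDLE + b"\n/* constructed tampered content */ tampered();"
BUNDLE_URL = "https://wallet.example.test/static/js/main.js"  # hypothetical URL


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_token(data: bytes, alg: str = "sha384") -> str:
    """Subresource Integrity value for a <script integrity="..."> attribute."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(bundles: dict[str, bytes]) -> dict[str, str]:
    """Pin every external script URL to the hash of the bytes the build produced.
    In a real pipeline this runs at release time, outside the CDN's reach."""
    return {url: sha256_hex(body) for url, body in bundles.items()}


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from served HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_page(html: str, fetch: Callable[[str], bytes], manifest: dict[str, str]) -> list[str]:
    """Compare the page a CDN serves against the release manifest.
    Returns a list of findings; an empty list means the deployment matches.
    Assumes the release ships no inline scripts, so any inline body is a finding."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings: list[str] = []
    for url in collector.external:
        if url not in manifest:
            findings.append(f"unexpected external script: {url}")
            continue
        served = sha256_hex(fetch(url))
        if served != manifest[url]:
            findings.append(
                f"hash mismatch for {url}: served {served[:12]}..., expected {manifest[url][:12]}..."
            )
    for body in collector.inline:
        if body.strip():
            findings.append(f"unexpected inline script ({len(body)} bytes)")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Audit a clean deployment and a tampered one; returns both finding lists."""
    manifest = build_manifest({BUNDLE_URL: GOOD_BUNDLE})
    clean_html = f'<html><body><script src="{BUNDLE_URL}"></script></body></html>'
    # A compromised edge can rewrite the HTML as well as the bundle it references.
    tampered_html = clean_html.replace("</body>", "<script>tampered()</script></body>")
    clean = audit_page(clean_html, lambda url: GOOD_BUNDLE, manifest)
    tampered = audit_page(tampered_html, lambda url: TAMPERED_BUNDLE, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean deployment findings:", clean)
    print("tampered deployment findings:", *tampered, sep="\n  ")
    print("SRI attribute for the release bundle:", sri_token(GOOD_BUNDLE))
```

Two points follow from the design. First, an `integrity` attribute only helps for scripts referenced by HTML the attacker cannot rewrite; when the HTML itself comes through the compromised CDN, the attacker can strip or replace the attribute, which is why the audit above runs from a vantage point outside the CDN and compares against hashes recorded at build time. Second, the quoted reports note that the worker targeted a specific wallet version, so an audit that fetches only one version or one edge location may see clean content; monitoring should cover every deployed version and several network vantage points.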
What Happened
| Date | Event | Description |
|---|---|---|
| January 21st, 2023 | Malicious Worker Uploaded | The apparent time when the malicious worker was uploaded to affect a certain version of the MyAlgo wallet. |
| February 19th, 2023 | First Wallet Drained | The first MyAlgo wallets are drained of funds. |
| February 27th, 2023 5:38:00 AM MST | Tweet Warning From MyAlgo | MyAlgo shares a tweet strongly advising users to withdraw any funds stored with a mnemonic generated from the MyAlgo wallet. |
| February 27th, 2023 6:13:00 PM MST | ZachXBT Analysis | ZachXBT shares his analysis of transactions and reports that he suspects the draining of funds started on February 19th. |
| February 28th, 2023 5:01:00 AM MST | CoinDesk Article | CoinDesk reports on the MyAlgo wallet exploit. |
| March 6th, 2023 3:35:00 PM MST | Funds Still Draining | Funds are reportedly still being actively drained from MyAlgo wallets. |
| March 9th, 2023 11:56:33 AM MST | Reddit Post | A Reddit post advises against the typical strategy of buying and holding cryptocurrencies long-term, citing the MyAlgo wallet exploit as one potential pitfall of that strategy. |
| March 18th, 2023 9:01:42 AM MDT | Reddit Thread | Another Reddit thread is posted by a user concerned that the cause of the exploit has still not been determined. This user lost only 500 ALGO; however, their faith in ALGO is permanently shaken by the experience. |
| March 18th, 2023 12:17:25 PM MDT | Medium Post | A Medium post is published by CoinSpect to address several rumours and false narratives around the method of exploit. |
| April 21st, 2023 8:54:00 AM MDT | Final Report Tweet | Halborn reports on their investigation and MyAlgo shares a final tweet report about the exploit, which is apparently traced to a CDN exploit. |
Technical Details
Total Amount Lost
$9.6m or $9.2m
The total amount lost has been estimated at $9,600,000 USD.
Immediate Reactions
Ultimate Outcome
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] https://www.reddit.com/r/CryptoCurrency/comments/11n0emz/just_buying_your_crypto_and_then_forgetting_about/ (Mar 9, 2023)
- [2] Algorand Wallet MyAlgo Advises Users to Withdraw Funds After $9.6M Exploit (Jan 18, 2024)
- [3] https://www.reddit.com/r/AlgorandOfficial/comments/11uqqex/i_lost_around_500_algo_in_the_myalgo_wallet_hack/ (Jan 18, 2024)
- [4] I lost around 500 ALGO in the myalgo wallet hack : AlgorandOfficial (Jan 18, 2024)
- [5] https://cointelegraph.com/news/myalgo-users-urged-to-withdraw-as-cause-of-9-2m-hack-remains-unknown (Jan 18, 2024)
- [6] @myalgo_ Twitter (Jan 18, 2024)
- [7] @HalbornSecurity Twitter (Jan 18, 2024)
- [8] Addressing Rumors And Recommendations Following The Myalgo Wallet Hack (Jan 18, 2024)
- [9] Algorand Wallet (Jan 18, 2024)
- [10] Algorand Wallet (Jan 18, 2024)