MyAlgo Web Wallet JavaScript CDN Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

MyAlgo Wallet Homepage/Logo

Users of the web-based wallet MyAlgo found assets being removed from their wallets starting in February 2023. The root cause remained unknown until April 2023, when the investigation traced the thefts to malicious JavaScript injected at the CDN layer by a worker uploaded on January 21st, 2023. Total losses have been estimated at $9.6m and the investigation remains ongoing.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7]

About MyAlgo Web Wallet

MyAlgo was a web-based wallet native to the Algorand blockchain network.

Homepage: [8][9]

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - MyAlgo Web Wallet JavaScript CDN Exploit

Date | Event | Description
January 21st, 2023 | Malicious Worker Uploaded | The apparent time when the malicious worker was uploaded to the CDN, targeting a specific version of the MyAlgo wallet.
February 19th, 2023 | First Wallet Drained | The first MyAlgo wallets are drained of funds.
February 27th, 2023 5:38:00 AM MST | Tweet Warning From MyAlgo | MyAlgo shares a tweet strongly advising users to withdraw any funds stored in a wallet whose mnemonic was generated by MyAlgo.
February 27th, 2023 6:13:00 PM MST | ZachXBT Analysis | ZachXBT shares his analysis of the transactions and reports that he suspects the draining of funds started on February 19th.
February 28th, 2023 5:01:00 AM MST | CoinDesk Article | CoinDesk reports on the MyAlgo wallet exploit.
March 6th, 2023 3:35:00 PM MST | Funds Still Draining | Funds are reportedly still being actively drained from MyAlgo wallets.
March 9th, 2023 11:56:33 AM MST | Reddit Post | A Reddit post advises against the typical strategy of buying and holding cryptocurrencies long-term, citing the MyAlgo wallet exploit as one pitfall of that strategy.
March 9th, 2023 12:23:00 PM MST | Borderless Capital Proposal | Borderless Capital, a key participant in the Algorand ecosystem, expresses sympathy for the victims of the MyAlgo security incident[10]. In response to the hack, the venture capital firm proposes a 50 million ALGO Recovery Fund, anchored by the treasury of the Algorand Foundation and open to contributions from third parties. They suggest including this proposal as a third measure to be voted on before the end of the current governance period in Q1 2023, emphasizing the urgency of community action. If approved, Borderless commits to contributing 2.5 million ALGO to the fund, and proposes directing the Algorand blockchain's ALGO fees to the Recovery Fund until the community is fully restituted. The firm also expresses eagerness to collaborate on a process for the orderly distribution of funds to the victims[10].
March 9th, 2023 8:11:31 PM MST | MyAlgo Recovery Fund Shot Down | A Reddit post discusses the Algorand community's split opinion on the proposed 50 million ALGO recovery fund for victims of the MyAlgo wallet exploit, which Borderless Capital suggested to alleviate the losses[11]. The community is near-unanimously against the proposal, citing concerns about rushing into a solution without thorough evaluation. Many community members argue that changing governance in the middle of a period sets a bad precedent and could have unintended consequences. Some worry about inadvertently funding the attackers and suggest waiting for more information before making a decision. Overall, the community emphasizes a rational approach to the aftermath of the exploit that does not exacerbate the situation[11].
March 18th, 2023 9:01:42 AM MDT | Reddit Thread | Another Reddit thread is posted by a user concerned that the cause of the exploit has still not been determined. This user lost only 500 ALGO, but their faith in ALGO is permanently shaken by the experience.
March 18th, 2023 12:17:25 PM MDT | Medium Post | A Medium post is published by Coinspect to address several rumours and false narratives about the method of exploit[12]. Coinspect Security has collaborated with MyAlgo to investigate the high-impact hack that affected thousands of users. They identified one particular attack matching the reported incidents and aim to provide insights to support the ongoing investigation. Addressing rumours, Coinspect clarified that the attackers used previously collected seeds, exploited no application bugs, and did not abuse browser bugs or features such as autofill. The incident was not due to user negligence or phishing, and the seed encryption algorithm used by MyAlgo is robust. Coinspect recommends that affected users change their wallet password immediately and exercise caution with communications, verifying their source to avoid phishing. The investigation is ongoing, and Coinspect commits to supporting the community's security efforts[12].
April 21st, 2023 8:54:00 AM MDT | Halborn Report Tweet | Halborn publishes its investigation and MyAlgo shares a final report in a tweet thread, tracing the exploit to a malicious worker on the CDN[7][13].

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

"Attackers abused the CDN, to inject malicious code through a man-in-the-middle attack between the actual http://wallet(.)myalgo(.)com webapp and the user."

"It's unclear how the CDN API key was obtained.

- No evidence of exploitation or vulnerability was found in MyAlgo codebase

- No evidence that the CDN user account was compromised."

"The audit logs cover 18 months, while the impacted account is 19 months old. Interestingly the account was never used until October 2022 (6 months ago). This raises the unlikely possibility that either logs are missing or the API key was obtained 19 months ago, evading the logs"
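The audit-log gap described here suggests a check that any team holding CDN or cloud API credentials can run against its own account. The following is an added example, not Halborn's or MyAlgo's code: given an inventory of API tokens (constructed data below, with a 19-month-old token that sat idle for about a year before first use as one entry, mirroring the quote) and the provider's log retention window, it flags tokens created before the retained logs begin, tokens dormant for months before their first use, and tokens never used at all. The field names `createdAt` and `firstUsedAt` and the `retentionMonths` value are assumptions; a real provider exposes this through its own token-listing API.

```javascript
// Added example (not MyAlgo's or the CDN provider's code): does the audit-log
// window actually cover the lifetime of every API token on the account?
const DAY_MS = 24 * 60 * 60 * 1000;
const MONTH_MS = 30.44 * DAY_MS; // mean month length, good enough for a coverage check

function monthsBetween(earlier, later) {
  return (later.getTime() - earlier.getTime()) / MONTH_MS;
}

// tokens: [{ id, createdAt, firstUsedAt | null }]  (field names assumed)
// opts:   { now, retentionMonths, dormancyMonths }
// Returns one entry per token with a list of human-readable findings.
function auditTokenCoverage(tokens, { now, retentionMonths, dormancyMonths }) {
  const coverageStart = new Date(now.getTime() - retentionMonths * MONTH_MS);
  return tokens.map((t) => {
    const created = new Date(t.createdAt);
    const firstUsed = t.firstUsedAt ? new Date(t.firstUsedAt) : null;
    const findings = [];
    if (created < coverageStart) {
      // Issuance and any early use fall outside the retained logs, so the
      // account cannot prove who held this key or where it was used.
      findings.push('created before retained logs begin: issuance and early use are unauditable');
    }
    if (firstUsed) {
      const idle = monthsBetween(created, firstUsed);
      if (idle >= dormancyMonths) {
        findings.push(`dormant ${Math.round(idle)} months before first use`);
      }
    } else {
      findings.push('never used: candidate for revocation');
    }
    return { id: t.id, findings };
  });
}

// Constructed inventory standing in for a CDN account's token list.
const SAMPLE_TOKENS = [
  { id: 'tok-deploy-legacy', createdAt: '2021-09-15T00:00:00Z', firstUsedAt: '2022-10-10T00:00:00Z' },
  { id: 'tok-ci-current',    createdAt: '2023-01-15T00:00:00Z', firstUsedAt: '2023-01-16T00:00:00Z' },
  { id: 'tok-unused',        createdAt: '2022-06-01T00:00:00Z', firstUsedAt: null },
];

function runSample() {
  return auditTokenCoverage(SAMPLE_TOKENS, {
    now: new Date('2023-04-21T00:00:00Z'), // date of the public report
    retentionMonths: 18,                   // assumed provider log retention
    dormancyMonths: 6,
  });
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const r of runSample()) console.log(r.id, r.findings);
}
```

Any token that predates the log window should be rotated: even if it was never abused, nothing on the account can show that. Dormant-then-active tokens deserve the same treatment, since a long gap between issuance and first use is exactly what a key obtained long ago and held in reserve would look like.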

"The malicious worker (which targeted a specific version of MyAlgo) was uploaded on January 21st, and the attack continued until mid-February when a new version of MyAlgo was released."

Total Amount Lost

Estimates range from $9.2m to $9.6m.

"I haven’t seen many posts about this on CT yet but it’s suspected over $9.2m (19.5M ALGO, 3.5m USDC, etc) has been stolen on Algorand as a result of this attack from Feb 19th to 21st."

"Blockchain sleuth ZachXBT said that 19.5 million ALGO and 3.5 million USDC worth $9.6 million have been stolen and that centralized exchange ChangeNow has frozen $1.5 million."

The total amount lost has been estimated at $9,600,000 USD.

Immediate Reactions

"MyAlgo, a native wallet for the Algorand blockchain network, has advised users to withdraw funds after it was struck by an exploit last week."

"Blockchain sleuth ZachXBT said that 19.5 million ALGO and 3.5 million USDC worth $9.6 million have been stolen and that centralized exchange ChangeNow has frozen $1.5 million."

"We strongly advise all users to withdraw any funds from Mnemonic wallets that were stored in MyAlgo," MyAlgo confirmed in a tweet.

John Woods, chief technology officer of the Algorand Foundation, said that 25 wallets have been affected and that the exploit is "not the result of an underlying issue with the Algorand protocol or SDK (software development kit)."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

"Algorand-focused developer collective D13.co released a report on Feb. 27 that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities.

The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks or MyAlgo’s website was compromised, leading to the “targeted exfiltration of unencrypted private keys.”

MyAlgo stated it would continue to work with authorities and would conduct a “thorough investigation to determine the root cause of the attack.”"


"I know this is not much to most of you but I put a good amount of my savings in ALGO because I love the tech behind it and believed it is the future.

Now I know it was a third-party wallet that was hacked but the lack of information around the cause of hack and how it was performed does not instill confidence at all in the algorand community and team.

It reeks of incompetence when I read the cause of the hack is still unknown. This has shaken up my confidence in Algorand and crypto in general."


"As I have been very active on this sub during most of the bear market, I obviously also saw what kind of advice was the most present on this sub from us bear market survivors. While “DCA” may take the inevitable crown, there also were calls to basically just buy your Crypto (or even DCA) and then completely forget about it to come back during a bull run for inevitable gains, right?

Now I know why this is seen as a pretty popular theory as many people from the past basically did that. Someone from 2012 bought Bitcoin and then forgot about it until 2021 to become a millionaire. The problem here is that times have completely changed."

Total Amount Recovered

No funds appear to have been recovered or returned to affected users in this case, although a portion of the stolen funds was reportedly frozen by an exchange.

"Blockchain sleuth ZachXBT said that centralized exchange ChangeNow has frozen $1.5 million."

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

"It is important to note that law enforcement and security/forensics professionals will continue investigating, gathering more information that will help shed light on the details of the attack."

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References