Let Me Create Your Crypto Wallet For You …

Would you trust someone who appeared, uninvited, on your doorstep, to change the locks in your home?

And would you trust any old site to create your crypto wallet for you?

Recently it was found that around $4 million — small money compared to the Coincheck hack (which is likely to be over $500 million) — was taken from IOTA wallets.

For this, intruders created a fake Web site to trick users into creating their wallets there, and crafted the site so that it appeared at the top of all searches for the IOTA seed generator (the creator of wallets).

IOTA is a fairly strong cryptocurrency and has a market capitalisation of nearly $7 billion. It currently sits at No 11 in the cryptocurrency ranking for capitalisation (just one below NEM, which was the focus of the Coincheck hack):

Overall IOTA has increased in value since Dec 2017, and has followed the trend of many other cryptocurrencies:

In order to improve security, the IOTA wallet needs a seed of 81 (preferably random) characters. For this, users can use an on-line tool to create the random seed in the correct format. The intruders thus created a tool at iotaseed.io which generated the seed for the wallet. With the Wayback Engine, we can look back at the site (it was last updated on 3 January 2018):

While the site generated the random seed, it also stored all the details associated with the wallet. This meant that the intruders simply waited until the wallet was topped-up and then transferred the money out. The site has since been closed down:

The address for donations defines two crypto addresses:

The GitHub logo seems to give the page a bit of legitimacy, but the Bitcoin account shows little sign of activity — with just one donation:

For the related GitHub repository, the code has since been taken down, but here is the code listing as it was before the hack:

Conclusions

Watch where you create your wallets, and only do it with trustworthy sites.
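An added example, not code from the original article or from the IOTA project: the 81-character seed described above can be generated offline from the operating system's CSPRNG, so that no Web site ever sees it. The tryte alphabet (9 and A-Z) and all function names are assumptions that the article does not state.

```python
import math
import os

# Assumption (not stated in the article): IOTA seeds use the tryte alphabet,
# the digit 9 plus the uppercase letters A-Z, 27 symbols in total.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81  # seed length given in the article


def generate_seed(random_bytes=os.urandom):
    """Return an 81-character seed drawn uniformly from TRYTE_ALPHABET.

    random_bytes is a callable n -> bytes. It defaults to the OS CSPRNG and
    is injectable only so the byte-to-symbol mapping can be tested.
    """
    n = len(TRYTE_ALPHABET)
    # 256 is not a multiple of 27, so a plain `byte % 27` would favour the
    # first 13 symbols. Rejection sampling: keep only bytes below 243 (9 * 27).
    limit = 256 - (256 % n)
    out = []
    while len(out) < SEED_LENGTH:
        for b in random_bytes(SEED_LENGTH):
            if b < limit and len(out) < SEED_LENGTH:
                out.append(TRYTE_ALPHABET[b % n])
    return "".join(out)


def is_valid_seed(seed):
    """Check the format only: exactly 81 characters, all from the alphabet."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits():
    """Entropy of a uniformly random seed: 81 * log2(27), about 385 bits."""
    return SEED_LENGTH * math.log2(len(TRYTE_ALPHABET))


if __name__ == "__main__":
    # Run on a machine you control; the seed is never sent anywhere.
    print(generate_seed())
```

The format check says nothing about how a seed was produced: a seed from a site that also stores it passes the same check, which is why the generation step has to stay local.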