IOTA Wallets Emptied; $4 Million Stolen

posted by janrinok on Thursday February 01, @02:37AM
from the handy-piece-of-code dept.
Security Software

bradley13 writes:

My old physics teacher always said: "It's the dumb criminals who get caught; you never catch the smart ones." He was a really smart guy, and he did live a nice lifestyle, hmmm...

Anyway, so IOTA. As with any digital currency, you need some random information - a passphrase typically - that is used when you create your wallet. In the case of IOTA, which is supposed to be IOT friendly, this means a string of 81 random characters, the generation of which could be pretty easily automated.

That's great, and the OSS world being full of helpful people, someone wrote a handy generator, put the code for all to see on GitHub, and put their generator onto a website where you could easily make use of it. Nice.

Actually, diabolical. The code on the website really was identical to the code on GitHub, except for one tiny, almost insignificant change: at some point, the owner swapped out the random seed to a value that he knew. Not even constant - that would have been too obvious - but known nonetheless.

And for many months, many people used his friendly little service. Until January 19th, when he emptied their IOTA wallets, erased his presence from the Interwebs, and quietly disappeared. $4 million or so richer.

This one won't be caught.

tl;dr for anyone who doesn't get it: The point of having a secret password, secret passphrase, or secret key is that it's secret. Which means that you don't have it generated for you by a public web service.

Original Submission
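
Added example (not part of the submission, and not the code of the generator it describes): a sketch of why a seed produced by someone else's generator cannot be trusted, next to generating one locally from the operating system's CSPRNG. It assumes IOTA's seed alphabet of A-Z plus 9; Python's `random.Random` stands in for whatever PRNG the site used, and the starting-state value is a constructed sample.

```python
import random
import secrets

# Assumption: IOTA seed alphabet is uppercase A-Z plus the digit 9 (27 symbols).
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81  # length given in the story


def generate_seed_local() -> str:
    """Generate a seed from the OS CSPRNG; secrets.choice is unbiased."""
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def generate_seed_predictable(prng_state: int) -> str:
    """Stand-in for a generator whose PRNG was seeded by someone else.

    random.Random is a deterministic Mersenne Twister: the same starting
    state always produces the same "random" seed.
    """
    rng = random.Random(prng_state)
    return "".join(rng.choice(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def is_well_formed(seed: str) -> bool:
    """Format check only; it says nothing about how the seed was generated."""
    return len(seed) == SEED_LENGTH and set(seed) <= set(TRYTE_ALPHABET)


def reproducible_by_operator(user_seed: str, known_states) -> bool:
    """True if a holder of the PRNG starting states can regenerate user_seed."""
    return any(generate_seed_predictable(s) == user_seed for s in known_states)


if __name__ == "__main__":
    CONSTRUCTED_STATE = 1516320000  # constructed sample value, not from the incident
    handed_out = generate_seed_predictable(CONSTRUCTED_STATE)
    local = generate_seed_local()
    # Both seeds pass the format check and look equally random to the user.
    print("predictable seed well-formed:", is_well_formed(handed_out))
    print("local seed well-formed:      ", is_well_formed(local))
    # Only the locally generated one is out of the operator's reach.
    print("operator regenerates handed-out seed:",
          reproducible_by_operator(handed_out, [CONSTRUCTED_STATE]))
    print("operator regenerates local seed:     ",
          reproducible_by_operator(local, [CONSTRUCTED_STATE]))
```

Inspecting the output cannot tell the two seeds apart; the only control that helps is generating the seed on a machine you control from a source nobody else can replay.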


  • (Score: 2) by frojack (1554) on Thursday February 01, @02:51AM (#631308)

    So is it cash somewhere already?

    Because if not, who is going to convert that much iota to any usable form of money?
    Isn't this a blockchain? Don't block chains record details in the chain?

    Sounds to me that this guy just bought himself a 4 million dollar never ending vacation.

  • (Score: 2) by jmorris (4844) <{jmorris} {at} {beau.org}> on Thursday February 01, @03:29AM (#631323)

    And here we see the wisdom in "it is immoral to let a sucker keep his money."

    These fools have learned a valuable lesson in the only way most of them are capable of learning, by pain. And while the losers think they lost something valuable, it was just play money they lost so it is all good.

  • (Score: 0) by Anonymous Coward on Thursday February 01, @03:39AM (#631327)

    A fool and his money are soon invited (super secret) places.

  • (Score: 2) by requerdanos (5997) on Thursday February 01, @03:41AM (#631329)

    frojack: So is it cash somewhere already?... who is going to convert that much iota to any usable form of money?

    jmorris: it was just play money they lost so it is all good.

    Um. Not rocket science.

    Step 1. Convert IOTA to Bitcoin or Litecoin (something easily exchangeable for traditional currency). This can be done at sites like bitfinex [bitfinex.com].

    Step 2. Sell your Bitcoins/Litecoins. They are easily exchangeable for, for example, US Dollars. This can be done at sites like Coinbase [coinbase.com], Kraken [kraken.com], Bitstamp [bitstamp.net], or Poloniex [poloniex.com].

    Step 3. Whatever you want to do with the money. Maybe buy some of what the "play money"-thinking people are smoking; it must be good.

    • (Score: 0) by Anonymous Coward on Thursday February 01, @04:09AM (#631338)

      If there exists a person who will for some reason hand you real money for play money - it still is play money.

