The crypto market has been extremely volatile in 2020, and there are all kinds of suppositions as o why there are so many ups and downs. What's triggering the 2020 rallies? The online publication the Daily Hodl mentions analyst Jacob Canfield who thinks that criminals from China and Korea are behind the crypto Ponzi scheme …
Digital assets are trading in the red today, and the most important coin is struggling above $9,700. At the moment of writing this article, Bitcoin is also trading in the red, amidst a high volatile crypto market. Important signal hints at an upcoming rally for ETH On the other hand, it's been just revealed that …
Ripple was in the spotlight a lot this year and only thanks to various achievements so far. The San Francisco-based company made sure to highlight the fact that its main goal for 2020 is boosting adoption for XRP. The firm has been working really hard to overcome the flaws that the traditional payments system SWIFT …
Bitcoin seems to have a bit of difficulty trying to surpass the important $10k psychological level once more – this is what more crypto holders have been waiting for these days amidst huge volatility in the crypto space. Now, a top crypto analyst, Peter Brandt, addresses the current state of the market and compares the …
The crypto market looks pretty bloody today after the other day things were looking more optimistic, and crypto enthusiasts believed that we'd witness Bitcoin surpassing the critical level of $10k once again. The crypto market has been extremely volatile, and analysts are guessing that whales are to blame. On the other hand, the high volatility …
DeFi stands for decentralized finance, and you might have definitely heard of it, as it’s one of the trendiest words in the crypto space at the moment. This term is referring to the platforms that have the ability to automize traditional financial services such as margin trading, insurance, borrowing, and lending, and it’s basically revolutionizing …
Despite still being a nascent technology, the blockchain is developing with mind-blowing speed, and 2020 is expected to be a truly important year for the Bitcoin and crypto industry. The main goal of the crypto space was and still is the mainstream adoption of digital assets and their underlying technology, the blockchain. More countries are …
Ripple just announced that the company plans to build a financial bridge between ETH and XRP. The firm launched some challenges at ETH Denver to pay coders who can connect the two coins on the Interledger Protocol (ILP). Ripple's CEO plans to kill banks' fear of crypto Ripple CEO Brad Garlinghouse seems to be on a mission …
Facebook's massive project Libra is one of the most controversial ones that the crypto industry has seen lately. It's also important to mention that the coin fasces issues with regulators, and the company is still making plans regarding its development. Also, despite the fact that Libra lost a lot of important supporters lately, it still …
The crypto market looks better today, with the most important coin trying to reach $10k once again. Bitcoin dropped in price this week, and now analysts expect to see the crypto being able to surpass the psychological level mentioned above. Fidelity is hiring and plans scaling crypto mining operations Fidelity was always seen as a …
Ripple was recently in the spotlight when the San Francisco-based company updated key stats on the amount of XRP that it holds and also addressed which firms are helping to power the network. The firm also made sure to highlight the fact that Microsoft is the most high-profile XRP Ledger validator processing transactions on the …
The crypto market looks better with most coins trading in the green and Bitcoin making significant efforts to reach $10k once again. During the past days, the crypto market has been bloody after whales sold Bitcoin, according to analysts. At the moment of writing this article, BTC is trading in the green, and the coin …
Ripple was recently in the spotlight when CEO Brad Garlinghouse compared XRP’s speed to BTC. He also admitted that the company has an interest in the success of the digital asset since Ripple owns more than half of the total supply of XRP. “XRP is extremely efficient from a technical point of view in terms …
Bitcoin struggles just above $9,600 after a recent significant drop in price that took place a few days ago. Since then, the most important coin in the market was not able to surpass $10k again, and crypto enthusiasts are keeping their fingers crossed. At the moment of writing this article, BTC is trading in the …
Mass crypto adoption has been one of the most important goals in the crypto industry in 2019, and it remains the same this year as well. All kinds of moves are being made that are massively supporting this important goal. For instance, probably the most significant move in this direction was Coinbase's move. From now …
After a 2019 that didn't bring too significant price moves for XRP, 2020 is expected to be a better year for the coin. Last year, Ripple was blamed for XRP's poor performance. The digital asset already managed to surpass $0.33 this year, and now the coin is trading in the red just like the other …
The crypto market looks pretty bloody again, as Bitcoin struggles to recover its recent losses. The huge price drop is said to have been triggered by whales, according to some analysts. At the moment of writing this article, BTC is trading in the red, and the most important coin in the market is priced at …
Summary: Trinity is a software wallet for the IOTA digital asset that has been developed for desktop and mobile operating systems. Managed by the IOTA Foundation, this open-source software project enables the user to manage their tokens over the IOTA network. On February 12, 2020 the Trinity Wallet was attacked via a third-party dependency from Moonpay, which resulted in the theft of around 8.55 Ti in IOTA tokens.
This blog post is divided into a 3 part series:
- Part 1 summarizes the series of events that led to the attack and the measures taken by the IOTA Foundation. (This blog)
- Part 2 is the seed migration plan put in place to protect users that might have been affected by the attack. You can read it here.
- Part 3 offers an overview of key learnings, takeaways and measures that the IOTA Foundation will implement to ensure the highest security standards for all of our software development. You can read it here.
The following outlines the Trinity Attack Summary and measures taken by the IOTA Foundation to protect user’s tokens.
Series of Events
On Wednesday, 12th of February 2020, around 3 PM CET, moderators on the IOTA Discord server started receiving reports from users who were observing a zero balance and/or unauthorized outgoing transactions on their previously positive-balance accounts. It became clear this was not an isolated incident, and the IOTA Foundation’s engineering teams began to work on identifying the cause.
Within the first four hours of investigation, the Foundation made the decision to halt the coordinator, which was put in place as a temporary security mechanism during the network’s maturation phase. The decision to halt the coordinator is not one taken lightly, as it suspends the confirmation of value transactions on the network. Nonetheless, to prevent the attacker from transferring further tokens, it was an essential step. As a result, the attacker was unable to successfully obtain all targeted tokens, and a number of transfers were stopped en route to the attacker.
In order to enhance transparency around this incident, the Foundation implemented a Major Incident Management plan, which included regular status updates via a dedicated website.
This allowed us to provide public updates whenever possible, but also continue to work diligently behind the scenes to investigate different scenarios, including:
- A possible breach of the IOTA core protocol;
- Malicious modification of the available Trinity installer, across all or single OS versions;
- DNS hijacking, where a modified Trinity version would be downloaded from the hacker’s server;
- Virus/trojan infection resulting from phishing attacks;
- Remote code injection, e.g. through a dependency;
- Insecure seed generation (similar to the phishing incident from early 2019);
- Organized social-engineering attack (in relation to Binance’s recently announced 50x IOTA margin trading).
Early analysis and investigations (attack patterns, in-depth scans of affected users systems, extensive code dependency scans/reviews, different types of user-comparisons), as well as process of elimination, allowed the teams to identify a likely cause: the integration of a third-party service (Moonpay), which enabled users to directly purchase IOTA tokens within Trinity. We immediately informed MoonPay about the possible exploit.
At the time of its integration into Trinity, Moonpay was only available as bundled code delivered by a CDN (content delivery network), so the IOTA Foundation integrated it as such. Although widely used in web technologies, CDN delivery has inherent risks. One of those risks is that the code expected by the device could be unknowingly replaced with code that is not expected. The IOTA Foundation flagged the risks involved and requested an NPM (Node package manager) to mitigate it. This was later published by Moonpay, after most of the integration work had already been done, but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch. This was the weakness leveraged by the attacker and one that could likely have been resolved if the Foundation had had a more extensive, cross-team review process for larger releases.
Over the course of the next 48 hours, the Foundation, with the support of a number of victims, collected information and obtained Trinity files from affected users. The Foundation’s internal analysis of affected Trinity caches found irrefutable proof that they had been compromised with one of several illicit versions of Moonpay’s software development kit (SDK), which was being loaded automatically from Moonpay’s servers (their content delivery network) when a user opened Trinity. The code was loaded into the local Trinity instance, and, after the user’s wallet was unlocked, decrypted the user’s seed and sent the seed and password to a server controlled by the attacker. Before transferring tokens out, the attacker awaited the release of a new Trinity version, which would overwrite Trinity’s cache files and thus remove the remaining traces of the hacker’s exploit. With this realization and code samples in hand, the IOTA Foundation immediately filed a report with the Berlin Police Cyber Division.
Through an attack analysis, performed by the IOTA Foundation, it became clear that the pattern of the attacker was consolidating multiple packs of 28 Gi. We suspect this value was chosen to keep the USD value of one pack under 10,000 USD and avoid triggering exchanges’ KYC identification procedures. We immediately contacted all exchanges with the results of the pattern analysis and asked them to lock associated exchange accounts. The first reply from nearly all exchanges was that they had not received any of the stolen token bundles. Due to the processing structure of the bundles, it was hard to shake the suspicion that the bundles had been sent to an exchange address. After escalating multiple times, we received sets of exchange deposit transaction logs. When we analyzed these logs with our Tangle analytics toolsets we, unfortunately, found that several addresses were owned by an exchange. We requested the exchange again to immediately lock the accounts, and are currently in further correspondence with them to assess the full picture of the amount of tokens the attacker was able to convert and transfer out of the exchange.
The next revelation came with the release of the log files to the IOTA Foundation on the 15th of February from the DNS provider contracted by Moonpay: Cloudflare. With the cooperation of Moonpay, we were able to get the logs of the past 18 months of their Cloudflare account. This, together with the security analysis, painted a very clear picture of the stages of an evolving attack that dates back to November 27th, 2019.
The Moonpay integration into Trinity officially began in September 2019, with the first closed beta being opened on November 11th, 2019. Through a leak in the testing period, on November 12th 2019, the upcoming integration into Trinity became well known within our community. The integration was made public on our open Github repo in the morning on the 26th of November.
The attacker started on November 27th, 2019 with a DNS-interception Proof of Concept that used a Cloudflare API key to rewrite the api.moonpay.io endpoints, capturing all data going to api.moonpay.io for potential analysis or exfiltration. Another longer-running Proof of Concept was evaluated by the attacker one month later, on December 22nd, 2019. On January 25th, 2020, the active attack on Trinity began, where the attacker started shipping illicit code via Moonpay’s DNS provider at Cloudflare.
Over the next two weeks, the attacker refined the malicious code and exfiltration techniques using code obfuscation and modification of the Moonpay API endpoints. Within this window of time, the IOTA seeds were stolen. The process of code iteration and seed theft continued until the 10th of February (although there are indications that malicious SDKs were served even until the 14th of February), at which point Moonpay became aware of illicit routes and took action to delete the API key, change login credentials and remove inactive users. Unfortunately, the IOTA Foundation was not informed of the unsanctioned API access until observing it for ourselves in the Cloudfare logs received from Moonpay on February 15th.
Without API access, the attacker was alerted to the fact that the route of attack was gone — and on the next day, the 11th of February, began executing transactions using the hijacked seeds. This theft was then ultimately interrupted when the coordinator was halted on the 12th of February. At present, the IOTA Foundation is aware of 50 independent seeds that had their tokens stolen during this attack, which amounts to a total of 8.55 Ti.
Trinity users will still need to use the forthcoming migration tool to protect their tokens from further thefts.
The nature of this attack introduced several complexities for the IOTA network to successfully resume operations without causing further potential losses to token holders who have used the Trinity wallet. As such, the Foundation has taken the extra precautionary step to develop a detailed migration plan and a dedicated tool to protect users who might have been affected by this theft and offer all Trinity users a safe way to migrate their tokens to a new seed. The exact details of this migration plan will be shared with the community in a subsequent blog post (Part 2).
Steps Taken to Address the Incident
- The Foundation set up a status update page where victims and the public could access regular updates.
- Built a new Tangle analytics toolset (utilizing our permanode) that tracks tokens in real-time. This tool will help support the ongoing criminal investigation.
- Allocated all available resources to assist with the investigation of attacked seeds and analyze the attack pattern, using the set of newly developed tools, as well as a separate parallel manual analysis and verification (to validate tooling reliability).
- Released a new version of Trinity Desktop for users to install on top of the current version with the attack vector removed, which would allow users to safely open and check their wallet balances. You can find it here.
- Released new versions of Trinity Mobile on iOS and Android with MoonPay removed. These can be downloaded via the App Store and Play Store respectively.
- Developed an attack remediation plan, which involves building a seed migration tool to move users to a safe seed.
- Brought on multiple security experts and firms to assist with the analysis and cyberforensic investigation, as well as develop the remediation plan.
- Contacted the UK, German, and Maltese police and the FBI to report the incident and provided documentation and updates as they became available.
- Collected information from affected users and developed a dedicated community discord channel for them.
- Collected and analyzed app files from both affected and non-affected users, categorized malicious code types and developed a timeline of when the malicious code was deployed.
- Contacted all relevant exchanges to gather insight into where the tokens had been transferred and to lock any unsold tokens.
- Worked together with MoonPay to investigate the cause of this hack and acquire the necessary information for the investigation.
Message to our community and users
We want to thank our extremely supportive community for offering their assistance during this crucial time period. We realize that having tokens stolen is a very stressful and emotional time for those affected, which is why we take this incident very seriously. We’ve made a lot of progress in getting to the bottom of this attack in a short time period and our engineers have been working diligently with law enforcement to analyze all events leading up to the attack and identify the culprit. We appreciate the patience of our community and users as we develop and implement tools that will assist in the recovery of stolen tokens.
Due to the ongoing cooperation and investigation by law enforcement and external security contractors, we are still analyzing specific details and events of the theft, and as such are not yet able to provide the community the complete portrayal of the incident. Hopefully, over the coming weeks and in cooperation with the involved parties, we will be able to provide everyone with detailed insight into the way in which these events unfolded.
Although some might say that a wallet-hack is a rite of passage in the crypto-industry, this in no way reduces the disappointment that the people in the IOTA Foundation feel for not meeting the standards we have set for ourselves. We fell short in fully-vetting the Trinity wallet continuously after new integrations, and apologize for letting our community down. We are currently working on a remediation plan for victims that had their tokens stolen by the malicious actor and continue to be in direct contact with them. We aim to publicly communicate a concrete plan next week. Separately from this plan, the Foundation continues to be in contact with the involved exchanges and law enforcement to hopefully find the perpetrator and recover as many of the stolen tokens as possible.
Key learnings, takeaways and measures for the Foundation’s development and security procedures will be shared in part 3 of this blog post series. We hope that the positive outcomes of this incident (namely, improved and tighter security procedures) will not only help to improve IOTA’s development but will also benefit the broader DLT ecosystem.
Please continue to Part 2 of this series for more details on the Attack Incident and Migration Plan.
Trinity Attack Incident Part 1: Summary and next steps was originally published in IOTA on Medium, where people are continuing the conversation by highlighting and responding to this story.