Malicious websites offering to generate seeds (the master secret that controls a wallet) for the IOTA distributed ledger are reportedly to blame for the theft of nearly $4m (£2.9m) from users' digital wallets.
Reports first surfaced on Reddit last Friday (19 January), as users of IOTA – an open-source distributed ledger for the internet of things (IoT) – complained that funds were missing from their wallets.
Attackers also used a distributed-denial-of-service (DDoS) attack against the platform, it emerged.
Reports now indicate that the as-yet unidentified attackers ran a phishing scheme built around third-party "seed generators" in order to capture the seeds of their victims' wallets.
These are websites that offer to produce the random 81-character seed that protects an IOTA wallet. The seed is not just a username/password pair: it is the master secret from which the wallet's private keys and addresses are derived, so whoever knows it can spend the funds, and whoever generates it for you knows it.
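The safe alternative is to create the seed on your own machine from the operating system's random number source, so that nobody else ever sees it. The following is an illustration added here; it is not part of the original report and not IOTA's own tooling. It assumes the tryte alphabet IOTA seeds use (the letters A to Z plus the digit 9) and an 81-symbol length; the low-entropy threshold in the last check is a heuristic chosen for this example, not a rule from the project.

```python
import math
import secrets

# IOTA seeds are 81 trytes drawn from a 27-symbol alphabet: the letters A-Z and the digit 9.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def generate_seed(choose=secrets.choice) -> str:
    """Build an 81-tryte seed locally.

    `choose` picks one symbol from the alphabet per position. The default,
    secrets.choice, is backed by the OS cryptographic RNG (os.urandom), not a
    predictable PRNG such as random.choice. The parameter exists so the tests
    can inject a deterministic chooser and show what a broken generator looks like.
    """
    return "".join(choose(TRYTE_ALPHABET) for _ in range(SEED_LENGTH))


def is_valid_seed(seed: str) -> bool:
    """Accept only an exact 81-symbol string over the tryte alphabet.

    Rejects lowercase letters, digits other than 9, whitespace and wrong lengths,
    which are the usual copy-paste mistakes when a seed is handled by hand.
    """
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits() -> float:
    """Entropy of a uniformly random seed: 81 * log2(27), roughly 385 bits."""
    return SEED_LENGTH * math.log2(len(TRYTE_ALPHABET))


def looks_low_entropy(seed: str) -> bool:
    """Cheap sanity check on a seed you did not generate yourself.

    A uniform 81-tryte seed contains each symbol about three times on average.
    If any single symbol appears 20 or more times the output is almost certainly
    padded, constant, or from a broken generator. Assumption: the threshold of
    20 is a heuristic chosen for this example.
    """
    counts = {c: seed.count(c) for c in set(seed)}
    return max(counts.values()) >= 20


if __name__ == "__main__":
    seed = generate_seed()
    print(seed)
    print("valid:", is_valid_seed(seed))
    print("entropy bits: %.1f" % seed_entropy_bits())
    print("suspicious:", looks_low_entropy(seed))
```

Running the script prints a fresh seed and its checks; the seed never leaves the machine, which is the whole point. The checks are deliberately simple: they catch malformed or obviously degenerate strings, but no local test can tell you whether a seed handed to you by a website was also stored by its operator, which is why the only safe generator is one you run yourself.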
There has been no compromise on IOTA, and the distributed ledger technology itself remains secure.
"Some users had the misfortune of using the wrong online seed generators, and were burned," tweeted crypto expert Nic Carter. "In the end, at least $3.94m worth of IOTA was stolen."
The top Google result for an online seed generator – a website called iotaseed.io – was offline at the time of writing. A short message left behind read: "Taken down. Apologies."
A blog post published Saturday (20 January) by Ralf Rottmann, a member of the IOTA evangelist network, said the attackers did not "leverage any vulnerability" in the heist. He said the purpose of the DDoS was to keep users from reaching the network and moving their funds out of the compromised wallets.
"The victims literally shared the keys to their wallets with the attackers by using the attackers' website," Rottmann explained.
"In essence, from a purely technical and security perspective, all transfers that happened under this attack are legitimate transactions. The attackers knew the seeds.
"You invited them into your wallet by handing them your keys on a silver platter. The attackers did not leverage anything IOTA specific! This is super important.
"Because people who lost their funds might tell their friends that IOTA is not secure, which couldn't be more wrong."
On a dedicated Reddit page, a moderator published a notice that warned users of the IOTA network to never use online seed generators unaffiliated with the platform.
"There has been no hacking at all," David Sønstebø, the co-founder of IOTA, stressed when reached Monday via email by IBTimes UK.
He added: "Some inexperienced users went to a website that was listed in Google Ads to generate a password, i.e. a phishing site. As a consequence, they essentially gave their password to this nefarious operator. IOTA the technology has not been affected at all."
Commenters on Reddit have since argued that the situation could have been avoided if IOTA created and maintained its own seed generator, something the project does not offer for its wallets. "Why is such a basic feature still missing?" user "wojciechm" complained on Monday.
When asked, Sønstebø said: "We believe that users should be entirely in charge of their own security and thus responsible for creating their own password and storing it however they see fit."
Users are now taking to the official IOTA website forum to discuss the next steps. One post is discussing the "pursuit of legal action against the thief" – if they are ever successfully identified.