IOTA
$4 million in IOTA stolen in phishing scam. Screengrab via iota.org

Investors in IOTA—a cryptocurrency for the Internet of Things—had nearly $4 million stolen from them by a single hacker who carried out his heist through a nearly six-month-long phishing scam.

The hacker, identified online as Norbertvdberg, began collecting private keys for IOTA wallets in August 2017 and finally decided to capitalize on the months-long scheme on Jan. 19, when he stole an estimated $3.94 million worth of IOTA from his victims.

Norbertvdberg, who exercised a considerable amount of patience to execute his scheme, collected private keys—also called seeds—which serve as a password that authenticates the owner of a wallet. Each key is a random string of alphanumeric characters that must be exactly 81 characters long.

Because the keys are so long, IOTA investors often use online tools to generate them. Norbertvdberg took advantage of that by registering the domain iotaseed.io. He advertised the site as an online key or seed generator that IOTA investors could use to create a secure key to log in to their wallet.

In actuality, the service was not as secure as Norbertvdberg claimed. While he linked the site to a GitHub repository that supposedly housed the code used to generate the random key—a move intended to create the appearance of transparency and establish trust with users—the website itself behaved differently from that published code.

Instead of creating a truly random key for the user, iotaseed.io derived it from a largely fixed number with small, predictable variations. As a result, the keys generated through iotaseed.io were easy for Norbertvdberg to predict, and they were logged in a way that let him easily retrieve a key and use it to break into the victim’s wallet.
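The following Python illustration is added here and is not code from the article, from iotaseed.io, or from the IOTA project. It contrasts a seed drawn from the operating system’s cryptographic random source with a constructed toy model of “a fixed number plus a small predictable variation” feeding an ordinary PRNG, and shows how a defender can check whether a seed falls inside such a tiny keyspace; the fixed base value, the variation range and the function names are assumptions for the illustration.

```python
import random
import secrets

# IOTA seeds are 81 characters drawn from the letters A-Z plus the digit 9.
SEED_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81


def generate_seed_secure() -> str:
    """Draw each character from the OS CSPRNG (secrets), so every one of the
    27**81 possible seeds (about 385 bits) is equally likely."""
    return "".join(secrets.choice(SEED_ALPHABET) for _ in range(SEED_LENGTH))


def generate_seed_predictable(variation: int, fixed_base: int = 20180119) -> str:
    """Constructed toy model of a weak generator: a non-cryptographic PRNG
    seeded with a fixed base plus a small variation. NOT the real iotaseed.io
    code; the base value is made up. Whoever knows the base only has to guess
    `variation`, so the output looks random but lives in a tiny keyspace."""
    rng = random.Random(fixed_base + variation)
    return "".join(rng.choice(SEED_ALPHABET) for _ in range(SEED_LENGTH))


def is_well_formed(seed: str) -> bool:
    """Format check a wallet should apply before accepting a seed:
    exactly 81 characters, all from the seed alphabet."""
    return len(seed) == SEED_LENGTH and all(c in SEED_ALPHABET for c in seed)


def weak_keyspace_size(max_variation: int) -> int:
    """Count the distinct seeds the toy weak generator can ever emit for
    variations 0..max_variation-1. Compare with 27**81 for the secure one."""
    return len({generate_seed_predictable(v) for v in range(max_variation)})


def came_from_weak_generator(seed: str, max_variation: int) -> bool:
    """Defender-side check: does this seed lie inside the weak generator's
    enumerable keyspace? True means the seed offers no real secrecy."""
    return any(generate_seed_predictable(v) == seed for v in range(max_variation))


if __name__ == "__main__":
    strong = generate_seed_secure()
    weak = generate_seed_predictable(437)
    print("secure seed well formed:", is_well_formed(strong))
    print("weak keyspace for 1000 variations:", weak_keyspace_size(1000))
    print("weak seed recognised:", came_from_weak_generator(weak, 1000))
    print("secure seed recognised:", came_from_weak_generator(strong, 1000))
```

Both generators emit seeds that pass the format check, which is why a well-formed-looking seed says nothing about how it was produced.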

While the number of victims of the hack is unknown, iotaseed.io had a considerable user base. Norbertvdberg promoted the website through advertising services, and at one point it was the top Google result for “IOTA seed generator” and related search terms.

After operating the scheme for nearly six full months, Norbertvdberg took the private keys he collected and began extracting IOTA from the wallets of investors.

The theft proceeded unhindered, in part because a distributed denial of service (DDoS) attack was carried out against the IOTA network at the same time, keeping IOTA developers from investigating or preventing the unauthorized transactions. The founder of IOTA has thus far insisted that the DDoS attack is unrelated to the phishing scam.

Since carrying out the theft, Norbertvdberg has vanished from the internet. Once an active user on GitHub, Reddit and Quora—regularly answering questions and offering support to IOTA investors—he has had all of his accounts deleted.

The website iotaseed.io no longer offers its private key generator service. Instead, the site contains a message in plaintext that reads, “Taken down. Apologies.”

The value of IOTA has gone largely unchanged in the days since the scam was carried out. It is currently valued at about $2.55 per token, with a market capitalization of about $7 billion.