A high-impact hack recently targeted MyAlgo, a web-based Algorand wallet, affecting thousands of users. Our team at Coinspect has voluntarily collaborated with the wallet provider in a good-faith effort to identify the root cause. We are proud to say we identified one particular attack that matches the incidents reported. Our collaboration aimed to support their investigation and provide valuable insights.
As we await the official announcement from the wallet provider, we want to address some rumors and help alleviate concerns in the crypto community. Based on the analysis of the attack identified:
- Attackers are using seeds they previously collected.
- The attackers exploited no application bugs or vulnerabilities in software dependencies.
- Browser bugs or features, such as autofill, were not abused during the attack.
- The incident was not due to user negligence or phishing attempts.
- The seed encryption algorithm used by MyAlgo is robust.
- Attackers did not use or need Brute-force attacks on passwords.
- Malware played no role in the attack.
- Applications that utilize open-source components from the MyAlgo project remain unaffected by this incident.
The issue did not arise from the way the software implemented encryption. The attackers managed to decrypt the user’s seed because they obtained the password, not due to any weakness in the encryption itself.
We advise all affected users to take the following precautions in addition to protecting funds:
Change your wallet password immediately and never use it again anywhere.
Be cautious with any communications claiming to be from the wallet provider, as phishing campaigns are active right now. Always verify the source before sharing any sensitive information.
What is next
We empathize with the concerns and frustrations of the affected users. As a dedicated team of information security professionals, we are committed to supporting the community by offering our expertise to help alleviate the ongoing challenges and enhance the ecosystem’s security. Stay tuned for updates as we continue our efforts to make a positive impact. Finally, we wish you all a peaceful weekend.
The information provided in this report is based on the data and analysis available at the time of writing and is the result of a good-faith collaboration between Coinspect and Randlabs. Coinspect initiated this research on its own motivation and was not engaged or hired by any of the parties involved. The investigation is still on-going, and this report should not be considered as a perfect representation of the events.
Coinspect has made every effort to ensure the accuracy and completeness of the information presented. However, Coinspect cannot guarantee that there are no errors, omissions, or inaccuracies. This report is provided for informational purposes only and should not be considered as legal, financial, or technical advice.
Coinspect is not responsible for any actions taken, or decisions made, based on the contents of this report. Users of the information contained in this report assume all responsibility for their actions and decisions. Coinspect shall not be held liable for any loss, damage, or consequences arising from the use or interpretation of the information presented in this report.