IOTA – the latest scandal: How should we react?

In response to the recent $4 million theft of IOTA tokens, investors may have reacted with a predictable onslaught of hasty backtracking: withdrawing tokens, closing accounts and changing details in a frenzy. Any conscientious, rational individual would immediately seek to limit the damage by any means necessary. In this case, however, the threat did not originate from an outside source.

In this case, the danger lingered within: a canker which sought to spread its feelers across every “iota” (pardon the pun) of users’ accounts, unobtrusively collecting seeds for an undetermined period of time before it was finally noticed, and swiftly dragged into the light. We have all grown vigilant in response to false ICOs, presenting fraudulent pitches almost dripping with falsehood; we have learnt to dismiss these with scorn, believing that we can differentiate between the whales, the shills and their legitimate counterparts.

And now, we learn this: that was only half the battle. In the words of IOTA’s founder, David Sønstebø: “Nobody was actually hacked.” The word “hacking” implies that an external force was present, forcing its way in like a burglar wielding an inept crowbar. Not this time. Users’ accounts were compromised internally: unsuspecting users were generating their seeds (passwords) from a malicious phishing site, which through successful manipulation appeared at the head of Google searches, within the first ad. Lesson number one: do not be fooled by adept search engine optimisation. Users clicked through to the website, fooled by its apparent legitimacy, and left with fraudulent seed generators: parasitic growths at the centre of their carefully guarded wallets.

As seasoned citizens of the Internet, most of us can spot phishing websites within the first five seconds. Those who are accustomed to using seed generators will undoubtedly be aware of the pitfalls: malicious plugins, the possible presence of key-loggers, the importance of using an offline system. However, despite these precautions, the danger cannot be fully avoided. Users have resorted to the failsafe method of rolling a die for each value, removing the need for trust altogether. Redditors had expressed increasing concern on the subject of online seed generators long before this theft was announced; however, a majority of users remained unaware, and did not respond promptly enough to regain their funds. Through swift action, certain funds could have been reclaimed.
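The two trust-free alternatives mentioned above, generating the seed locally from the operating system's random source or from physical die rolls, are shown below as an added example. This is not code from the original post or from the IOTA project; it assumes only the standard IOTA seed format (81 trytes drawn from the 27 symbols A to Z plus 9), and the dice mapping relies on the fact that 6 × 6 × 6 = 216 = 27 × 8, so three rolls of a six-sided die select one tryte with no bias and no rejected rolls.

```python
import math
import secrets

# IOTA seeds are 81 trytes drawn from the 27-symbol alphabet A-Z plus 9.
TRYTE_ALPHABET = "9ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SEED_LENGTH = 81
# 6**3 == 216 == 27 * 8: three d6 rolls map uniformly onto 27 symbols.
ROLLS_PER_TRYTE = 3


def generate_seed_csprng(length: int = SEED_LENGTH) -> str:
    """Seed from the operating system's CSPRNG; meant to be run on an offline machine."""
    return "".join(secrets.choice(TRYTE_ALPHABET) for _ in range(length))


def tryte_from_rolls(r1: int, r2: int, r3: int) -> str:
    """Map three six-sided die rolls (each 1..6) to one tryte without bias."""
    for r in (r1, r2, r3):
        if not 1 <= r <= 6:
            raise ValueError(f"die roll out of range: {r}")
    value = (r1 - 1) * 36 + (r2 - 1) * 6 + (r3 - 1)  # 0..215, every value equally likely
    return TRYTE_ALPHABET[value // 8]                  # each symbol receives exactly 8 values


def generate_seed_from_dice(rolls: list[int], length: int = SEED_LENGTH) -> str:
    """Seed from a list of physical die rolls (the 'roll a die for each value' method)."""
    needed = ROLLS_PER_TRYTE * length
    if len(rolls) != needed:
        raise ValueError(f"need exactly {needed} rolls, got {len(rolls)}")
    return "".join(tryte_from_rolls(*rolls[i:i + 3]) for i in range(0, needed, 3))


def is_valid_seed(seed: str) -> bool:
    """True if the seed has the right length and uses only tryte characters."""
    return len(seed) == SEED_LENGTH and all(c in TRYTE_ALPHABET for c in seed)


def seed_entropy_bits(length: int = SEED_LENGTH) -> float:
    """Entropy of a uniformly random seed: log2(27) per tryte, about 385 bits for 81."""
    return length * math.log2(len(TRYTE_ALPHABET))


if __name__ == "__main__":
    seed = generate_seed_csprng()
    print(seed, is_valid_seed(seed), round(seed_entropy_bits(), 1))
    # Constructed die rolls (243 of them) purely to demonstrate the mapping; in real
    # use the rolls would be typed in from the keyboard of an offline machine.
    demo_rolls = [1, 2, 3] * SEED_LENGTH
    print(generate_seed_from_dice(demo_rolls))
```

The point of the dice path is that no website, browser extension or network connection is involved at all: the only inputs are the rolls, and the mapping is exact rather than approximate, so the resulting seed is as uniform as the die.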

When choosing to invest in cryptocurrencies, research is paramount. Of course, not every investor is able to comb through every Reddit thread, or join every Telegram group, in order to obtain consistent access to information. Users of online seed generators cannot be labelled as simply naive: it is an established practice, designed to protect private keys, and a majority of recommended generators are entirely secure. Users should not be afraid of placing their trust in online wallets: many are now transferring their funds back to online exchanges, which seems, to me, absurd and impractical. Exchanges are a focal point of attack for hackers; within an authorised, secure wallet, your funds will largely remain impenetrable.

What next?

IOTA seems to be one of the strongest cryptocurrencies on the horizon for 2018, and regardless of this incident it remains so. The technology itself, underpinning the network, remains unsullied. We can proceed confidently in the knowledge that the Tangle retains a higher degree of security, due to its efficient use of self-verification, despite the urge to automatically declare otherwise.

The lines are not drawn. Within this atmosphere of burgeoning freshness, with ICOs sprouting like redwoods across a desert landscape, we’ve got to be vigilant, whilst retaining a positive outlook. Remember this: as an independent investor, it is your responsibility to be aware of every possible threat.
