MyAlgo Warns Users to Withdraw Assets After $9M Exploit

  • The Algorand wallet provider has warned users to withdraw their assets from mnemonic wallets after an attacker targeted a group of “high-profile MyAlgo accounts”.
  • The root cause of the attacks remains unknown, with MyAlgo still investigating the issue, but reports have indicated that close to $9M has been stolen so far.

Users of MyAlgo, a crypto wallet provider for the Algorand blockchain, have been warned to withdraw their funds from mnemonic wallets amid an ongoing exploit, the platform said via Twitter on 27 February.

According to the announcement, over the past week there had been a targeted attack carried out against a group of “high-profile MyAlgo accounts”. All of the affected users were using mnemonic wallets (wallets that typically use between 12 and 24 words to generate a private key), with the key stored in their browsers. Individuals who use such MyAlgo wallets have been encouraged to “take precautionary measures” and move their assets to a third-party wallet to protect them.

Although the cause of these attacks is still unknown, Algorand Foundation CTO John Woods claimed that the exploit was “not the result of an underlying issue with the Algorand protocol” or the software development kit (SDK), and noted that around 25 accounts have been affected by these attacks. MyAlgo is currently in communication with the victims of the attack in order to identify the root cause of the problem, with Woods noting that he would post an explanation video once the investigation has concluded.

While the extent of the exploit was not revealed by MyAlgo, self-proclaimed “on-chain sleuth” ZachXBT outlined on Twitter that the attackers are suspected to have stolen around 19.5 million ALGO and 3.5 million USDC, worth around $9 million. He also noted that centralized crypto exchange ChangeNow was able to freeze around $1.5 million worth of these tokens.

D13.co, an Algorand-focused developer collective, has also released a report on the incident, ruling out several possible exploit vectors such as malware and OS vulnerabilities. According to the report, the “most probable” conclusions were that either users’ seed phrases were compromised through phishing attacks, or that the MyAlgo website was hacked.
