Users of MyAlgo, a crypto wallet provider for the Algorand blockchain, have been warned to withdraw their funds from mnemonic wallets amid an ongoing exploit, the platform said via Twitter on 27 February.
According to the announcement, a targeted attack had been carried out over the past week against a group of “high-profile MyAlgo accounts”. All of the affected users were using mnemonic wallets (wallets that typically use between 12 and 24 words to generate a private key), with the key stored in their browsers. Individuals who use such MyAlgo wallets have been encouraged to “take precautionary measures” and move their assets to a third-party wallet to protect them.
Although the cause of these attacks is still unknown, Algorand Foundation CTO John Woods claimed that the exploit was “not the result of an underlying issue with the Algorand protocol” or the software development kit (SDK), and noted that around 25 accounts have been affected by these attacks. MyAlgo is currently in communication with the victims of the attack in order to identify the root cause of the problem, with Woods noting that he would post an explanation video once the investigation has concluded.
While the extent of the exploit was not revealed by MyAlgo, self-proclaimed “on-chain sleuth” ZachXBT said on Twitter that the attackers are suspected to have stolen around 19.5 million ALGO and 3.5 million USDC, worth around $9 million in total. He also noted that centralized crypto exchange ChangeNOW was able to freeze around $1.5 million worth of these tokens.
D13.co, an Algorand-focused developer collective, has also released a report on the incident, ruling out several possible exploit vectors such as malware and OS vulnerabilities. According to the report, the “most probable” conclusions were that either users’ seed phrases were compromised through phishing attacks, or that the MyAlgo website was hacked.