IOTA Foundation expects to reactivate network by March 2 following $2M user wallet attack

Quick Take

  • The IOTA Foundation will resume its mainnet by March 2, after pausing the network last week in response to a hack.
  • The team estimated that around $2 million worth of IOTA tokens were stolen in the hack.
  • The hacker exploited a vulnerability in MoonPay, a fiat on-ramp platform integrated with IOTA's Trinity wallet software, and then distributed malicious SDK packages to users.

The IOTA Foundation said Thursday that it would reactivate the IOTA network by March 2, following an abrupt shutdown last week in the wake of an attack that resulted in some users of the Trinity wallet software having their funds stolen.

The nonprofit organization said today that it is developing transition tools for users to transfer their funds from their existing accounts to new ones. After the transition is complete, the Foundation will bring the network online. The Foundation paused the network in the wake of the attack, as reported previously by The Block.

Since that time, the Foundation has been working with law enforcement agencies – including the German Center for Cybercrime and the U.S. Federal Bureau of Investigation – to identify the cause, according to IOTA Foundation co-founder Dominik Schiener and the Foundation's website. 

The total loss resulting from the hack is around $2 million, and some of the funds have already been transferred to exchanges, Schiener told The Block.

As such, the Foundation is working on a remediation plan to refund victims of the attack, although specific details won't be available until next week, said Schiener. 

In a post-mortem report, the Foundation said that the hack resulted from a vulnerability via MoonPay, a fiat-to-crypto onramp platform that's integrated with Trinity. Trinity is a wallet solution developed by the Foundation to support the IOTA network's token. 

The hacker took over MoonPay's content distribution network (CDN) and infiltrated the Trinity Wallet through the integration. They were then able to distribute malicious Software Development Kits (SDKs) to Trinity users and steal funds stored in their wallets.

"The biggest fault that we have made was to not integrate the NPM package and properly security audit the integration. Human error and the pressure to release a new version ASAP ultimately led to this mistake," said Schiener, referring to MoonPay's NPM package, which lets the SDK be bundled with the application as a static file so that a malicious copy of the SDK can never be delivered to users.
