
How a malicious seed generation website stole $4M - ageitgey
https://thatoddmailbox.github.io/2017/01/28/iotaseed.html
======
0wing
IOTA has been notoriously famous for rolling their own flawed hash function,
which allowed researchers to develop a working PoC for hash collision attacks.

[https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367](https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367)

The CEO of IOTA David Sonstebo tells his users it's not his problem if they
lose money using IOTA because they're too dumb to understand the design flaws:
[https://np.reddit.com/r/CryptoCurrency/comments/7gwl38/hello...](https://np.reddit.com/r/CryptoCurrency/comments/7gwl38/hello_guys_i_have_lost_30k_in_iota_and_i_would/dqmpcb2/)

Yikes.

IOTA also relies on a centralized server owned and operated by David Sonstebo
which takes periodic snapshots so transactions can be rolled back if the IOTA
devs ever feel the want to.
[https://domschiener.gitbooks.io/iota-guide/content/chapter1/current-role-of-the-coordinator.html](https://domschiener.gitbooks.io/iota-guide/content/chapter1/current-role-of-the-coordinator.html)

Further reading:

Nick Johnson: Why I Find IOTA Deeply Alarming
[https://hackernoon.com/why-i-find-iota-deeply-alarming-934f1908194b](https://hackernoon.com/why-i-find-iota-deeply-alarming-934f1908194b)

Daniel Rice: Why I Also Find IOTA Deeply Alarming
[https://medium.com/@thedrbits/why-i-also-find-iota-deeply-alarming-99d4f2da3282](https://medium.com/@thedrbits/why-i-also-find-iota-deeply-alarming-99d4f2da3282)

Eric Wall: IOTA Is Centralized
[https://medium.com/@ercwl/iota-is-centralized-6289246e7b4d](https://medium.com/@ercwl/iota-is-centralized-6289246e7b4d)

Side note: the founding developer of IOTA, Sergey Ivancheglo, claims to have
built a time machine.
[http://come-from-beyond.com/about-me/](http://come-from-beyond.com/about-me/)

~~~
Pyxl101
Why in the world would they design a custom hash function?! How amateurish. As
Bruce Schneier said:

> In 2017, leaving your crypto algorithm vulnerable to differential
> cryptanalysis is a rookie mistake. It says that no one of any calibre
> analyzed their system, and that the odds that their fix makes the system
> secure is low — Bruce Schneier (about IOTA)

OK, it looks like the answer is they designed a custom hash function because
their system is built with ternary logic (?!?):

[https://hackernoon.com/why-i-find-iota-deeply-alarming-934f1908194b](https://hackernoon.com/why-i-find-iota-deeply-alarming-934f1908194b)

... because "Ternary is the optimal radix" according to their cofounder:

> Ternary is the optimal radix, actually Base E (2.71....) is, but you can't
> make processors like that. So it comes down to Base Binary (2) vs Base
> Ternary (3). 3 is closer to the universal optimum 2.71 than is 2. That is
> the absolute most simple elevator pitch for ternary.

[https://iota.stackexchange.com/questions/8/why-does-iota-use-a-ternary-number-system](https://iota.stackexchange.com/questions/8/why-does-iota-use-a-ternary-number-system)

Reading about the design of this system, I feel like I just entered the
twilight zone, or maybe the website for Time Cube. Urbit makes more sense than
this. (The _design_ of Urbit makes fine sense, it's just the implementation is
extremely obscure.)

~~~
nerdponx
Plus, if e is in fact the optimal radix, then there's no way to say that 3 is
"more optimal" than 2. That's making all kinds of assumptions about the
optimality curve. Assuming such a curve even exists...

------
jondubois
I bought some IOTA a while ago and after doing a Google search on how to
generate a wallet seed, it sent me to iotaseed.io. Thankfully though I didn't
feel comfortable about a third party website potentially knowing my seed
(which cannot be changed later) so I searched for alternatives and found a
simple Linux command to do it. That probably saved me some money.

It's still surprising that it was a fraud, it looked like a legit website. It
seems almost too blatant a crime given that the Github repo, IPs and the
domain name of the site can probably be traced to someone.

~~~
Aardwolf
What was the command? Did you have to run IOTA software from github to run it
or did the command only use things like openssl etc...?

~~~
jondubois
I can't remember the command. I think it was a native Linux command - Not
related to IOTA.

------
quickthrower2
Relevant tweet, with the unbelievably bad (but effective!) code:
[https://twitter.com/eukaryote314/status/953839632206020608](https://twitter.com/eukaryote314/status/953839632206020608)

~~~
icelancer
That code is awesome. If it looks stupid, but it works, it's not stupid.

~~~
im3w1l
But they got caught.

~~~
icelancer
Plenty of people on HN would love to get caught $4 million later.

~~~
Quarrelsome
I don't like the idea of having to look over my shoulder for the rest of my
life. Is that worth $4 million to you?

~~~
quickthrower2
No, plus it is not trivial to turn iota into cash.

------
zawerf
The article linked to a fork of the deleted github repo:
[https://github.com/eggdroid/eggseed3/blob/8b92ec0f8b251c9fe9...](https://github.com/eggdroid/eggseed3/blob/8b92ec0f8b251c9fe91cd64c86803f5b1cf0e3d3/jscript/iotaseed.js#L203)

But that piece of code should've triggered red flags even if the hacker didn't
add a payload to overwrite Math.seedrandom to always use the same seed. The
fact that
[https://github.com/davidbau/seedrandom](https://github.com/davidbau/seedrandom)
isn't cryptographically secure should've been enough to turn you away and warn
others. And if you read it a bit more, you'll notice that it is mostly junk code
(unused variables like visitedHash, newindex).

Props to the hacker for the method acting. From the commit log
[https://github.com/eggdroid/eggseed3/commits/master](https://github.com/eggdroid/eggseed3/commits/master)
I would not have suspected any malicious intent and would just attribute it to
incompetence (which might've worked better underhanded-c-contest style instead
of using an explicit backdoor).

------
erdemozg
I think it's a shame how IOTA users are desperately seeking ways to safely
generate their wallet seeds with third-party software. Shouldn't it be a
built-in feature?

~~~
pedrocr
IOTA is the coin that invented their own cryptography using ternary logic.
Practicality doesn't seem to be a core value.

------
thisisit
_Using the official IOTA JavaScript library, the address that should
correspond to this seed is
PUEBLAHRQGOTIAMJHCCXXGQPXDQJS9BDFSCDSMINAYJNSILCCISDVY99GMKAEIAICYQUXMIYTNQCJYVDX,
and according to this website, that’s an empty wallet. However, other sites
designed to show information about the transaction history of an address just
give a 404 error (see here for an example), indicating that either I made an
error decoding this address or I’m misunderstanding something about how the
IOTA network works._

This for me points out the issue with cryptocurrency in general. Even someone
with technical prowess can't figure out how exactly things are supposed to
work.

~~~
icelancer
>> someone with technical prowess

The author is a high school student who has written very basic HTML/CSS and
some C projects, including one as a joke. This is not to say all HS students
can't figure out how to use Bitcoin, but you might be overselling the
experience/aptitude of the author in order to make a biased point against
cryptocurrency.

~~~
nmca
Aha, I don't care if the author is 13 or 70. The article clearly demonstrates
they are much, much more technical than the average user. Crypto UX is clearly
an issue. (And I'm a massive crypto fan!)

------
kylell
Does anyone prosecute this kind of hack? Or, because it's a token without
legal status, is it like stealing Sheldon's gear in WoW?

This kind of pre-generated seed hack is quite dangerous. A lot of mobile apps
don't have deterministic builds, so you can't be sure the open source version is
the same as the one from the Apple store, and I bet Apple won't do such a
thorough search.

~~~
abusoufiyan
Considering how rabidly most cryptocurrency supporters denounce the government
and the banking system and wall street and evil regulations, you would think
they would be livid at the idea of a government(!) prosecuting people for
anything related to cryptocurrency.

~~~
josephagoss
I'm a cryptocurrency supporter but I'm not anti tax or anti government. I
genuinely think that decentralized trust based systems such as blockchain have
a place in our world even alongside government.

With that said, I would like to believe that if caught, these types of seed
hacks could be prosecuted. (If viable)

~~~
vog
_> I'm a cryptocurrency supporter but I'm not anti tax or anti government._

The GNU Taler project might be interesting to you, then.

It is based on design decisions that are refreshingly different from classic
cryptocurrencies (which implement more of an anarcho-capitalist mindset). Because
of those design differences, I'm not sure if it should be considered a crypto
currency or not. (They themselves do not.)

Website: [https://gnutaler.org/](https://gnutaler.org/)

Presentation at SHA2017:
[https://taler.net/videos/sha2017taler.webm](https://taler.net/videos/sha2017taler.webm)

~~~
paulrd
BEWARE: apparently gnutaler.org is a fake website; taler.net is the correct
one! Source:
[http://lists.gnu.org/archive/html/taler/2018-01/msg00009.html](http://lists.gnu.org/archive/html/taler/2018-01/msg00009.html)

~~~
vog
Whoops, wrong URL. Sorry for the confusion!

[https://taler.net/](https://taler.net/)

(Too bad I can't edit my original comment anymore here on HN. I find it
disgusting to have helped spread a scam website and not being able to fix that
afterwards.)

------
gwbas1c
I wish the post started with a paragraph about why someone would use this
website. 1-2 sentences is all that's needed.

I assume the seed is used to generate a public key for some kind of wallet? Is
IOTA some kind of cryptocurrency?

~~~
dmix
[https://www.androidauthority.com/what-is-iota-824641/](https://www.androidauthority.com/what-is-iota-824641/)

The project doesn't currently come with its own seed generator so users are
left using (sometimes) shady third-party services, such as this website.

The developers insist that it's not a currency intended for 'speculation
between users' but rather for a particular machine-to-machine use case, which
is how they attempt to dodge lots of the criticism regarding the flaws in both
the crypto and UX.

------
perryh2
I have a feeling that MyEtherWallet could pull off the same thing.
[https://www.myetherwallet.com/](https://www.myetherwallet.com/)

~~~
Torn
Get a hardware wallet then -- the Ledger Nano S is great.

~~~
xnzakg
There might (in theory) be some kind of backdoor on the device, that could
allow the chrome app to send the private key or seed somewhere...

~~~
josephagoss
Is this just a technical possibility or is there evidence that this could be
the case?

~~~
stef25
No evidence afaik. Plenty of scenarios involving unknowingly buying a "pre
owned" wallet, hacked firmware updates etc ...

------
mcmunchkin
I was worried about this happening ages ago so I wrote my own. In case anyone
is interested, I believe this is a cryptographically secure method of seed
generation, but happy to have feedback from anyone who knows better:

[https://github.com/moustachio-belvedere/iotaseedgen/blob/master/iotaSeedGen.py](https://github.com/moustachio-belvedere/iotaseedgen/blob/master/iotaSeedGen.py)

Edit: spelling and added words

------
foodblogger
> a Service Worker is started to generate the QR code

It's a Web Worker, not a Service Worker. Just to be stubborn.

------
bringtheaction
How were multiple people able to use the same wallet? I thought IOTA didn't
support address reuse. And how come people didn't notice it already had a
balance?

~~~
quickthrower2
I think previous versions of the wallet allowed address reuse (even though it
is not recommended as you leak parts of your private key).

The latest wallet doesn't allow you to send money to such an address.

------
riekus
Thanks for this post and clear explanation

------
black_puppydog
Am I the only one who thinks this is neither a new kind of scam, nor in any
other way surprising, and that the whole discussion here is hardly about the
article but mostly people voicing their general opinions for/against iota?

