MyAlgo, a popular wallet provider for the Algorand (ALGO) network, has issued a warning to its users amid an ongoing exploit that has resulted in the theft of an estimated $9.2 million worth of funds. The company has advised users to withdraw funds from any wallets created with a seed phrase due to the vulnerability of such wallets to the exploit. While the company is uncertain about the cause of the recent wallet hacks, it has encouraged everyone to take precautionary measures to protect their assets.
According to a tweet by MyAlgo, a targeted attack was carried out against a group of high-profile MyAlgo accounts, which has seemingly been conducted over the past week. The self-titled “on-chain sleuth,” ZachXBT, has outlined in a tweet that the exploit has pilfered over $9.2 million, with crypto exchange ChangeNOW able to freeze around $1.5 million worth of funds.
The exploit primarily affects users who had mnemonic wallets with the key stored in an internet browser, according to MyAlgo. A mnemonic wallet typically uses between 12 and 24 words to generate a private key. The vulnerability of such wallets to the exploit has been highlighted by the Algorand-focused developer collective D13.co, which released a report that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities. The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks or MyAlgo’s website was compromised, leading to the “targeted exfiltration of unencrypted private keys.”
John Wood, chief technology officer at the Algorand Foundation, has confirmed that around 25 accounts were affected by the exploit. He added that the exploit “is not the result of an underlying issue with the Algorand protocol” or its software development kit.
MyAlgo has stated that it will continue to work with authorities and conduct a thorough investigation to determine the root cause of the attack. The company has advised its users to take precautionary measures and to withdraw funds from wallets created with a seed phrase.
In conclusion, the ongoing exploit has resulted in the theft of millions of dollars worth of funds from the Algorand network. The vulnerability of mnemonic wallets with the key stored in an internet browser has been highlighted, and users are advised to take precautionary measures to protect their assets. MyAlgo and other relevant authorities are working to investigate the attack and determine its root cause to prevent future incidents.