IOTA has shut down its network in order to deal with an ongoing attack against its Trinity wallet, according to an announcement published on Thursday, Feb. 13.
Currently, #IOTA is working with law enforcement and cybersecurity experts to investigate a coordinated attack, resulting in stolen funds. To protect users, we have paused the Coordinator and advise users not to open Trinity until further notice. Updates: https://t.co/ME3Cvki3k9
— IOTA (@iotatoken) February 13, 2020
It is not clear how long the network outage will last. When IOTA first announced the attack on Feb. 12, it merely advised users not to open or use the Trinity wallet. The fact that the team is suddenly taking more drastic action suggests that the issue may not be resolved quickly.
In addition to shutting down the network, IOTA has been investigating the situation with law enforcement and cybersecurity experts. It has also used KYC information to reach out to victims.
Details of the Attack
This attack only affects Trinity, which was first released in July 2019 as a user-friendly wallet.
Though Trinity was audited by two cybersecurity firms, it seems likely that the software’s short lifespan caused researchers to overlook vulnerabilities. The team has suggested that early versions of Trinity may be to blame for the attack—though this has not yet been confirmed.
Naturally, IOTA has revealed very few details about the attack in order to prevent other attackers from carrying out the same exploit. So far, IOTA has only suggested that attackers stole seeds, allowing them to recover wallets that Trinity users have already created.
IOTA has also revealed the scale of the attack. About ten victims are currently in contact with the team, and those victims likely account for half of all affected users.
Although very few wallets have been compromised, a large amount of money has been stolen. The team estimates that $300,000 to $1.2 million worth of IOTA has been stolen so far.
Interestingly, the protocol’s zero-fee approach provides a benefit: it is still possible to make data transactions during the network’s downtime, even though transactions with financial value are impossible.
Other IOTA Controversies
IOTA’s security has been a topic of discussion before. Most famously, potential vulnerabilities in IOTA became a subject of debate in 2018, when IOTA developers and MIT’s DCI team began to dispute the security of IOTA’s hash function.
In an unrelated event, an attacker stole $11 million of IOTA in a phishing attack in 2018. The attacker essentially set up a fake website that distributed his own addresses as new addresses—a simple line of attack that is also common on address generators for Bitcoin and other cryptocurrencies.
IOTA’s availability is also a recurring issue: its network briefly shut down for 15 hours in December, though this shutdown was due to technical issues rather than a security threat.
With such a wide variety of issues, it is not clear whether IOTA is more or less secure than other blockchain projects, but the fact that one of its flagship apps was attacked this week is not a good look.