Some users of MyAlgo, a top provider of cryptocurrency wallets for the Algorand network, have experienced a loss of around $9.2 million as a result of an attack that occurred between February 19 and February 21, 2023.
Users lost 9.5 million ALGO coins, 3.5 million USDC stablecoins, and numerous other cryptocurrency tokens, according to information provided by the well-known, self-proclaimed on-chain sleuth ZachXBT. Meanwhile, they said that the ChangeNow cryptocurrency exchange was able to freeze $1.5 million in stolen assets.
I haven’t seen many posts about this on CT yet but it’s suspected over $9.2m (19.5M ALGO, 3.5m USDC, etc) has been stolen on Algorand as a result of this attack from Feb 19th to 21st.
ChangeNow shared they were able to freeze $1.5m. https://t.co/BPCXTUD57n pic.twitter.com/A3t7Ss0e83
— ZachXBT (@zachxbt) February 28, 2023
MyAlgo wallet insisted that a number of “high-profile” MyAlgo accounts were the victims of the “targeted attack.” They claimed to have been in contact with the victims of the attack since it occurred in order to determine the root cause.
Users who had mnemonic wallets with the key kept in an internet browser were particularly vulnerable to the hack, according to MyAlgo. A mnemonic wallet typically generates a private key from 12 to 24 words.
MyAlgo Wallet Urged Users to Withdraw Funds
The Algorand-based wallet, however, instructed its users to withdraw funds from any wallet configured with a seed phrase. The platform tweeted the warning on February 27, saying it was still unsure of what caused the most recent wallet attacks and urging everyone to take precautions to safeguard their funds.
It stated,
“Do not rush things, and make sure you are transferring funds or rekeying accounts in a safe manner.”
According to their statements, the attacks took place more than a week ago, and since then, there have been no new movements.
A further update on the attack was also shared on Twitter by John Woods, the CTO of the Algo Foundation, who put the number of victim accounts at around 25. He asserts that no underlying problem with the Algorand protocol or software development kit (SDK) was the cause of the attack.
1/n Update on the exploit impacting ~25 accounts: from our investigation, this is not the result of an underlying issue with the Algorand protocol or SDK.
— John Woods (@JohnAlanWoods) February 27, 2023
As a “precautionary measure,” he advised users of a hot wallet with MyAlgo to rekey to a ledger or other third-party wallet.
D13.co, an Algorand-focused developer collective, also published a report on Feb. 27 that ruled out many potential exploit vectors, including malware and operating system vulnerabilities. According to the analysis, there is a non-zero likelihood that the theft was caused by a hack of the MyAlgo wallet software.
MyAlgo reaffirmed its commitment to cooperating with law enforcement and carrying out a thorough investigation to ascertain the attack’s underlying causes.