A 36-year-old man has been arrested a year after stealing €10m ($15m) of the Internet of Things- (IoT-) focused cryptocurrency IOTA using bogus software.
European law enforcement agency Europol announced this week that the UK’s South East Regional Organised Crime Unit (SEROCU) arrested the unnamed man in Oxford on suspicion of fraud, theft and money laundering.
Going by the name Norbertvdberg, the man created a software program to generate the random 81-character seeds used to secure IOTA cryptocurrency wallets. IOTA holders use their seed to generate public addresses that they can then use to send and receive IOTA. Anyone who knows a wallet’s seed can transfer tokens, explains the IOTA site, and once sent they cannot be recalled.
Warning: Your wallet seed must be securely stored to safeguard your funds. There are no possible retrieval methods if you lose, insecurely generate or compromise your seed. Knowing the ‘seed’ is equivalent to ‘owning’ the tokens.
Iotaseed.io, the site created by the alleged thief, offered users the ability to generate seeds by moving their mouse, which purported to generate a unique sequence of mnemonic words and a receiving address.
In reality, it tricked users.
Instead of generating random seeds, it created sequential ones that incremented each time and secretly stored those seeds for later use, as this analysis shows.
Norbertvdberg continued to reel victims in with the site, even posting code on a GitHub account to give the operation an air of legitimacy.
In January 2018, when he had gathered enough seeds, he allegedly used them to send IOTA from his victims’ IOTA wallets to his own addresses. He stole from at least 85 victims, and possibly many more, said Europol.
He also used a DDoS attack on IOTA servers to distract administrators and hide transaction surges that might have alerted them to the theft.
Iotaseed.io was operating as late as November 2017, but was taken down in January 2018. Ironically, at one point the site displayed a message:
Check that the URL above is https://iotaseed.io There are scammers out there!
Part of the problem may have been that the official IOTA wallet contains no tool to generate seeds. Instead, the Foundation asks users to:
Randomly write down uppercase letters (A-Z) and the number 9 on a piece of paper until you have 81 characters written.
… or to execute terminal commands, or use a password generator to create an 81-character password, and the manually change some of characters to 9. He admits that this method is a “somewhat more complicated routine”.
Norbertvdberg took advantage of user confusion, posting several times on the official IOTA Foundation forum recommending https://iotaseed.io to new users asking how to create random keys.
The whole thing infuriated users. In a thread on the IOTA forum discussing the theft, one user said:
This is a terrible situation and we can’t believe that user bad practices are entirely at fault here. It is very bad practice that a wallet would not generate its own secure seed instead of requiring an external program to do this. Furthermore, to make users log in with their seed puts them at constant risk of key loggers and mistakenly pasting the seed into websites and chat windows. These things definitely need to be solved ASAP.
Please stop pointing fingers at users as this is preventing critical modifications being added to the wallet and improving security and user experience.
Users noticing that their funds had been stolen contacted Germany’s Hessen State Police, who discovered the UK suspect in July 2018. They notified the Joint Cybercrime Action Taskforce (J-CAT), which is part of Europol’s European Cybercrime Centre (EC3). This eventually got the case to the UK National Crime Agency, which led to the arrest. Officers also confiscated several computers from the suspect’s home for forensic analysis.
Based on a distributed ledger technology known as Tangle, IOTA offers free transactions with almost zero compute power. Designed primarily for transactions between IoT devices, its creators hope that the system will create new business models involving connected devices.
The takeaway from this whole sorry affair is that if you’re dealing with a technically complex asset like cryptocurrency, it pays to invest the time in understanding how it works, what the dangers are, and how you can protect yourself against them.
Cryptocurrency developers and administrators must also accept that some users will take the path of least resistance, without realizing that this path isn’t secure. Admins can protect their community – and therefore their ventures – by generating secure tools that assist users through all steps of the setup and management process, rather than assuming they will choose security over convenience.