A wallet provider for the Algorand (ALGO) network, MyAlgo, has warned its users to withdraw funds from any wallets created with a seed phrase amid an ongoing exploit that has seen an estimated $9.2 million worth of funds stolen.
MyAlgo tweeted the advice on Feb. 27 adding it still doesn’t know the cause of the recent wallet hacks and encouraged “everyone to take precautionary measures to protect their assets.”
IMPORTANT: ⚠️We strongly advise all users to withdraw any funds from Mnemonic wallets that were stored in MyAlgo. As we still don’t know the root cause of recent hacks, we encourage everyone to take precautionary measures to protect their assets. Thank you for your understanding.
— MyAlgo (@myalgo_) February 27, 2023
Earlier on Feb. 27 the team tweeted a warning of a “targeted attack […] carried out against a group of high-profile MyAlgo accounts” which has seemingly been conducted over the past week.
The self-titled “on-chain sleuth,” ZachXBT, outlined in a Feb. 27 tweet that it’s suspected the exploit has pilfered over $9.2 million and crypto exchange ChangeNOW was able to freeze around $1.5 million worth of funds.
I haven’t seen many posts about this on CT yet but it’s suspected over $9.2m (19.5M ALGO, 3.5m USDC, etc) has been stolen on Algorand as a result of this attack from Feb 19th to 21st.
— ZachXBT (@zachxbt) February 28, 2023
Particularly susceptible to the exploit were users who had mnemonic wallets with the key stored in an internet browser according to MyAlgo. A mnemonic wallet typically uses between 12 and 24 words to generate a private key.
John Wood, chief technology officer at the networks governance body the Algorand Foundation, took to Twitter on Feb. 27, saying around 25 accounts were affected by the exploit.
1/n Update on the exploit impacting ~25 accounts: from our investigation, this is not the result of an underlying issue with the Algorand protocol or SDK.
— John Woods (@JohnAlanWoods) February 27, 2023
He added the exploit “is not the result of an underlying issue with the Algorand protocol” or its software development kit.
Algorand-focused developer collective D13.co released a report on Feb. 27 that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities.
The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks or MyAlgo’s website was compromised that lead to the “targeted exfiltration of unencrypted private keys.”
MyAlgo stated it would continue to work with authorities and would conduct a “thorough investigation to determine the root cause of the attack.”