If you used Trinity from December 17, 2019 to February 17, 2020, your tokens might be at risk and you need to take action to prevent theft.

Summary: Trinity is a software wallet for the IOTA digital asset that has been developed for desktop and mobile operating systems. Managed by the IOTA Foundation, this open-source software project enables the user to manage their tokens over the IOTA network. On February 12, 2020 the Trinity Wallet was attacked via a third-party dependency from Moonpay, which resulted in the theft of around 8.55 Ti in IOTA tokens.

This blog post covers the release of the Seed Migration Tool: What it is, why it is needed to protect users who opened the Trinity Desktop Wallet from December 17, 2019 to February 17, 2020, and our path forward.

Quick Overview

The Seed Migration Tool (Mac version, Linux version, Windows version) is officially available as part of our plan to protect users from the Trinity Wallet Attack. It is an easy-to-use piece of software for macOS, Windows and Linux that automatically migrates IOTA tokens from potentially compromised seeds onto a new, unaffected seed. The tool has been thoroughly tested by the IOTA Foundation and audited by a leading security firm.

Trinity users will have seven days from 5PM UTC February 29 until 5PM UTC March 7 to migrate. At the end of this period, we will turn the Coordinator back on.

Do I need to Migrate?

We encourage all individuals that opened the Trinity Desktop Wallet between December 17, 2019 and February 17, 2020 to use the migration tool. This is because we cannot say with absolute certainty how many seeds were collected by the attacker while the vulnerability was being exploited on Trinity Desktop Wallets.

What happens if I don’t migrate?

We strongly encourage every Trinity user to use the tool within the seven-day window. Note that a manual transfer to a new seed (without the official tool) after the seven-day period is still possible, but there is a risk that tokens associated with your seed could be stolen once the Coordinator is re-enabled.

Steps to migrate:

1. Make sure you update Trinity to the new version

We have released an updated version of Trinity which allows you to check your balance and transactions. Please download the newest version of Trinity and install it over your old version: https://github.com/iotaledger/trinity-wallet/releases/tag/desktop-1.4.3

When you download the new version, MAKE SURE TO CHANGE YOUR PASSWORD AND STORE IT IN A PASSWORD MANAGER. If you have also used the same password for other services or websites, we strongly recommend you change it there, too, as a precaution. By upgrading to this new version of Trinity, you will remove the vulnerability from your wallet.

2. Download the Migration Tool (Updated 02/03/2020 ~09:25 CET)

You can download the tool for your platform here:

Mac version

SHA256 b5ef69424f327e45d21ac5c98f37595054c994ca889d6f339b62ff68ae8deeed

Linux version

SHA256 05911bfdddb0f090de58c4eb5bd5e4e28977deed879371293315758fd4cf5a7b

Windows version

SHA256 12e6463099ea400e7ab70e8d977d563e2761a32476f61327a10ad6bd0af487bc

You can find more information on how to use this tool on our documentation site.
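Before running a closed-source binary like this one, compare the download's SHA256 against the hashes published above rather than trusting the file name or download page. The script below is an added example, not IOTA Foundation code: the expected digests are the three quoted on this page, while the binary file name in the usage comment is an assumption, since the post does not state it.

```shell
#!/bin/sh
# Added example: verify a downloaded Seed Migration Tool binary against the
# SHA256 published in this post before running it. Hashes are copied from
# the post; the binary file name in the usage comment is an assumption.

# Expected SHA256 per platform, as published above (lowercase hex).
expected_sha256() {
    case "$1" in
        mac)     echo b5ef69424f327e45d21ac5c98f37595054c994ca889d6f339b62ff68ae8deeed ;;
        linux)   echo 05911bfdddb0f090de58c4eb5bd5e4e28977deed879371293315758fd4cf5a7b ;;
        windows) echo 12e6463099ea400e7ab70e8d977d563e2761a32476f61327a10ad6bd0af487bc ;;
        *)       return 1 ;;
    esac
}

# Compute the SHA256 of a file with whichever tool the host has
# (sha256sum on Linux, shasum on macOS); print only the lowercase digest.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        digest="$(sha256sum "$1" | cut -d' ' -f1)"
    else
        digest="$(shasum -a 256 "$1" | cut -d' ' -f1)"
    fi
    echo "$digest" | tr 'A-F' 'a-f'
}

# Return 0 only if the file's digest equals the expected digest exactly.
# The full 64-character strings are compared, never a prefix, and the
# expected value is normalised to lowercase so copy-paste casing is harmless.
verify_sha256() {
    file="$1"; expected="$(echo "$2" | tr 'A-F' 'a-f')"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual="$(file_sha256 "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# verify_download <mac|linux|windows> <downloaded file>: non-zero exit means
# do not run the installer.
verify_download() {
    exp="$(expected_sha256 "$1")" || { echo "unknown platform: $1" >&2; return 1; }
    verify_sha256 "$2" "$exp"
}

# Usage (file name assumed): verify_download linux ./seed-migration-tool-linux.AppImage
```

A mismatch means the file is not the one the IOTA Foundation published, whether because the download was corrupted or replaced; delete it and download again from the official links.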

3. Follow the steps in the migration tool. Make sure to only migrate each seed once and keep the migration logs on your computer.

If you are uncertain about this process or need assistance, please reach out to our team or the community on the official IOTA Discord.

Release Strategy

IOTA believes in the strengths of open-source software, and in normal situations would release all installable software as an open-source project so you can inspect the code before choosing to install it. However, this is an extreme case, and we have elected not to publish the source code. Time is of the essence, because staying ahead of the attackers is what puts the advantage in your hands. We have internally tested several revisions of this application, submitted it for external audit, and are confident that it does exactly what it is supposed to do — and nothing more.

Conclusion

The security of any system can be defined as the strength of its weakest link. In the case of the Trinity Incident, the weakest link was the trust that the IOTA Foundation placed in a third party’s code delivery system — we own that mistake and have already taken measures to ensure it will not repeat itself.

In the wake of any such digital assault on private property, it is important to reflect upon what went wrong and how things can be improved. This is true of every undertaking, whether in the crypto sphere or elsewhere. Perhaps it is a stretch to imagine that “the whole world is watching”, but eyes are on us, observing how we handle such a delicate situation. So let’s recap:

We are striving to follow best-practices of transparency and remediation while taking a healthy dose of self-reflection: https://status.iota.org

We are actively strengthening the operational security posture of the IOTA Foundation against similar and hitherto unknown cyberattacks via external audits and the onboarding of new staff members.

We released a safe version of Trinity within five days of our first notification of users being impacted.

We have created a new piece of software that enables you to safely transfer your seeds and tokens, which will allow us to restart the network and resume normal operations as soon as possible.

On that note, we are grateful to you and our entire community for being patient during this ordeal and look forward to regaining your trust, link by link.