Iota (MIOTA) began its seed migration period on Feb. 29, with plans to reopen the network around March 10. Though some have criticized the decision to close the Coordinator, it may have saved many users’ funds from being stolen.

Potential Moonpay compromise

The Iota network was shut off on Feb. 12, shortly after the team received multiple reports of drained user wallets. This was possible thanks to the presence of the Coordinator, a centralized transaction verifier that is required to operate the network.

Shutting down the Coordinator stopped the attacker from draining any more user wallets, giving the team time to investigate. The issue was not easy to solve, however, as they soon realized that many users had their private seeds compromised by the attacker.

The Iota Foundation (IF) identified a third-party integration with Moonpay, a fiat-crypto gateway service, as the likely culprit.

The wallet loaded the Moonpay code through a common but potentially insecure Content Delivery Network (CDN) call. It was accessed through a simple HTTPS request, similar to loading a browser page. Analysis of Moonpay’s Domain Name System (DNS) provider, CloudFlare, revealed that the attacker had manually changed the IP behind the CDN address.

This was allegedly done through a CloudFlare API key that granted the necessary authorization. It is not clear how the attacker may have obtained it, though it seems very likely that it required some kind of close contact with the Moonpay team, possibly a physical compromise. The ability to independently steal CloudFlare keys would be a very serious vulnerability of its own.

The changed DNS allowed the hacker to serve his own malicious code to each user’s wallet. The injected software then registered both the password and seed of the wallet and sent it to the attacker.

The attack was first studied on Nov. 27, and was fully exploited starting on Jan. 25. On Feb. 10, Moonpay patched the vulnerability, allegedly without informing the Iota team of what had happened.

During that time frame, the hacker was able to steal at least 8.55 million MIOTA, worth $1.87 million at press time.

Network on vacation

While the network shutdown prevented any more tokens from being stolen, relaunching it as is would allow the hacker to continue undisturbed. For this reason, the Iota team had to develop a seed migration tool that would immediately transfer the tokens away from the affected wallets.

After starting on Feb. 29, the team is giving users seven days to undergo the transfer procedure. The Coordinator will be reenabled between March 7 and March 10 — just shy of one month of network inactivity.

Many commentators criticized Iota for its apparent centralization, claiming the network is “dead.” Few other networks could have been shut down so easily, but some Iota fans argue this was a positive thing, as it prevented a much larger theft.

Dominik Schiener, co-founder of Iota, commented to Cointelegraph:

“While this was a very unfortunate event, it shows that we at the IOTA Foundation are very committed to protecting the funds of the IOTA users and it shows that we have professionally responded to such a major incident. While our trust may be broken for some within the crypto community, our partners still stand behind us and believe in the future of IOTA.”

He then referred to the upcoming Chrysalis upgrade and the launch of an incentivized Coordicide alpha network as the next evolution of Iota. “We feel confident that we will work our way back to where we were and make everyone within the community believe that IOTA is on the right path,” he added.