The Cyber Criminal Who Stole €10 Million Worth of IOTA Cryptocurrency Has Been Caught
On Wednesday, a 36-year-old man was arrested in Oxford, UK on suspicion of stealing as much as €10 million (about $11.33 million) worth of IOTA cryptocurrency. The investigation started about twelve months ago in Germany, and with the help of Europol and the UK police, the prime suspect is now in custody. Police officers seized quite a few electronic devices from the man's house, and while they were there, they also found some drugs, which should make his whole experience a little bit more unpleasant. We're pretty sure that the 80+ victims that had their crypto coins stolen wouldn't mind.
The fact that someone managed to make off with other people's digital money isn't really that surprising. Despite some people's beliefs that everything related to cryptocurrency is untraceable, the fact that someone got caught isn't shocking, either. What is surprising is how ruthlessly simple and effective the scam was.
Iotaseed.io – when naïve users meet a clever scammer
The so-called IOTA seed is at the root of the whole scheme. It acts as a combination of a username and a password, and if someone has it, they can log in to your account and steal all your IOTA money. Because they are so important, IOTA seeds need to be 81-characters long and must consist letters as well as the number 9.
From a security standpoint, having an 81-character-long string protecting your money is a sensible idea. When you consider the usability aspect, however, you'll spot a couple of problems. First of all, if users are left to their own devices, the seeds they create would probably be easy to guess. And if they do try to create something random, they'll need to spend a lot of time and effort on it. That's why, Trinity, IOTA's official wallet application, comes with its own random seed generator. If you don't want to use it, you can enter a couple of simple commands on Linux and Mac computers which are capable of generating random strings that meet all the requirements. Apparently, for some people, even that was too much work. This is where the 36-year-old suspect allegedly came in.
Police believe that they have apprehended Norbertvdberg, the online personality that created iotaseed.io – an online IOTA seed generator that was active between August 2017 and January 2018. Obviously, some people weren't entirely ready to trust a website that they stumbled upon on Google (apparently, iotaseed.io had a pretty decent search engine ranking) with all their crypto money, but Norbertvdberg was determined to clear their suspicions.
He published what he claimed was iotaseed.io's code on GitHub and told everyone that the generator is open-source. Surprisingly or not, for many people, this was enough proof of the website's legitimacy. You can probably guess what happened next.
A simple scam and a massive loot
The code in the GitHub repository wasn't the same as the one on iotaseed.io. The difference was not easy to spot, but a more careful examination revealed two things. First, the seeds iotaseed.io generated weren't as random as they should have been, and second, all generated seeds were carefully logged.
On January 19, 2018, Norbertvdberg used them to drain victims' wallets. The break-in was synchronized with a DDoS attack on IOTA's servers which means that the cryptocurrency's developers and administrators were too busy to notice the increased number of transactions. The money disappeared in minutes, and shortly after, the generator on iotaseed.io went offline, with the home page reading "Taken down. Apologies". In the meantime, Norbertvdberg tried to erase all traces of their online existence. If the police have the right person, this endeavor has been less than successful than the heist.
What can you do to make sure that this doesn't happen again?
The victims will probably never see their IOTA coins again, regardless of whether or not the arrested man turns out to be Norbertvdberg. And even if they do, the charts suggest that they're now worth a lot less than they were a year ago.
Cryptocurrency fraud is not likely to end soon. We're talking about a money-making venture after all which means that con artists will be all over it for as long as the profits flow. They will continue to try to deceive you, and you should finally learn not to blindly trust people on the internet.
Speaking of trust, the fact that you're even considering investing some money in a cryptocurrency like IOTA means that you have at least a certain amount of confidence in its developers' integrity. Why, then, would you look for a third-party seed generator to protect your IOTA wallet?
Cryptocurrency wallets, in general, are valuable items nowadays. If you have (or consider having) one and you want to find out what you can do to improve its security, click here.