MyAlgo Wallet Hack — February 27, 2023
Overview
An estimated $9.2 million (19.5M ALGO, 3.5M USDC, etc.) was stolen on Algorand in an attack that ran from Feb. 19 to 21, 2023. MyAlgo, a wallet provider for the Algorand (ALGO) network, warned its users to withdraw funds from any wallets created with a seed phrase amid an ongoing exploit.
Impact and Response
Around 25 accounts were affected by the exploit. The crypto exchange ChangeNOW was able to freeze over $1.5 million after the attackers tried to launder the stolen funds through it.
Root Cause Investigation
MyAlgo tweeted on Feb. 27 that it still did not know the cause of the recent wallet hacks. However, D13.co, an Algorand-focused developer collective, released a report on Feb. 27 that determined the "most probable" scenarios were that affected users' seed phrases were compromised through socially engineered phishing attacks, or that MyAlgo's website was compromised, leading to the "targeted exfiltration of unencrypted private keys."
Later Disclosure
The cause of the exploit remained unknown until April 2023, when it was revealed that malicious JavaScript code must have been injected on January 21st (a JavaScript CDN exploit).
Protocol Safety
John Woods, chief technology officer of the Algorand Foundation, said the exploit is "not the result of an underlying issue with the Algorand protocol or SDK."
Sources