Algorand dev group says $8.6M likely stolen via MyAlgo; users should rekey wallets
An attacker may have run a phishing campaign or compromised MyAlgo's website.
A sum of crypto worth $8.6 million has likely been stolen via the Algorand wallet MyAlgo, according to the Algorand developer collective D13 on Feb. 27.
D13 said it has been investigating the issue since day one on Feb. 20. It reported that 17 addresses holding $7.2 million USDC and ALGO had been confirmed as compromised. It added that $1.4 million might be compromised on 4 other addresses.
The group presented two possible explanations for the incident. It said that users may have had their wallet seed phrases stolen through a phishing or social engineering attack, or that MyAlgo.com may have been attacked in a way that leaked unencrypted private keys.
If an attack were carried out via targeted phishing, it would be a user error. However, D13 said it is difficult to regard the incident “exclusively as user error.” It drew attention to an attack on Solana’s Slope wallet in 2022, noting that even attacks that result in a relatively small movement of funds could represent a larger issue.
The developer collective additionally said that key generation issues, Mac and iOS vulnerabilities, and malware are unlikely explanations for the incident.
D13 also recommended that users “rekey” their MyAlgo wallets — a procedure much like changing a password on other accounts — or move their funds elsewhere.
The affected wallet, MyAlgo, separately told users to withdraw their funds on Feb. 27. It wrote that it “strongly advises” users to move funds out of MyAlgo mnemonic wallets.
It instructed users to act slowly and carefully, noting that the most recent transfers occurred last week and that no suspicious fund movements have been noticed since then.