MyAlgo tweeted the warning on Monday, following disturbing reports of an ongoing exploit that has already drained millions' worth of ALGO. Although the wallet provider did not cite any estimated figures, renowned on-chain sleuth ZachXBT said over $9.2 million might have been stolen from February 19 to 21. Fortunately, the crypto swap platform ChangeNow managed to freeze $1.5 million, according to data from the blockchain intelligence platform TRM Labs.
John Woods, the CTO at the Algorand Foundation, took to Twitter to say that the attack had impacted around 25 wallets so far and assured users that the exploit was “not the result of an underlying issue with the Algorand protocol or SDK.” He also advised MyAlgo users to rekey to a Ledger or other third-party wallet as a precautionary measure.
According to a report by Algorand’s developer collective D13.co, the two most probable scenarios are seed phrases being compromised through social engineering/phishing, and a compromise of the MyAlgo website leading to targeted exfiltration of encrypted private keys. At the same time, investigators ruled out other attack vectors, such as OS malware, weak key generation, and Mac/iOS vulnerabilities.
“So while we cannot prove that there has been a MyAlgo compromise, we have enough reasonable doubt to strongly recommend that MyAlgo users rekey their MyAlgo accounts using Pera Web or Defly wallets, or if their old addresses are not significant (governance, NFT minting addresses), simply moving to a freshly created wallet on different wallet software,” the report reads.
“The fact that we have not detected any movements from the attackers in a week is not a guarantee of continued silence and safety for accounts of any size. Not your keys, not your crypto, remember? Since the blockchain doesn't issue refunds, either move or rekey to be safe.”