MyAlgo users urged to withdraw, as cause of $9.2M hack remains unknown

The users of the Algorand-based MyAlgo crypto wallet have been warned to withdraw their funds following a series of exploits that nabbed millions worth of crypto.
The users of the Algorand-based MyAlgo crypto wallet have been warned to withdraw their funds following a series of exploits that nabbed millions worth of crypto.

A wallet provider for the Algorand (ALGO) network, MyAlgo, has warned its users to withdraw funds from any wallets created with a seed phrase amid an ongoing exploit that has seen an estimated $9.2 million worth of funds stolen.

MyAlgo tweeted the advice on Feb. 27, adding it still doesn’t know the cause of the recent wallet hacks and encouraged “everyone to take precautionary measures to protect their assets.”

Earlier on Feb. 27, the team tweeted a warning of a “targeted attack [...] carried out against a group of high-profile MyAlgo accounts” that has seemingly been conducted over the past week.

The self-titled “on-chain sleuth,” ZachXBT, outlined in a Feb. 27 tweet that it’s suspected the exploit has pilfered over $9.2 million and crypto exchange ChangeNOW was able to freeze around $1.5 million worth of funds.

Particularly susceptible to the exploit were users who had mnemonic wallets with the key stored in an internet browser, according to MyAlgo. A mnemonic wallet typically uses between 12 and 24 words to generate a private key.

John Wood, chief technology officer at the networks governance body the Algorand Foundation, took to Twitter on Feb. 27, saying around 25 accounts were affected by the exploit.

He added the exploit “is not the result of an underlying issue with the Algorand protocol” or its software development kit.

Related: $700,000 drained from BNB Chain-based DeFi protocol LaunchZone

Algorand-focused developer collective D13.co released a report on Feb. 27 that eliminated multiple possible exploit vectors such as malware or operating system vulnerabilities.

The report determined the “most probable” scenarios were that the affected users’ seed phrases were compromised through socially engineered phishing attacks or MyAlgo’s website was compromised, leadin to the “targeted exfiltration of unencrypted private keys.”

MyAlgo stated it would continue to work with authorities and would conduct a “thorough investigation to determine the root cause of the attack.”