The measures taken to mitigate the situation were also itemized in the publication.
Recap of the Series of Attacks that Led to Trinity
According to the report, on 12th February 2020, around 3 PM CET, there were tons of messages sent to the moderators on the IOTA Discord server, from the users that observed zero balance and/or unauthorized transactions sent from their wallets.
After a series of similar incidents were reported, it became obvious it was a coordinated attack on the wallet, which prompted the IOTA Foundation engineers to get to work in order to discover the specific cause of the attack.
The first decision taken by the foundation in the first 4 hours of the investigation was to deactivate the coordinator. This was the measure taken as a temporary security mechanism in the course of the network maturation phase.
Halting the coordinator is a very big decision due to the suspension of value transaction confirmation it initiates on the network. But this delicate decision had to be taken to prevent the hackers from transferring more tokens.
This vital decision taken halted the attackers from further preplanned damage because it stopped a lot of transactions from and to the attackers at once.
For detailed information about the attack, visit blog.iota.org.
What Trinity Users Need to Do
According to IOTA Foundation, it is necessary for Trinity users to use the forthcoming migration tool to ensure the protection of their tokens from unforeseen attacks to their tokens.
The Foundation averred that such an attack needs a lot of complex measures for the IOTA network before the operation can fully resume without further potential losses.
For this reason, IOTA Foundation decided an important and extra precautionary step to ensure the safety of the affected users of Trinity wallet by developing a detailed migration plan and a dedicated tool.
This plan and tool will aid the Trinity users to have a safe way of migrating their tokens to a new seed. IOTA Foundation assured the sharing of the details of this migration plan in the subsequent blog post.
Read the Steps Taken to Address the Incident As Shared by IOTA Foundation Below:
- The Foundation set up a status update page where victims and the public could access regular updates.
- Built a new Tangle analytics toolset (utilizing our permanode) that tracks tokens in real-time. This tool will help support the ongoing criminal investigation.
- Allocated all available resources to assist with the investigation of attacked seeds and analyze the attack pattern, using the set of newly developed tools, as well as a separate parallel manual analysis and verification (to validate tooling reliability).
- Released a new version of Trinity Desktop for users to install on top of the current version with the attack vector removed, which would allow users to safely open and check their wallet balances. You can find it here.
- Released new versions of Trinity Mobile on iOS and Android with MoonPay removed. These can be downloaded via the App Store and Play Store respectively.
- Developed an attack remediation plan, which involves building a seed migration tool to move users to a safe seed.
- Brought on multiple security experts and firms to assist with the analysis and cyberforensic investigation, as well as develop the remediation plan.
- Contacted the UK, German, and Maltese police and the FBI to report the incident and provided documentation and updates as they became available.
- Collected information from affected users and developed a dedicated community discord channel for them.
- Collected and analyzed app files from both affected and non-affected users, categorized malicious code types and developed a timeline of when the malicious code was deployed.
- Contacted all relevant exchanges to gather insight into where the tokens had been transferred and to lock any unsold tokens.
- Worked together with MoonPay to investigate the cause of this hack and acquire the necessary information for the investigation.