Algorand developer collective D13 has reported that crypto worth $8.6 million has likely been stolen from the Algorand wallet MyAlgo. According to the report, D13 has been investigating the issue since February 20 and has confirmed that 17 addresses holding $7.2 million in USDC and ALGO have been compromised, with a possible $1.4 million compromised on four other addresses.
D13 presented two possible explanations for the incident. The first is that users may have had their wallet seed phrase stolen through a phishing or social engineering attack.
The second is that MyAlgo.com may have been attacked in a way that leaked unencrypted private keys. While it is difficult to regard the incident exclusively as user error, D13 noted that users need to exercise caution and rekey their MyAlgo wallets, much like changing passwords on other accounts, or move their funds elsewhere.
MyAlgo separately advised users to withdraw their funds, saying that it “strongly advises” them to move their funds out of MyAlgo mnemonic wallets. It instructed users to act slowly and carefully, noting that the most recent transfers occurred last week and that no suspicious fund movements have been noticed since then.
D13 also recommended that users take the necessary precautions to safeguard their wallets, including changing their passwords and securing their seed phrases.
The developer collective also noted that key generation issues, Mac and iOS vulnerabilities, and malware are unlikely explanations for the incident. D13 drew attention to an attack on Solana’s Slope wallet in 2022, noting that even attacks that result in a relatively small movement of funds could represent a larger issue.
The incident highlights the importance of user security and the need for developers to provide secure, robust systems to protect users’ crypto assets.