Algorand Users Funds Continues To Be Stolen: Algodex, Lofty and Smaller Wallets Now Amongst Victims

Image by Freepik

Algorand Users Funds Continues To Be Stolen 

It was first reported by AlgoDaddy on the 21st of February that a few large wallets had been drained for their funds. 

A few days later it turned out that at least 13 Million ALGO had been stolen from whale wallets, amongst the affected wallets was the Algorand DeFi platform GARD.

Algodex, Lofty & Smaller Wallets Affected

During the last couple of days the malicious actors have once again become active, as reported by the user D13 on Twitter, and the attackers have now started to drain smaller wallets in the process. 

Both Algodex and Lofty reported having funds stolen, the latter losing $65K worth of ALGO. However, Lofty claims no user funds have been compromised. 

The attackers are active again today and two things have changed:

- smaller accounts are being attacked
- automation/scripting is observed from the attackers

If you are putting it off as "they won't bother with my account" this could prove costly.

Rekey or move funds. https://t.co/V8JKVEuLDd

— D13.co (@d13_co) March 6, 2023

Reportedly, not only ALGO are being drained from these wallets, but Algorand ASA's as well, such as gALGO, goBTC, goETH, goMINT, USDC, USDT and OPUL.

No Problem With The Blockchain Itself

The suspected source of the attack is some kind of exploit or systematic phishing through the MyAlgo mnemonic wallets, however this is yet to be fully confirmed. 

Algorands chief technical officer, John Woods, previously commented that there are no exploits or problems with the actual Algorand protocol itself, and that it remains secure. 

Save Your Funds, Rekey or Create New Wallet

It's possible to rekey your software wallets with either the Pera wallet or with the Defly wallet. 

Rekeying your wallet will keep all your inventory in the same account, saving energy and time, while keeping your custom addresses and avoiding becoming ineligible for Governance. 

Steps To Avoid Future Exploits

• Never share your 25 word seed phrase with anyone. 

• Anyone who suspect that their account might have been compromised should be immediately create a new wallet and transfer their funds there. 

• In addition, thread carefully when using dApps in the crypto space. Don't opt in to smart contracts that you don't fully trust. Make sure you do your due diligence.

• Be careful when using google to access your favorite websites in the ecosystem, often phishing sites will be promoted, using similar domain names as the real sites, looking identical, and stealing your ALGO in the process. 

• Never store your seed phrase digitally, not as a screenshot nor saved in a document. This is one of the main ways malicious forces use to gain access to your account. Rather store the seed phrase on a physical piece of paper or metal, in a safe place protected from destruction (i.e. residential fire).

• Make sure to always use two-factor authentication whenever possible. This is especially important if you keep any amount of crypto store on central exchanges. 

• Use a separate phone or computer to handle your crypto-related interactions. Keep this computer up-to-date and free of any suspicious apps or programs. You may even keep it offline when not using it.

Article Author: Martin
Follow on Twitter: AlgoDaddy