Seeds, Security and Cybercrime

Koen Maris on the Successful International Collaboration Lead by Europol in Response to the 2018 Seed Generator Attack.

TL;DR:
Koen Maris of the IOTA Foundation shares insights into the seed generator attack in 2018 and the cooperation with international law enforcement leading to the apprehension and imminent trial of the suspected perpetrator: don’t miss the AMA on July 20 on our YouTube channel.

In January 2018, the IOTA community faced one of the most difficult challenges in its history: Over $11 million in MIOTAS were stolen from users in a blatant example of social engineering in security fraud. One year after the attack, in February 2019, international authorities announced that a Dutch citizen had been arrested in Oxford, England in connection with the case - over two years later, the case is due to go to trial towards the end of this year, a relatively rare occurrence in the complicated world of cybercrime.

To celebrate the positive outcome and reflect on the important security lessons learned in the aftermath of the attack, the IOTA Foundation is hosting a Ask Me Anything chat with Koen Maris and Robert Bryant on July 20 on our YouTube channel – you’re not going to want to miss it.

As a cybersecurity expert with leading CTO and security roles in Telecom Luxembourg, Atos, and PwC among others, Koen Maris has been a member of the board of advisors at the IOTA Foundation since January 2018. Robert is Detective Inspector in the Cyber Crime, Digital Forensic and Dark Web unit at South East Regional Organised Crime Unit (SEROCU).

To get a sneak preview of the AMA happening on YouTube on July 20, we spoke to Koen about the IOTA Foundation’s response and crisis management in the wake of the attack, as well as the fruitful cooperation with international law authorities, including Europol, that tracked down the perpetrator.

The detection of the disappearing coins

On 19 January 2018, messages started appearing on the IOTA Slack channel from concerned users reporting missing coins from their wallets. As the messages multiplied, the IOTA Foundation launched a thorough investigation. Digging deeper, a common factor was identified, as all affected users had used a seed generator on an external website: iotaseed.io. A “seed” is an alphanumeric combination that allows users to access their IOTA wallet.

It was quickly apparent that Iotaseed.io was in fact a malicious fake wallet seed generator, set up by a user called ‘norbertvdberg’ to persuade users to generate seeds on his website.

By providing users with an 81-character string made up of capital letters and one 9, it offered a quick and convenient solution to the more intensive way of creating seeds that were supposedly truly random. Unfortunately, these seeds were collected by the perpetrator between August 2017 and January 2018; once the seeds were used to generate addresses to store tokens, the perpetrator was able to access tokens deposited at those addresses.
Due to the ease of use and supposed trustworthiness of the iotaseed.io site, users did not realize that by generating secret seeds through a website, they would share access to their wallets with an attacker, and ultimately lost their tokens.

For a detailed technical explanation of what happened, follow this link.

The response

Once the IOTA Foundation was in possession of the facts at hand, including the reports of the active community, it involved the German authorities and soon an international collaboration developed between the IOTA Foundation, Europol, the UK’s South East Regional Organised Crime Unit (SEROCU) in cooperation with the UK’s National Crime Agency (NCA), and Germany's Hessen State Police.

As IOTA Foundation’s resident cybersecurity expert, Koen represented the Foundation in this collaboration: “The initial work was delivered by the police in Hessen,” he recalls. “Since we had victims from all over the world we needed centralized coordination. After a while, the German police reached out to UK police and Europol in order to speed up the investigation. They did that because they identified the location of the perpetrator, which seemed to be in the UK. The rest of it was the magic wheel of law enforcement.”

The arrest

It took just over a year between the attack and the arrest of the suspect: on January 23, a 36-year-old Oxford-based male was taken into custody. According to a report by Europol, several computers and electrical goods were seized, along with drugs and cash. According to Koen, the main challenge facing investigators in identifying and tracking down the culprit in a case like this is  “getting proof and hard evidence. In a digital world, it is fairly easy to wipe evidence. And since it is a cross-border operation, everything needs to be checked, double-checked, and checked again, to avoid any compliance mistakes.”

The hard work paid off, and the case goes to court later this year. This represents a significant development because cybercrimes so often go unpunished. Drawing on Koen’s many years of experience in cybersecurity, he sees this as the result of a multitude of factors: “First of all, you need to identify who the attacker is and where that person is located. Those are already determining factors because laws can be different in every involved country. If that works, you need to seek local support from law enforcement. Then collect evidence, without breaking the chain of custody. Build a case etc… And that is when there is a trace that can provide identification, which is mostly not the case. Especially not when you look at ransomware attacks for example.”

Looking forward

While we wait for the outcome of the trial, the AMA with Koen from the IOTA Foundation and Rob from SEROCU on July 20 will be a unique opportunity to hear more about the detection, prosecution, and response to the fraud, as well as dive into Rob and Koen’s vast experience related to cybersecurity.

In the meantime, we asked Koen whether he believes crypto-projects comply with national laws and regulations while also protecting the privacy of their decentralized users? “Yes,” he answers, “we often confuse privacy and secrecy. Privacy is about being surveilled or not, while secrecy is about hiding stuff. If you use cryptocurrencies and use an exchange to go to fiat currencies such as Dollar or Euro, you might have to provide your personal information via Know Your Customer verification services. Which in the end lifts your anonymity, though exchanges must protect that data, so your privacy is not harmed and your identity kept secret. Unless you do something wrong.”

Finally, and with the benefit of hindsight, we asked if he would change anything about the way cybercrime divisions work in response to a similar attack if it happened today.

“I don’t think there is a lot to change,” he answers. “I must say, all agencies I’ve been in contact with were very cooperative, eager to learn and understand, and always offered help. I haven’t been involved in an incident, even outside the IOTA Foundation, where I experienced the contrary. I’d probably drink less coffee these days during an incident, maybe I’d do that differently. And I hope to have a meetup somewhere in Europe when this is over and drink a glass with the community.”

Learn more in our AMA

Due to the technical details of the attack, we’ve only been able to skim the surface of the case in this article: To get more insights into the seed generator scam, the international cooperation over cybercrime, wallet security, and the IOTA Foundation’s evolution in terms of security and trust, you can watch a recording of Koen and Rob’s AMA (recorded on 20 July 2021) on YouTube.

You can also follow Koen on Twitter at @Koen_Security and SEROCU at @SouthEastROCU.

Follow us on our official channels for the latest updates:
IOTA: Discord | Twitter | LinkedIn | Instagram | YouTube