If you used Trinity from December 17, 2019 to February 17, 2020, your tokens might be at risk and you need to take action to prevent theft.
Summary: Trinity is a software wallet for the IOTA digital asset that has been developed for desktop and mobile operating systems. Managed by the IOTA Foundation, this open-source software project enables the user to manage their tokens over the IOTA network. On February 12, 2020 the Trinity Wallet was attacked via a third-party dependency from Moonpay, which resulted in the theft of around 8.55 Ti in IOTA tokens.
This blog post covers the release of the Seed Migration Tool: What it is, why it is needed to protect users who opened the Trinity Desktop Wallet from December 17, 2019 to February 17, 2020, and our path forward.
The Seed Migration Tool (Mac version, Linux version, Windows version) is officially available as part of our plan to protect users from the Trinity Wallet attack. It is an easy-to-use piece of software for macOS, Windows and Linux that automatically migrates IOTA tokens from potentially compromised seeds onto a new, unaffected seed. The tool has been thoroughly tested by the IOTA Foundation and audited by a leading security firm.
Do I need to Migrate?
We encourage all individuals who opened the Trinity Desktop Wallet between December 17, 2019 and February 17, 2020 to use the migration tool. We cannot say with absolute certainty how many seeds were collected by the attacker while the vulnerability was being exploited on Trinity Desktop Wallets, so every seed that was opened in that window should be treated as potentially exposed.
What happens if I don’t migrate?
We strongly encourage every Trinity user to use the tool within the seven-day window. Manual transfer to a new seed (without the official tool) after the seven-day period is still possible, but there is a risk that tokens associated with your seed could be stolen once the coordinator is re-enabled, because an attacker holding a copy of your seed can spend from it as soon as the network resumes.
Steps to migrate:
1. Make sure you update Trinity to the new version
We have released an updated version of Trinity which allows you to check your balance and transactions. Please download the newest version of Trinity and install it over your old version: https://github.com/iotaledger/trinity-wallet/releases/tag/desktop-1.4.3
After installing the new version, MAKE SURE TO CHANGE YOUR PASSWORD AND STORE IT IN A PASSWORD MANAGER. If you have used the same password for other services or websites, we strongly recommend you change it there, too, as a precaution. Upgrading to this new version of Trinity removes the vulnerability from your wallet; it does not, however, make a seed that was already collected by the attacker safe again, which is why the migration step below is still required.
2. Downloading the Migration Tool (Updated 02/03/2020 ~09:25 CET)
You can download the tool for your platform here:
You can find more information on how to use this tool on our documentation site.
3. Follow the steps in the migration tool. Make sure to migrate each seed only once, and keep the migration logs on your computer so you can prove which seeds were migrated and when.
If you are uncertain about this process or need assistance, please reach out to our team or the community on the official IOTA Discord.
IOTA believes in the strengths of open-source software, and in normal situations would release all installable software as an open-source project so you can inspect the code before choosing to install it. However, this is an extreme case, and we have elected not to publish the source code. Time is of the essence because delaying the attackers puts the advantage in your hands. We have internally tested several revisions of this application, submitted it for external audit, and are confident that it does exactly what it is supposed to do — and nothing more.
The security of any system can be defined as the strength of its weakest link. In the case of the Trinity Incident, the weakest link was the trust that the IOTA Foundation placed in a third party’s code delivery system — we own that mistake and have already taken measures to ensure it will not repeat itself.
In the wake of any such digital assault on private property, it is important to reflect upon what went wrong and how things can be improved. This is true of every undertaking, whether in the crypto sphere or elsewhere. Perhaps it is a stretch to imagine that “the whole world is watching”, but eyes are on us; observing how we handle such a delicate situation. So let’s recap:
- We are striving to follow best-practices of transparency and remediation while taking a healthy dose of self-reflection: https://status.iota.org
- We are actively strengthening the operational security posture of the IOTA Foundation against similar and hitherto unknown cyberattacks via external audits and the onboarding of new staff members.
- We released a safe version of Trinity within five days of our first notification of users being impacted.
- We have created a new piece of software that enables you to safely move your tokens from potentially compromised seeds to new ones, which will allow us to restart the network and resume normal operations as soon as possible.
On that note, we are grateful to you and our entire community for being patient during this ordeal and look forward to regaining your trust, link by link.
Many in the community have asked, why was the Seed Migration Tool not open sourced from the moment it was released, or even — why wasn’t the development process done in the clear? Doesn’t this violate first principles of open source?
In this situation of duress after a successful cyber-attack, we hope that we can be forgiven for taking extra security precautions. With a potentially active attacker, we elected to slow them down by hindering their insight into our development processes, devops practices, and endpoints.
Now that the window in which this advantage was useful for our defense has closed, we have published the source code, the derived binaries and their checksums, as referenced in our blog post announcing this tool:
Network Status: https://status.iota.org/
Blog Article: https://blog.iota.org/seed-migration-tool-now-available-c253ccd9d23c
Repository Address: https://github.com/iotaledger/seed-migration-tool
Download links (and associated SHA checksums) updated. The new version contains minor fixes and improved UX.
Note: If you have already successfully migrated your seeds, you do not need to download this release.
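The published checksums only protect you if you actually compare them against what you downloaded before running it. The following is an added example, not part of the original post or of the IOTA Foundation's own tooling, showing how to verify downloaded release artifacts against a published SHA-256 list in `sha256sum` format before installing them. The file names and digests in it are constructed for the demonstration and are not the real Seed Migration Tool binaries or checksums; the second entry is deliberately wrong so the mismatch path is exercised.

```shell
#!/bin/sh
# Added example: verify downloaded release artifacts against a published
# SHA-256 checksum list before running them. The file names and digests below
# are constructed for the demo; they are NOT the real Seed Migration Tool
# binaries or checksums.

# Portable SHA-256 of a file: coreutils sha256sum, else BSD/macOS shasum,
# else openssl. Prints the lowercase hex digest only.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive because published digests vary in case.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAILED  $file (expected $expected, got $actual)" >&2
    return 1
}

# verify_checksum_list LISTFILE -> 0 only if every "<hex>  <name>" line verifies.
# Files are resolved relative to the directory containing LISTFILE. Keeps going
# after a failure so the report covers every artifact, then returns 1 if any failed.
verify_checksum_list() {
    list=$1
    dir=$(dirname "$list")
    rc=0
    while read -r hex name; do
        [ -n "$hex" ] || continue            # skip blank lines
        case $hex in \#*) continue ;; esac   # skip comment lines
        name=${name#\*}                      # sha256sum marks binary mode with a leading '*'
        verify_sha256 "$dir/$name" "$hex" || rc=1
    done < "$list"
    return $rc
}

# --- constructed demo data (stand-ins, not the real tool) ---
# Creates two fake artifacts and a SHA256SUMS file whose first entry is correct
# and whose second entry is deliberately wrong (what a tampered or corrupted
# download looks like). Prints the directory it created.
demo_setup() {
    DEMO_DIR=$(mktemp -d)
    printf 'pretend this is the Linux build\n'   > "$DEMO_DIR/tool-linux.AppImage"
    printf 'pretend this is the Windows build\n' > "$DEMO_DIR/tool-win.exe"
    {
        printf '%s  tool-linux.AppImage\n' "$(sha256_of "$DEMO_DIR/tool-linux.AppImage")"
        printf '%s  tool-win.exe\n' "0000000000000000000000000000000000000000000000000000000000000000"
    } > "$DEMO_DIR/SHA256SUMS"
    echo "$DEMO_DIR"
}

# Runs the whole check on the demo data and reports the decision a user should act on.
demo_run() {
    d=$(demo_setup)
    if verify_checksum_list "$d/SHA256SUMS"; then
        echo "all artifacts verified; safe to install"
    else
        echo "at least one artifact FAILED verification; do not run it" >&2
    fi
    rm -rf "$d"
}

demo_run
```

In practice you would point `verify_checksum_list` at the checksum file published with the release and downloaded separately from the binaries; a digest that travels in the same place as the artifact, under the same control, only detects corruption, not tampering, which is exactly the third-party delivery-channel weakness described above.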