Bitcoin Forum
Topic: IOTA: Snake oil insecurity with a centralized kill switch to shut off your money
nullius (OP)
February 19, 2020, 03:29:03 PM
Last edit: February 29, 2020, 01:03:34 PM by nullius
Merited by Foxpup (8), mindrust (5), Lauda (5), bitmover (5), marlboroza (5), LoyceV (4), bones261 (4), Symmetrick (3), The Sceptical Chymist (2), Hueristic (1), minerjones (1), Gyrsur (1), JollyGood (1), witcher_sense (1), Rikafip (1), mr.relax (1), Lachrymose (1), Blacknavy (1)
 #1

It is high time—no, long past time to better warn people about the billion-dollar scam with a centralized kill switch.  Please support:




From Coindesk, with my red boldface added:

Quote from: Coindesk
IOTA Foundation Suspends Network, Probes Fund Theft in Trinity Wallet

Feb 13, 2020 at 23:22 UTC
Updated Feb 14, 2020 at 15:14 UTC

IOTA Foundation, the nonprofit behind the IOTA distributed network, recommended users close their Trinity wallets Thursday after multiple reports of fund theft.

IOTA said it started receiving the reports Wednesday and decided to shut off the Coordinator node in the network for further investigation.

[...]

On Twitter, IOTA said it is working with law enforcement and cybersecurity experts to investigate a coordinated attack that resulted in stolen funds.

Dominik Schiener, co-founder of the IOTA Foundation, did not respond to request for comments before the press time. CoinDesk will add updates as the story develops.

(Note:  This theft followed by IOTA hitting the kill switch happened only a few months after IOTA mainnet had 15 hours of “downtime” caused by a “corrupt ledger state”...  Wait, what the hell kind of cryptocurrency has network-wide “downtime”?  Bitcoin has no “downtime”, and certainly no “corrupt ledger state”.)

What bad news this is for a network that people are entrusting with their money:

  • The minor point:  One way or another, some people got their money stolen due to IOTA’s snake oil “security”.
  • The major point:  IOTA has a kill switch!  They can and do “pause” or “suspend” the whole network, via the peremptory fiat of someone who can turn off your money with the push of a button.  Just like flipping a light switch.  I actually do not even know of any other cryptocurrency, even horribly centralized ones, that can be shut down so easily as “[pausing] the Coordinator”.


Now, compare this fiasco and other known problems with IOTA to the dishonest claims in OP of IOTA’s announcement thread (current snapshot):

Iota’s blockchain solves the following problems of its blockchain cousin:

Centralization of control
As history shows, small miners form big groups to reduce variation of the reward. This leads to concentration of power (computational and political) in hands of few pool operators and gives them ability to apply wide spectrum of policies (filtering, postponing) on certain transactions. Although there are no known cases where pool operators abused their power, there have been several instances where the opportunity were present. This possibility in a monetary system powering a multibillion (in USD) industry is completely unacceptable.

“Obsolete” cryptography
Although large scale quantum computers do not exist yet, future oriented companies have already begun initiating the steps towards quantum-resistant cryptography. From a security point of view it makes perfect sense to assume that hardware capable of cracking classical cryptoalgorithms may appear in the very near future, so preparation is the only defense.

Let me get this straight:  IOTA avoids “centralization of control” by having a centralized kill switch which can turn off your money at any time—and they use that kill switch when theft occurs because their way to avoid “‘obsolete’ cryptography” is to sell you a bug-ridden heap of snake oil that has had its homebrew crypto broken in the past, and apparently is overall insecure and buggy (whether or not this latest theft was caused by a break of their crypto).

SCAM

Because I am a techie, let me put this in terms of something that looks like maths and stuff:

IOTA = your money → 🗑️

The current IOTA disaster shows that honest technical experts on this forum, including myself, were justified long ago in giving a roundhouse kick to IOTA’s snake oil security.

What do I mean by “snake oil”?  Everybody who knows anything about practical cryptography knows well these warning signs:

https://www.schneier.com/crypto-gram/archives/1999/0215.html#snakeoil
Quote from: Bruce Schneier (CRYPTO-GRAM)
Snake Oil

The problem with bad security is that it looks just like good security. You can't tell the difference by looking at the finished product....

The term we use for bad cryptography products is "snake oil," which was the turn-of-the-century American term for quack medicine. It brings to mind traveling medicine shows, and hawkers selling their special magic elixir that would cure any ailment you could imagine.

[...]

Elsewhere I've talked about building strong security products, using tried-and-true mathematics, and generally being conservative. Here I want to talk about some of the common snake-oil warning signs, and how you can pre-judge products from their advertising claims. These warning signs are not foolproof, but they're pretty good.

Warning Sign #1: Pseudo-mathematical gobbledygook.

In the quote above, notice the "unique in-house developed incremental base shift algorithm." Does anyone have any idea what that means? Are there any academic papers that discuss this concept? Long noun chains don't automatically imply security.

[...]

Warning Sign #2: New mathematics.

Every couple of years, some mathematician looks over at cryptography, says something like, "oh, that's easy," and proceeds to create an encryption algorithm out of whatever he has been working on. Invariably it is lousy.

[...]

Warning Sign #3: Proprietary cryptography.

I promise not to start another tirade about the problems of proprietary cryptography. I just include it here as a warning sign.

[...]

Warning Sign #4: Extreme cluelessness.

Some companies make such weird claims that it's obvious that they don't understand the field.

[...]

Warning Sign #7: Unsubstantiated claims.

[...]

Other companies make claims about other algorithms that are "broken," without giving details. Or that public-key cryptography is useless. Don't believe any of this stuff. If the claim seems far-fetched, it probably is.

[...]

I can stop at 5 of Schneier’s “warning signs” without proceeding further, methinks.

I am not only calling IOTA insecure now.  See what I said two years ago in a discussion with some of the smartest people in the Development & Technology forum, after IOTA’s homebrew hash was cracked.  All emphasis and boldface are hereby quoted as in my original posts.

Merited by achow101 (2), LoyceV (1)
The recent (and a really good) example of bad code here: http://www.tangleblog.com/wp-content/uploads/2018/02/letters.pdf

Quote
Dom, David and the rest of the IOTA team,
We have found serious cryptographic weaknesses in the cryptographic hash function
curl used by IOTA, curl. These weaknesses threaten the security of signatures
and PoW in IOTA as PoW and Signatures rely on curl to be pseudo random and collision
resistant.
...

This is not “bad code”.  It is DIY crypto.  Worse, DIY crypto for a primitive—a DIY hash!  Worse still, DIY crypto by a corporate outfit which never showed any evidence of being inhabited by world-class cryptographers—despite their claim in a spin-job piece that “the IOTA Foundation has already subcontracted a team of 5 world-class cryptographers, as well as 3 independent ones to come up with a final design of Curl and then start the long peer-reviewed process, as was always the plan.”  N.b. that even world-class cryptographers need their primitive designs to undergo extensive peer review before fielding them with Other People’s Money—whether it’s the “final design”, or otherwise!

One of the people who broke IOTA had some damning words for it, in “Cryptographic vulnerabilities in IOTA”:

Quote from: Neha Narula (2017-09-07)
You might think that IOTA, a cryptocurrency worth over a billion dollars, and working with organizations like Microsoft, University College London, Innogy, and Bosch, BNY Mellon, Cisco, and Foxconn (through the Trusted IOT Alliance) would not have fairly obvious vulnerabilities, but unfortunately, that’s not the case. When we took a look at their system, we found a serious vulnerability and textbook insecure code.

“In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low,” states Bruce Schneier, renowned security technologist, about IOTA when we shared our attack.

Anybody who buys into such ill-conceived crypto-junk as IOTA deserves to lose their money, on grounds of foolishness.

Merited by TMAN (10), achow101 (2), LoyceV (1)
Bitcoin requires a new mindset.  [...]  If you get that, then you will pay careful attention to the quality of your code.  Also, you will much respect Core—because they get it, too.  And if you dare to make your own currency, you will not start by designing your own hash function as IOTA did!  That really wrecks any credibility they ever had.

I don't know precisely what happened with IOTA but I have read a little bit about it and I'm not sure why the currency continues to circulate given what I do know.  I guess too many people had invested into it by that point, which is more a political reason for continuing to exist rather than anything based on technical merit or the capability of the system.  I'm not sure why the IOTA people thought it was a good idea to throw in some untested cryptography, but that seems like a very amateur thing to do.

As for the latter bolded part:  I don’t see “amateur”.  I see PHB + NIH.

Come on.  We’re the big boys.  Microsoft is involved—you know, the company which does \ instead of / as a directory delimiter.  For our billion-dollar cryptocurrency, we will do innovation!  We don’t just use a commercial off-the-shelf hash which everybody else has.  We have our own hash!  The boss says so.

I hereby partly retract one statement that I made in the above quotes:

Anybody who buys into such ill-conceived crypto-junk as IOTA deserves to lose their money, on grounds of foolishness.

The word “deserves” was rhetorical hyperbole.  Newbies and people who are not technical experts do not deserve to lose money on a billion-dollar scam, which they lack adequate knowledge properly to evaluate.  Wherefore my new action against IOTA:  People deserve to be warned, so that they do not unknowingly take the high risk of losing money that comes with investing in a “cryptocurrency” that uses snake oil crypto, has suffered thefts (due to apparently as-yet undisclosed insecurities), and has actually had its whole network shut down with a centralized kill switch.  IOTA is a broken-by-design financial time bomb!



Disclosures:  I have no financial position which could be in any way directly affected by IOTA’s market price.  Indeed, I flatly ignore >99% of the altcoin market.  IOTA just keeps coming to my attention as a disaster by design.  In 2018, it was their broken homebrew hash; now, it is their kill switch...  I want to warn others so that people don’t take a high risk of losing money by buying into a billion-dollar scam with snazzy marketing, big corporate backers, and abysmally insecure technology.

nullius (OP)
February 19, 2020, 03:29:21 PM
Last edit: February 22, 2020, 06:26:54 PM by nullius
 #2

Translations:


If this thread grows long, important forward references will be linked from this post.

Lauda
February 19, 2020, 03:32:28 PM
Merited by nullius (5), Foxpup (4)
 #3

I have always been advocating against IOTA, but the situation is much worse than I have previously believed! I wish that this was handled much sooner..

See also: https://twitter.com/matthew_d_green/status/967073310604488707

Quote
Matthew Green @matthew_d_green
4:26 PM · Feb 23, 2018

If you want a postcard summary of why you should avoid the Iota project — with your brains and your money — this conversation is it.


Matthew Green is a professor of cryptography at Johns Hopkins University. His blog can be found here: https://blog.cryptographyengineering.com/. That was part of a tweetstorm. As reported by IEEE Spectrum, a professional publication from the Institute of Electrical and Electronics Engineers:

https://spectrum.ieee.org/tech-talk/computing/networks/cryptographers-urge-users-and-researchers-to-abandon-iota-after-leaked-emails

Quote
Cryptographers Urge People to Abandon IOTA After Leaked Emails

A dump of private emails pits developers of the cryptocurrency against external security researchers

By Morgen Peck

27 Feb 2018 | 17:00 GMT

This past weekend, multiple prominent security researchers and academic cryptographers took to Twitter to paint a big black mark on the cryptocurrency project, IOTA. The posts implore investors not to hold the currency and researchers not to collaborate on enhancing the security of the system.

An outcry was triggered shortly after a chain of private emails sent among the IOTA team and a group of external security researchers was made public, exposing the developers’ response to the disclosure of a critical flaw in one of their cryptographic building blocks. The correspondence, which ended with vague threats of legal action by IOTA founder, Sergey Ivancheglo, against a member of the Boston University security group, has prompted many academic researchers to denounce the entire project.

...

However, there are many in the community who argue that the system, which today relies on the activities of a central operator called a “coordinator,” is not as decentralized as advertised.  Those who adhere to this line of thinking—people like Rick Dudley, a blockchain architecture advisor and consultant in New York City—note that the team behind IOTA has made it especially difficult for outside researchers to evaluate the technology.

Also very important read: https://www.media.mit.edu/posts/iota-response/


I'm really sorry for everyone who lost money in this very sophisticated scam, and hope that we can prevent additional people from becoming victims of IOTA.

My flag is here (negative rating also left):
https://bitcointalk.org/index.php?action=trust;flag=1388

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
bitmover
February 19, 2020, 06:32:33 PM
Merited by nullius (1)
 #4

From iota.com blog

https://blog.iota.org/instant-feeless-flash-channels-88572d9a4385?gi=9eb5072573c4

Quote
Instant & Feeless— Flash Channels
Lewis Freiberg
Sep 24, 2017 · 10 min read

The goal of the IOTA Foundation is it to build a flourishing Machine Economy, where machines seamlessly interact and transact with each other. With IOTA, we have introduced the first scalable distributed ledger architecture that has no transaction fees and is able to run in the Internet of Things environment. The power of IOTA is in its network, as it scales horizontally with the number of network participants transacting with each other.

Free and instant transaction.  Fully scalable.

But everything has a price. Looks like iota price is very expensive.

This scalability drama is just ridiculous. A stupid idea which became a marketing z to make fools buy shitcoins and stay away from bitcoin because it is "old slow and expensive".

Lauda
February 19, 2020, 06:34:25 PM
Merited by nullius (2)
 #5

Quote from: bitmover
From iota.com blog

https://blog.iota.org/instant-feeless-flash-channels-88572d9a4385?gi=9eb5072573c4

Quote
Instant & Feeless— Flash Channels
Lewis Freiberg
Sep 24, 2017 · 10 min read

The goal of the IOTA Foundation is it to build a flourishing Machine Economy, where machines seamlessly interact and transact with each other. With IOTA, we have introduced the first scalable distributed ledger architecture that has no transaction fees and is able to run in the Internet of Things environment. The power of IOTA is in its network, as it scales horizontally with the number of network participants transacting with each other.

Free and instant transaction.  Fully scalable.

But everything has a price. Looks like iota price is very expensive.

This scalability drama is just ridiculous. A stupid idea which became a marketing z to make fools buy shitcoins and stay away from bitcoin because it is "old slow and expensive".
Quote
Response Three:
Orcutt’s claim that IOTA is free of fees is misleading. Though perhaps not immediately obvious, IOTA transactions are "zero fee" in exactly the same way that Bitcoin transactions are. An important difference is that Bitcoin has miners who can perform the proof of work for you, while IOTA users do the proof of work on their own devices, per transaction. However, a Bitcoin user can also mine their own block to get their transactions accepted into the blockchain without paying fees. To put it another way, most people wouldn’t be interested in buying a refrigerator operated by a hand crank, even if the advertisement said “No electricity required!”

It’s true that transactions with Bitcoin and other digital currencies, even when amortized over a block with thousands of other transactions, require much more work than transactions in IOTA. However, the claim is not that IOTA transactions are easier—the claim appears to be that IOTA transactions are free.

Semantics aside, this claim, which appears in IOTA marketing materials, is deceptive; the work required is a fee, whether or not it requires a monetary payment. Restricting the ways in which the fee can be paid—requiring that the work be done on a user’s own device—doesn’t make it go away.
Source:


nullius (OP)
February 19, 2020, 09:03:41 PM
 #6

For those who need a TL;DR:  There Ain’t No Such Thing As A Free Lunch!  (Link for Tor users, whom that website blocks—or see Wikipedia.)

That is just common sense, the general concept of which has been the stuff of proverbs for thousands of years.  Crypto newbies may not know Schneier’s warning signs of snake oil cryptography.  Whereas every reasonable person should know that “free” is the most expensive—especially when it comes to financial investments.

Quote from: bitmover
From iota.com blog

https://blog.iota.org/instant-feeless-flash-channels-88572d9a4385?gi=9eb5072573c4

Quote
Instant & Feeless— Flash Channels
[...]

Free and instant transaction.  Fully scalable.

But everything has a price. Looks like iota price is very expensive [...]
Quote
Response Three:
Orcutt’s claim that IOTA is free of fees is misleading. [...]
Source:


People need MIT wizards to lay that out for them?  Roll Eyes

allyouracid
February 19, 2020, 09:28:28 PM
 #7

Quote from: Lauda
I'm really sorry for everyone who lost money in this very sophisticated scam, and hope that we can prevent additional people from becoming victims of IOTA.
I see correlation rather than causation. There just is no real connection between how / if a product works and its market share.

Fact is, though, that IOTA has always overpromised and underdelivered. It was (like most cryptocurrencies) hyped like there's no tomorrow. At the end of the day, people who lost money on it lost it because of their greed, not because IOTA is a "scam", or, as I prefer, vaporware.

Don't visit my shitcoin blog: OCOIN.DEV
Use cointracking.info for tax declaration & tracking of your trades!
Lauda
February 19, 2020, 09:34:10 PM
Last edit: February 19, 2020, 09:44:16 PM by Lauda
Merited by nullius (2)
 #8

Quote from: allyouracid
Quote from: Lauda
I'm really sorry for everyone who lost money in this very sophisticated scam, and hope that we can prevent additional people from becoming victims of IOTA.
I see correlation rather than causation. There just is no real connection between how / if a product works and its market share.

Fact is, though, that IOTA has always overpromised and underdelivered. It was (like most cryptocurrencies) hyped like there's no tomorrow. At the end of the day, people who lost money on it lost it because of their greed, not because IOTA is a "scam", or, as I prefer, vaporware.
This space (today) consists of probably >99% people who are unable to research these things sufficiently for themselves due to lack of technical knowledge et al. They are easy targets for fraudsters and scammers, and I do not blame them. We are here to educate and protect as many as we can.  Smiley

If you say you are developing X, and it does not get released within 3-5-10 ETA's, then it is very probably vaporware.
If you say that the thing that you have released today is X, and it is actually not even close to that, but Y, then that is fraudulent advertising i.e. scamming.

Keep this important distinction in mind.

The Sceptical Chymist
February 19, 2020, 10:11:55 PM
 #9

Quote from: nullius
People need MIT wizards to lay that out for them?  Roll Eyes
Lol, I probably wouldn't understand a thing that they were saying--but I definitely see where this shit took a nosedive (and why).

Before reading this thread I really didn't know anything about IOTA.  It was just a project whose name I saw from time to time on the forum, and I had no idea how centralized it was.  I appreciate Nullius breaking everything down here (and for starting the thread in the first place), as I wouldn't have read anything about this scam otherwise.

Wouldn't this sort of shenanigans be a problem with Ripple as well?  And I have to profess ignorance about how Ripple works, but I'm pretty sure it's just as centralized as IOTA is. 

Lauda
February 19, 2020, 10:17:41 PM
 #10

Quote from: The Sceptical Chymist
Wouldn't this sort of shenanigans be a problem with Ripple as well?  And I have to profess ignorance about how Ripple works, but I'm pretty sure it's just as centralized as IOTA is.
It is a very different case that needs to be handled on its own. Evidently, Ripple does not claim to be a cryptocurrency such as Bitcoin AFAIK (they are something else entirely) - despite their frequent attacks and public lies by their CEO (public as in in interviews and similar). They will get their chance in the spotlight as soon as there is more time.

JollyGood
February 20, 2020, 02:44:02 AM
 #11

Any crypto having a kill switch is rather far-fetched. Why did they have it in the first place? Any centralised project can have a lot of things their way or unconventional but when I read about the whole project going off-line for those two days or so it shows exactly why IOTA and any other centralised crypto should be avoided unless they show exactly what cards they are holding.

Back in January 2018 this project had a market capital of over $14 billion but IOTA now has just $770 million market capital and it is dropping fast. Here is yet another of many mismanaged projects that had too much talk and not enough action and development therefore it fell from massive all time highs to a fraction of that.


PrimeNumber7
February 20, 2020, 07:01:49 AM
Merited by nullius (2), Lauda (1)
 #12

Quote from: JollyGood
Any crypto having a kill switch is rather far-fetched. Why did they have it in the first place?
According to the IOTA documentation, the coordinator (aka kill switch) is to prevent certain types of attacks related to double spending. IOTA does not have any miners, and it does not cost any coin to send a transaction (only a trivial amount of POW effort), and there is the risk that someone could do something very similar to a selfish mining attack that does not cost anything to try. 

The way I read the documentation, I don't think the coordinator was intended to be used as a kill switch, or more specifically, this is not how it is presented.

I don't like the use of a centralized validator, and would not trust any coin that uses one. It appears they are rolling back the IOTA blockchain to reverse the transactions involving the stolen coin. Ethereum did something very similar in its early days when a hacker exploited a flaw and drained coin out of the DAO, although it had something resembling consensus before doing this.
Lauda
February 20, 2020, 07:06:11 AM
 #13

Quote from: PrimeNumber7
I don't like the use of a centralized validator, and would not trust any coin that uses one. It appears they are rolling back the IOTA blockchain to reverse the transactions involving the stolen coin. Ethereum did something very similar in its early days when a hacker exploited a flaw and drained coin out of the DAO, although it had something resembling consensus before doing this.
Thanks for the link. I did not know this.

Quote
Step 3 is a snapshot will be taken of the IOTA network from before the hack, and any transactions involving compromised wallets will be rewound. A 3rd party service will then perform a know your customer (KYC) identification process to return stolen funds.

Wow..

allyouracid
February 20, 2020, 08:29:22 AM
Merited by mindrust (2), nullius (1)
 #14

Quote from: Lauda
This space (today) consists of probably >99% people who are unable to research these things sufficiently for themselves due to lack of technical knowledge et al. They are easy targets for fraudsters and scammers, and I do not blame them. We are here to educate and protect as many as we can.  Smiley
Which is a - pun intended Grin - very laudable thing to do. For the noobs getting educated, this is a huge plus, considering large corporations like Volkswagen, Bosch, Microsoft etc. didn't get that opportunity.
While most of those announcements of cooperations with companies are surely exaggerated (many of such cooperations merely consist of a company having a "blockchain research unit" which checked out the IOTA repo to take a look at it… bit offtopic, but that Tweet about sums it up: https://twitter.com/CryptoCronkite/status/1227320690321297409), I can see how they scratched their heads when they saw in what terrible way CfB etc. interacted with researchers who took their valuable time for pointing out weaknesses a.k.a. helping to make the product better.

For me, this project was over when CfB told the researchers that they implemented the "collision feature" in curl to protect IOTA from copycats, what the actual fuck.

Quote from: Lauda
If you say you are developing X, and it does not get released within 3-5-10 ETA's, then it is very probably vaporware.
If you say that the thing that you have released today is X, and it is actually not even close to that, but Y, then that is fraudulent advertising i.e. scamming.

Keep this important distinction in mind.
Depends on what point of view you have (some would even say that Bitcoin is not a decentralized, Peer-to-Peer Electronic Cash System ^^): those who were following the project closely knew about the coordinator, and that it was a centralized element which was intended to kickstart the network and to be removed, later. The "later" got delayed again and again, making the description of IOTA a concept rather than an actual product, thus vaporware.

For somebody who only read the catchy phrases and didn't bother taking a very close look at what he throws his money at, it might well be described as a scam. To be fair, the IOTA team did not put much effort into explaining IOTA's weaknesses.

Don't visit my shitcoin blog: OCOIN.DEV
Use cointracking.info for tax declaration & tracking of your trades!
Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


View Profile WWW
February 20, 2020, 08:51:42 AM
Merited by nullius (1)
 #15

Which is a - pun intended  Grin - very laudable thing to do.
Kiss  Kiss

For me, this project was over when CfB told the researchers that they implemented the "collision feature" in curl to protect IOTA from copycats, what the actual fuck.
They changed their mind later, apparently it was written by an AI.  Roll Eyes

Depends on what point of view you have (some would even say that Bitcoin is not a decentralized, Peer-to-Peer Electronic Cash System ^^):
While people have the right to keep any ridiculous belief that they want to, the above is not based on science and is thus incorrect. I am not interested in unbacked opinions - this case was constructed very objectively, hence why I created a flag.

those who were following the project closely knew about the coordinator, and that it was a centralized element which was intended to kickstart the network and to be removed, later. The "later" got delayed again and again, making the description of IOTA a concept rather than an actual product, thus vaporware.

For somebody who only read the catchy phrases and didn't bother taking a very close look at what he throws his money at, it might well be described as a scam. To be fair, the IOTA team did not put much effort into explaining IOTA's weaknesses.
Last sentence: There's a very good reason for that - think about it using Occam's razor.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
tyKiwanuka
Legendary
*
Offline Offline

Activity: 1694
Merit: 1670


#birdgang


View Profile
February 20, 2020, 06:25:22 PM
Merited by nullius (3), JollyGood (1)
 #16


By now CfB has nothing to do anymore with IOTA other than his company using the Tangle - or intending to do so, but he will probably fork it. David Sønstebø and CfB have been bff for a long time until the moment they had different opinions about the future of IOTA. You can read what David has to say about that here.


https://twitter.com/c___f___b/status/1224039770499796993

To my knowledge, this is the Bitcointalk account David is in control of: iotatoken



During the split-up drama between David and CfB some weeks ago, CfB posted some private (and most likely sort of confidential) conversations on his Twitter account and Paracosm Discord.


Source: Paracosm Discord

Most of these leaks are already deleted, but they revealed some shady things waiting to happen as you can see in the screenshot above. There are still unclaimed IOTA from the ICO and David wants (wanted) to give them to JINN.

JINN is a private company in stealth mode, that was founded by David, CfB and some other unknown third guy. See more here.

.....how time flies.....
JollyGood
Legendary
*
Online Online

Activity: 2534
Merit: 1713


Top Crypto Casino


View Profile
February 20, 2020, 07:13:48 PM
 #17

Excellent post. Thank you for the links and background information.

By now CfB has nothing to do anymore with IOTA other than his company using the Tangle - or intending to do so, but he will probably fork it. David Sønstebø and CfB have been bff for a long time until the moment they had different opinions about the future of IOTA. You can read what David has to say about that here.


https://twitter.com/c___f___b/status/1224039770499796993

To my knowledge, this is the Bitcointalk account David is in control of: iotatoken

Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


View Profile WWW
February 20, 2020, 10:52:59 PM
Merited by nullius (2)
 #18

By now CfB has nothing to do anymore with IOTA other than his company using the Tangle - or intending to do so, but he will probably fork it. David Sønstebø and CfB have been bff for a long time until the moment they had different opinions about the future of IOTA. You can read what David has to say about that here.
- snip -
To my knowledge, this is the Bitcointalk account David is in control of: iotatoken
Thanks. Here is also the flag against that account:
https://bitcointalk.org/index.php?action=trust;flag=1392

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
JollyGood
Legendary
*
Online Online

Activity: 2534
Merit: 1713


Top Crypto Casino


View Profile
February 20, 2020, 11:37:28 PM
 #19

Flag has been supported. A massive thank you to all contributors to this thread for bringing any information of substance about the IOTA team.

Thanks. Here is also the flag against that account:
https://bitcointalk.org/index.php?action=trust;flag=1392

tyKiwanuka
Legendary
*
Offline Offline

Activity: 1694
Merit: 1670


#birdgang


View Profile
February 21, 2020, 06:53:02 PM
 #20

This might be a bit off-topic, but gives some insight about the whole incident. The IOTA Foundation has released a three-part series, where they explain (in part 1) how an attacker could successfully steal around 8.5TI (around USD 2,550,000).

This was the main issue:

Quote
At the time of its integration into Trinity, Moonpay was only available as bundled code delivered by a CDN (content delivery network), so the IOTA Foundation integrated it as such. Although widely used in web technologies, CDN delivery has inherent risks. One of those risks is that the code expected by the device could be unknowingly replaced with code that is not expected. The IOTA Foundation flagged the risks involved and requested an NPM (Node package manager) to mitigate it. This was later published by Moonpay, after most of the integration work had already been done, but release pressure and human error added up to the Foundation not switching to the more secure NPM package prior to launch. This was the weakness leveraged by the attacker and one that could likely have been resolved if the Foundation had had a more extensive, cross-team review process for larger releases.

Pretty careless and there is no way this should have happened.

See the whole story here: Trinity Attack Incident

.....how time flies.....
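The quoted statement says CDN-delivered code "could be unknowingly replaced with code that is not expected". The block below is an added example, not part of the thread and not code from the IOTA Foundation or Moonpay: it shows one way an integrating application can detect such a replacement, by pinning a Subresource-Integrity-style digest of the reviewed bundle and refusing to load bytes that do not match. This is a different control from the NPM switch the quote describes; the function names and the sample bundle contents are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Hash algorithms allowed in an SRI string, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Build the pin from the bytes that were reviewed at integration time.
function pin(bytes, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Parse "sha384-<b64> sha512-<b64>" into entries; malformed or unknown tokens are dropped.
function parseIntegrity(integrity) {
  return String(integrity || '').trim().split(/\s+/).filter(Boolean)
    .map((token) => {
      const dash = token.indexOf('-');
      if (dash < 0) return { alg: '', digest: '' };
      return { alg: token.slice(0, dash), digest: token.slice(dash + 1).split('?')[0] };
    })
    .filter((e) => STRENGTH.includes(e.alg) && e.digest.length > 0);
}

// Decide whether fetched bytes may be loaded. Fails closed when no usable pin
// exists, and only honours the strongest algorithm present so a weaker digest
// cannot be used to slip a different bundle past the check.
function verifyBundle(bytes, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return { ok: false, reason: 'no usable pinned digest' };
  const strongest = entries.reduce((best, e) =>
    (STRENGTH.indexOf(e.alg) > STRENGTH.indexOf(best) ? e.alg : best), entries[0].alg);
  const actual = crypto.createHash(strongest).update(bytes).digest('base64');
  const ok = entries.some((e) => e.alg === strongest && e.digest === actual);
  return { ok, reason: ok ? `matches pinned ${strongest}` : `${strongest} digest mismatch` };
}

// Constructed sample input: the bundle as reviewed, and different bytes later
// served from the same URL.
const reviewed = Buffer.from('export function buy(amount) { return checkout(amount); }\n');
const served = Buffer.from('export function buy(amount) { return checkout(amount); } /* changed */\n');
const PINNED = pin(reviewed);

console.log(verifyBundle(reviewed, PINNED));
console.log(verifyBundle(served, PINNED));
```

A pin like this only helps if it is stored with the application's own reviewed source and updated through the same review process as any other dependency bump.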