
Attackers compromise MyDashWallet and steal private keys

  • Anyone who used mydashwallet.org between May 13 and July 12, 2019, had their private keys compromised.
  • The Greasy Fork account was then compromised on May 13, 2019, with the hacker adding code to send the user’s private keys to an external server.

Attackers gained access to MyDashWallet between May 13, 2019, and July 12, 2019, and stole the private keys.

The big picture

MyDashWallet disclosed that its external site serving CryptoJS scripts was compromised on May 13, 2019. The online wallet warned its users to move their funds to a new HD Wallet.

“To be safe please MOVE your funds to a new HD Wallet (create new wallet in new browser tab or with any other wallet, copy target address, move all funds from your old wallet to the new wallet),” MyDashWallet said.

Michael Seitz, Marketing Manager at Dash, said in a forum post that a hacker gained access to the system between May 13 and July 12 and obtained the private keys to any wallet used during that period. Anyone who used mydashwallet.org between May 13 and July 12, 2019, should consider their private keys compromised.

However, users who used MyDashWallet in conjunction with a hardware wallet or with associated tipbots are not affected. Dash Core Group is assisting the online wallet in resolving the incident and notifying law enforcement.

What happened?

  • A Dash.org administrator who goes under the name Tungfa explained that MyDashWallet was modified on April 18, 2019, to download an external script from Greasy Fork.
  • The Greasy Fork account was then compromised on May 13, 2019, with the hacker adding code to send the user’s private keys to an external server.
  • This change was detected on July 12, 2019, when the hacker used the private keys to move user funds.

“The hack itself was only active for two months before being detected. The insecure coding practice implemented by MyDashWallet went undetected for over a year due to insufficient review of code by third parties. In the future, all code handling private keys should be reviewed thoroughly before being trusted with user funds. In particular, the use of local keystore files should be discouraged in favour of hardware wallets, similar to best practices implemented by MyEtherWallet,” Tungfa said.
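The timeline above (an external script added on April 18, then altered at its source on May 13) is the case that hash-pinning third-party scripts is meant to catch. As an added example, not code from MyDashWallet or this article, the Node.js audit below flags cross-origin `<script>` tags that carry no Subresource Integrity hash and reports a pinned script whose served content no longer matches. It assumes the script is loaded through a `<script>` tag; the hostnames, script bodies and function names are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// SRI-style digest: "sha384-" + base64(SHA-384(body)).
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// Collect cross-origin <script src> tags and their integrity attribute, if any.
// A regex is enough for auditing static HTML; it is not a full HTML parser.
function externalScripts(html, pageOrigin) {
  const found = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag[1]);
    if (!src) continue;                                   // inline script
    const url = new URL(src[1], pageOrigin);
    if (url.origin === new URL(pageOrigin).origin) continue; // first-party
    const pin = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(tag[1]);
    found.push({ url: url.href, integrity: pin ? pin[1] : null });
  }
  return found;
}

// served: map of URL -> script body as the third party serves it right now.
function audit(html, pageOrigin, served) {
  return externalScripts(html, pageOrigin).map((s) => {
    if (!s.integrity) return { url: s.url, status: 'UNPINNED' };
    const current = sriHash(served[s.url] ?? '');
    const ok = s.integrity.split(/\s+/).includes(current);
    return { url: s.url, status: ok ? 'OK' : 'MODIFIED' };
  });
}

// Constructed sample data: the body that was reviewed, and the same body
// after an unreviewed change was made on the third-party host.
const REVIEWED = 'function deriveKey(p){ return p; }\n';
const CHANGED = REVIEWED + '/* constructed: line added after review */\n';
const PINNED_URL = 'https://cdn.example/crypto-helper.js';
const PAGE = `<script src="/app.js"></script>
<script src="https://scripts.example/crypto-helper.js"></script>
<script src="${PINNED_URL}" integrity="${sriHash(REVIEWED)}" crossorigin="anonymous"></script>`;

function demo(servedBody) {
  return audit(PAGE, 'https://wallet.example', { [PINNED_URL]: servedBody })
    .map((r) => r.status);
}

console.log(demo(CHANGED));  // the unpinned tag and the changed script are both reported
```

In a browser, a script tag with a mismatched `integrity` value is refused outright, so the pinned case fails closed while the unpinned case runs whatever the third party serves.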
