Algorand-based wallet provider MyAlgo has again urged users to withdraw their funds after a February security breach which doesn’t appear to have been resolved.
Update: Funds are still being actively drained from MyAlgo users. https://t.co/fzkS9PFkAm pic.twitter.com/cgrWigu2Wn
— ZachXBT (@zachxbt) March 6, 2023
Meanwhile, decentralized exchange Algodex has revealed a malicious actor infiltrated a company wallet on Mar. 5 in what “appears to be similar to what is currently happening in the Algorand ecosystem,” it said in a Twitter post.
In a Mar. 6 post, Algodex explained that during the early hours of the previous morning, a company wallet was infiltrated by a malicious actor.
According to Algodex, precautions were taken before the attack, including moving the bulk of their USDC and treasury tokens ALGX tokens to secure locations.
#PeckShieldAlert @AlgodexOfficial reported that a malicious actor infiltrated 1 of their corporate wallets (w/s ~55k)
The exploit seems to share similarities with the ongoing incidents in the #Algorand ecosystem@myalgo_ alerted users to withdraw funds/rekey funds to new account https://t.co/G7nhlzMebF
— PeckShieldAlert (@PeckShieldAlert) March 7, 2023
However, the infiltrated wallet was tied to Algodex’s liquidity rewards program and was responsible for providing extra liquidity to the ALGX token.
“This resulted in the malicious actor being able to remove the Algo and ALGX in the Tinyman pool created by us to provide additional liquidity to the ALGX token,” Algodex said.
The exchange noted that $25,000 in ALGX tokens meant to provide liquidity rewards were taken but said it would replace this in full.
It added that the total loss from the theft was less than $55,000, but Algodex users and the liquidity of ALGX were not affected.
Meanwhile, the wallet provider for the Algorand network, MyAlgo, has renewed warnings for users to withdraw their assets or rekey their funds to new accounts as soon as possible.
All users of MyAlgo must withdraw their funds or rekey their funds to new accounts asap! ⚠️ Do not wait!!
Create new account:https://t.co/FhRCndPvfShttps://t.co/mj57KBg8Ml
Rekey Account Instructions:
— MyAlgo (@myalgo_) March 6, 2023
Multiple warnings have been issued on the tail end of a Feb. 19 to Feb. 21 security breach at MyAlgo, which resulted in losses of around $9.2 million.
On Feb. 27, the MyAlgo team tweeted a warning of a targeted attack carried out “against a group of high-profile MyAlgo accounts” conducted over the past week.
Related: 7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama
The wallet provider further stated the cause for the wallet hack was unknown and encouraged “everyone to take precautionary measures to protect their assets” by transferring funds or rekeying accounts.
Algodex, Lofty and AlgoCasino were all hit March 5th
This seems to be a little more than phishing as per experts in the field
It has been strongly advised by people smarter than me that we A) Rekey accounts B) Send tokens to a brand new non-MyAlgo wallet C) Rekey to cold wallet https://t.co/nS2frvmmyT
— AndrewW.algo (@AndrewWindmills) March 6, 2023
John Wood, chief technology officer at the networks governance body the Algorand Foundation, went on Twitter the same day, saying around 25 accounts were affected by the exploit.
“This is not the result of an underlying issue with the Algorand protocol or SDK,” he said at the time.