Investigating stolen funds on Mainnet

Stay updated here:

Status history

February 19th 2020 – 15:14


A short update about the current situation.

1. As a reminder, ALL TRINITY USERS WHO OPENED TRINITY BETWEEN 17 DECEMBER 2019 AND 18 FEBRUARY 2020 01.30 CET WILL NEED TO USE THE SEED MIGRATION TOOL IN ORDER TO PROTECT THEIR TOKENS. We are still working on building and testing the seed migration tool. We will inform you here as soon as it is ready.

*Note Ledger Nano users do not need to use the migration tool.

2. Last night we released an updated mobile wallet for both iOS and Android. Please visit the App Store or Play Store respectively to download it or update your current version. While, as of now, we have no indication that mobile users were affected by the attack, out of an abundance of caution, WE STRONGLY RECOMMEND THAT EVEN MOBILE WALLET USERS CHANGE THEIR PASSWORD AND USE THE SEED MIGRATION TOOL AS SOON AS IT’S AVAILABLE.

3. Trinity users who have already updated their wallets will have noticed the removal of MoonPay services from the updated versions of the wallet. This was necessary because the security vulnerability was introduced into the Trinity wallet via the MoonPay integration. We are working on an incident report in which we will publicly disclose the details of the vulnerability, how it was introduced, how it was exploited, and the steps we are taking to improve our security practices as a whole.

4. We have received requests from several users to provide information as to whether any Trinity users’ credit card information might have been compromised in connection with this security incident. Moonpay provides payment processing as a function of its own platform, which is independent of Trinity. For now, we can only share with the community the below statement from Moonpay on this matter. Please note that the IOTA Foundation is not in a position to independently verify the accuracy of the statement, due to the fact that the evidence to support it is not in our possession.

MoonPay Statement to Customers on Credit Card Information

“MoonPay, as a partner of Trinity Wallet, has been working with the IOTA Foundation and third-party experts to assist with the ongoing investigation. At this time, as the payment processor of the Trinity Wallet, we want to inform users who have input their credit card details into the Trinity Wallet that, to the best of our knowledge, their credit card information is unlikely to have been compromised by this security incident. Credit card details are encrypted and processed in compliance with the Payment Card Industry Data Security Standard. However, until the investigation has been completed, we would like to ask users who purchased Miota using the Trinity Wallet to monitor their statements and report any suspicious activity they observe to their banks immediately.”

5. We are constantly in contact with law enforcement in several countries and are working closely with them to ensure fast and thorough investigations. If you’re an affected user, we would greatly appreciate it if you could please file a report with your local police, as this will help us with the criminal investigations. In most countries you can quickly file a report online. We recommend that you include in your report the following German case file number so that the authorities in your country can quickly get in touch with the other authorities already working on the investigation elsewhere:

Germany, Center for Cybercrime, LKA Berlin, Case Number: 200213-1717-i00290

6. We are still refining the remediation plan in light of continuously updated information and will provide further details as soon as we can.

Thank you all for your patience. We will continue to update you on all important developments as we are able.

February 17th 2020 – 14:47

Here is a short overview of the attack remediation plan and the next steps going forward. Essentially the remediation plan involves three steps:


As announced yesterday, we have released an updated version of Trinity which allows you to check your balance and transactions. Please download this newest version of Trinity here and install it over your old version:

When you download the new version, MAKE SURE TO CHANGE YOUR PASSWORD AND STORE IT IN A PASSWORD MANAGER. If you have used the same password also for other services or websites, we strongly recommend you change it there, too, as a precaution.

By upgrading to this new version of Trinity, you will remove the vulnerability from your wallet and render the hacker incapable of accessing your wallet if s/he has not already done so.


In the upcoming days, we will release a seed migration tool that will allow users to transfer their tokens to a safe seed. We strongly recommend that ALL users who have opened any version of Trinity (Desktop or Mobile) since the 17th of December 2019 utilize the tool and migrate their tokens to a new, safe seed during the soon-to-be-announced migration period BEFORE the coordinator is re-started. More information on the tool and how to use it will be provided when the tool is published.

By migrating your tokens to new, safe seeds prior to the re-start of the coordinator, you will render the attacker incapable of making unauthorized transfers of your tokens if s/he has not already done so.

*Note: our current information indicates that the hack started on or around 25 January 2020 and that only Trinity Desktop users’ seeds were potentially compromised. However, out of an abundance of caution, we are nevertheless recommending that ALL users (not only desktop users) who are concerned about possible token loss should migrate their tokens to a new seed.

*Note: Ledger Nano users do not need to use the migration tool but a password change is still strongly recommended.


Our current information indicates that only a limited number of bundles were successfully transferred by the attacker out of the true owners’ wallets. We have notified all exchanges of all compromised bundles we are aware of so as to prevent any further movement of any stolen tokens. We therefore anticipate that in the majority of cases, Steps 1 and 2 will be sufficient to protect most users’ tokens.

To address the minority of cases in which unauthorized token transfers were made out of users’ wallets, a third step is needed. We will perform a global snapshot of the network that will, pending community validation, enable us to bring stolen tokens back to the affected users. More information on the process as well as the consequences for all affected users will be provided soon.

Assuming the snapshot is successfully validated by the IOTA community (node operators), we will implement a KYC procedure involving a third party that will enable all users who had their tokens stolen to reclaim them. The same procedure will also be required for certain cases in which the migration tool is used fraudulently or incorrectly. More information on this process will follow shortly.

After the migration process, we will restart the coordinator and resume normal operations on the network. An update on the timeline will be released in the upcoming days.

We will publish detailed instructions on the steps users should take as soon as the remediation tools and processes are ready. For now, please make sure to download the new Trinity version to change your password and check your balance.

We would also like to ask any affected users from the United States to come forward and DM our team, as your cooperation could assist us with ongoing law enforcement investigations.

Thank you all for your patience. We will continue to update you on all important steps along the way and will do our best to make the transition as easy and smooth as possible.

February 17th 2020 – 01:23

We have just released a safe version of Trinity Desktop to allow users to check their balance and transactions. This version (1.4.1) removes the vulnerability announced on 12th February 2020. Download the version here and install it over your old version:

Balances and transactions are fetched on login. If your balance does not look correct or you have unrecognised outgoing transactions, please contact a Discord mod or member of the IOTA Foundation directly on Discord. Please be aware that there are unfortunately active imposters posing as IOTA Foundation personnel on our Discord. Therefore it is important that you directly initiate contact with the IF or mod team yourself.

Trinity Mobile does not appear to have been affected by the attack but we ask that you not to open Trinity Mobile until a new mobile version is released.

The Coordinator remains down for now as we finalise our remediation plan. You will not be able to send value transactions. We will post an additional update soon detailing the plan going forward.

February 16th 2020 – 13:10

The new Trinity version is currently in progress. This version will be first and foremost, safe. We have identified the vulnerability and it has been removed from the wallet. This version will allow you to open the wallet and check your balance and transactions.

When released, we ask that if you see any unusual activity on your accounts to contact the Discord mod team or IOTA Foundation members directly. Please be aware that there are unfortunately active imposters posing as IOTA Foundation personnel on our Discord. Therefore it is important that you directly initiate contact yourself with the IF or mod team.

In the meantime, we are internally validating the full remediation plan before getting full sign off. Once we have signed off on the plan we will share further details publicly.

Again, we appreciate your patience right now. We are doing everything we can to resolve this incident in as secure and smooth a way as possible.

February 16th 2020 – 00:20

We have made substantial progress with the investigation and remediation plan today.

We continue our work with law enforcement, our in-depth analysis of exactly what happened, together with a remediation plan to the secure funds of Trinity users.

We are building a new analytics toolset (utilising our permanode) that tracks funds in real time. This tool will help support the ongoing investigation.

We have also remediated the vulnerability in Trinity. The upcoming Trinity update will not function as a final transition tool, as we are still working on bringing the network back to full operation. If you have Trinity installed on your computer, we highly recommend you upgrade to this version when released.

We greatly appreciate your patience while we resolve this complex situation. And will continue to share regular updates as we have developments.

February 15th 2020 – 11:50

We are working on the remediation plan to avoid the loss of funds. We will share more details once the plan is fully aligned and approved.

February 14th 2020 – 23:50

After successfully identifying the attack on Trinity through a third-party integration, we are currently working on a plan on how to recover from this exploit and get the network back into full operation. We also want to allow anyone who might have been affected to safely transition. We are working on an action plan, which will be communicated as soon as possible. On the vulnerability side, all parties are notified and they are working with law enforcement and external auditors to fully understand how this happened. Please refer to this page for future updates.

February 14th 2020 – 16:50

We have found the exploit and are now working on resolving the issue. As expected, the exploit is related to the (user-facing) Trinity Wallet. The IOTA core protocol is – as already communicated before – not breached.

We know that you would like to understand more details, but ask you to refrain from questions towards the Community Moderators due to the parallel ongoing coaction with law enforcement. The teams are currently developing the mitigation strategy. We will share all details about the exploit in due time and (of course) publish a complete incident analysis as well.

February 14th 2020 – 14:45

After another long night we are confident to exclude several of the initially estimated root causes of the attack. The team is investigating every single dependency (and their dependencies) of Trinity.

Additional external cyber security experts have joined the investigation with multiple security teams working on the incident analysis. The investigation has yielded absolutely no indication that there has been a core protocol breach of any kind. Rather, all evidence so far points to a problem with a dependency of the Trinity wallet.

The attack pattern analysis showed that the halt of the coordinator interrupted the attacker’s attempts to liquidate funds on exchanges. The stolen funds have been purposely and repeatedly merged and split to obfuscate the investigation, and with the current token exchange rate as well as exchanges’ KYC limits in mind. We received additional feedback from more exchanges (not all yet), confirming that none of the identified transactions has been received or liquidated. Our current assumption is that the perpetrator targeted high value accounts first, before moving on to smaller accounts and then being interrupted early by the halt of the coordinator. (Again: Hardware wallet users are not affected.)

Please note that we are very much aware of the sentiment of the community. But with the safety of the users’ funds being the highest priority in a Major Incident like this, we stand by our decision to make use of the coordinator’s security features and halt all value transfers during the ongoing investigation, in order to protect the users. This not only stops the perpetrator from exploiting more captured seeds but ensures the time needed to fully understand the intrinsics of the attack and enact a mitigation strategy.

We are also consolidating an FAQ document to answer the community’s pressing concerns.

February 13th 2020 – 21:45

We are still evaluating multiple possible root causes, including an exploit of a previous Trinity version with all its dependencies.

We have been working on the investigation of attacked seeds and analyzed the attack pattern, using a set of newly developed tools, as well as finishing a complete manual verification (to validate tooling reliability).

In order to have a single point of information for the community, we have accelerated the setup of, which is available since the afternoon to consolidate all updates. A newly created questionnaire also gives us a more detailed insight around the circumstances under which the funds have been stolen.

Additional several cyber forensic experts have joined the investigation to perform deep scans of Trinity’s dependencies as well as affected systems. First (but not all) exchanges have responded, reporting that no monitored funds have been transferred or liquidated.

Due to the ongoing investigation of the root cause, we will continue to halt value transactions on the network. Please note that data transactions are not affected.

February 13th 2020 – 16:45

We’ve shifted the complete focus of all relevant resources of the IOTA Foundation to this investigation last night and we have been working in teams to investigate impact and cause together with the identified victims. The conclusions so far are:

  • Most evidence is pointing towards seed theft, cause still unknown and under investigation
  • Victims (around 10 that identified with the IOTA Foundation so far) all seem to have recently used Trinity
  • After in depth transaction analysis it looks like about half of the victims with confirmed funds moved out are already in contact with the IOTA Foundation
  • We will continue to investigate to find the root cause and will follow up with further actions and updates
  • We’ll share a full transparent report of all events once this has concluded, for now we’ll limit the information we share to not give provide the attackers with any additional insights

We can’t rule out other scenario’s, the found information is not conclusive. We will keep you updated on this status page if we have new information to share.

February 12th 2020 – 18:20

After initial investigation we decided to turn off the Coordinator to make sure no further theft can occur until we find out the root cause of these thefts. Further investigation taking place from here on.

February 12th 2020 – 17:55

After receiving several reports of fund theft that looked out of the ordinary in a short timeframe we decided to warn about this in Discord and on Twitter. As a precaution we ask you to keep your Trinity wallet closed for now.

Get real time updates directly on you device, subscribe now.

You might also like

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More