MyAlgo

2021-02-16

Rand Labs releases updated MyAlgo wallet with multisig support, establishing it as a primary Algorand wallet.

2023-01-21

Malicious JavaScript worker uploaded to the CDN serving wallet.myalgo.com, beginning silent private key exfiltration from users who unlocked their wallets.

2023-02-19

First wave of active thefts begins; attackers use harvested credentials to drain approximately $7.2 million confirmed across 17 addresses.

2023-02-21

First theft wave concludes. Total losses in this wave estimated at $9.2-9.6 million including 19.5M ALGO and 3.5M USDC. ZachXBT publicly quantifies stolen amounts.

2023-02-27

MyAlgo issues public warning advising all mnemonic wallet users to immediately withdraw funds. New wallet version released, ending the CDN injection.

2023-02-28

CoinDesk publishes initial reporting. ChangeNOW freezes approximately $1.5 million in stolen funds transiting through its platform.

2023-03-05

Second wave of thefts begins, targeting additional compromised credentials.

2023-03-06

Algorand Foundation publicly acknowledges the exploit after approximately two weeks of silence. Algodex also reports its company wallet was infiltrated by a malicious actor (loss under $55,000). Lofty.ai reports $65,000 theft on Algorand.

2023-03-09

Algorand Foundation CTO John Woods releases statement confirming the exploit is not caused by an underlying issue with the Algorand protocol or SDK.

2023-03-17

Fourth wave of thefts occurs.

2023-03-31

Fifth and final documented wave of thefts occurs.

2023-04-01

Exploit details — including the CDN injection date of January 21 — are publicly revealed. MyAlgo discloses preliminary findings identifying CDN MITM as the attack vector.

2024-01-30

MyAlgo wallet officially shut down and decommissioned. Platform no longer accessible for transaction signing.