The MyAlgo attacks have so far been clustered around five distinct waves, roughly corresponding to these dates:

First Wave: February 20, 2023
Second Wave: March 5, 2023
Third Wave: March 6, 2023
Fourth Wave: March 17, 2023
Fifth Wave: March 31, 2023

This article presents data from the fifth wave - March 31 - as well as subsequent movements of stolen funds.


The attack was automated and ran for 14 hours - from 2023-03-31 10:15 (GMT) until 2023-04-01 00:25 (GMT). ASAs were drained from 4,166 accounts into the following malicious account:


At least 184 of these addresses have been targeted in previous waves.

69 different ASAs were stolen. Aside from the initial seeding of the malicious address by a known-compromised address, ALGO was not targetted in this attack.

The total value stolen is approx. $160K USD, per ASA stats (note: some tokens were not recognized).

Dex Swaps

25 DEX swaps were made on Tinyman during the attack. The following ASA amounts were swapped for a total of 353,860.76 $ALGO.

$BUY Token Clawback

Notably, the attackers stole 30% of the circulating supply of the $BUY ASA ( This asset has freeze and clawback enabled. The company was notified and was able to claw back the funds while the attack was still in progress.


You can find a detailed spreadsheet with all malicious transactions, including sheets with aggregates per stolen ASA, DEX swap aggregates and victim addresses here.