The MyAlgo attacks have so far been clustered around five distinct waves, roughly corresponding to these dates:
First Wave: February 20, 2023
Second Wave: March 5, 2023
Third Wave: March 6, 2023
Fourth Wave: March 17, 2023
Fifth Wave: March 31, 2023
This article presents data from the fifth wave - March 31 - as well as subsequent movements of stolen funds.
Summary
The attack was automated and ran for 14 hours - from 2023-03-31 10:15 (GMT) until 2023-04-01 00:25 (GMT). ASAs were drained from 4,166 accounts into the following malicious account:
MVEKYHFLJ63UKDYGNKCJD7WO5KFJZFVFMJPSDAWLDIDP4LUP575YDOW6GI
At least 184 of these addresses have been targeted in previous waves.
69 different ASAs were stolen. Aside from the initial seeding of the malicious address by a known-compromised address, ALGO was not targetted in this attack.
The total value stolen is approx. $160K USD, per ASA stats (note: some tokens were not recognized).
Dex Swaps
25 DEX swaps were made on Tinyman during the attack. The following ASA amounts were swapped for a total of 353,860.76 $ALGO.
$BUY Token Clawback
Notably, the attackers stole 30% of the circulating supply of the $BUY ASA (buying.com). This asset has freeze and clawback enabled. The company was notified and was able to claw back the funds while the attack was still in progress.
Data
You can find a detailed spreadsheet with all malicious transactions, including sheets with aggregates per stolen ASA, DEX swap aggregates and victim addresses here.