Security Alert! MyAlgo users. - The problem

MyAlgo is an official Algorand wallet.
Their code is closed.
RandLab works closely with Algorand.

It is necessary to know the method of attack that MyAlgo has undergone. On their site they state that private keys never leave the device.

So, what kind of attack is it?

First case: a Man in the Middle Attack , then what RandLab declares is false, because it means that the keys leave the app.
No type of attack on the MyAlgo servers can steal the private keys, since they are not there.

Second case: malicious code has been injected on their web-server and this is an internal security problem.

And last but not least, how long has the leak existed?

I expect RandLab or someone else to clarify the problem on THIS FORUM, the official forum for developers and the ecosystem.


1 Like

according to some guy on algo discord, they were hosted on godaddy… other person pinpointed this article GoDaddy suffered a huge hack that saw criminals steal source code and install malware | TechRadar and i believe it sums it up…

with last 3 years someone could inject the code to their websites without them knowing, even possibly creating some proxy code so that in the web developers tools there is no suspicious traffic outside

this article was published 2 weeks back, so i assume the myAlgo is safe now (i might be wrong)

but i still believe we should create “Clean algorand iniciative” where there would be registry where any project can ask for the address and it would tell you if there are some stolen funds there… Open source initiative - #10 by scholtz It might prevent any potential hackers steal the funds or move them to algorand and wash them…


I agree, but to this initiative we must add that all system software officialized by Algorand must be open source.

1 Like

Which channel in Algo discord where was this theory discussed?
Also, to OP…Why is premise that MyAlgo wallet is official wallet? I thought Pera was official Algo wallet?


They got huge grants from the foundation. Audits were funded by foundation. They were heavily promoted by foundation. They have their custom channel in the algorand discord. Yet they dont have the rekey feature implemented yet. (If i am wrong in any point, please correct me)

On the other side, AWallet got grant rejected, did not receive any marketing support, listing to the list of wallets took almost a year.

The only official wallet was “Algorand wallet” which was later removed from the scope of algorand development and renamed to Pera wallet.

1 Like

Not entirely true, here you can find the page where MyAlgo was defined as Algorand Wallet.


In 2021 the pera wallet was named Algorand wallet, and it was official algorand wallet.

All wallets which works with algorand can be called “Algorand wallet” … it does not mean that the foundation paid the audits… they paid audits only to Pera, MyAlgo mobile, AlgoSigner chrome extension, and Defly.

I believe that Defly has quite old audit, and have a lot of changes since that.
I have not seen any audit of Pera web wallet which is everyone redirected now to.
Pera on android does not have rekey nor mutlisig feature.
MyAlgo does not have rekey feature.
AlgoSigner does not have any UI for rekeying nor multisig.

I am very happy that all this native algorand features which I love will be finally supported by all the wallets :slight_smile: At least some good has came from this incident.

1 Like

Are you sure ?

MyAlgo Wallet was de facto an official wallet.

I hope that in the future only wallets that use the WalletConnect protocol or similar will be used.

1 Like

I agree it was “Featured wallet”… They have a lot of marketing support for them, for example they have custom discord channel for myalgo wallet in official algorand discord.

I have asked if i can have there my channel, and answer was no.

One of the metrics when algorand is arganizing events is number of new pera app downloads. This still means for me that they consider the pera as the main official wallet they want to promote.

1 Like