Security Alert: Crypto Wallet Coinomi Reportedly Sending Seed Phrases to Google

Francisco Memoria

Multi-asset cryptocurrency wallet Coinomi reportedly has a major security vulnerability: according to various security researchers, it has been sending users’ seed phrases in plain text to third-party servers.

Twitter user Warith Al Maawali, who first discovered the vulnerability, claims to have found it after he entered his recovery phrase into Coinomi and then lost large amounts of cryptocurrency. He wrote:

My passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase.

The vulnerability sees the cryptocurrency wallet send users’ seed phrases as unencrypted plain text to a Google-owned server through a spell-check function. Maawali found the activity using software that allows the monitoring and debugging of HTTP/HTTPS traffic on applications.

To verify the threat, he noted on a website dedicated to the incident that all users have to do is “simply paste any random sentence with [a] spelling mistake in the textbox in Coinomi’s ‘Restore Wallet’ form/page.” The result, he wrote, is that the error will be underlined in red after being sent to Google for a spell check.
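The check described above can be repeated against a proxy capture instead of watching for the red underline. The following is an added example, not code from Maawali, Childs or Coinomi; the capture record format, the host names and the canary sentence are all constructed for illustration.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed canary sentence with a deliberate misspelling; never use a real seed.
CANARY = "orbit lantern velvet mistaek harbor"

# Constructed proxy capture (assumed record format): one dict per outbound request.
CAPTURE = [
    {"host": "wallet-backend.example", "path": "/v1/rates", "body": ""},
    {"host": "spellcheck.example", "path": "/check",
     "body": json.dumps({"text": CANARY, "lang": "en"})},
    {"host": "telemetry.example", "path": "/e?q=orbit+lantern%20velvet", "body": ""},
    {"host": "cdn.example", "path": "/img/harbor.png", "body": ""},
]


def words_in(text):
    """Decode URL escapes, then split into lowercase alphabetic words."""
    return re.findall(r"[a-z]+", unquote_plus(text).lower())


def leaked_words(record, canary=CANARY):
    """Return the canary words found in a request's path or body, in canary order."""
    seen = set(words_in(record["path"])) | set(words_in(record["body"]))
    return [w for w in canary.split() if w in seen]


def find_leaks(capture, canary=CANARY, min_words=3):
    """Flag every request that carries at least min_words canary words.

    No host is exempt: text typed into a restore form has no reason to leave
    the device. The threshold keeps a single common word from raising a finding.
    """
    findings = []
    for record in capture:
        words = leaked_words(record, canary)
        if len(words) >= min_words:
            findings.append((record["host"], words))
    return findings


if __name__ == "__main__":
    for host, words in find_leaks(CAPTURE):
        print(f"{host}: {len(words)}/{len(CANARY.split())} canary words sent")
```

Request bodies that are compressed or otherwise encoded have to be decoded before they are passed to this check, or the canary words will not be visible to it.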

On Twitter, security researcher Luke Childs published a video showing that Coinomi was indeed sending its users’ seed phrases to Google.

Maawali believes his funds were stolen by someone with access to the traffic, or by someone at Google who noticed the seed phrase. The researchers added that other Coinomi wallet users have reported seeing their funds disappear.

Coinomi’s Response

Before making the vulnerability public, Maawali claims to have reached out to Coinomi to explain the situation. In his words, the team behind the wallet “did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation.”

Maawali claims Coinomi “kept reminding” him in a threatening way of “the legal implications” of disclosing the vulnerability. He noted they shouldn’t forget about the legal implications of his funds, now gone.

Notably, Luke Childs has previously disclosed another Coinomi vulnerability, in which the wallet transmitted its users’ transactions unencrypted to Electrum servers, without using standard security technology. At the time, the developers reacted defensively, criticizing Childs and claiming he was spreading fear, uncertainty, and doubt (FUD).

Maawali advised those using Coinomi to secure their funds as soon as they can:

To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application otherwise your funds might get stolen sooner or later

Available data shows the Coinomi wallet isn’t open-source, meaning its code isn’t available to the public. Some in the crypto community believe closed-source wallets should be avoided, as they can contain hidden security vulnerabilities.

UK's Regulator Warns Against Fraudulent Firm Cloning Financial Giant TP ICAP

The UK’s financial regulator, the Financial Conduct Authority (FCA), has uncovered another allegedly fraudulent crypto-related scheme.

On Friday (May 24, 2019), the FCA revealed that a company called ICAP Crypto had been impersonating an established firm known as ICAP Europe Limited. ICAP Crypto reportedly attempted to lure unsuspecting investors into a potential scam involving cryptocurrencies.

Using Company Details Belonging to Legitimate Financial Firms

While ICAP Crypto’s management does not claim its services are regulated by the FCA, the allegedly fraudulent firm has been using the company details that belong to legitimate UK-registered financial service providers.

The FCA has warned that the potential scammers operating ICAP Crypto may be using the company license information of established firms in order to lure investors into a fraudulent crypto scheme.

According to the FCA, ICAP Crypto has provided contact information which may be “mixed” with details that belong to TP ICAP, one of the largest global interdealer brokers. Moreover, the FCA cautioned users that ICAP Crypto has launched a website that is not licensed by the FCA to offer financial services.

No Details Regarding Crypto Services

There’s also no association between the management and services provided by TP ICAP and ICAP Crypto, the UK’s financial regulator clarified. Furthermore, the FCA’s investigation has revealed that ICAP Crypto appears to be offering various crypto-related services including a platform to launch initial coin offerings (ICOs).

Although ICAP Crypto seems to be offering several different cryptocurrency-related products, the FCA found that the allegedly fraudulent firm has not provided any specific details regarding its services.

ICAP Crypto’s management states that its services include “a sophisticated blend of engineering with experience to empower thousands of marketers to access markets around the world through the use of digital currency entirely outside the traditional financial system.” However, it remains unclear what type of services the company actually offers.

FCA Planning To Draft Comprehensive Crypto Regulations

In January 2019, the UK’s financial regulator called for increased regulatory oversight over the leading European nation’s cryptocurrency market. In order to create regulations for digital assets, the FCA launched a consultation which requested feedback regarding how to regulate crypto transactions.

The FCA had specifically asked for feedback on how to regulate crypto exchanges, digital asset payment processing services, wallet providers, and broker dealers offering crypto derivatives.