Security Alert: Crypto Wallet Coinomi Reportedly Sending Seed Phrases to Google

Francisco Memoria

Multi-asset cryptocurrency wallet Coinomi reportedly has a major security vulnerability, as it has, according to various security researchers, been sending users’ seed phrases in plain text to third-party servers.

Twitter user Warith Al Maawali, who first discovered the vulnerability, claims to have found out about it after losing large amounts of cryptocurrency after adding his recovery phrase to Coinomi. He wrote:

My passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase.

The vulnerability sees the cryptocurrency wallet send users’ seed phrases as non-encrypted plain text to a Google-owned server through a spell-check function. Maawali found the activity using software that allows the monitoring and debugging of an application's HTTP/HTTPS traffic.

To verify the threat, he noted on a website dedicated to the incident that all users have to do is “simply paste any random sentence with [a] spelling mistake in the textbox in Coinomi’s ‘Restore Wallet’ form/page.” The result, he wrote, is that the error will be underlined in red, after being sent to Google for a spell check.
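The canary check described above can be automated against a proxy capture of your own application's traffic. This is an added example, not code from the article, from Maawali or from Coinomi; the record layout, the `example.invalid` host names and all helper names are assumptions, and the capture data is constructed.

```python
import json
from urllib.parse import unquote_plus

# Constructed canary: a throwaway sentence with a deliberate misspelling,
# never a real seed phrase.
CANARY = "orbit velvet lanturn copper drift meadow"

# Constructed capture records in a simplified proxy-export shape (assumption).
CAPTURE = [
    {"host": "wallet-api.example.invalid", "path": "/v1/rates?fiat=usd",
     "body": ""},
    {"host": "spellcheck.example.invalid", "path": "/check",
     "body": json.dumps({"language": "en", "text": CANARY})},
    {"host": "telemetry.example.invalid", "path": "/log",
     "body": "event=restore_opened&note=orbit+velvet+lanturn"},
]

def _strings(value):
    """Yield every string nested inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        items = value.values() if isinstance(value, dict) else value
        for v in items:
            yield from _strings(v)

def decoded_views(record):
    """Return the request text in each form a leak could hide in."""
    raw = record["path"] + " " + record["body"]
    views = [raw, unquote_plus(raw)]  # as sent, and URL/form-decoded
    try:
        views.extend(_strings(json.loads(record["body"])))
    except ValueError:
        pass  # body is empty or not JSON
    return [v.lower() for v in views]

def leaked_fraction(record, canary=CANARY):
    """Fraction of canary words found in any decoded view of the request."""
    words = canary.lower().split()
    best = 0.0
    for view in decoded_views(record):
        tokens = set(view.replace("&", " ").replace("=", " ").split())
        best = max(best, sum(w in tokens for w in words) / len(words))
    return best

def find_leaks(capture, threshold=0.5):
    """Hosts that received at least `threshold` of the canary words."""
    scored = [(r["host"], leaked_fraction(r)) for r in capture]
    return [(h, f) for h, f in scored if f >= threshold]
```

Any host returned by `find_leaks` received text typed into the sensitive field, including partial or URL-encoded copies, and should be treated as a disclosure path for real seed phrases.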

On Twitter, security researcher Luke Childs published a video showing that Coinomi was indeed sending its users’ seed phrases to Google.

Maawali believes his funds were stolen by someone with access to the traffic, or by someone at Google who noticed the seed phrase. The researchers added that other Coinomi wallet users have reported seeing their funds disappear.

Coinomi’s Response

Before making the vulnerability public, Maawali claims to have reached out to Coinomi explaining the situation. Per his words, the team behind the wallet “did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation.”

Maawali claims Coinomi “kept reminding” him in a threatening way of “the legal implications” of disclosing the vulnerability. He noted they shouldn’t forget about the legal implications of his funds, now gone.

Luke Childs has notably disclosed a Coinomi vulnerability in the past. That vulnerability transmitted users’ transactions unencrypted to Electrum servers, without using standard security technology. At the time, the developers reacted defensively, criticizing Childs and claiming he was spreading fear, uncertainty, and doubt (FUD).

Maawali advised those using Coinomi to secure their funds as soon as they can:

To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application otherwise your funds might get stolen sooner or later

Available data shows the Coinomi wallet isn’t open-source, meaning its code isn’t available to the public. Some in the crypto community believe these wallets should be avoided, as they can contain hidden security vulnerabilities.

Bitpoint Reveals Breakdown of Funds Stolen and Pledges Reimbursement After Hack

Neil Dennis

Japan's Bitpoint cryptocurrency exchange has published a breakdown of the assets lost in this month's security breach where hackers stole around Y3 billion ($28 million), and has pledged to reimburse customers.

A document published by parent company Remix Point on Tuesday showed that of the Y3.02 billion stolen, Y2.6 billion belonged to customers, while Y960 million were company-owned assets.

Here's the full breakdown:

  • Bitcoin BTC1,225 - total stolen worth Y1.53 billion at the time of attack: Y1.28 billion belonging to customers and Y250 million to the exchange
  • Bitcoin cash BCH1,985 - worth Y70 million at time of attack: Y40 million customer owned and Y30 million exchange owned
  • Ether ETH11,169 - worth Y330 million at time of attack: Y240 million customer owned and Y90 million of the exchange's
  • Litecoin LTC5,108 - worth Y500 million, with about Y40 million in customer funds
  • XRP28,106,323 - worth Y1.03bn at the time of attack of which around a quarter were customer funds

Reimbursement

Remix Point added in its Tuesday statement that it would reimburse customer losses, compensating them in lost cryptocurrencies rather than their fiat equivalent.

The exchange revealed on Sunday it had already tracked $2.3 million worth of stolen tokens. As reported by Finance Magnates, Bitpoint said it had recovered the funds and reabsorbed them.

Bitpoint said last week's security breach occurred due to unauthorized access to the private keys of its hot wallets, and that it now intends to move all holdings into cold storage, where no breaches of security had been detected.

Co-operation With Regulators

Remix Point said in the document published on Tuesday that it was co-operating with the self-regulatory body, the Japan Virtual Currency Exchange Association, to help establish better security measures across the industry.

It requested that the association, along with its exchange rivals, monitor any suspicious activity in the coming days that might involve the deposit of funds potentially associated with the incident.