13 Million: Komodo Hacks Itself Before Hackers Have a Chance To

Komodo, a multi-chain cryptocurrency platform, has recently hacked itself to stop hackers from exploiting a security vulnerability that would’ve allowed them to steal over $13 million worth of cryptocurrencies, which are currently safe with the Komodo team.

According to ZDNet, the Komodo platform recently learned about the vulnerability after security researchers found a backdoor in one of its older wallet apps Agama. The vulnerability would allow hackers to steal every cryptocurrency held inside these.

Before hackers could take advantage of the vulnerability, the Komodo team extracted users’ funds from affected wallets and moved them to safe wallets they control, out of a hackers’ reach. The team got around 8 million KMD (around $11.9 million), and 96 BTC (around $740,000) into its wallets.

A recently published security alert details:

After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk.

Explaining the backdoor, the Komodo team noted that bad actors got it into Agama by first contributing useful code to it and updating it, and then updating the code to include the security vulnerabilities.

The Komodo team is now letting users reclaim their funds. Its security alert adds that to do so users should head on over to their support page article. Komodo is also advising users to move to one of its newer products, and has discontinued the older Agama wallet.

Users are advised to create KMD and BTC addresses with new seedphrases after recovering their funds, so hackers aren’t able to use old seed and passphrases to access their wallets. Cryptocurrency wallets are a common attack vector for hackers in the space.

As covered, the popular Electrum bitcoin wallet has seen hackers phish users to steal over 200 BTC from them. The phishing attack involved an error messaging urging legitimate wallet users to update their software to a malicious version of Electrum. YouTube has also inadvertently promoted an illegitimate version of the wallet earlier this year.