
Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 6. (Read 2562 times)

hero member
Activity: 714
Merit: 1010
Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened. And get do some other things. But no way to interact with the net. Should be sitting there ready to be deployed with a deadman switch when something like this happens.

I have used Atomic Wallet for a very short period of time for some shitcoins that needed to be moved around and where I didn't even trust the shitcoin's native wallets. I was concerned that Atomic Wallet is closed-source, did some deep research if this software had some bad history or reputation. At that time, I couldn't find deeply alarming news, so I thought, OK, why not, no large amounts of value at stake and I didn't run that software on the same computer where my trusted wallet(s) were.

As an end user I would be pissed if I had no control over updates or downloading a dead version. Forced updates can be a dangerous thing if external or internal attackers of a wallet's backend gain malicious control. With forced updates you can screw every user of the wallet when the wallet's infrastructure gets compromised. Displaying a big red warning in the user's wallet would be nice if that is done in a safe way that can't be exploited by malicious actors. My hopes are not high for Atomic users as the past audits seemed to indicate that software and security quality of Atomic isn't what it should be.

There's still too much speculation of what went wrong or how the attacks were possible. A dead version in the app stores wouldn't help if the seed or private keys got compromised. And you could potentially protect only users with a forced update before attackers could do their stealing.

The communication of the wallet's company is very much sub-par. If they don't know what's going on, then why don't they shut down the backend systems and tell the users to immediately move their funds to a new safe wallet that's not affected? (Well, if you have lots of shitcoins, then good luck with finding suitable safe other wallets to hold your shitcoins.)


Zach also claims to know what happened behind the scene.

Sounds like click-bait from this dude. So, for what reason doesn't this "Zach" reveal what he knows?
legendary
Activity: 2170
Merit: 1789
Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack
Both of them are certainly a possibility. It is hard to figure out what really happened unless Atomic shares what kind of exploits are being used by the attacker. Even if they did that though, the distrust is still there since they can edit some code before making it public to steer the narrative to their preferred direction. Zach also claims to know what happened behind the scene. At the end of the day, someone would be better off using other wallets in the future.

Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened.
Unless I'm mixing up some news, IIRC, they disabled the downloads shortly after the attack was reported. Not sure why they allow users to download it again, especially after some reports suggesting the latest version is one of the ones that got affected.
sr. member
Activity: 658
Merit: 441
I'm thankful for bitcointalk and the educative information that's been shared here daily. As a newbie that registered on this platform, I used to have some crypto assets worth a few bucks in my Atomic Wallet until I stumbled on some topics here about the dangers of using closed-source wallets, so I decided to move my assets out of Atomic Wallet... If not, I might have been a victim too. This is an eye-opener and I hope other people can learn from this and distance themselves from using closed-source wallets and exchanges for storing their funds.
legendary
Activity: 3500
Merit: 6320
And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

[1]https://nitter.it/zachxbt/status/1666115739764285445
[2]https://en.wikipedia.org/wiki/Lazarus_Group
Fortunately, a large group, including me, was not affected by what happened to the Atomic Wallet, as I immediately transferred my funds to another wallet after I found many reports of stolen funds by many users in the tweets of the official account of the Atomic Wallet. I feel sad because I saw a lot of them lost thousands of dollars due to the Lazarus Group, who are responsible for these hacks.

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Quote
The application that Atomic Wallet built was not built in a secure manner.

Either someone pushed a malicious version of the application that stole users' keys.

Or they were inadvertently logging users' keys to their servers and those servers were accessed by a malicious actor.
Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.

If they were ' inadvertently logging users' keys to their servers' then the app was totally fucked from the start. The ONLY thing the app should be sending to the servers is the request of the transaction lists for the addresses to figure out how much is in the owned addresses and a signed TX when broadcasting a send. There should be no way in hell that your private keys are EVER sent to them.

However, you can't fix stupid, and since it's closed source you never really know what they are doing [unless you setup a mitm attack on your own network and monitor what comes in and out].

Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened. And get do some other things. But no way to interact with the net. Should be sitting there ready to be deployed with a deadman switch when something like this happens.

-Dave
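
As an added illustration of the rule in the post above (this is not code from the thread or from any wallet project): a checker that scans outbound request bodies captured on your own network and flags Base58Check-encoded private key material. The sample bodies, keys and address are constructed, and the check covers WIF keys and BIP32 xprv strings only, not BIP39 seed words.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE = re.compile(r"[1-9A-HJ-NP-Za-km-z]{26,112}")  # runs of Base58 characters
XPRV_VERSION = bytes.fromhex("0488ade4")  # BIP32 mainnet extended private key

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Only used here to build the constructed samples below."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58check_decode(text: str):
    """Return the payload if the 4-byte double-SHA256 checksum verifies, else None."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]

def classify(token: str):
    payload = b58check_decode(token)
    if payload is None:
        return None  # not Base58Check at all (e.g. a hex txid fragment)
    if payload[0] == 0x80 and len(payload) in (33, 34):
        return "wif-private-key"  # version 0x80 + 32-byte key (+0x01 if compressed)
    if payload[:4] == XPRV_VERSION and len(payload) == 78:
        return "bip32-xprv"
    return None  # valid Base58Check but public material, e.g. an address

def scan(bodies):
    """Return (body index, kind) for every secret found in outbound request bodies."""
    return [(i, kind) for i, body in enumerate(bodies)
            for m in CANDIDATE.finditer(body)
            if (kind := classify(m.group()))]

# Constructed samples: none of these keys or addresses belong to a real wallet.
SAMPLE_WIF = b58check_encode(b"\x80" + bytes(range(1, 33)) + b"\x01")
SAMPLE_XPRV = b58check_encode(XPRV_VERSION + bytes(74))
SAMPLE_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
CAPTURED_BODIES = [
    '{"method":"history","address":"%s"}' % SAMPLE_ADDR,    # expected traffic
    '{"method":"broadcast","rawtx":"02000000%s"}' % ("ab" * 32),  # expected traffic
    '{"event":"debug","wallet_export":"%s"}' % SAMPLE_WIF,  # must never happen
    '{"event":"backup","account_key":"%s"}' % SAMPLE_XPRV,  # must never happen
]

if __name__ == "__main__":
    for index, kind in scan(CAPTURED_BODIES):
        print(f"body {index}: {kind} leaving the device")
```

Validating the checksum and version byte, rather than matching on length alone, is what keeps addresses and transaction hex from being reported as key leaks.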
legendary
Activity: 2268
Merit: 2050
A Bitcoiner chooses. A slave obeys.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?

I think he is confusing Atomic with being Binance owned, but Trust Wallet is just as closed source as well, and ironically there is no point in trusting such wallets. You might as well store your coins on Binance. They might have a lesser chance of being hacked. Although looking at the past history of crypto exchanges, they eventually screw up, get hacked or straight up steal your money.

I agree that any wallet which is not 100% open source is a red flag. Otherwise behind the code could be a third party, trying to take your money with a strategically planned hack.

inb4 North Korea was behind Atomic all along.
legendary
Activity: 1890
Merit: 1537
And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

[1]https://nitter.it/zachxbt/status/1666115739764285445
[2]https://en.wikipedia.org/wiki/Lazarus_Group
Fortunately, a large group, including me, was not affected by what happened to the Atomic Wallet, as I immediately transferred my funds to another wallet after I found many reports of stolen funds by many users in the tweets of the official account of the Atomic Wallet. I feel sad because I saw a lot of them lost thousands of dollars due to the Lazarus Group, who are responsible for these hacks.

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Quote
The application that Atomic Wallet built was not built in a secure manner.

Either someone pushed a malicious version of the application that stole users' keys.

Or they were inadvertently logging users' keys to their servers and those servers were accessed by a malicious actor.
Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.
legendary
Activity: 1148
Merit: 3117
Update: So it looks like the stolen funds (~35M $) are on the move:

On June 5, blockchain compliance analytics firm Elliptic reported that its Investigations Team has traced funds from the $35 million Atomic Wallet hack to crypto mixer Sinbad.io.

Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/
And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

[1]https://nitter.it/zachxbt/status/1666115739764285445
[2]https://en.wikipedia.org/wiki/Lazarus_Group
legendary
Activity: 2212
Merit: 7064
Update: So it looks like the stolen funds (~35M $) are on the move:
Crazy!
Number grows with every new day and who knows how many people don't even know or they didn't report losses.
It's important not to open atomic wallet that is connected to internet, then import seed phrase backup to another wallet and move coins asap.
Few years ago I tested this atomic wallet and I never liked how it works, but closed source and amateur devs was always a red alert for me.
legendary
Activity: 3500
Merit: 6320
At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
This is the same as expecting from a newbie to write the paper wallet software themselves. It's ridiculous to expect from a newbie to know how to read / write code. And no, it's neither practical to read that. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html is more than 10000 lines long. Less than Electrum, but still impractical. 

That's the problem with shipping your codebase as a giga-large single file - particularly as an HTML file - even I don't have the patience to read or understand what all that code is doing. Electrum is easier to navigate because you can trace the control flow through multiple files, and that eliminates a lot of the irrelevant code that is not likely to be of interest to hackers.

Yes with a but, or no with a however.
Having multiple files now means that humans are going to be human. So if some function calls something that you are not using / not interested in then you (who I assume to be human) may not examine it as well or even at all. Having it all in the 1 monolithic file forces you to read the entire thing.

There is a good and bad side to both ways.

Back to this. Has anyone here actually lost real funds? I keep hearing reports of people losing money, but so far it's nobody here as far as I can see.

-Dave
legendary
Activity: 3010
Merit: 3724
At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.

Yeah Yamane_Keto, we understood what you meant, but I'm not sure you understood what you're expecting of average users either.

I'm the regular user we're all talking about. Understand the most basic of coding languages, far from enough to understand anything harmful or malicious on Github if it screamed out at me.

It's still many times safer, and practical, to simply trust a software you know is actively being reviewed and checked by very good developer communities. To the simple user (yours truly), Electrum and Bitcoin Core prove that, by acting very quickly when changes need to be made or holes plugged.
legendary
Activity: 2268
Merit: 18771
At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
If you are a newbie who cannot code, then both tasks are equally impossible. And if you are a newbie who cannot code, then you will be exponentially safer using Electrum than you would be using some random paper wallet generator you found via Google.

Setting up and managing paper wallets is not difficult for someone who can read every line, perhaps it is not the best option in terms of privacy and dynamism, but everything has a cost.
Paper wallets are an excellent option if you can vet the code you are using, you understand how to set up and use a truly airgapped system, and you understand how to spend from these wallets without ruining your privacy and security or losing any coins. But this is complicated to do. Suggesting them as an alternative for everyone leaving Atomic or other closed source wallets is bad advice.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
This is the same as expecting from a newbie to write the paper wallet software themselves. It's ridiculous to expect from a newbie to know how to read / write code. And no, it's neither practical to read that. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html is more than 10000 lines long. Less than Electrum, but still impractical. 

That's the problem with shipping your codebase as a giga-large single file - particularly as an HTML file - even I don't have the patience to read or understand what all that code is doing. Electrum is easier to navigate because you can trace the control flow through multiple files, and that eliminates a lot of the irrelevant code that is not likely to be of interest to hackers.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
This is the same as expecting from a newbie to write the paper wallet software themselves. It's ridiculous to expect from a newbie to know how to read / write code. And no, it's neither practical to read that. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html is more than 10000 lines long. Less than Electrum, but still impractical.

My talk if you don't want to trust any developer, I know a lot of skeptical people who like to check everything themselves.
If you're not a competent software engineer, as the folks behind software like Bitcoin Core and Electrum, then you shouldn't trust yourself more than them. The odds of messing up are far greater.
hero member
Activity: 630
Merit: 510
This is poor advice.

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum. My talk if you don't want to trust any developer, I know a lot of skeptical people who like to check everything themselves.
Setting up and managing paper wallets is not difficult for someone who can read every line, perhaps it is not the best option in terms of privacy and dynamism, but everything has a cost.


Update: So it looks like the stolen funds (~35M $) are on the move:

Without making the wallet open source, I don't think anyone would be stupid enough to use them.
staff
Activity: 3500
Merit: 6152
Update: So it looks like the stolen funds (~35M $) are on the move:

On June 5, blockchain compliance analytics firm Elliptic reported that its Investigations Team has traced funds from the $35 million Atomic Wallet hack to crypto mixer Sinbad.io.

Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/
hero member
Activity: 644
Merit: 661
- Jay -
Yes. Internally, locally... What is the difference? The point is that the seed phrase and private keys are created, stored and accessible by your wallet software.
The slight difference is that on one end it is stored in their logs and any breach on their side can access it or the software themselves can easily steal your private keys and on the other hand it is not stored in their data logs but on the user's wallet file and not directly accessible to them.

There is always a risk when dealing with software, even those that are open source, but it is much safer choosing one which is open source and reputable.

- Jay -
legendary
Activity: 2268
Merit: 18771
If you do not know how to read the code, it is best to start with a paper wallet that generates private keys in a simple way or trusts individuals or a community to review the code.
This is poor advice.

There have been a number of paper wallet generators over the years which have also been malicious and have stolen any funds sent to the paper wallets they generate. And even if someone happens to pick legitimate paper wallet software, paper wallets are difficult to set up and use correctly without making a critical mistake, exposing your private keys to the internet, sending your change to an address you cannot access, and so on. They should not be used by newbies as a "best place to start".

The best advice for newbies who cannot review code has always been to choose an open source, reproducible, widely used, widely reviewed, and reputable wallet. This is why Electrum is so popular and so often recommended.
hero member
Activity: 630
Merit: 510
As I said earlier, the manipulation of terminology is what gave many users a false sense of security. Custodial wallet and Non-Custodial wallet have no meaning, but the real difference is whether that software is a wallet or not. In the sense that all closed source wallets are not a wallet because we do not know how the private key is generated and whether the code is safe or not. The fact that a third party may know your private key means that you do not own your money.

If you do not know how to read the code, it is best to start with a paper wallet that generates private keys in a simple way or trusts individuals or a community to review the code.
full member
Activity: 247
Merit: 124
dON'T tRUST, vERIFY!
That's not a good move. Importing 12 kata into the new wallet you want to transfer will be meaningless because the 12 kata you import are from the initial wallet you are using.
The good thing is to send coins from the wallet you are using to the new wallet you are going to use.
What is the meaning of "kata"? Is it Japanese?
hero member
Activity: 1316
Merit: 787
>> Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.
That's not a good move. Importing 12 words into the new wallet you want to transfer will be meaningless because the 12 words you import are from the initial wallet you are using.
The good thing is to send coins from the wallet you are using to the new wallet you are going to use.

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet). I had quite a bit of USDT-TRX on it, as a hedge against Bitcoin volatility in my retirement years.
Unstoppable wallet that I can say is a good wallet for you to transfer existing coins in Trust Wallet and Exodus by sending them to the Unstoppable wallet that you created recently.
What I say is the same as what has been explained by hosseinimr93