
Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 7. (Read 2583 times)

member
Activity: 82
Merit: 28
As of yet, not much real information in this topic... all assumptions for the moment...
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

I'm a long time user of Atomic Wallet and never had any problems. Their multi-coin and built-in exchange was their biggest pro for me. Used it just for playing with alt coins and pocket money.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Better safe than sorry!

Greets.

It's non-custodial, open source or closed, and it literally doesn't work! It's a torn pocket, after what I read, that was perhaps part of the strategy. I think that sometimes it is not just knowing all the technicalities associated with a wallet; it is a mistake not to understand the products that exist. With this wallet it is demonstrated: they are pocket, $100 wallets.
legendary
Activity: 2478
Merit: 6693
be constructive or S.T.F.U
Copay was open source.
But as I have said countless times. Open source and build verified still does not prevent bad coding. Or as you mentioned a supply chain attack.
It just allows more people to see the bad code and report it and get it fixed.

And also as I have said countless times. Open source don't mean shit if people don't verify the source vs compiled that you are downloading. And let's not forget the HOW SECURE IS THE PROCESS OF UPLOADING THE APP TO THE VARIOUS APP STORES.
Everything else could be perfect, but if you don't secure that system then you are not secure.

Alas, security is not easy at all, even while doing everything you stated above, you have no way of knowing when a Microsoft employee simply changes the code on Github and gets you to compile their version of the code, you need to read the whole code again and make sure it doesn't send your private keys in plain text over the internet, it's almost impossible to be 100% secured.

Of course, that's just over-exaggerating the matter, but just because it's unlikely -- it doesn't mean it can't happen, I saw a discussion on reddit the other day in regards to this subject, someone said "I'd rather just use an exchange so that if I lose my money I got someone to blame".

This brings an interesting conspiracy theory that, all of these hacks are not done for money, but for a greater goal, they simply shape the path to custodial wallets, at one point, banks will take over and will provide custodial services, where your BTC is insured by large insurance companies or the government itself, those two have deep pockets and will be able to track and potentially catch whoever steals anything from "them", so it becomes a choice of keeping your BTC "safe and insured by the government" or "at high risk" being in your custody, essentially, turning BTC into another government-controlled asset.
legendary
Activity: 1512
Merit: 4795
-snip-
Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

I don't believe there are any. If you're willing to switch to a mobile wallet, then you have Unstoppable wallet. It has a swap feature but you can't use it with BTC, LTC, etc. It uses Uniswap (ETH), QuickSwap (MATIC), PancakeSwap (BSC), and 1Inch which is an aggregator.
Also, he can get a reputed open source hardware wallet that supports multiple coins.

This is incorrect, Electrum does not store your private keys; they are stored in your wallet file locally (on your device) and encrypted with your password.
You can get your private keys directly on Android Electrum versions below 4.4.0, but this has been removed from version 4.4.0 and above.

On desktop Electrum, if you click on wallets -> private keys -> export, you will be able to see your addresses and the corresponding private keys. Or if you click on view -> check addresses, click on addresses on the GUI and right click on any address of your choice, you will see the address private key if you click on 'private key'.

What is most important is the seed phrase, because it can generate all the private keys.
legendary
Activity: 1526
Merit: 1359
Every wallet stores customer seeds and private keys internally; it cannot function differently.
This is incorrect, Electrum does not store your private keys; they are stored in your wallet file locally (on your device) and encrypted with your password.

Yes. Internally, locally... What is the difference? The point is that the seed phrase and private keys are created, stored and accessible by your wallet software. And just to clarify, it is not necessary for the file to be encrypted (although it is generally not recommended to store the keys in an unencrypted file).
legendary
Activity: 1148
Merit: 3117
But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet).
No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are closed-source and there's a possibility that the same thing will happen to them.
I personally would not open Atomic Wallet at this time, seems very risky. So importing the seed into another Wallet is a must to send the coins in a safe way.

Greets.
I don't think users that didn't use Atomic Wallet recently are safe as well. I've seen multiple reports of users on Reddit & Twitter that didn't use the application recently and still got hit by the hack. If it was me, the second I heard about this I would instantly create a new wallet in a secure environment and transfer all of my funds to it.
newbie
Activity: 18
Merit: 6
But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet).
No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are closed-source and there's a possibility that the same thing will happen to them.
I personally would not open Atomic Wallet at this time, seems very risky. So importing the seed into another Wallet is a must to send the coins in a safe way.

Greets.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?
It could be all. A malicious update, by a maliciously altered dependency, which was maintained by some ill-intentioned developer from the Atomic Wallet dev team. There's no evidence that supports otherwise, because there is nothing transparent in the first place.

People are advised to avoid them year in year out, but they are still dumb and lazy enough to secure their money.
I can't imagine you to be that dumb. Unless it ain't their entire life savings (as some say), I can't justify being so confident with stuff you've no idea about. I just can't picture myself putting all my money (or most of it) in some shitcoin like XRP, which is significantly weaker in both centralization and security. Maybe I could gamble some (much less than half of it), but not all.
legendary
Activity: 2380
Merit: 5213
>> Transferring their funds by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.
As already mentioned, this doesn't change anything. You should create a new wallet using a safe tool on a safe device and move all the funds to that.


But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet).
No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are closed-source and there's a possibility that the same thing will happen to them.
sr. member
Activity: 306
Merit: 257
>> Transferring their funds by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet). I had quite a bit of USDT-TRX on it, as a hedge against Bitcoin volatility in my retirement years.



Less than 1%!! Really?

How do they determine if the users were less than 1%? Why don't they value what has been drained in monetary terms instead of stupid percentages?

They are probably counting every user who has ever opened the Atomic Wallet app which will also include a significant amount of no-coiners, and also zombies which have never touched their funds for several months. So most likely the actual percentage of hacked active users is probably much higher (like at least 5%).

I have several wallets, they took largest amounts first, and still didn't take small change amounts (2000 USDT), guess their bandwidth is limited (doing it manually?).
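
Added example (not from the thread and not any wallet's own code) for two points made in the posts above: that the seed phrase generates every private key, and that a wallet using a different derivation will not find the same keys from the same words. It implements BIP39 seed stretching and hardened BIP32 derivation down to account level; the paths and the public test-vector mnemonic are illustrative assumptions, and Atomic Wallet's actual derivation scheme is not documented on this page.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP32 private-key addition is done modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Public BIP39 test-vector mnemonic (constructed sample input, never fund it).
TEST_MNEMONIC = ("abandon " * 11) + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the words into a 64-byte seed with PBKDF2-HMAC-SHA512."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, 64)


def master_key(seed: bytes):
    """BIP32: master private key and chain code from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def hardened_child(key: int, chain_code: bytes, index: int):
    """BIP32 hardened child: needs only the parent private key, no EC math.
    (The spec's astronomically rare invalid-key cases are not handled here.)"""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return (int.from_bytes(digest[:32], "big") + key) % N, digest[32:]


def derive(seed: bytes, path: str) -> str:
    """Private key (hex) at a hardened-only path such as m/44'/0'/0'."""
    key, chain = master_key(seed)
    for step in path.split("/")[1:]:
        if not step.endswith("'"):
            raise ValueError("non-hardened steps need EC point math (out of scope)")
        key, chain = hardened_child(key, chain, int(step[:-1]))
    return key.to_bytes(32, "big").hex()


def account_keys(mnemonic: str, paths):
    """Same words, several derivation paths: one account key per path."""
    seed = bip39_seed(mnemonic)
    return {path: derive(seed, path) for path in paths}


if __name__ == "__main__":
    # Illustrative BIP44/BIP84-style account paths (coin types per SLIP-44:
    # 0 = BTC, 195 = TRX). A wallet that derives along any other path ends up
    # with unrelated keys, so an "imported" seed shows empty addresses.
    paths = ["m/44'/0'/0'", "m/84'/0'/0'", "m/44'/195'/0'"]
    for path, key in account_keys(TEST_MNEMONIC, paths).items():
        print(f"{path:<16} {key[:16]}...")
```

Because every key is a deterministic function of the words, anyone holding the seed phrase holds all of these keys, which is why the replies insist on moving funds to a freshly generated wallet rather than re-importing the same seed.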
staff
Activity: 3500
Merit: 6152
-snip-
Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

I don't believe there are any. If you're willing to switch to a mobile wallet, then you have Unstoppable wallet. It has a swap feature but you can't use it with BTC, LTC, etc. It uses Uniswap (ETH), QuickSwap (MATIC), PancakeSwap (BSC), and 1Inch which is an aggregator.

newbie
Activity: 18
Merit: 6
Coinomi is closed source, I can not recommend it.
Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

Did you import your Atomic wallet seed phrase on Electrum? Create another wallet on Electrum and transfer your coins there so that your coins can be safe.
Yep, I imported the seed and sent the funds to an existing wallet of mine. Which is sort of the same as you said and has the same effect.

Greets.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Less than 1%!! Really?

How do they determine if the users were less than 1%? Why don't they value what has been drained in monetary terms instead of stupid percentages?

They are probably counting every user who has ever opened the Atomic Wallet app which will also include a significant amount of no-coiners, and also zombies which have never touched their funds for several months. So most likely the actual percentage of hacked active users is probably much higher (like at least 5%).
copper member
Activity: 2198
Merit: 1837
Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?
I mean, we are still at a stage where lots of people still keep their life savings in centralized exchanges and DeFi protocols.
People are advised to avoid them year in year out, but they are still dumb and lazy enough to secure their money.

This incident should be one of those real life situations that highlights why a closed source wallet even if noncustodial is very dangerous. Reproducibility should also be emphasized.



XRP, a shitcoin, does not have any reputable wallet software for it.
1 more reason to avoid the shitcoin then.



So the jerks provided an update on Reddit a few hours ago, but I gotta say it's the most useless update about such a grave situation
update...

At the moment less than 1% of our monthly active users have been affected/reported. Last drained transaction was confirmed over 40h ago. Security investigation is ongoing. We report victim addresses to major exchanges & blockchain analytics to trace and block the stolen funds.

Less than 1%!! Really?

How do they determine if the users were less than 1%? Why don't they value what has been drained in monetary terms instead of stupid percentages?
legendary
Activity: 1512
Merit: 4795
As of yet, not much real information in this topic... all assumptions for the moment...
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?
Nobody knows the problem. Atomic wallet is closed source.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Better safe than sorry!
Electrum is good for bitcoin because it is completely open source. Coinomi is closed source, I can not recommend it.

Did you import your Atomic wallet seed phrase on Electrum? Create another wallet on Electrum and transfer your coins there so that your coins can be safe.

For a high amount of bitcoin, use a cold wallet. Electrum can be used as a cold wallet. Or get a reputed open source hardware wallet.
newbie
Activity: 18
Merit: 6
As of yet, not much real information in this topic... all assumptions for the moment...
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

I'm a long time user of Atomic Wallet and never had any problems. Their multi-coin and built-in exchange was their biggest pro for me. Used it just for playing with alt coins and pocket money.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Better safe than sorry!

Greets.
legendary
Activity: 1134
Merit: 1127
Wheel of Whales 🐳
Atomic wallet hasn't provided anything official on what caused this loss of their customers' funds, but I have seen some people post that Atomic wallet may have to offer some compensation to the victims for damages, but from their terms of service [1], it is not going to happen. People should only use self custody wallets that are open source and have a good reputation, because if you make a wrong choice and lose your funds, you can't get them back.
Quote
UNDER NO CIRCUMSTANCES WILL ATOMIC WALLET BE LIABLE TO YOU FOR DAMAGES ARISING OUT OF THE SERVICES EXCEEDING $50.
[1] https://atomicwallet.io/terms-of-service
legendary
Activity: 3500
Merit: 6320
That's just terrible news.
Sure, anyone storing massive amounts of value in a mobile wallet is always taking a high risk and already made the first mistake here.
Still, this usually hits crypto-newbies the hardest. Couldn't find anything, is there an approximate number of how many people are affected?

Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...

And don't forget the why....
If they got the report on Tuesday and were hacked on Friday then you can accept that they did not have time to fix the issues.
But when they have had it for so long it comes down to was the coding that bad? Were the issues buried so deep that they had to rebuild from scratch? Do they only have 1 programmer and they were working as fast as they could?


Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?
I mean, if you are dumping $45,000 in to a centralized, absolute shitcoin like XRP, then you probably aren't doing much in the way of research.
...

People invest in a lot of things that may or may not be smart to do. That does not mean they are not paying attention to other things.
If you looked at my shitcoin portfolio you would question my sanity. BUT and this is important Dave's left testicle coin currently trading at $0.02 can probably bounce to $0.10 more easily than BTC going from where it is now at $26800 all the way to $130000. Putting your entire life savings into something like XRP / Dave's testicle coin is just stupid. But if you have $50000 to gamble putting $10000 into 5 coins and hoping for the win is not a totally horrible thing. IF YOU CAN AFFORD TO LOSE IT ALL. I have some penny / dollar stocks I have bought over my 30 years of playing the markets. MOST have died. The few that made it more than 10x covered the losses of the others. So while people looked at me and asked why I invested in X I can then point to Y & Z and say those 2 more than covered it.

-Dave


legendary
Activity: 2478
Merit: 4419
🔐BitcoinMessage.Tools🔑
Another reminder to everyone in the crypto space about the dangers of using closed-source software that tries to implement each protocol there is for the sake of profit. Developers, especially those working with financially related products, should always bear in mind that the more complex software you build, the more vulnerabilities and bugs it will have. But given that the circle of developers and auditors is very narrow compared to open-source development, these vulnerabilities are very hard to detect timely. Of course, they actively defend "security through obscurity" and use it as an excuse because it allegedly helps protect customers from hackers, scammers, and other evil actors, but when a hack actually occurs, they start referring to their ToS and that people themselves are responsible for their private keys. It is a very convenient approach to doing business, you just make money off naive users who are unable to read guides on proper self-custody solutions, and when shit happens, you just tell people it is their problem. My prediction is that people suffering from the Atomic Wallet hack won't receive their money back, but they also won't stop using closed-source, poorly implemented software for their life savings. These just can't learn.
legendary
Activity: 3556
Merit: 7011
I wonder why people should still be using a wallet that supports only legacy addresses when there is Segwit today. Any bitcoin wallet, whether it also supports altcoins or not, should not be used anymore if it cannot follow the recent standards.
Don't know, I've never held bitcoin on an Atomic wallet (though I did download it for desktop just to see what the UI looked like) but that's probably not how they got hacked, right?

I don't know why anyone would use Atomic other than to take advantage of their staking function, but even then if you're staking a significant amount of whatever, why would you use a closed-source wallet like that?  It must be popular amongst those who don't know much about crypto security--but then again, a lot of knowledgeable crypto users kept coins on Ledger wallets right up until they announced their back door.  That's humanity for you; it's in our nature to want to trust others....until we learn the hard way not to.
hero member
Activity: 518
Merit: 547
If the computer is compromised then malware with sufficient elevated rights can compromise the software wallet. If the software wallet itself is badly crafted, which you can't check with closed-source software, then you're screwed anyway.


Other wallets might also get compromised if the computer is compromised. Even if someone has access to your wallet, I don't think they can access it unless they can crack your password or have private keys. Since it's only happened with Atomic users (we did not see the same reports from other wallet users yet), I guess OmegaStarScream might be correct. They might have fallen for phishing. But according to Atomic Wallet, 1% of their monthly active users reported that their wallet is drained. So, if their active users are 100K, 1K users' wallets were compromised. I don't think that many users could fall for the phishing trap.

Atomic might be hiding something about how the private keys are generated and them being non-custodial. I was using Atomic Wallet 2.45.1 for a while. Luckily I had nothing in my Atomic wallet, and I just uninstalled their software in case it contained any virus. Many users screamed in their tweets and complained about how much they lost. I am afraid now. I moved from Atomic to Electrum a while ago. I hope Electrum is the most secured and trusted among others!