Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 7. (Read 2334 times)

It could be all. A malicious update, by a maliciously altered dependency, which was maintained by some ill-intentioned developer from the Atomic Wallet dev team. There's no evidence that supports otherwise, because there is nothing transparent in the first place.

I can't imagine you to be that dumb. Unless it ain't their entire life savings (as some say), I can't justify being so confident with stuff you've no idea about. I just can't picture myself putting all my money (or most of it) in some shitcoin like XRP, which is significantly weaker in both centralization and security. Maybe I could gamble some (much less than half of it), but not all.

As already mentioned, this doesn't change anything. You should create a new wallet using a safe tool on an safe device and move all the fund to that.


No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are close-source and there's a possibility that the same thing will happen to them.

>> Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet). I had quite a bit of USDT-TRX on it, as a hedge against Bitcoin volatility in my retirement years

---

I have several wallets, they took largest amounts first, and still didn't take small change amounts (2000 USDT), guess their bandwidth is limited (doing it manually?).

I don't believe there are any. If you're willing to switch to a mobile wallet, then you have Unstoppable wallet. It has a swap feature but you can't use it with BTC, LTC, etc. It uses Uniswap (ETH), QuickSwap (MATIC), PancakeSwap (BSC), and 1Inch which is an aggregator.

Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

Yep, I imported the seed and send the funds to an existing wallet of mine. What is sort of the same you said and has the same effect.

Greets.

They are probably counting every user who has ever opened the Atomic Wallet app which will also include a significant amount of no-coiners, and also zombies which have never touched their funds for several months. So most likely the actual percentage of hacked active users is probably much higher (like at least 5%).

I mean, we are still at a stage where lots of people still keep their life savings in centralized exchange and DeFi protocols  
People are advised to avoid them year in year out, but they are still dumb and lazy enough to secure their money.

This incident should be one of those real life situations that highlights why a closed source wallet even if noncustodial is very dangerous. Reproducibility should also be emphasized.

---

1 more reason to avoid the shitcoin then  

---

So the jerks provided an update on Reddit a few hours ago, but I gotta say it's the most useless update about such a grave situation

Less than 1%!! Really?

How do they determine if the users were less than 1%. Why don't they value what has been drain in monetary terms instead of stupid percentages.

Nobody knows the problem. Atomic wallet is close source.

Electrum is good for bitcoin because it is completely open source. Coinomi is close source, I can not recommend it.

Did you import your Atomic wallet seed phrase on Electrum? Create another wallet on Electrum and transfer your coins there so that your coins can be safe.

For high amount of bitcoin, use a cold wallet. Electrum can be used as a cold wallet. Or get a reputed open source hardware wallet.

As of yet, not much real information in this topic... all assumptions for the moment... 
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

I'm a long time user of Atomic Wallet and never had any problems. Their multi-coin and built-in exchange was their biggest pro for me. Used it just for playing with alt coins and pocket money.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Beter safe than sorry!

Greets.

Atomic wallet haven't provided anything official on what caused this loss of their customers' funds, but i have seen some people post that Atomic wallet may have to offer some compensation to the victims for damages, but from their terms of service [1], it is not going to happen. People should only use self custody wallets that are open source and have a good reputation, because if you make a wrong choice and lose your funds, you can't get it back.
[1] https://atomicwallet.io/terms-of-service

And don't forget the why....
If they got the report on Tuesday and were hacked on Friday then you can accept that they did not have time to fix the issues.
But when they have had it for so long it comes down to was the coding that bad? Were the issues buried so deep that they had to rebuild from scratch? Do they only have 1 programmer and they were working as fast as they could?



People invest in a lot of things that may or may not be smart to do. That does not mean they are not paying attention to other things.
If you looked at my shitcoin portfolio you would question my sanity. BUT and this is important Dave's left testicle coin currently trading at $0.02 can probably bounce to $0.10 more easily then BTC going from where it is now at $26800 all the way to $130000. Putting your entire life savings into something like XRP / Dave's testicle coin is just stupid. But if you have $50000 to gamble putting $10000 into 5 coins and hoping for the win is not a totally horrible thing. IF YOU CAN AFFORD TO LOOSE IT ALL I have some penny / dollar stocks I have bought over my 30 years of playing the markets. MOST have died. The few that made it more then 10x covered the losses of the others. So while people looked at me as asked why I invested in X I can then point to Y & Z and say those 2 more then covered it.

-Dave

Another reminder to everyone in the crypto space about the dangers of using closed-source software that tries to implement each protocol there is for the sake of profit. Developers, especially those working with financially related products, should always bear in mind that the more complex software you build, the more vulnerabilities and bugs it will have. But given that the circle of developers and auditors is very narrow compared to open-source development, these vulnerabilities are very hard to detect timely. Of course, they actively defend "security through obscurity" and use it as an excuse because it allegedly helps protect customers from hackers, scammers, and other evil actors, but when a hack actually occurs, they start referring to their ToS and that people themselves are responsible for their private keys. It is a very convenient approach to doing business, you just make money off naive users who are unable to read guides on proper self-custody solutions, and when shit happens, you just tell people it is their problem. My prediction is that people suffering from the Atomic Wallet hack won't receive their money back, but they also won't stop using closed-source, poorly implemented software for their life savings. These just can't learn.

Don't know, I've never held bitcoin on an Atomic wallet (though I did download it for desktop just to see what the UI looked like) but that's probably not how they got hacked, right?

I don't know why anyone would use Atomic other than to take advantage of their staking function, but even then if you're staking a significant amount of whatever, why would you use a closed-source wallet like that?  It must be popular amongst those who don't know much about crypto security--but then again, a lot of knowledgeable crypto users kept coins on Ledger wallets right up until they announced their back door.  That's humanity for you; it's in our nature to want to trust others....until we learn the hard way not to.

Other wallets might also get compromised if the computer is compromised. Even if someone has access to your wallet, I don't think they can access it unless they can crack your password or have private keys. Since it's only happened with Atomic users (we did not see the same reports from other wallet users yet), I guess OmegaStarScream might be correct. They might be fallen for phishing. But according to Atomic Wallet, 1% of their monthly active users reported that their wallet is drained. So, If their active user is 100K, 1K users' wallets were compromised. I don't think that many users could fall for the phishing trap.

Atomic might be hiding something about how are the private keys generated and them being non-custodial. I was using Atomic Wallet 2.45.1 For a while. Luckily I had nothing in my Atomic wallet, and I just uninstalled their software in case it contained any virus. Many users screamed in their tweets and complained about how much they lost. I am afraid now. I moved from Atomic to Electrum a while ago. I hope Electrum is the most secured and trusted among others!

This is incorrect, electrum does not store your private keys, it is stored on your wallet file locally (on your device) and encrypted with your password.
Closed source wallets could be doing it differently and keeping logs of private keys, (we would never know) which a hacker can access if they breach their security, which you cannot verify either.

- Jay -

I mean, if you are dumping $45,000 in to a centralized, absolute shitcoin like XRP, then you probably aren't doing much in the way of research.

We don't know. Such is the nature of closed source software. Nobody knows what it is actually doing. Is it generating seed phrases from a list that the developers are secretly holding? Is it sending seed phrases over the internet to a server somewhere? Has it got a built in function to sweep all funds to a malicious address at a particular date? Who knows? This is the risk you take with closed source software.

Looks like officials from Atomic where aware of existing  security vulnerabilities in their product but didn't take any step to eliminate them and/or notify users who  where trusting them. The money has outweighed the wisdom and they have chose  to stay nontransparent with customers.  

That's just terrible news.
Sure, anyone storing massive amounts of value in a mobile wallet is always taking a high risk and already made the first mistake here.
Still, this usually hits crypto-newbies the hardest. Couldn't find anything, is there an approximate number of how many people are affected?

Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...

Yes this is pretty bad. So far over $35M has been hacked and they have no idea what the issue is. They should send out a mass email to all the users who use Atomic Wallet and tell them to move to another wallet or even exchange.

Importing the seed into a new wallet won't help since they most likely have the seed. You need to move to a fresh new wallet. Wonder what the cause of this could of been? This is what happens when you use a closed source wallet.

Feels bad reading some of the comments. Some people think they are going to get a refund from the Atomic Wallet company. Feel bad that they don't know its gone forever.

Part of the problem that I have been saying for years is the fact that people have grown so accustomed to the security that comes with their bank and brokerage applications. Where if you do something stupid more than likely you could get your money back and if you forget your password you have way of recovering it and they have safeguards against you doing things without clicking I am sure a bunch of times.

So, people think that all financial applications including cryptocurrency ones are more or less operating the same way. And then are shocked when they do not.

For all of everybody running around screaming about everything in the financial world even back in 2008 with all the bank failures and all the other banks that imploded so far this year more or less in most occurrences people got all their money back. Now try to convince those people that they are responsible for their own actions.

I'm also going to go out on a limb here and say that it is older people that this happens too. Whether or not everybody wants to run screaming about this group or that group kids today(and I'm gonna say anybody under 30 ) have seen and heard all the disasters that happen online and because they grew up with the tech they understand a lot of its limitations.
Grandma and grandpa who you finally convinced to use online banking now think everything operates the same way, and when they had a problem with their online checking account they could call an 800 number and spend an hour getting help through the situation. Do you think they're going to understand the concept of custodial or non custodial or open source or closed source? Or the fact that if they forget the password there's absolutely nothing anybody can do about it. Yes it's a generalization, but probably fairly accurate.

-Dave