Pages:
Author

Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 8. (Read 2562 times)

hero member
Activity: 644
Merit: 661
- Jay -
Every wallet stores customer seeds and private keys internally; it cannot function differently.
This is incorrect, electrum does not store your private keys, it is stored on your wallet file locally (on your device) and encrypted with your password.
Closed source wallets could be doing it differently and keeping logs of private keys, (we would never know) which a hacker can access if they breach their security, which you cannot verify either.

- Jay -
legendary
Activity: 2268
Merit: 18771
Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?
I mean, if you are dumping $45,000 in to a centralized, absolute shitcoin like XRP, then you probably aren't doing much in the way of research. Tongue

But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?
We don't know. Such is the nature of closed source software. Nobody knows what it is actually doing. Is it generating seed phrases from a list that the developers are secretly holding? Is it sending seed phrases over the internet to a server somewhere? Has it got a built in function to sweep all funds to a malicious address at a particular date? Who knows? This is the risk you take with closed source software.
hero member
Activity: 714
Merit: 1298
Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...

Looks like officials from Atomic where aware of existing  security vulnerabilities in their product but didn't take any step to eliminate them and/or notify users who  where trusting them. The money has outweighed the wisdom and they have chose  to stay nontransparent with customers.  

legendary
Activity: 2114
Merit: 1403
Disobey.
That's just terrible news.
Sure, anyone storing massive amounts of value in a mobile wallet is always taking a high risk and already made the first mistake here.
Still, this usually hits crypto-newbies the hardest. Couldn't find anything, is there an approximate number of how many people are affected?

Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...
legendary
Activity: 3808
Merit: 1723
Yes this is pretty bad. So far over $35M has been hacked and they have no idea what the issue is. They should send out a mass email to all the users who use Atomic Wallet and tell them to move to another wallet or even exchange.

Importing the seed into a new wallet won't help since they most likely have the seed. You need to move to a fresh new wallet. Wonder what the cause of this could of been? This is what happens when you use a closed source wallet.

Feels bad reading some of the comments. Some people think they are going to get a refund from the Atomic Wallet company. Feel bad that they don't know its gone forever.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

Part of the problem that I have been saying for years is the fact that people have grown so accustomed to the security that comes with their bank and brokerage applications. Where if you do something stupid more than likely you could get your money back and if you forget your password you have way of recovering it and they have safeguards against you doing things without clicking I am sure a bunch of times.

So, people think that all financial applications including cryptocurrency ones are more or less operating the same way. And then are shocked when they do not.

For all of everybody running around screaming about everything in the financial world even back in 2008 with all the bank failures and all the other banks that imploded so far this year more or less in most occurrences people got all their money back. Now try to convince those people that they are responsible for their own actions.

I'm also going to go out on a limb here and say that it is older people that this happens too. Whether or not everybody wants to run screaming about this group or that group kids today(and I'm gonna say anybody under 30 ) have seen and heard all the disasters that happen online and because they grew up with the tech they understand a lot of its limitations.
Grandma and grandpa who you finally convinced to use online banking now think everything operates the same way, and when they had a problem with their online checking account they could call an 800 number and spend an hour getting help through the situation. Do you think they're going to understand the concept of custodial or non custodial or open source or closed source? Or the fact that if they forget the password there's absolutely nothing anybody can do about it. Yes it's a generalization, but probably fairly accurate.

-Dave
legendary
Activity: 2170
Merit: 1789
Zach claims to have successfully recovered some of the stolen funds. He said he knows what is wrong but prefers not to share it as of now[1]. Wonder why he decided to do that, maybe the attacker still has the means to exploit more? Kinda surprising the funds are even recoverable.

[1] https://twitter.com/zachxbt/status/1665226056570118146
hero member
Activity: 2520
Merit: 952
This should make us all aware that closed source wallets should be avoided at all costs even though they might be promoting themselves as a non-custodial wallet.

I saw posts on Reddit saying this could be an inside job as well.

Atomic wallet devs were warned about security risks in their wallet long ago, check out this coindesk post [1].

[1] https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/
full member
Activity: 1092
Merit: 227
Well this makes me think about all those claims which stated if you own the keys then you are owner and no one can have access to your wallets/funds within. I’m shocked to see this news about atomic wallet. How does everyone going to trust any other wallet too if wallet services that claim to be non custodial? This is definitely phishing attack, because let us say it was really a compromised wallet and hacked one then either the hacker has just found out the loop hole in the non custodial system or it could be the owner himself who has turned his business into some quick disruption of money. In anyways, user is the one that gets suffered. Hope everyone rest moves their funds as quickly as possible to other wallet.
legendary
Activity: 1526
Merit: 1359
Thanks for sharing this!

I am a long time atomic user and never had any problems with it. Reading this makes me overthink using it in the future.

It would be foolish to continue using this wallet after reading about multiple reports of lost funds from all over. Even the official website has disabled software downloads, and they have stated that they are currently investigating the issue.

But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

Every wallet stores customer seeds and private keys internally; it cannot function differently. But since this is a closed-source wallet, we cannot know what is happening in the background. Some preliminary reports claim that it was a malicious update originating from a hacked official site, but there is still no official explanation.

Sorry if my questions are kind of stupid. I have no idea about the technicalities.

No, your questions are not stupid, but it is still too early to say anything because we do not know what actually happened.

I just use the wallet from time to time for smaller transactions.

If you still have funds in your wallet, it is advisable to transfer them to a safe place as soon as possible.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

You should never write any wallet in JavaScript, and in particular NodeJS & Electron (not to be confused with "Electrum" wallet which uses Python), because your project dependencies will pull literally hundreds of other dependencies, some of which are outdated, and there's no way for you to get around that situation. Instead of a bullet, it's like a hundred pieces of shrapnel from a missile and will almost certainly get you killed.

Interesting posts of their Subreddit: https://www.reddit.com/r/atomicwallet/
Why can't I find one helpful Reddit post, ever? I mean, look at the first reply of We are investigating.

Quote
~snip

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

XRP, a shitcoin, does not have any reputable wallet software for it.
hero member
Activity: 798
Merit: 896
Leading Crypto Sports Betting & Casino Platform
Thanks for sharing this!

I am a long time atomic user and never had any problems with it. Reading this makes me overthink using it in the future.
But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

Sorry if my questions are kind of stupid. I have no idea about the technicalities.

I just use the wallet from time to time for smaller transactions.
hero member
Activity: 1439
Merit: 513
Sad day for Atomic Wallet users, It's (another) stark reminder. Not your keys, not your coins.
Atomic wallet is a non-custodial wallet and gives you the private keys. The problem with Atomic wallet is that it's close source and there is no way to know how the keys have been generated and whether the user is the only who has access to the keys or not.
oops don't know how I confused closed source with not your keys concept  Roll Eyes
I got ate up for closed source on 1splitkey, even though it was split keys people didn't trust it.
I now know that lack of understanding means lack of trust.
I closed source code as it was tesla agents that controlled systems and didn't want that repurposed via simple cli tweaks. That was my reasoning. What's theirs? Why where they so successful?
These occurrences prove that they arnt always non-custodial.

legendary
Activity: 2422
Merit: 1083
Leading Crypto Sports Betting & Casino Platform
This is a rather sad news, I am rather a bit surprised that this has to happen, my astonishment is probably due to the fact that it is a non-custodial wallet that is involved in this hack, we I think we are very used to custodial wallet, and centralized platforms being hacked, a non-custodial wallet hack is rather new and shocking, and some would want to ask questions like, if a non-custodial wallet can be hacked, then which type of wallet is exactly safe?

I think the above question can only be answered after the management of Atomic wallet come out with a comprehensive reason of what lead to the hack, and let's hope they are sincere to their users and the entire crypto community at large.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
It's sad news, we thought that using a non-custodial wallet is safe, in fact, there's no really safe over the internet.
Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

So IMO it would be better if Atomic wallet move their coins/token by importing recovery words to other wallet rather than opening their Atomic wallet application.


A software wallet is only as safe as the computer and OS used to run it. If the computer is compromised then malware with sufficient elevated rights can compromise the software wallet. If the software wallet itself is badly crafted, which you can't check with closed-source software, then you're screwed anyway.

Importing the BIP-39 compatible recovery words of the Atomic Wallet in another wallet only makes sense if you can exclude the possibility that those recovery words or the underlying seed wasn't already compromised. Sure, if the current attack on Atomic Wallet needs some more ongoing interaction with the Atomic Wallet software, then you may gain some ground by importing it in another verified wallet that supports all your coins and tokens. Sadly, many alternatives are closed-source, too, with very few exceptions (I believe Unstoppable Wallet is multi-coin and open-source).

Even more sadly is that those closed-source wallets mostly don't offer the use of a hardware wallet with them. If implemented properly and without malicious intends that would mostly prevent a compromise of the seed and/or private keys that are secured by the hardware wallet.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Interesting posts of their Subreddit: https://www.reddit.com/r/atomicwallet/
Why can't I find one helpful Reddit post, ever? I mean, look at the first reply of We are investigating.

Quote
My wife and I just noticed we lost all of our XRP! Over 90,000 tokens fucking gone what the hell is going on?!

Edit: All our Bitcoin is gone as well we were just so surprised about the XRP we didn't realize. We keep hugging each other we thought this was supposed to be cold storage.

I love how the reply email tells us not to share our keys "we don't" and to contact exchanges so they can block addresses like this was somehow our fault.

FUCK YOU Atomic Wallet

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

Just another in the long list of reasons to never use closed source wallets.

On top of that, Atomic wallet is owned is owned by Binance which historically has few questionable behavior.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?


For those of you like me that did not remember if you left any funds in there (I had an entire $2 of tron so no big deal) just put your phone in airplane mode or disconnect your internet from you PC and check. And then if needed get your private keys. Don't start with getting the keys and importing do a time / effort analysis.


Copay was open source.
But as I have said countless times. Open source and build verified still does not prevent bad coding. Or as you mentioned a supply chain attack.
It just allows more people to see the bad code and report it and get it fixed.

And also as I have said countless times. Open source don't mean shit if people don't verify the source vs compiled that you are downloading. And lets not forget the HOW SECURE IS THE PROCESS OF UPLOADING THE APP TO THE VARIOUS APP STORES.
Everything else could be perfect, but if you don't secure that system then you are not secure.

-Dave
legendary
Activity: 1526
Merit: 1359
On top of that, Atomic wallet is owned is owned by Binance which historically has few questionable behavior.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?

Yeah, I was confused between Atomic and Trust wallet. Their homepage which show review from "CZ Binance" on Trustpilot[1] also add confusion since i remember CZ Binance also promote Trust wallet on Twitter some time ago[2].

I have been searching around this forum, but I could not find any previous discussions about this specific topic. However, I did come across a few articles from 2018 that shed some light on the partnership between CZ Binance and Konstantin G., who is the CEO and founder of AtomicWallet and the former CEO and co-founder of Changelly.

https://www.unlock-bc.com/news/2018-05-03/changelly-partnered-with-binance-konstantin-met-with-cz-in-malta/


legendary
Activity: 2268
Merit: 18771
I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

Just another in the long list of reasons to never use closed source wallets.

On top of that, Atomic wallet is owned is owned by Binance which historically has few questionable behavior.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?
legendary
Activity: 2702
Merit: 4002
The only advantage of that wallet is the ability to integrate the wallet with automatic/instant exchange, in other words, easy to exchnage between cryptocurrencies, but I see it as a lazy user, I hope that they have not lost a lot.
Are all users lost their money? Or is there a certain reason to lose their money, I use the phone and I did not find time to track the story.
Pages:
Jump to: