Topic: I get hacked, 2.4 bitcoin stolen from coinomi wallet - page 2. (Read 617 times)

This is a strange incident and i am really worried that if this could happen with Coinomi wallet, then other non-custodial wallet are also not save ?
Which non-custodial wallet is best for saving the bitcoins other than the hardware wallet ?

Also do you think that it is a flaw in the Coinomi wallet or was it something related to any malware/virus in the phone which caused this hack ?

The Op makes a big mistake because mobile wallets are never going for long-term holding and most wallet providers may not tell you this but it's the truth. According to the research conducted by the Computer Science and Engineering - Michigan State University.
It shows that mobile wallets are deemed to face a lot of security threats of

 (1) Deanonymize of user real identities, Bitcoin addresses, and transactions,
(2) Introduce continuous unwanted Bitcoin spamming traffic towards victims
(3) launch Bitcoin fraud attacks to take advantage of Bitcoin wallet users
You'll find the pdf file here

It is just like the saying "there's no smoke without fire" what you just said now is another human error that will lead wallet hack and I believe this is one of the reasons why your Metamask wallet was hacked.

I don't trade much and even I do, I use binance for that purpose and have some balance left in the exchange for trading.
Although the amount is not more than $10,000 all the amount that I hold in the smartphone wallet is for long term.
I am planning to delete the smartphone wallet from my phone now since I already have the backup of the seed.
For monitoring the balance I will just look it up on the explorer.

I express my deepest sympathy to you. It's very unfortunate that this happened to you, especially when the price of bitcoin is so high that you can really get depressed because of this event. But I'll tell you what - many people, for their own reasons, often threw away their old computers and laptops and then realized that there was a fortune left in bitcoins. I think that you should not think about it a lot - you need to live on and get the most out of your situation. Thanks for sharing your story.

We'll all just have to take your word on that, since your software is all closed source and we have absolutely no idea what it is doing with seed phrases. And if you are so sure that no user could possibly have lost funds via this method, then why did you tell everyone who might have been affected at the time to create a new wallet and send their funds to it? And how could you possibly say that seed phrases sent to Google definitely did not result in the loss of funds? Did Google let you audit their systems?

Plenty of people on this forum would love to take a look at your code. Please share some links.

I think what happened to the OP is no different from what happened to a coinomi user in 2019, a user named Warith Al Maawali has claimed that he lost nearly $60 thousand in assets due to a bug that occurred in coinomi, thus causing the user key or passwords are read in plain text and leaked to other parties so that they are easily accessed by third parties, I think coinomi might again need to review their current server security and if it does have a bug it's better to fix it immediately so that trust from user in coinnomi can be high again .

I hope you learnt some valuable lesson here ...

1. Use services that use OpenSource software that are Peer reviewed by independent developers. (They cannot hide backdoors)
2. Do not use FREE VPN's with unencrypted data
3. DO NOT use old phones with outdated software
4. Store large amounts of coins on hardware wallets (They are not expensive)
5. Do not store all coins on one platform or device (A single hack can clean you out)

I have to say one thing.... You did a lot of research and you were able to track the coins ....many people cannot even do that.  

I am happy to see you are reviewing your closed source policy.

Coinomi was the second wallet I ever used, since 2017, and I still use it today. It is a wallet that serve my needs in my mobile device.

IMO, a mobile wallet is always unsafe and I agree with DaveF, no one should keep coins that are worth more than the mobile device in a mobile wallet.

I will add one more suggestion to Coinomi: Make it hardware wallet compatible, like electrum/metamask/etc

If your wallet become open source and hardware wallet compatbile, it will make your wallet one of the best in the market.

Given the number of users we have we would expect thousands of users to come forward with the same issue after this update if that was the case. We are more than happy to respond to any official request to review our source code by reputable companies. We are also reviewing our decision to be closed source with the preffered outcome to be open source again.

This comment is complete FUD. There was an incident in 2019 with our initial DESKTOP beta release only (so irrelevant to this case) which was fixed and there is a report to confirm this as not a cause for any user to have lost funds: https:/[Suspicious link removed]/VZQAotXNrJ

We are reviewing our decision to be closed source and hope we can move to an opensource model in the near future. That being said opensource does not mean 'safe' it just means the code can be verified and compiled from source. We are open to any official request to review and verify our source code by reputable code reviewers.

The fact remains it shouldn't have happened at all. They were running out dated software, they left some servers unencrypted, the stored private keys on those unencrypted servers. There were a number of pretty basic mistakes that all had to made to lead to this situation.

I don't trust free VPNs as a rule of thumb. Combine this with the fact that Windscribe have only very recently open sourced their desktop application and their mobile and router applications remain closed source, and they have never been subjected to an independent audit (please correct me if I'm wrong), means I would not use them and would not recommend them. I'd be happy to reconsider my position in the future if and when these issues are addressed.

Don't do this. As soon as you take a photo of your seed phrase, then you have opened it up to compromise. Your seed phrase should be written down on paper only, not stored electronically.

Guess we'll never know since most of them will be closed source, just like your wallet.

Hi there, As we and other have explained here each and every transaction from the app requires confirmation of your password before being sent (your private keys are kept encrypted at all times with the password, so even if the app wanted, it would not be able to decrypt the keys without the password).

Unauthorized transactions can only be made by a) someone who has access to your seed phrase, or b) someone with access to your device and knows your password. There is no other way. We occasionally receive news of users having their email accounts hacked, giving attackers access to their seed backup files kept on their email or other cloud service. Please review your seed backup security, try to remember if you ever entered your seed on any other wallet, website, form, notes tool, etc; or check if anyone could have accessed the app on your device and knows your password.

One thing which concerns us the most is the use of the VPN on a device you claim is "connected to the network once a month to update" and is only used for coinomi. This does not ring true with the evidence you posted here, it shows you have 300+ applications on your device which would suggest some daily use on this device. With this many apps it is becoming increasingly likely that one or more of those apps are possibly stealing data from your device or logging some of your activity. This coupled with the age of your device OS is a huge cause for concern.

We highly recommend you file a report with your local police/cyber crime unit so they can begin the task of reaching out to exchanges and centralised services in the hopes of blacklisting the funds for you whilst investigation takes place.

Kind regards.

Hacked is a serious problem in cryptocurrencies, cases of hacked private keys, hacked accounts on exchanges and many more make us to be alert, few days ago my Google metamask was also hacked and made me lose around $500 and the best thing is to create a wallet then we write private manually on paper, make sure there is no internet connection then we take a photo and save the data.

i wouldnt store any significant amount on a phone.

that being said ive used mycelium for years on my daily driver android phones that are on 24/7 (and that are always fully patched and running the latest OS that are supported) and never had a problem, but its just very small amounts of btc and im fully prepared to lose it at any time due to whatever reason (hacks/stolen/wallet goes bad/whatever).

hardware wallets for the win. paper is good but only use them if you know what youre doing.

I have always used the theory that the coins on your phone should never be worth more then your phone.
But that's just me.
I use Coinomi on my phone to store a bunch of alts that I have accumulated over the years. Since my phone is older and worth less, and overall crypto is up in the last couple of days I am in violation of that but it's still under a couple of hundred dollars.

And as others have pointed out you are on a old phone with known vulnerabilities that were never fixed.

https://www.firstpost.com/tech/news-analysis/google-finds-11-vulnerabilities-in-the-samsung-galaxy-s6-edge-eight-fixed-3673083.html
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=galaxy

They, and it's not just Samsung its all phone makers, just let the old hardware sit forever with known issues because they just don't care.

-Dave

I trust Windscribe  I use it from 2017 , free account but I mine and my limit is 50gb per month more than enough , on the phone I have  an account without email with 2gb traffic/month
I don't think the VPN is the problem... if they hack my phone they have lots of opportunity since 2019 because Coinomi have enough updates in last  year.

If you have several thousand dollars in your wallet and you constantly trade from your mobile phone wallet, but I would not keep more than 10,000 dollars in a mobile wallet.
If you store coins, then you can use the Ledger or Trezor, and if you like trading, then read about SafePal. You will get the opportunity to trade without KYC on binance.

Oh my god, now that's something we don't get to read everyday. OP, are you sure you updated the wallet from a genuine source ?
You should always updated your apps only from playstore/app store and I hope you did the same.
But in that case how can one possible hack your coins. Are you sure you didn't visit any maliciuos website through your phone.


Now I am being a little concerned here because I have my coins stored on a smartphone wallet.
But I am using Mycelium which is an opensource wallet for storing bitcoin and Exodus for altcoins which is partiall open source.
At the same time the phone is completely separate and has no other apps installed. I don't use it for anything at all.

There are many misconceptions here, and a small research could have saved your money.

First of all, VPN do not increase security, but a bad VPN might even be bad for it as o_e_l_e_o pointed out. Aditionally,  this is more than  enough money just to buy a hardware wallet (less than 50 usd) which  was designed to secure your coins

A cold wallet is just a wallet which never connects to internet.

You never had a cold wallet. Once your your was created using coinomi,  that seed was already exposed to an online environment.  Installing it in a new phone, downloading a VPN, etc just reduced it security.

The correct procedure would be to buy a hardware wallet (or create a paper wallet  , but you lack knowledge for that) and then transfer your funds from coinomi to that new wallet 

This is another proof that you cannot use a cell phone to store bitcoins. If you like wallets on your cell phone, then you need to use through a hardware wallet. Any software wallet is unreliable and can be hacked. I don't use my mobile phone to store cryptocurrencies at all.