Pages:
Author

Topic: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings - page 4. (Read 2120 times)

hero member
Activity: 1834
Merit: 759
It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

That would be because giving away money when you don't actually have to is bad business. It's possible that they would have compensated him if things didn't get this ugly, but there's absolutely no way they would give him anywhere near the amount he lost. They would spend a lot less money by simply letting it out on the open and then doing damage control than by fully reimbursing him.

It sucks but this is our current reality. Being your own bank is incredible but it has drawbacks. The only real safe way to store your coins is offline.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  Roll Eyes

According to Coinomi and other testing (including a quick and dirty wireshark test by me) it was / is a SSL transmission to Google

-Dave
legendary
Activity: 3080
Merit: 1353
It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and its pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.

Exactly, the way Coinomi treated their customer is not what we expected them to do. Of course how can the guy cooperate with them when he just lost all of his savings from their incompetency. And now their turning tables and blaming the person for being non-cooperated and now they wanted him to be the bad actor here? Not professional @Coinomi.
legendary
Activity: 2744
Merit: 1708
First 100% Liquid Stablecoin Backed by Gold
I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, don't understand why OP used this same password/seed words for two different wallets?

From what I know rule number one is to use different passwords/seed words always.

If Coinomi wallet seed words would be different then OP exodus wallet would never be hacked. Am I right?

How they managed to find that these seed words are from Exodus wallet? Do they check all wallets out there? Strange.

legendary
Activity: 3010
Merit: 8114
It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and its pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.
full member
Activity: 670
Merit: 130
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users fault that you hadn't configure SSL on your systems by default and it was the users fault that you had enabled spell checkin plug in where you restore your seed phrase resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  Roll Eyes
legendary
Activity: 2576
Merit: 1655
This issue is out of the open already:

https://cryptoslate.com/security-consultant-reveals-coinomi-wallet-vulnerability-60000-in-crypto-allegedly-hacked/

Anyways, I have nothing against the OP, so maybe he can shed light to this:

Quote
Moreover, Coinomi claims that Maawali would not co-operate unless he was compensated:

“[He] refused to disclose his findings and kept [sic] threatened to take (the matter) public” unless payment of 17 BTC was made to compensate him for the allegedly stolen funds.
hero member
Activity: 798
Merit: 531
Crypto is King.
I saw that on reddit and didn't talk about it anywhere because as of now, it's just one guy making a claim.
I'm not saying it's false but I'd wait for more information about the whole thing.

Actually OP posted about more than one person having this happen to them and posting about it on reddit


Apparently I'm not the only one who got wiped out check these reddit posts:
https://www.reddit.com/r/COINOMI/comments/av8rp0/was_i_hacked_im_not_sure_what_i_did_wrong_help/
https://www.reddit.com/r/COINOMI/comments/av01oz/coinnomi_hacked/
https://www.reddit.com/r/CryptoCurrency/comments/9cja43/half_my_coins_are_missing_from_verge_electrum/


This proves my analysis but yet the company denies the responsibility.


What I did was I used one of my main wallets passphrase/seed (recovery seed) in Coinomi's wallet and that was my awful mistake! If it was the password that protect the private key (wallet.dat) then the attacker/criminal would not be able to do anything because he must obtain the private key in order to use the password and steal the wallet.
sr. member
Activity: 572
Merit: 259
LSK, QTUM
everyone donate 1 dollar to get his funds back  Smiley
65000 people
jr. member
Activity: 42
Merit: 1
I thought the Bitcoinist article about you said they gave you funds eventually and a 'bug-finding' bounty. Is that not true?
sr. member
Activity: 1736
Merit: 357
Peace be with you!
Thanks for the warning and awareness bro, and I feel sorry for your life savings that have been lost because of that wallet provider. Embarrassed I already quit using that Coinomi wallet a long time ago because of their bad customer support that I experienced. Losing life savings that you worked hard for it whatever price it is, is no joke I do hope that you will recover from your losses and get more blessing in the future.

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that a 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
This looks really alarming Shocked Coinomi should take this kind of vulnerability seriously because the funds of their customers will be in great danger just like what happened to you.
I am a coinomi user ever since but had never experienced something like that though I only have smaller amount of funds compared to OP's compromised value of funds. This issue should be explained and solved immediately by coinomi for their user's safety. This is really alarming as all of our funds might be compromised in just a single passphrase as it supports a lot of coins and tokens but I stored my Bitcoins in Mycelium wallet only Altcoins are placed on my Coinomi wallet.
full member
Activity: 532
Merit: 106
Coinomi should quickly take action on this issue. This is a huge damage to their company and it may be a result of their customers moving to a more trusted wallet.

I understand your explanation and I'm sad that it happened to you.
legendary
Activity: 1638
Merit: 1163
Where is my ring of blades...
That said, I am curious how OP's funds got stolen exactly. Seems unlikely that it was someone at Google's end.

regardless of how OP lost funds or whether he is telling the truth or Coinomi, in the end this has been a very irresponsible design on their side! they are sending the most secretive information of your wallet (which is your seed that is used to generate ALL your private keys) out to a third party server! there is absolutely no reason for a wallet to even have such options in it.
"spell check" should be done locally and versus the fixed 2048 words that the seed is chosen from.
legendary
Activity: 1792
Merit: 1283
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

I know LoyceV already mentioned it above, but I'd like to reiterate what he said:

Did you really have to use his full name? Pretty unethical behavior at your end IMO.
That said, I am curious how OP's funds got stolen exactly. Seems unlikely that it was someone at Google's end.

Wouldn't the more likely scenario be that his own PC was already compromised?

Still doesn't make up for the vulnerability though.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b
Let me quote from the Official Statement:
Quote
After the dust settles we all need to remember the names of those who chose self-assertion over general public safety and acted irresponsibly.
Was it really necessary to mention warith's full name 8 times?
Coinomi calls him a "blackmailer", "irresponsible", and claims funds are "possibly still controlled by him". The entire Official Statement reads like damage control to me.
jr. member
Activity: 55
Merit: 10
hero member
Activity: 2884
Merit: 794
I am terrible at Fantasy Football!!!
I've never heard about this Coinomi wallet.Why didn't you just use one of the more popular and trusted crypto wallet services?Storing big amounts of coins into ONE wallet is always a big mistake...
This topic belongs to the Scam Acusasations forums,I think...
The OP was using that wallet because there were some assets that were unsupported by the exodus wallet and he wanted to store those assets and he decided to use the coinomi wallet, it could have been a good idea to use a hardware wallet but now it is too late for him, so let this be a reminder, software wallets are not really the place to store huge amounts of money, if you have even just a few thousands of dollars worth of cryptocurrencies then you need to invest in a hardware wallet.
hero member
Activity: 2646
Merit: 584
Payment Gateway Allows Recurring Payments
Sorry for your losses OP, I've got some altcoins sitting on my coinomi wallet and I'm just letting it there which I rarely visit.
My big question is why you use Coinomi to safe your asset worth $60K-$70K?
I have my life savings on crypto's too but I'm not storing it to a multi-wallet just like coinomi. I trust more ledger nano s than this kind of wallet. This is a very painful and expensive experience for OP, I hope you recover soon. I've decided to start moving those coins of mine.
member
Activity: 335
Merit: 15
Trading & Crypto
Someone should tell me if IPHONE app could have the same vulnerability?
newbie
Activity: 10
Merit: 0
I am really sorry to hear this. I have been using Coinomi for quite some time now and the reason I did was because they said that your keys and passphrase are stored in your own mobile and not a server. I thought it was safe alll this time, but after reading your post I am having second thoughts. Again, I am really sorry for your loss Sad
Pages:
Jump to: