
Topic: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings - page 5. (Read 2129 times)

legendary
Activity: 1792
Merit: 1283
Presently I'm using Coinomi wallet, and I've been using Coinomi wallet since 2016, I guess. The experience has always been better than other wallets I've used so far. I don't have an answer to your claim, but I'm using the mobile version; since you're using the Windows version it might be true, or your PC was already hijacked right before you imported your passphrase. I'm sorry for your loss.

So, you haven't actually gone through the trouble of reading his post then?

Fact is that they sent passphrases in clear plain text to Google servers.
Whether you personally have had any issues with Coinomi is beside the point, AND you're doing everyone a disservice by bringing that up.

Next time, maybe don't comment when you have no clue what OP is talking about.

Disclaimer: Look, I don't mind uninformed people asking questions or adding to the discussion, but I do mind when they're spreading misinformation.
member
Activity: 546
Merit: 21
Presently I'm using Coinomi wallet, and I've been using Coinomi wallet since 2016, I guess. The experience has always been better than other wallets I've used so far. I don't have an answer to your claim, but I'm using the mobile version; since you're using the Windows version it might be true, or your PC was already hijacked right before you imported your passphrase. I'm sorry for your loss.
legendary
Activity: 1792
Merit: 1283
Fucking hell, I would literally be sick if I had lost such a big amount of money.
It's easy for people to criticize you for not choosing a proper wallet, but yeah, hindsight 20/20 right...

I hope you share this across multiple social media websites and keep doing this for at least a couple of weeks.
People should absolutely know that Coinomi sent passphrases over plain text for X amount of years(?)!

Without trying to be a dick about it, I would seriously recommend that you keep your life savings in a secure cold storage wallet.
Figure out a solution to do this securely and mostly offline, there are some great tutorials out there on how to do this.

Looking at your post, you obviously have the technical know-how to pick a more secure, more technical crypto storage solution.
Please do so in the future, if you're not totally done with cryptocurrency.
legendary
Activity: 2800
Merit: 2736
Next time if you need to spell check your passphrase/seed and to make sure that you are following the English dictionary just use Coinomi wallet LMAO!

I have to give you the credit that you are dealing with this issue with a cool mind. I am really sorry to hear that this happened to you.


I'm used to software wallets since 2013 and never had such incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such stupid vulnerability was not in my list and I have learned it the hard way and hopefully the community learns from my expensive experience.
Thanks for sharing this with the community.

But your story is different from mine since you imported your passphrase from exodus wallet and maybe someone had spotted this since you really have decent amount.

This has nothing to do with his previous passphrase/wallet. In its simplest sense, OP lost his money because Coinomi has a backdoor which has been used by a hacker to get his passphrase. So whatever apps you use to generate the passphrase, you can fall for the same hack.

Maybe create a new wallet using Electrum; the safest is to use a 2/2 multisig wallet. Transfer the balance to the new wallet. I hope no more people fall for this trick and lose their money.
full member
Activity: 670
Merit: 130
This is indeed SAD.

Although it was known from last year's incident with Luke Childs (you have it in your article as well) that Coinomi are either malicious or incompetent or a bit of both. I state the latter not only because of their childish security issues/mistakes (they just had to enable SSL back then, or their unsigned main app now) but from their responses when you tell them that something is wrong.

I hope somehow you get back your stolen funds.  
Thanks for sharing this !
hero member
Activity: 658
Merit: 851
I saw that on reddit and didn't talk about it anywhere because as of now, it's just one guy making a claim.
I'm not saying it's false but I'd wait for more information about the whole thing.
legendary
Activity: 3010
Merit: 3724
First saw this post on reddit. Suggest you move this to the Wallet Software section so people using the wallet can also be aware.

I can't technically say who or what's to blame for the loss of funds, but there are so many red flags with the way dev teams like Coinomi's behave that it reminds me why I'm so reluctant to try these wallets. How Coinomi could ever not sign their main app is beyond me, for example.

I'd actually alert Google as well. It does sound like only someone on their team (as you saw with access to the HTTP requests to googleapis) took it.
sr. member
Activity: 572
Merit: 259
I am sorry for your loss. I also read about Ledger Nano and there are also issues.
It's hard to find a wallet to trust.
legendary
Activity: 3346
Merit: 1618
Coinomi is effectively a web wallet; it's always a risk leaving a significant amount of coins in an online wallet. OP, I feel for you, I really do, but judging by how knowledgeable you seem & how eloquently you type, I think you were probably aware of the risks.

Sadly you know yourself that this could have been avoided even by keeping your coins on a bitcoin core (QT) wallet.
sr. member
Activity: 980
Merit: 294
There is another guy who launched a unique concept token to highlight such scams.

I think you should contact him and see if you guys can work on something together to spread more awareness about these now big scams.

This is the ANN:
https://bitcointalksearch.org/topic/ann-mother-fucking-token-mft-proof-of-gettingfked-algorithm-5112397

May your steps end these incidents forever.
That guy you're talking about is full of sarcasm in his body and he's actually funny but OP has a serious issue, it's his life savings.
Probably if this happened to me I would not be able to sleep or eat and maybe be depressed, and even being sarcastic wouldn't help either way.

Perhaps who knows, out of frustration, OP will collab with this motherfuckercoin. We'll see then.
staff
Activity: 4326
Merit: 8951
Don't use closed source wallets.

If anything this incident increases my (nearly zero) estimate of this wallet's security: Someone looked and found at least at the moment it was sending the key material only to Google. That is more secure than should have been expected.

Don't use closed source wallets.

Don't use wallets that support a zillion different cryptocurrencies (just supporting one securely is a task too hard for basically anyone to get right...).

Don't use closed source wallets.

I'm sorry to hear about the OPs loss.

Don't use closed source wallets.
copper member
Activity: 364
Merit: 4
This is a great heads up on an insecure wallet. The majority of mine are on a hardware wallet, with others split across a desktop software wallet and even some on several different exchanges.
jr. member
Activity: 45
Merit: 12
What a sad and pathetic thing to read.

As if these exit scams were not enough, now even companies are doing so.

I'm fed up with these scams.

May your steps end these incidents forever.

Best of luck.
hero member
Activity: 1834
Merit: 759
That is some pretty damning evidence. If I had money in a Coinomi wallet, I'd be sweating bullets as I transferred my funds right about now. I mean, transferring data in plaintext is one thing, but are you sure some random Google employee was able to see your seed? Wouldn't they have strict protocols to avoid scenarios like that? Maybe your traffic was intercepted or something.

But yeah I suppose that's not the main issue. This is yet another harsh reminder to trust no one.

As an addendum, I hope something comes out of your legal action. Pretty much every single wallet out there states in the ToS they make you agree to that they won't be responsible for any losses. It's going to be an uphill battle.
hero member
Activity: 3206
Merit: 940
I've never heard about this Coinomi wallet. Why didn't you just use one of the more popular and trusted crypto wallet services? Storing big amounts of coins in ONE wallet is always a big mistake...
This topic belongs in the Scam Accusations forums, I think...
hero member
Activity: 2912
Merit: 556
My big question is why you used Coinomi to save your assets worth $60K-$70K? It doesn't make sense to me. With so much money inside the wallet, you can buy a hardware wallet like the Ledger S Nano or even the Ledger X Nano (which is the newest product from Ledger). I don't want to get into any trouble, so I save all of my assets in the wallet, online or offline.

You can buy 10 or even more Ledger X Nano to save all of your assets. The first mistake is your own, and you do not realize that, and now you are in trouble for losing all of the assets because Coinomi compromised your passphrase. It's not about their mistake in getting inside your wallet; it's our responsibility to protect all that we have. Realize that thing first.

I think your computer was compromised with malware because you used the Windows wallet installer, which you don't know is safe or not. But once again, next time if you have assets worth $1k or more, it is better to save them in a Ledger or Trezor.

Personally, I use the Coinomi wallet on my Android phone, but I don't save all my assets inside the wallet; I only save 5-10 coins in there. The rest of the coins I keep in my Ledger. I haven't had any trouble so far.

It is an important lesson for you and for everyone who has large assets: never use a wallet online or inside the computer. It is better to buy one hardware wallet which can save all of the assets so you don't have to worry about something bad that might happen.
hero member
Activity: 1022
Merit: 503
I'm a Coinomi user since 2017 and have had no problem with that, so far. My biggest fund there was around $5k and I didn't worry about hacking issues since I have a passphrase. But your story is different from mine since you imported your passphrase from Exodus wallet, and maybe someone had spotted this since you really have a decent amount.

I'm not a techy person so I can't say anything; I just feel sorry for your money that doesn't seem to be coming back.
And if there is any further update on what Coinomi has to say, please keep us posted here.

You probably didn't read my post very well. Coinomi's wallet simply takes your passphrase and spell checks it with a remote server!

Sort of, since it's lengthy, lol. Well, I really thought that it was the Exodus importing that triggered everything; pardon me on that. So earlier I had checked those links in the OP since honestly I was on Coinomi's side (sorry again), but upon reading all those links I found out these are all true (especially those Reddit posts). Maybe I trusted it too much and wasn't aware of those "backdoors".

I'm having my thoughts right now which wallets are safe since even a hardware wallet can be tampered upon shipping.
legendary
Activity: 3542
Merit: 1966
What I do not understand is, why does Coinomi need to spell check your seed phrase on googleapis.com? Is this done on purpose to blame external factors when someone within the company uses this "backdoor" and gets caught?

I have always said that centralized wallet providers and exchanges should never be trusted with your life savings. DO NOT put all your eggs in one basket. <80%+ of my hoard is stored on cold wallets & hardware wallets and only 20% is stored on different centralized services for daily access>
newbie
Activity: 10
Merit: 51
I read your whole excerpt... this makes me sick to my stomach... RIP your life savings. I'm sorry this happened and I appreciate your detailed explanation. Glad you are documenting it all as much as possible to sue them.

I have one question....

Why did you not have a hardware wallet with the majority of your coins in there? They are like $60 USD...

I'm really not sure, but I think one of the reasons is that you can only have a limited number of unique coins in a single hardware wallet (please correct me if I'm wrong).

I'm used to software wallets since 2013 and never had such incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such stupid vulnerability was not in my list and I have learned it the hard way and hopefully the community learns from my expensive experience.
From what I understand, a Ledger hardware wallet can hold 1000+ coins' pub and private keys, so you always have your coins ready to go... I really am sorry for your loss. What a weird exploit... man in the middle attack. The fact that Coinomi threatened you with legal action... Man, post this in the Scam Accusations sub forum. People there would have a field day looking into your claims. So basically whoever did this exploit still has access to it, if I understand correctly? Everyone should pull their coinage off Coinomi's wallet ASAP. I'm a bit confused though. You said you downloaded their PGP-signed wallet app and installed it, and that's the application that is exploitable by way of spell check through Google's remote API?

Thanks for the information and the tip.

I just wanted to point out that even hardware wallets can be vulnerable because you can't make sure that your hardware wallet does not get tampered with during shipping and someone installs predefined private keys in it. It's not about using hardware or software wallet. It's about having a well defined security policy and audit before you sell or promote your product to the end users especially when you deal with their money or crypto-currencies. At some point you have to trust the vendor otherwise and if they f***up you get f***edup too.

Regarding the access, you are right. Whoever controls googleapis.com can see your passphrase, which is sent by Coinomi's wallet to them!

Companies purchase digital signatures from certificate authorities to sign their application so that when you download their application you know it's from the actual source. If anyone modifies the application (backdoors it, for example) then the digital signature will be invalid. At first I thought their application was infected because it did not contain a digital signature, but later on I discovered that they send the passphrase/seed to a remote server, and that solved the puzzle.

So their signed and unsigned application are both vulnerable.
Damn, you are right about the fact that they could preload the wallets with a backdoor when shipping a hardware wallet... never thought about it like that... ffs, that worries me lol. I'm going to do much more digging on hardware wallets now before I decide on one.

In regards to the man in the middle attack that got you... HFS man. Someone who works for a Google entity swiped you... what a shame. I wonder how many other people have suffered from this exploit... now that it is released into the light web it'll probably be replicated by other means at a higher rate... users beware please.

Did you have a passphrase set on your wallet to send and receive, or just the seed code to recover the pub/priv keys? The reason I ask is I am curious: if you have a password on your wallet.dat and someone is able to type in your seed string, would they still be able to steal your coins without the wallet passphrase?

Apparently I'm not the only one who got wiped out check these reddit posts:
https://www.reddit.com/r/COINOMI/comments/av8rp0/was_i_hacked_im_not_sure_what_i_did_wrong_help/
https://www.reddit.com/r/COINOMI/comments/av01oz/coinnomi_hacked/
https://www.reddit.com/r/CryptoCurrency/comments/9cja43/half_my_coins_are_missing_from_verge_electrum/

This proves my analysis, but yet the company denies responsibility.

What I did was I used one of my main wallets' passphrase/seed (recovery seed) in Coinomi's wallet, and that was my awful mistake! If it were the password that protects the private key (wallet.dat), then the attacker/criminal would not be able to do anything, because he must obtain the private key in order to use the password and steal the wallet.
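The exposure this thread describes is a recovery phrase travelling in a plaintext request to a remote spell-check service, where anyone controlling or observing that endpoint can read it. As an added illustration, not part of the original thread and not Coinomi's code, here is a defender-side scan over constructed proxy-captured requests that flags any query-string or form value shaped like a BIP39 mnemonic; the host `spellcheck.example`, the paths and the sample phrase are all made up.

```python
"""Flag outbound HTTP requests that carry a seed-phrase-like string in the clear.

Added example for this thread (not Coinomi's code). The host 'spellcheck.example'
and the captured requests below are constructed; this is the kind of rule a
proxy log review or EDR alert would run to catch a wallet leaking its phrase.
"""
import re
from urllib.parse import parse_qs, urlsplit

# BIP39 mnemonics are 12/15/18/21/24 lowercase words of 3-8 letters each.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}")


def looks_like_mnemonic(text):
    """True if text is a whitespace-separated run of BIP39-shaped words."""
    words = text.split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.fullmatch(w) for w in words)


def candidate_values(request):
    """Yield every query-string and form-body value from one captured request."""
    for values in parse_qs(urlsplit(request.get("path", "")).query).values():
        yield from values
    for values in parse_qs(request.get("body", "")).values():
        yield from values


def flag_leaks(requests):
    """Return (host, path) for each request carrying a mnemonic-like value."""
    return [(r["host"], r["path"]) for r in requests
            if any(looks_like_mnemonic(v) for v in candidate_values(r))]


# Constructed sample capture: one spell-check call carrying a 12-word phrase
# (a made-up phrase, not a real wallet), one benign price lookup, and one
# spell-check call with an ordinary two-word query that must not alert.
SAMPLE_REQUESTS = [
    {"host": "spellcheck.example", "path": "/v1/check",
     "body": "lang=en&text=alpha+brave+candy+delta+eagle+frost+giant+honey+ivory+jolly+kite+lemon"},
    {"host": "api.example", "path": "/price?symbol=BTC", "body": ""},
    {"host": "spellcheck.example", "path": "/v1/check?text=wallet+balanse", "body": ""},
]

if __name__ == "__main__":
    for host, path in flag_leaks(SAMPLE_REQUESTS):
        print(f"ALERT: mnemonic-like text sent in plaintext to {host}{path}")
```

The heuristic is deliberately shape-based so it works without shipping the word list; a production rule would additionally check each word against BIP39 and the checksum to cut false positives.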