Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: warith on February 26, 2019, 11:49:55 PM



Title: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on February 26, 2019, 11:49:55 PM
-- Update 1 --
Please make sure to check my new reply to this post:
https://bitcointalk.org/index.php?topic=5114708.msg49967946#msg49967946

-- Update 2 -- [03/Mar/2019]

My second official statement regarding Coinomi wallet "Spell Check" scandal (video included):
https://twitter.com/warith2020/status/1102445902353043456

-- End of Update --


Please note that you can view a better version of this post here:
https://avoid-coinomi.com

TL;DR
Coinomi's (https://www.coinomi.com/) multi-asset wallet's poor implementation leads to sharing your plain-text passphrase with a third-party server. My passphrase was compromised and $60K-$70K worth of crypto-currency was stolen because of Coinomi wallet and how the wallet handled my passphrase. I’m disclosing this issue publicly because Coinomi refused to take responsibility and all my attempts through private channels have failed.

Please note that this security issue cannot be exploited by anyone except the people who created it or have control over the backend. To everyone who is using or has used Coinomi wallet: make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application, otherwise your funds might get stolen sooner or later.

To understand how catastrophic the security issue is: they simply take your crypto-currency wallet’s passphrases/seeds and spell-check them by sending them remotely to Google servers in clear plain text!

They did not take responsibility for my loss. I gave them more than 24 hours before full disclosure; they fixed the issue without notifying their users and they kept procrastinating like scumbags to buy more time.

Below is a link to their final response to my request, after going back and forth with them for over 3 days to get my stolen funds back, even after they confirmed the security issue. You can clearly see how silly and reckless their responses are (these responses are just examples):
https://avoid-coinomi.com/files/coinomi_final_response.png

My advice: never ever trust Coinomi with your hard-earned crypto-currency assets. Read this post entirely to understand why, because this is not the first time they have shown this kind of behavior.

The Incident
First of all, I admit it was my mistake trusting Coinomi wallet by entering the passphrase of one of my main wallets (Exodus wallet) into their application. I trusted them because I downloaded the software from their website, the setup file was digitally signed, and it was mentioned by several reputable websites such as bitcoinwiki.org. I wanted to move some of the assets that were not supported by Exodus wallet using the same passphrase/seed.

The incident began on 14th February, 2019. I downloaded and installed Coinomi application (Windows version) and noticed that their setup file was digitally signed but their main application was NOT signed after the installation process was completed.

I contacted them publicly through Twitter (@warith2020 (https://twitter.com/warith2020)) and they confirmed the issue, then uploaded a new version with the main application signed. At that time I had already entered my Exodus wallet passphrase into Coinomi’s application.

On 22nd February 2019, I noticed that more than 90% of my Exodus wallet assets had been transferred to multiple wallet addresses. The first transaction began with BTC on 19th February 2019 around 3:30 am UTC, followed by ETH (including ERC20 tokens), LTC and finally BCH.

Technical Analysis
I started going back in time and arranging the events. The only new thing that I did was installing and running Coinomi wallet so my first conclusion was that the unsigned version of the application had a backdoor.

I did further investigation and compared both the unsigned version of the setup file and the signed version. The only difference was that they had added a digital signature to the main executable file and the Java file (the main application).

At that stage I thought that there was probably something suspicious about the application apart from having their main executable unsigned, so I started replicating what I did in a new virtual machine, but this time I installed “Fiddler”, a tool that allows you to monitor and debug the HTTP/HTTPS traffic of all applications running on your machine.

I started monitoring the traffic by running Fiddler in the background and then started Coinomi wallet. The first thing I noticed is that the Coinomi application starts downloading a dictionary wordlist from the following web address:
https://redirector.gvt1.com/edgedl/chrome/dict/en-us-8-0.bdic

Then I clicked on restore wallet and pasted a random passphrase and suddenly the screen screamed SURPRISE MOTHER****** (boom puzzle solved!)

The WHOLE passphrase in plain text is sent to googleapis.com, a domain name owned by Google! It was sending it as a spelling-check function! Here is a screenshot of the HTTP request:
https://avoid-coinomi.com/files/coinomi_screenshot_1.png

To verify my findings I have uploaded a video for anyone who wants to test and replicate what I did:
https://avoid-coinomi.com/files/coinomi_http_traffic_video.mp4

You can also simply paste any random sentence with a spelling mistake into the textbox in Coinomi‘s “Restore Wallet” form/page and you will see that it gets underlined with a red line after being sent in clear text to googleapis.com.

To understand what’s going on, I will explain it technically. Coinomi’s core functionality is built using the Java programming language. The user interface is designed using HTML/JavaScript and rendered using an integrated Chromium-based browser (Chromium is Google’s open-source project).

The whole thing is done using JxBrowser to build cross-platform applications, and before you say (like Coinomi‘s CTO did) that it’s a JxBrowser issue, let me tell you that JxBrowser mentioned this on their website in 2016, along with how to disable the default spell-checking behavior:
https://jxbrowser.support.teamdev.com/support/solutions/articles/9000044250-configuring-spell-checker

So essentially the textbox which you enter your passphrase in is basically an HTML file run by the Chromium browser component, and once you type or paste anything in that textbox it will immediately and discreetly send it remotely to googleapis.com for spell checking (how awesome is that!)

As a result, someone from Google’s team, or whoever had access to the HTTP requests that are sent to googleapis.com, found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!

Coinomi’s Response
The team behind Coinomi are either extremely smart, adding such a backdoor so that when they get caught they can simply say it was an honest mistake, or extremely stupid to overlook such a security bug.

I will not be surprised if they intentionally created this backdoor behavior function and had an insider at Google especially when you learn from recent news about a founder of crypto-currency exchange claiming weird suspicious death while no one except him has access to the crypto-currency assets!

Coinomi’s team did not show any responsible behavior, and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation. They kept ignoring my request that they take responsibility and ignored my solid facts regarding it. They didn’t give a single **** about my stolen crypto assets. They kept reminding me (kinda threatening me) of the legal implications if I went public with the information I have, and they forgot their legal responsibility for my stolen crypto assets as well as the risk that impacts other users of the wallet.

In fact, Coinomi’s team discreetly deleted their reply to my tweets to hide the evidence regarding their unsigned main executable in which they confirmed the issue and they didn’t respond to my requests as shown in the following screenshots:
https://avoid-coinomi.com/files/coinomi_tweets.pdf

Such behavior was a clear evidence for me that there is something suspicious about their wallet and they didn’t want to expose it. It seems the founders are the developers of the application and they don’t like anyone who criticizes their ugly baby creation “Coinomi” wallet. They think that they are the code gurus fallen from the heavens who write perfect code.

However, before I published my findings I sent them the whole thing, giving them more than 12 hours’ heads-up because they requested clear technical evidence. Their CTO told me that he would download the report within 3 hours (they downloaded the report after 5-6 hours). Imagine someone tells you that you have a CRITICAL vulnerability in your software which holds users' hard-earned crypto assets and yet you act carelessly because somehow you think you are a superior creature (Khan from the Star Trek Into Darkness movie).

Below are the screenshots of the private messages between Coinomi’s CTO and me:
https://avoid-coinomi.com/files/coinomi_cto_private_messages.pdf

This is not the first time they have behaved this way, especially when someone finds an issue with their application. Luke Childs previously published a security vulnerability/misconfiguration and their response was somewhat similar:
https://bitsonline.com/coinomi-vulnerability-respond/
https://imnotdead.co.uk/blog/coinomi

Recap
To recap the events for further investigation:

  • My first passphrase attempt, sent to googleapis.com through Coinomi wallet, was on 14th February 2019
  • A Google employee, or whoever has control over the data that is sent to googleapis.com, processed the data that had my passphrase, and that was between 14th and 19th February 2019
  • My crypto assets were stolen on 19th February 2019 starting around 3:30 am UTC and the transactions continued for 15 minutes. At the end 90% of the assets were gone, and the remaining assets were only left because these assets were supported by Exodus wallet but NOT Coinomi wallet (what a coincidence, you say!)

Please note that I took all the security precautions to keep my passphrase and wallet safe. I have a separate isolated virtual machine for it with Anti-Virus/Anti-Malware and a firewall installed. I also had other wallets on the same virtual machine for years. Nothing was stolen except for the wallet whose passphrase I recently used in Coinomi wallet!

What's Next
I will start taking legal action against the company behind Coinomi if they don’t act and take responsibility. The company is registered in the UK as “Coinomi LTD (https://beta.companieshouse.gov.uk/company/10451885)”, in case anyone has faced or is facing a similar case where you suddenly lost your crypto assets and you happen to have used Coinomi wallet. The funny thing is that they state on their website:
“Most importantly, no Coinomi wallet has ever been hacked or otherwise compromised to date.” (bull****!)

Be aware that probably all desktop versions are affected (I’m not sure about the mobile versions), and the guy/group who is/are capturing the passphrases is possibly targeting only wallets with a decent amount of assets to stay low profile as long as he/they can.

I have also uploaded a copy of the latest version of the Coinomi application in case they take down the links to hide the facts:

  • Download UNSIGNED version (proof that the main application was not signed) (https://avoid-coinomi.com)
  • Download signed version (proof that the wallet sends passphrase to a remote server) (https://avoid-coinomi.com)
  • Screenshot of the SHA256SUM hashes before the patch (https://avoid-coinomi.com/files/coinomi_hashes.png)

Final Thoughts
This was an expensive and mentally painful experience to learn from and hopefully after publishing this post no one will experience the same. The lessons learned so far:
  • Never trust any multi-asset crypto wallet unless they have done an external security audit by a trusted third-party and their security audit is publicly available.
  • Never ever trust Coinomi with your hard earned crypto-currencies. They do not take any responsibility and when they f***-up things they just run away like it’s not their business.
  • Never ever trust Google services/products with your sensitive information. They have great control over the data and it seems their policy isn’t that strict, which results in their employees, especially those with malicious intent, taking advantage of the power of the collected data.

At the end I need to make it clear again why I published this:

  • Spread awareness among users who are using or used Coinomi wallet.
  • Demand my stolen crypto-currency assets from the company behind Coinomi wallet, either in terms of crypto-currency or in terms of fiat currency. The more they procrastinate, the more the value of the assets increases over time.
  • Force Google to start investigating the issue. I’m pretty sure this is a serious issue not only in regard to my stolen crypto-currency assets but also in terms of users’ privacy and their data being maliciously used by Google’s employees or whoever has control over this data.

Finally, I hope the moderators pin this post to spread awareness. I’m pretty sure hundreds of thousands in crypto assets will be saved and many users will have the opportunity to save their hard-earned crypto assets!

Next time if you need to spell check your passphrase/seed and to make sure that you are following the English dictionary just use Coinomi wallet LMAO!
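The mechanism the post describes is a generic one: any text field rendered by an embedded Chromium-based browser inherits the browser's spell-checker unless the application turns it off, either globally (as the JxBrowser article linked above explains) or per field with the HTML `spellcheck="false"` attribute. The following audit script is an added example, not code from the original post, from Coinomi or from JxBrowser. It scans a form's HTML for secret-bearing inputs (seed, passphrase, mnemonic and similar names; a hypothetical heuristic) and reports any that leave spell checking or autocomplete enabled. The two sample forms are constructed for the example.

```python
"""Audit an HTML form for secret-input fields that leave the browser
spell-checker (or autocomplete history) enabled.  Added example; not
Coinomi's or JxBrowser's code.  Field-name hints are a hypothetical
heuristic for what counts as a secret field."""
from html.parser import HTMLParser

SECRET_HINTS = ("seed", "passphrase", "mnemonic", "recovery", "private", "secret")

# Attribute values a secret field should carry.  Without spellcheck="false",
# an embedded Chromium may hand the typed text to its online spelling
# service; without autocomplete="off" it may keep the text in form history.
REQUIRED = {"spellcheck": "false", "autocomplete": "off"}


class _FieldCollector(HTMLParser):
    """Collect the attributes of every <input> and <textarea> element."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea"):
            # HTMLParser lowercases attribute names; values may be None.
            self.fields.append({k: (v or "").lower() for k, v in attrs})


def looks_secret(field):
    """True if the field's name/id/placeholder/aria-label suggests a secret."""
    text = " ".join(field.get(k, "") for k in ("name", "id", "placeholder", "aria-label"))
    return any(hint in text for hint in SECRET_HINTS)


def audit_form(html):
    """Return one finding string per missing hardening attribute on each
    secret-looking field; an empty list means the form passes."""
    parser = _FieldCollector()
    parser.feed(html)
    findings = []
    for field in parser.fields:
        if not looks_secret(field):
            continue
        label = field.get("name") or field.get("id") or "<unnamed>"
        for attr, want in REQUIRED.items():
            if field.get(attr) != want:
                have = field.get(attr, "unset")
                findings.append(f'{label}: {attr} should be "{want}" (is {have!r})')
    return findings


# Constructed samples: a restore form as the post describes it, and the
# same form with the per-field mitigations applied.
LEAKY_FORM = """
<form id="restore">
  <label for="seed">Enter your recovery phrase</label>
  <textarea name="passphrase" id="seed" rows="3"></textarea>
  <input name="search" type="text">
</form>
"""

HARDENED_FORM = """
<form id="restore">
  <label for="seed">Enter your recovery phrase</label>
  <textarea name="passphrase" id="seed" rows="3"
            spellcheck="false" autocomplete="off"
            autocorrect="off" autocapitalize="off"></textarea>
  <input name="search" type="text">
</form>
"""

if __name__ == "__main__":
    for name, html in (("leaky", LEAKY_FORM), ("hardened", HARDENED_FORM)):
        print(name, audit_form(html) or "OK")
```

The per-field attributes only cover fields the audit can see; the stronger fix for an embedded-browser UI is to disable the spell-check service at the browser-engine level so that no field, present or future, can reach it.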


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: peonminer on February 26, 2019, 11:55:33 PM
I read your whole excerpt ... this makes me sick to my stomach... RIP your life savings. I'm sorry this happened and I appreciate your detailed explanation. Glad you are documenting it all as much as possible to sue them. :-X :-\

I have one question....

Why did you not have a hardware wallet with the majority of your coins in there? They are like $60 USD...


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on February 27, 2019, 12:16:08 AM
I read your whole excerpt ... this makes me sick to my stomach... RIP your life savings. I'm sorry this happened and I appreciate your detailed explanation. Glad you are documenting it all as much as possible to sue them. :-X :-\

I have one question....

Why did you not have a hardware wallet with the majority of your coins in there? They are like $60 USD...

I'm really not sure, but I think one of the reasons is that you can only have a limited number of unique coins in a single hardware wallet (please correct me if I'm wrong).

I have been using software wallets since 2013 and never had such an incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such a stupid vulnerability was not on my list; I have learned it the hard way and hopefully the community learns from my expensive experience.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: peonminer on February 27, 2019, 01:15:56 AM
I read your whole excerpt ... this makes me sick to my stomach... RIP your life savings. I'm sorry this happened and I appreciate your detailed explanation. Glad you are documenting it all as much as possible to sue them. :-X :-\

I have one question....

Why did you not have a hardware wallet with the majority of your coins in there? They are like $60 USD...

I'm really not sure but I think one of the reasons is that you can only have a limited number of unique coins in a single hardware (please correct if I'm wrong).

I'm used to software wallets since 2013 and never had such incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such stupid vulnerability was not in my list and I have learned it the hard way and hopefully the community learns from my expensive experience.
from what I understand, ledger hardware wallet can hold 1000+ coins' pub and private key so you always have your coins ready to go... I really am sorry for your loss. What a weird exploit.. man in the middle attack. The fact that coinomi threatened you with legal action... Man post this in the scam accusations sub forum. People there would have a field day looking into your claims. So basically whoever did this exploit still has access to it if I understand correctly? Everyone should pull their coinage off coinomis wallet asap. I'm a bit confused though. You said you downloaded their pgp verisigned wallet app and installed it and that's the application that is exploitable by way of spell check through Google's remote API?


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: denzkilim on February 27, 2019, 01:38:59 AM
Thanks for the warning and awareness bro, and I feel sorry for your life savings that have been lost because of that wallet provider. :-[ I already quit using that Coinomi wallet a long time ago because of the bad customer support that I experienced. Losing life savings that you worked hard for, whatever the price, is no joke. I do hope that you will recover from your losses and get more blessings in the future.

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that a 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
This looks really alarming :o Coinomi should take this kind of vulnerability seriously because the funds of their customers will be in great danger just like what happened to you.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Tamilson on February 27, 2019, 02:38:09 AM
I have been a Coinomi user since 2017 and have had no problem with it, so far. My biggest fund there was around $5k and I didn't worry about hacking issues since I have a passphrase. But your story is different from mine since you imported your passphrase from Exodus wallet, and maybe someone spotted this since you really have a decent amount.

I'm not a techy person so I can't say anything; I just feel sorry for your money that seems not to be coming back.
And if there is a further update on what Coinomi has to say, please keep us posted here.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: joniboini on February 27, 2019, 02:55:57 AM
But your story is different from mine since you imported your passphrase from exodus wallet and maybe someone had spotted this since you really have decent amount.

This has nothing to do with his previous passphrase/wallet. In its simplest sense, OP lost his money because Coinomi has a backdoor which has been used by a hacker to get his passphrase. So whatever apps you use to generate the passphrase, you can fall for the same hack.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on February 27, 2019, 04:16:14 AM
I read your whole excerpt ... this makes me sick to my stomach... RIP your life savings. I'm sorry this happened and I appreciate your detailed explanation. Glad you are documenting it all as much as possible to sue them. :-X :-\

I have one question....

Why did you not have a hardware wallet with the majority of your coins in there? They are like $60 USD...

I'm really not sure but I think one of the reasons is that you can only have a limited number of unique coins in a single hardware (please correct if I'm wrong).

I'm used to software wallets since 2013 and never had such incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such stupid vulnerability was not in my list and I have learned it the hard way and hopefully the community learns from my expensive experience.
from what I understand, ledger hardware wallet can hold 1000+ coins' pub and private key so you always have your coins ready to go... I really am sorry for your loss. What a weird exploit.. man in the middle attack. The fact that coinomi threatened you with legal action... Man post this in the scam accusations sub forum. People there would have a field day looking into your claims. So basically whoever did this exploit still has access to it if I understand correctly? Everyone should pull their coinage off coinomis wallet asap. I'm a bit confused though. You said you downloaded their pgp verisigned wallet app and installed it and that's the application that is exploitable by way of spell check through Google's remote API?

Thanks for the information and the tip.

I just wanted to point out that even hardware wallets can be vulnerable, because you can't make sure that your hardware wallet does not get tampered with during shipping and that someone doesn't install predefined private keys in it. It's not about using a hardware or software wallet. It's about having a well-defined security policy and audit before you sell or promote your product to end users, especially when you deal with their money or crypto-currencies. At some point you have to trust the vendor, and if they f***up you get f***edup too.

Regarding the access, you are right. Whoever controls googleapis.com can see the passphrases that are sent to them by Coinomi's wallet!

Companies purchase digital signatures from certificate authorities to sign their application so that when you download their application you know it's from the actual source. If anyone modifies the application (backdoors it, for example) then the digital signature will be invalid. At first I thought their application was infected because it did not carry a digital signature, but later on I discovered that they send the passphrase/seed to a remote server, and that solved the puzzle.

So their signed and unsigned applications are both vulnerable.
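The reply above makes the key point: whoever can read the requests that reach googleapis.com can read the passphrase, so the place to catch this class of bug is the outbound traffic of your own machine, exactly as the opening post did with Fiddler. The script below is an added example, not code from the post, from Coinomi or from Fiddler. It runs the post's heuristic ("12 random English words separated by spaces is probably a wallet passphrase") over captured requests and flags any such word run sent to a host outside a first-party allowlist. The capture records, the allowlist host `api.wallet.example` and the `/rpc` request shape are constructed for the example; the `from_har` adapter uses only standard HAR fields, so a real Fiddler or DevTools export can be fed to it.

```python
"""Flag captured HTTP requests that carry a seed-phrase-like word run to a
third-party host.  Added example: not the original post's code and not
Coinomi, Fiddler or JxBrowser code.  The capture records below are
constructed; api.wallet.example is a hypothetical first-party host."""
import re
from urllib.parse import unquote, urlsplit

# Heuristic from the post: a run of 12+ short lowercase English words
# separated by single spaces is very probably a wallet mnemonic.  BIP39
# words are 3-8 letters and valid phrases have 12, 15, 18, 21 or 24 words.
SEED_RUN = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")

# Hosts the wallet legitimately talks to; anything else is third party.
FIRST_PARTY = {"api.wallet.example"}


def seed_like_runs(text):
    """Return the word count of every mnemonic-like run found in text."""
    return [len(m.group(0).split()) for m in SEED_RUN.finditer(text or "")]


def find_seed_leaks(requests):
    """requests: iterable of dicts with keys host, path, body (all strings).
    Returns (host, path, word_count) for each request whose URL or body
    carries a seed-like run to a host outside FIRST_PARTY."""
    leaks = []
    for req in requests:
        if req["host"] in FIRST_PARTY:
            continue
        # Secrets may travel URL-encoded in the query string or raw in the body.
        haystack = unquote(req.get("path", "")) + "\n" + (req.get("body") or "")
        for words in seed_like_runs(haystack):
            leaks.append((req["host"], req.get("path", ""), words))
    return leaks


def from_har(har):
    """Adapt a HAR export (which Fiddler and Chrome DevTools can save) to the
    record shape used above.  Only standard HAR fields are read."""
    records = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        url = urlsplit(request["url"])
        path = url.path + ("?" + url.query if url.query else "")
        body = request.get("postData", {}).get("text", "")
        records.append({"host": url.hostname or "", "path": path, "body": body})
    return records


# Constructed sample capture modelled on the post's observations.  The 12
# words are simply the first twelve entries of the public BIP39 English
# wordlist, used as an obvious dummy phrase.
SAMPLE_CAPTURE = [
    {"host": "redirector.gvt1.com",
     "path": "/edgedl/chrome/dict/en-us-8-0.bdic", "body": ""},
    {"host": "www.googleapis.com", "path": "/rpc",
     "body": '{"method":"spelling.check","params":{"text":"abandon ability able '
             'about above absent absorb abstract absurd abuse access accident",'
             '"language":"en"}}'},
    {"host": "api.wallet.example", "path": "/v1/balance?coin=btc",
     "body": '{"account":"xpub-placeholder"}'},
]

if __name__ == "__main__":
    for host, path, words in find_seed_leaks(SAMPLE_CAPTURE):
        print(f"ALERT: {words}-word seed-like run sent to {host}{path}")
```

The dictionary download and the first-party balance call pass; only the spell-check request is reported. Running such a check against a proxy capture before entering a real seed into a new wallet application is cheap, and it catches the whole family of "helpful" embedded-browser features, not just this one.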


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on February 27, 2019, 04:28:16 AM
Thanks for the warning and awareness bro, and I feel sorry for your life savings that have been lost because of that wallet provider. :-[ I already quit using that Coinomi wallet a long time ago because of their bad customer support that I experienced. Losing life savings that you worked hard for it whatever price it is, is no joke I do hope that you will recover from your losses and get more blessing in the future.

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that a 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
This looks really alarming :o Coinomi should take this kind of vulnerability seriously because the funds of their customers will be in great danger just like what happened to you.

Yes, it's totally alarming, and the company behind Coinomi does not give a single f*** about the users. They patched the application without changing the version or updating the changelog, and they never informed their users about the issue even after I gave them all the information they needed.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on February 27, 2019, 04:35:00 AM
I'm a coinomi user since 2017 and got no problem with that, so far. My biggest fund there was around $5k and didn't worry about hacking issue since I have a passphrase. But your story is different from mine since you imported your passphrase from exodus wallet and maybe someone had spotted this since you really have decent amount.

I'm not a techy person so I can't say anything, I just feel sorry for your money that seems no getting back.
And if there will further update what coinomi has to say please keep us posted here.

You probably didn't read my post very well. Coinomi's wallet simply takes your passphrase and spell-checks it with a remote server!


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: pooya87 on February 27, 2019, 04:38:36 AM
sorry about your losses, it really sucks.

i have never used any wallet on my phone so i don't really check these things, but interestingly enough coinomi's GitHub doesn't seem to have been updated for more than 2 months[1], which makes me wonder whether their wallet is even open source, because that is the first thing i checked after reading your topic: i wanted to see where the bug was and whether it was fixed or not (especially since this type of bug is so weird and obvious!). it seems like they have released a new version (yesterday) on google play but nothing is happening on their github.
comparing with other wallets (Electrum, Breadwallet, Mycelium, Samourai,...) they all are actively updating the source code and you can even compile it from source yourself.

[1] https://github.com/Coinomi/coinomi-android


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on February 27, 2019, 04:53:48 AM
sorry about your losses, it really sucks.

i have never used any wallet on my phone so i don't really check these things but interestingly enough coinomi GitHub doesn't seem to be updated for more than 2 months[1] which makes me wonder whether their wallet is even open source because that is the first thing i checked after reading your topic, i wanted to see where the bug was and whether it was fixed or not (specially since this type of bug is so weird and obvious!). it seems like they have released a new version (yesterday) on google play but nothing is happening on their github.
comparing with other wallets (Electrum, Breadwallet, Mycelium, Samourai,...) they all are actively updating the source code and you can even compile it from source yourself.

[1] https://github.com/Coinomi/coinomi-android

They claim open source, but in reality their application is not open source. The GitHub account is inactive and they admitted that. Read the following links + comments (these are old articles/posts, but they confirm the open-source thing):
https://bitsonline.com/coinomi-vulnerability-respond/
https://imnotdead.co.uk/blog/coinomi


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: peonminer on February 27, 2019, 04:55:37 AM
I read your whole excerpt ... this makes me sick to my stomach... RIP your life savings. I'm sorry this happened and I appreciate your detailed explanation. Glad you are documenting it all as much as possible to sue them. :-X :-\

I have one question....

Why did you not have a hardware wallet with the majority of your coins in there? They are like $60 USD...

I'm really not sure but I think one of the reasons is that you can only have a limited number of unique coins in a single hardware (please correct if I'm wrong).

I'm used to software wallets since 2013 and never had such incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such stupid vulnerability was not in my list and I have learned it the hard way and hopefully the community learns from my expensive experience.
from what I understand, ledger hardware wallet can hold 1000+ coins' pub and private key so you always have your coins ready to go... I really am sorry for your loss. What a weird exploit.. man in the middle attack. The fact that coinomi threatened you with legal action... Man post this in the scam accusations sub forum. People there would have a field day looking into your claims. So basically whoever did this exploit still has access to it if I understand correctly? Everyone should pull their coinage off coinomis wallet asap. I'm a bit confused though. You said you downloaded their pgp verisigned wallet app and installed it and that's the application that is exploitable by way of spell check through Google's remote API?

Thanks for the information and the tip.

I just wanted to point out that even hardware wallets can be vulnerable because you can't make sure that your hardware wallet does not get tampered with during shipping and someone installs predefined private keys in it. It's not about using hardware or software wallet. It's about having a well defined security policy and audit before you sell or promote your product to the end users especially when you deal with their money or crypto-currencies. At some point you have to trust the vendor otherwise and if they f***up you get f***edup too.

Regarding the access, you are right. Whoever controls googleapis.com can see your passphrase that are sent by Coinomi's wallet to them!

Companies purchase digital signatures from certificate authorities to sign their application so that when you download their application you know it's from the actual source. If anyone modifies the application (backdoors it for example) then the digital signature will be invalid. At first I thought their application was infected because it did not contain digital signature but later on I discover that they send the passphrase/seed to a remote server and that solved the puzzle.

So their signed and unsigned application are both vulnerable.
damn, you are right about the fact that they could preload the wallets with a backdoor when shipping a hard wallet... never thought about it like that... ffs that worries me lol. I'm going to do much more digging on hardware wallets now before I decide on one.

In regards to the man in the middle attack that got you... HFS man. Someone who works for a Google entity swiped you... what a shame. I wonder how many other people have suffered from this exploit... now that it is released into the light web it'll probably be replicated by other means at a higher rate... users beware please.

Did you have a passphrase set on your wallet to send and receive, or just the seed code to recover the pub/priv keys? The reason why I ask is that I am curious: if you have a password on your wallet.dat and someone is able to type in your seed string, would they still be able to steal your coins without the wallet passphrase?


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on February 27, 2019, 05:17:49 AM
I read your whole excerpt ... this makes me sick to my stomach... RIP your life savings. I'm sorry this happened and I appreciate your detailed explanation. Glad you are documenting it all as much as possible to sue them. :-X :-\

I have one question....

Why did you not have a hardware wallet with the majority of your coins in there? They are like $60 USD...

I'm really not sure but I think one of the reasons is that you can only have a limited number of unique coins in a single hardware (please correct if I'm wrong).

I'm used to software wallets since 2013 and never had such incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such stupid vulnerability was not in my list and I have learned it the hard way and hopefully the community learns from my expensive experience.
from what I understand, ledger hardware wallet can hold 1000+ coins' pub and private key so you always have your coins ready to go... I really am sorry for your loss. What a weird exploit.. man in the middle attack. The fact that coinomi threatened you with legal action... Man post this in the scam accusations sub forum. People there would have a field day looking into your claims. So basically whoever did this exploit still has access to it if I understand correctly? Everyone should pull their coinage off coinomis wallet asap. I'm a bit confused though. You said you downloaded their pgp verisigned wallet app and installed it and that's the application that is exploitable by way of spell check through Google's remote API?

Thanks for the information and the tip.

I just wanted to point out that even hardware wallets can be vulnerable because you can't make sure that your hardware wallet does not get tampered with during shipping and someone installs predefined private keys in it. It's not about using a hardware or software wallet. It's about having a well defined security policy and audit before you sell or promote your product to the end users, especially when you deal with their money or crypto-currencies. At some point you have to trust the vendor, and if they f*** up you get f***ed up too.

Regarding the access, you are right. Whoever controls googleapis.com can see your passphrase that is sent by Coinomi's wallet to them!

Companies purchase digital signatures from certificate authorities to sign their application so that when you download their application you know it's from the actual source. If anyone modifies the application (backdoors it, for example) then the digital signature will be invalid. At first I thought their application was infected because it did not contain a digital signature, but later on I discovered that they send the passphrase/seed to a remote server and that solved the puzzle.

So their signed and unsigned application are both vulnerable.
Damn, you are right about the fact that they could preload the wallets with a backdoor from shipping a hardware wallet... never thought about it like that... ffs that worries me lol. I'm going to do much more digging on hardware wallets now before I decide on one.

In regards to the man in the middle attack that got you... HFS man. Someone who works for a Google entity swiped you... what a shame. I wonder how many other people have suffered from this exploit... now that it is released into the light web it'll probably be replicated by other means at a higher rate... users beware please.

Did you have a passphrase set on your wallet to send and receive or just the seed code to recover the pub/priv keys? Reason why I ask is I am curious if you have a password on your wallet.dat and someone is able to type in your seed string, would they still be able to steal your coins without the wallet passphrase?

Apparently I'm not the only one who got wiped out; check these Reddit posts:
https://www.reddit.com/r/COINOMI/comments/av8rp0/was_i_hacked_im_not_sure_what_i_did_wrong_help/
https://www.reddit.com/r/COINOMI/comments/av01oz/coinnomi_hacked/
https://www.reddit.com/r/CryptoCurrency/comments/9cja43/half_my_coins_are_missing_from_verge_electrum/

This proves my analysis, yet the company denies responsibility.


What I did was I used one of my main wallets' passphrase/seed (recovery seed) in Coinomi's wallet and that was my awful mistake! If it was the password that protects the private key (wallet.dat) then the attacker/criminal would not be able to do anything because he must obtain the private key in order to use the password and steal the wallet.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Kakmakr on February 27, 2019, 05:28:00 AM
What I do not understand is, why does Coinomi need to spell check your seed phrase on googleapis.com? Was this done on purpose to blame external factors when someone within the company used this "backdoor" and got caught?

I have always said that centralized wallet providers and exchanges should never be trusted with your life savings. DO NOT put all your eggs in one basket. <80%+ of my hoard is stored on cold wallets & hardware wallets and only 20% is stored on different centralized services for daily access>  ;)


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Tamilson on February 27, 2019, 05:56:43 AM
I've been a Coinomi user since 2017 and have had no problem with it, so far. My biggest fund there was around $5k and I didn't worry about hacking issues since I have a passphrase. But your story is different from mine since you imported your passphrase from the Exodus wallet, and maybe someone spotted this since you really have a decent amount.

I'm not a techy person so I can't say anything; I just feel sorry for your money, which it seems you won't get back.
And if there is any further update on what Coinomi has to say, please keep us posted here.

You probably didn't read my post very well. Coinomi's wallet simply takes your passphrase and spell checks it with a remote server!

Sort of, since it's lengthy, lol. Well, I really thought that it was the Exodus import that triggered everything, pardon me on that. So earlier, I had checked those links in the OP since honestly I was on Coinomi's side (sorry again), but upon reading all those links I found out these are all true (especially those Reddit posts). Maybe I trusted it too much and wasn't aware of those "backdoors".

I'm having my thoughts right now about which wallets are safe, since even a hardware wallet can be tampered with upon shipping.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: maydna on February 27, 2019, 06:25:46 AM
My big question is why you used Coinomi to save assets worth $60K-$70K? It doesn't make sense to me. With so much money inside the wallet, you can buy a hardware wallet like the Ledger Nano S or even the Ledger Nano X (which is the newest product from Ledger). I don't want to get into any trouble by saving all of my assets in a wallet, online or offline.

You can buy 10 or even more Ledger Nano X to save all of your assets. The first mistake is your own, and you do not realize that, and now you are in trouble for losing all of the assets because Coinomi compromised your passphrase. It's not about their mistake getting inside your wallet; it's our responsibility to protect all we have. Realize that first.

I think your computer was compromised with malware because you used the Windows wallet installer, which you don't know is safe or not. But once again, next time if you have assets worth $1k or more, it is better to save them in a Ledger or Trezor.

Personally, I use the Coinomi wallet on my Android phone, but I don't save all my assets inside the wallet; I only save 5-10 coins there. The rest of the coins I keep in my Ledger. I haven't had any trouble so far.

It is an important lesson for you and for everyone who has large assets: never use an online wallet or one inside the computer; it is better to buy one hardware wallet which can save all of the assets so you don't have to worry about something bad that might happen.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: davis196 on February 27, 2019, 06:27:48 AM
I've never heard about this Coinomi wallet. Why didn't you just use one of the more popular and trusted crypto wallet services? Storing big amounts of coins in ONE wallet is always a big mistake...
This topic belongs in the Scam Accusations forum, I think...


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: jseverson on February 27, 2019, 06:29:23 AM
That is some pretty damning evidence. If I had money in a Coinomi wallet, I'd be sweating bullets as I transfer my funds right about now. I mean, transferring data in plaintext is one thing, but are you sure some random Google employee was able to see your seed? Wouldn't they have strict protocols to avoid scenarios like that? Maybe your traffic was intercepted or something.

But yeah I suppose that's not the main issue. This is yet another harsh reminder to trust no one.

As an addendum, I hope something comes out of your legal action. Pretty much every single wallet out there states that they won't be responsible for any losses in the ToS that they make you agree to. It's going to be an uphill battle.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: himanshuoe on February 27, 2019, 06:33:33 AM
What a sad and pathetic thing to read.

As if these exit scams were not enough, now even companies are doing so.

I'm fed up with these scams.


May your steps end these incidents forever.

Best of luck.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: btyco on February 27, 2019, 07:50:32 AM
This is a great heads up on an unsecure wallet. Majority of mine are on a hardware wallet with others split across a desktop software wallet and even some on several different exchanges.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: gmaxwell on February 27, 2019, 08:41:31 AM
Don't use closed source wallets.

If anything this incident increases my (nearly zero) estimate of this wallet's security: Someone looked and found at least at the moment it was sending the key material only to Google. That is more secure than should have been expected.

Don't use closed source wallets.

Don't use wallets that support a zillion different cryptocurrencies (just supporting one securely is a task too hard for basically anyone to get right...).

Don't use closed source wallets.

I'm sorry to hear about the OPs loss.

Don't use closed source wallets.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Crypto Girl on February 27, 2019, 09:10:55 AM
There is another guy who launched a unique concept token to highlight such scams.

I think you should contact him and see if you guys can work on something together to spread more awareness about these now big scams.

This is the Ann
https://bitcointalk.org/index.php?topic=5112397.0

May your steps end these incidents forever.
That guy you're talking about is full of sarcasm in his body and he's actually funny, but OP has a serious issue; it's his life savings.
Probably if this happened to me I would not be able to sleep or eat and maybe be depressed, and even being sarcastic wouldn't help either way.

Perhaps who knows, out of frustration, OP will collab with this motherfuckercoin. We'll see then.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: DeathAngel on February 27, 2019, 09:36:38 AM
Coinomi is effectively a web wallet; it’s always a risk leaving a significant amount of coins in an online wallet. OP I feel for you, I really do, but judging by how knowledgeable you seem & how eloquently you type I think you were probably aware of the risks.

Sadly you know yourself that this could have been avoided even by keeping your coins on a bitcoin core (QT) wallet.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: anks on February 27, 2019, 09:37:24 AM
I am sorry for your loss. I also read about the Ledger Nano and there are also issues.
It's hard to find a wallet to trust.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: buwaytress on February 27, 2019, 09:37:44 AM
First saw this post on reddit. Suggest you move this to the Wallet Software (https://bitcointalk.org/index.php?board=37.0) section so people using the wallet can also be aware.

I can't technically say who or what's to blame for the loss of funds, but there are so many red flags with the way dev teams like Coinomi's operate that it reminds me why I'm so reluctant to try these wallets. How Coinomi could ever not sign their main app is beyond me, for example.

I'd actually alert Google as well. It does sound like only someone on their team (as you saw with access to the HTTP requests to googleapis) took it.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: kenzawak on February 27, 2019, 09:39:53 AM
I saw that on reddit and didn't talk about it anywhere because as of now, it's just one guy making a claim.
I'm not saying it's false but I'd wait for more information about the whole thing.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on February 27, 2019, 12:07:36 PM
This is indeed SAD.

Although it was known from last year's incident with Luke Childs (you have it in your article as well) that Coinomi are either malicious or incompetent or a bit of both. I state the latter not only because of their childish security issues/mistakes (they just had to enable SSL back then, or their unsigned main app now) but from their responses when you tell them that something is wrong.

I hope somehow you get back your stolen funds.
Thanks for sharing this!


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: BitcoinGirl.Club on February 27, 2019, 01:13:17 PM
Next time if you need to spell check your passphrase/seed and to make sure that you are following the English dictionary just use Coinomi wallet LMAO!

I have to give you the credit that you are dealing with this issue with a cool mind. I am really sorry to hear that this happened to you.


I have been using software wallets since 2013 and never had such an incident because I was taking proper security measures by isolating my crypto stuff.

Getting exploited by such a stupid vulnerability was not on my list and I have learned it the hard way, and hopefully the community learns from my expensive experience.
Thanks for sharing this with the community.

But your story is different from mine since you imported your passphrase from the Exodus wallet, and maybe someone spotted this since you really have a decent amount.

This has nothing to do with his previous passphrase/wallet. In its simplest sense, OP lost his money because Coinomi has a backdoor which has been used by a hacker to get his passphrase. So whatever apps you use to generate the passphrase, you can fall for the same hack.

Maybe create a new wallet using Electrum; safest is to use a 2-of-2 multisig wallet. Transfer the balance to the new wallet. I hope no more people fall for this trick and lose their money.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: eternalgloom on February 27, 2019, 01:53:36 PM
Fucking hell, I would literally be sick if I had lost such a big amount of money.
It's easy for people to criticize you for not choosing a proper wallet, but yeah, hindsight 20/20 right...

I hope you share this across multiple social media websites and keep doing this for at least a couple of weeks.
People should absolutely know that Coinomi sent passphrases over plain text for X amount of years(?)!

Without trying to be a dick about it, I would seriously recommend that you keep your life savings in a secure cold storage wallet.
Figure out a solution to do this securely and mostly offline, there are some great tutorials out there on how to do this.

Looking at your post, you obviously have the technical know-how to pick a more secure, more technical crypto storage solution.
Please do so in the future, if you're not totally done with cryptocurrency.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Callanta787 on February 27, 2019, 02:40:02 PM
Presently I'm using the Coinomi wallet and I've been using it since 2016, I guess; the experience is always better than other wallets I've used so far. I don't have an answer to your claim, but I'm using the mobile version; since you are using the Windows version it might be true, or your PC was already hijacked right before you imported your passphrase. I'm sorry for your loss.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: eternalgloom on February 27, 2019, 03:04:38 PM
Presently I'm using the Coinomi wallet and I've been using it since 2016, I guess; the experience is always better than other wallets I've used so far. I don't have an answer to your claim, but I'm using the mobile version; since you are using the Windows version it might be true, or your PC was already hijacked right before you imported your passphrase. I'm sorry for your loss.

So, you haven't actually gone through the trouble of reading his post then?

Fact is that they sent passphrases in clear plain text to Google servers.
Whether you personally have had any issues with Coinomi is beside the point AND you're doing everyone a disservice by bringing that up.

Next time, maybe don't comment when you have no clue what OP is talking about.

Disclaimer: Look, I don't mind uninformed people asking questions or adding to the discussion, but I do mind when they're spreading misinformation.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Made in Chernobyl on February 27, 2019, 03:44:33 PM
Coinomi's official response: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Rando444 on February 27, 2019, 03:59:41 PM
I am really sorry to hear this. I have been using Coinomi for quite some time now and the reason I did was because they said that your keys and passphrase are stored on your own mobile and not a server. I thought it was safe all this time, but after reading your post I am having second thoughts. Again, I am really sorry for your loss :(


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Zerbis on February 27, 2019, 04:04:54 PM
Someone should tell me whether the iPhone app could have the same vulnerability?


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: bhadz on February 27, 2019, 04:23:07 PM
Sorry for your losses OP, I've got some altcoins sitting in my Coinomi wallet and I'm just leaving them there; I rarely visit it.
My big question is why you used Coinomi to save assets worth $60K-$70K?
I have my life savings in crypto too, but I'm not storing it in a multi-wallet like Coinomi. I trust the Ledger Nano S more than this kind of wallet. This is a very painful and expensive experience for OP; I hope you recover soon. I've decided to start moving those coins of mine.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: South Park on February 27, 2019, 04:26:06 PM
I've never heard about this Coinomi wallet. Why didn't you just use one of the more popular and trusted crypto wallet services? Storing big amounts of coins in ONE wallet is always a big mistake...
This topic belongs in the Scam Accusations forum, I think...
The OP was using that wallet because there were some assets that were unsupported by the Exodus wallet and he wanted to store those assets, so he decided to use the Coinomi wallet. It could have been a good idea to use a hardware wallet, but now it is too late for him, so let this be a reminder: software wallets are not really the place to store huge amounts of money. If you have even just a few thousand dollars' worth of cryptocurrencies then you need to invest in a hardware wallet.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: fer_coinomi on February 27, 2019, 04:59:38 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: LoyceV on February 27, 2019, 05:16:37 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b
Let me quote from the Official Statement:
Quote
After the dust settles we all need to remember the names of those who chose self-assertion over general public safety and acted irresponsibly.
Was it really necessary to mention warith (https://bitcointalk.org/index.php?action=profile;u=2552460)'s full name 8 times?
Coinomi calls him a "blackmailer", "irresponsible", and claims funds are "possibly still controlled by him". The entire Official Statement reads like damage control to me.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: eternalgloom on February 27, 2019, 05:29:27 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

I know LoyceV already mentioned it above, but I'd like to reiterate what he said:

Did you really have to use his full name? Pretty unethical behavior at your end IMO.
That said, I am curious how OP's funds got stolen exactly. Seems unlikely that it was someone at Google's end.

Wouldn't the more likely scenario be that his own PC was already compromised?

Still doesn't make up for the vulnerability though.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pursuer on February 27, 2019, 06:25:53 PM
That said, I am curious how OP's funds got stolen exactly. Seems unlikely that it was someone at Google's end.

Regardless of how OP lost the funds, or whether it is he or Coinomi who is telling the truth, in the end this has been a very irresponsible design on their side! They are sending the most secret information of your wallet (which is your seed, used to generate ALL your private keys) out to a third-party server! There is absolutely no reason for a wallet to even have such an option in it.
"Spell check" should be done locally and against the fixed 2048 words that the seed is chosen from.
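What a purely local check of that kind looks like, as an added example that is not Pursuer's code nor anything from Coinomi: it validates a BIP39-style mnemonic against a fixed 2048-entry wordlist and its checksum, and proposes nearby list entries for a mistyped word, with no network call anywhere. The wordlist below is a constructed stand-in so the example runs offline; a real wallet ships the official BIP39 English list, and only the list size (2048 = 2**11, one 11-bit index per word) matters for the arithmetic.

```python
"""Offline BIP39 mnemonic validation: the only kind of 'spell check' a seed
phrase should ever receive. Nothing in this module touches the network."""
import hashlib
from typing import List, Tuple

# Constructed stand-in for the official 2048-word BIP39 English list.
# A real wallet ships the real list; the fixed size is what matters here.
DEMO_WORDLIST = [f"word{i:04d}" for i in range(2048)]

VALID_LENGTHS = (12, 15, 18, 21, 24)


def entropy_to_mnemonic(entropy: bytes, wordlist: List[str] = DEMO_WORDLIST) -> List[str]:
    """Encode raw entropy as a mnemonic: entropy || SHA256-checksum bits,
    split into 11-bit groups, each group indexing the wordlist."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0]
    bits = format(int.from_bytes(entropy, "big"), f"0{ent_bits}b")
    bits += format(checksum, "08b")[:cs_bits]
    return [wordlist[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough for local typo suggestions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suggest_words(word: str, wordlist: List[str] = DEMO_WORDLIST,
                  max_distance: int = 2) -> List[str]:
    """Local replacement for a remote spell checker: only list entries within
    a small edit distance of the typed word are offered, and the typed word
    itself never leaves the process."""
    return [w for w in wordlist if _edit_distance(word, w) <= max_distance]


def check_mnemonic(words: List[str], wordlist: List[str] = DEMO_WORDLIST) -> Tuple[bool, str]:
    """Validate entirely on the device: word count, membership in the fixed
    list, then the checksum carried in the last word's low bits."""
    if len(words) not in VALID_LENGTHS:
        return False, f"unexpected word count {len(words)}"
    index = {w: i for i, w in enumerate(wordlist)}
    unknown = [w for w in words if w not in index]
    if unknown:
        return False, "not in wordlist: " + ", ".join(unknown)
    bits = "".join(format(index[w], "011b") for w in words)
    cs_bits = len(bits) // 33                     # 11n bits = 32k entropy + k checksum
    ent_bits = len(bits) - cs_bits
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_bits]
    if bits[ent_bits:] != expected:
        return False, "checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed entropy for the demo; a wallet draws it from a CSPRNG.
    phrase = entropy_to_mnemonic(bytes(range(16)))
    print(" ".join(phrase), check_mnemonic(phrase))
    typo = phrase[:-1] + ["wodr" + phrase[-1][4:]]       # transposed letters
    print(check_mnemonic(typo), "suggestions:", suggest_words(typo[-1]))
```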


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: kumar jabodah on February 27, 2019, 06:31:49 PM
Coinomi should quickly take action on this issue. This is huge damage to their company and it may result in their customers moving to a more trusted wallet.

I understand your explanation and I'm sad that it happened to you.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: 0t3p0t on February 27, 2019, 07:07:41 PM
Thanks for the warning and awareness bro, and I feel sorry for your life savings that have been lost because of that wallet provider. :-[ I already quit using that Coinomi wallet a long time ago because of the bad customer support that I experienced. Losing life savings that you worked hard for, whatever the amount, is no joke. I do hope that you will recover from your losses and get more blessings in the future.

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
This looks really alarming :o Coinomi should take this kind of vulnerability seriously because the funds of their customers will be in great danger, just like what happened to you.
I have been a Coinomi user ever since but have never experienced something like that, though I only have a smaller amount of funds compared to OP's compromised value of funds. This issue should be explained and solved immediately by Coinomi for their users' safety. This is really alarming, as all of our funds might be compromised through just a single passphrase since it supports a lot of coins and tokens, but I store my Bitcoins in the Mycelium wallet; only altcoins are placed in my Coinomi wallet.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: bdbabiak77 on February 27, 2019, 11:57:49 PM
I thought the Bitcoinist article about you said they gave you funds eventually and a 'bug-finding' bounty. Is that not true?


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: anks on February 27, 2019, 11:59:39 PM
everyone donate 1 dollar to get his funds back  :)
65000 people


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: peonminer on February 28, 2019, 12:12:06 AM
I saw that on reddit and didn't talk about it anywhere because as of now, it's just one guy making a claim.
I'm not saying it's false but I'd wait for more information about the whole thing.

Actually OP posted about more than one person having this happen to them and posting about it on reddit


Apparently I'm not the only one who got wiped out; check these Reddit posts:
https://www.reddit.com/r/COINOMI/comments/av8rp0/was_i_hacked_im_not_sure_what_i_did_wrong_help/
https://www.reddit.com/r/COINOMI/comments/av01oz/coinnomi_hacked/
https://www.reddit.com/r/CryptoCurrency/comments/9cja43/half_my_coins_are_missing_from_verge_electrum/


This proves my analysis, yet the company denies responsibility.


What I did was I used one of my main wallets' passphrase/seed (recovery seed) in Coinomi's wallet and that was my awful mistake! If it was the password that protects the private key (wallet.dat) then the attacker/criminal would not be able to do anything because he must obtain the private key in order to use the password and steal the wallet.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Baofeng on February 28, 2019, 07:02:42 AM
This issue is out in the open already:

https://cryptoslate.com/security-consultant-reveals-coinomi-wallet-vulnerability-60000-in-crypto-allegedly-hacked/

Anyways, I have nothing against the OP, so maybe he can shed light to this:

Quote
Moreover, Coinomi claims that Maawali would not co-operate unless he was compensated:

“[He] refused to disclose his findings and kept [sic] threatened to take (the matter) public” unless payment of 17 BTC was made to compensate him for the allegedly stolen funds.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on February 28, 2019, 07:32:13 AM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You put the fault on the users that found critical mistakes on your end and warned you about them.
I guess it was the users' fault that you hadn't configured SSL on your systems by default, and it was the users' fault that you had enabled a spell-checking plugin where you restore your seed phrase, resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  ::)


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: nutildah on February 28, 2019, 11:26:54 AM
It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and it's pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: wwzsocki on February 28, 2019, 12:12:15 PM
I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, I don't understand why OP used the same password/seed words for two different wallets?

From what I know, rule number one is to always use different passwords/seed words.

If the Coinomi wallet seed words had been different, then OP's Exodus wallet would never have been hacked. Am I right?

How did they manage to find out that these seed words are from an Exodus wallet? Do they check all wallets out there? Strange.



Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Kemarit on February 28, 2019, 12:25:22 PM
It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

I can see why the guy would be upset and it's pretty unprofessional that they would just say, "oh, he's a blackmailer so we're just not dealing with him any more." Sounds like things will indeed get ugly and it will be interesting to see if a Google employee indeed had something to do with this.

Exactly, the way Coinomi treated their customer is not what we expected them to do. Of course, how can the guy cooperate with them when he just lost all of his savings through their incompetence? And now they're turning the tables and blaming the person for being uncooperative, and now they want him to be the bad actor here? Not professional @Coinomi.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: DaveF on February 28, 2019, 12:46:35 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You put the fault on the users that found critical mistakes on your end and warned you about them.
I guess it was the users' fault that you hadn't configured SSL on your systems by default, and it was the users' fault that you had enabled a spell-checking plugin where you restore your seed phrase, resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  ::)

According to Coinomi and other testing (including a quick and dirty Wireshark test by me) it was / is an SSL transmission to Google.

-Dave


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: jseverson on February 28, 2019, 12:54:59 PM
It is weird that they wouldn't offer him some sort of basic solace by saying something along the lines of "We will reimburse you the market value of your coins as a bug bounty if it is demonstrated that the coins were moved as a result of third party-related wrong-doing."

That would be because giving away money when you don't actually have to is bad business. It's possible that they would have compensated him if things didn't get this ugly, but there's absolutely no way they would give him anywhere near the amount he lost. They would spend a lot less money by simply letting it out on the open and then doing damage control than by fully reimbursing him.

It sucks but this is our current reality. Being your own bank is incredible but it has drawbacks. The only real safe way to store your coins is offline.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: buwaytress on February 28, 2019, 01:23:51 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

You might have seen LoyceV's quote from your official statement. It pretty much sums up how most of us would feel about this. I'm not even concerned about whose fault it is (without fully understanding the evidence) but it concerns me every time someone in this space responds the way you guys did.

You really think as wallet users, we'll say ah, this was "not a bug but a bad config option"?


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on February 28, 2019, 01:49:06 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You put the fault on the users that found critical mistakes on your end and warned you about them.
I guess it was the users' fault that you hadn't configured SSL on your systems by default, and it was the users' fault that you had enabled a spell-checking plugin where you restore your seed phrase, resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  ::)

According to Coinomi and other testing (including a quick and dirty Wireshark test by me) it was / is an SSL transmission to Google

-Dave


Hi Dave,

My SSL comment is about the 2017 incident on their mobile client. They hadn't enabled SSL connections, resulting in clear text communication between the client app and the servers. The only thing they had to do back then was just turn it on in their configuration. Another user's fault, eh?

You can do your own research on what I'm talking about.
https://cryptoble.win/2017/09/30/vulnerability-coinomi-devs-retaliate/
Quote
On 16 September 2017, Luke Childs had gone to Coinomi’s GitHub to alert them of an issue where Coinomi was connecting to ElectrumX servers in plain text (i.e. without SSL encryption).

Funny fact? Their reaction is pretty much similar to today's reaction.
They attacked Luke Childs instead of thanking him and stated that he was spreading FUD while they enabled SSL connections on their mobile app.
Now, where is the suicide emoticon when you need it.  ::)


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: vapourminer on February 28, 2019, 02:11:07 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b
You really think as wallet users, we'll say ah, this was "not a bug but a bad config option"?

yeah that official response was extremely unprofessional. just based on that alone i will never use a coinomi wallet. 

and they use a plugin? on something that could hold huge amounts of money? and then not even bother to check it and its configuration thoroughly before releasing it? seriously??


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: angel55 on February 28, 2019, 02:39:18 PM
What I do not understand is, why does Coinomi need to spell check your seed phrase on googleapis.com? Is this done on purpose to blame external factors, when someone within the company used this "backdoor" and got caught?

I have always said that centralized wallet providers and exchanges should never be trusted with your life savings. DO NOT put all your eggs in one basket. <80%+ of my hoard are stored on Cold wallets & Hardware wallets and only 20% are stored on different centralized services for daily access>  ;)

this is what I think happened.  They are using Google as someone to blame when they are really just using the backdoor themselves.  I doubt someone from Google would be responsible for this.  I'm not saying it's impossible but very unlikely.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: mocacinno on February 28, 2019, 02:52:53 PM
I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, I don't understand why OP used the same password/seed words for two different wallets?

From what I know rule number one is to use different passwords/seed words always.

If the Coinomi wallet seed words had been different then OP's Exodus wallet would never have been hacked. Am I right?

How did they manage to find out that these seed words are from an Exodus wallet? Do they check all wallets out there? Strange.



Re-read the OP's post... He had some tokens (probably ERC20 tokens) that were sent to him but were not supported by his Exodus wallet. Since he wanted to manipulate these tokens, he had to enter his seed phrase in a compatible wallet that did support these tokens. If he had created a new seed phrase in Coinomi he wouldn't have been able to manipulate the tokens that were sent to an address generated by his Exodus wallet.

As for the second part of your question: there are 2048 words in the dictionary... A simple parser looking for a 12- or 24-word phrase consisting solely of words from this dictionary would suffice.

I used Coinomi to keep some spending money, but I have moved everything but tBTC and tLTC from Coinomi and I'll never use the application again, ever... It's not just the fact that they had a vulnerability, it's the way they behaved afterwards.
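
As an added illustration of the parser idea in the post above (example code written for this thread, not code from any poster or from Coinomi), the Python below scans text for runs of wordlist words and goes one step further than the post: it also verifies the BIP39 checksum carried by the last word, which is what separates a real recovery phrase from twelve dictionary words that merely happen to be adjacent, and it handles the 15-, 18- and 21-word lengths as well. It is written from the defender's side (e.g. checking logs or outbound request bodies for an accidentally leaked phrase) and assumes the standard English wordlist is available as a 2048-entry list; the file path in load_wordlist is an assumption.

```python
"""Detect BIP39-style recovery phrases in free text and verify their checksum.

Added example for this thread; not Coinomi's code and not any poster's code.
Assumes the standard BIP39 English wordlist (2048 words) is available; the
path passed to load_wordlist() is an assumption for illustration.
"""
import hashlib
import re

# Valid BIP39 mnemonic lengths: 12, 15, 18, 21, 24 words (ENT = 128..256 bits).
VALID_LENGTHS = (12, 15, 18, 21, 24)


def load_wordlist(path: str) -> list[str]:
    """Read the BIP39 English wordlist (one word per line, exactly 2048 entries)."""
    with open(path, encoding="utf-8") as fh:
        words = [line.strip() for line in fh if line.strip()]
    if len(words) != 2048:
        raise ValueError(f"expected 2048 words, got {len(words)}")
    return words


def mnemonic_checksum_ok(words: list[str], wordlist: list[str]) -> bool:
    """Return True if the words decode to entropy whose SHA-256 checksum matches.

    Each word is an 11-bit index into the wordlist. For n words there are
    11*n bits: ENT = 32*n/3 bits of entropy followed by CS = n/3 checksum
    bits, and CS must equal the first CS bits of SHA-256(entropy).
    """
    n = len(words)
    if n not in VALID_LENGTHS:
        return False
    index = {w: i for i, w in enumerate(wordlist)}
    try:
        bits = "".join(format(index[w], "011b") for w in words)
    except KeyError:
        return False  # a word outside the list cannot be a valid mnemonic
    cs_len = n // 3
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return cs_bits == expected


def _classify_run(run: list[str], wordlist: list[str]) -> list[dict]:
    """Turn one run of consecutive wordlist words into zero or one finding."""
    if len(run) < min(VALID_LENGTHS):
        return []
    # Slide every valid length over the run; a checksum match is strong evidence,
    # since a random 12-word run passes only 1 time in 16 (24 words: 1 in 256).
    for n in sorted(VALID_LENGTHS, reverse=True):
        for start in range(0, len(run) - n + 1):
            window = run[start:start + n]
            if mnemonic_checksum_ok(window, wordlist):
                return [{"words": n, "checksum_ok": True, "phrase": " ".join(window)}]
    # Right length but no checksum match: still worth a look (one word mistyped).
    if len(run) in VALID_LENGTHS:
        return [{"words": len(run), "checksum_ok": False, "phrase": " ".join(run)}]
    return []


def find_seed_phrases(text: str, wordlist: list[str]) -> list[dict]:
    """Report candidate recovery phrases found in text.

    Tokenises on lowercase letters, groups consecutive wordlist words into
    runs, and classifies each run. Returns a list of dicts with the run
    length, whether the checksum verified, and the phrase itself.
    """
    wordset = set(wordlist)
    tokens = re.findall(r"[a-z]+", text.lower())
    findings: list[dict] = []
    run: list[str] = []
    for tok in tokens + [""]:  # empty sentinel flushes the final run
        if tok in wordset:
            run.append(tok)
            continue
        findings.extend(_classify_run(run, wordlist))
        run = []
    return findings


if __name__ == "__main__":
    # Constructed sample: a log line that accidentally contains the all-zero
    # BIP39 test vector ("abandon" x 11 + "about"); the real wordlist is needed.
    wl = load_wordlist("english.txt")  # assumed path to the BIP39 wordlist
    sample = "restore failed for user: " + "abandon " * 11 + "about please retry"
    for hit in find_seed_phrases(sample, wl):
        print(hit["words"], "words, checksum_ok =", hit["checksum_ok"])
```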


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: DaveF on February 28, 2019, 03:20:10 PM
Please read Coinomi's official response on the incident: https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

Your response is a joke (again).

You give fault at the users that found critical mistakes on your end and warned you about them.
I guess it was the users' fault that you hadn't configured SSL on your systems by default and it was the users' fault that you had enabled a spell checking plug-in where you restore your seed phrase, resulting in sending the seed online.

fuckin users how could they configure your systems so fuckin wrong eh??  ::)

According to Coinomi and other testing (including a quick and dirty Wireshark test by me) it was / is an SSL transmission to Google

-Dave


Hi Dave,

My SSL comment is about the 2017 incident on their mobile client. They hadn't enabled SSL connections, resulting in clear text communication between the client app and the servers. The only thing they had to do back then was just turn it on in their configuration. Another user's fault, eh?

You can do your own research on what I'm talking about.
https://cryptoble.win/2017/09/30/vulnerability-coinomi-devs-retaliate/
Quote
On 16 September 2017, Luke Childs had gone to Coinomi’s GitHub to alert them of an issue where Coinomi was connecting to ElectrumX servers in plain text (i.e. without SSL encryption).

Funny fact? Their reaction is pretty much similar to today's reaction.
They attacked Luke Childs instead of thanking him and stated that he was spreading FUD while they enabled SSL connections on their mobile app.
Now, where is the suicide emoticon when you need it.  ::)

Gotcha, I was only looking at what was going on now, did not even remember the 2017 issue.
 
Some people are saying that the desktop wallet did connect w/o SSL, others are saying yes. All I can say is what I saw.

-Dave


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Stanlo on February 28, 2019, 04:02:32 PM
I think the fault is from your end, spyware is already on your PC and the moment you type in your passphrase the spyware hijacked your keys. I'm using the Coinomi wallet presently with huge funds inside, but the actual real safest way is storing coins offline


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: ribowo76 on February 28, 2019, 04:49:29 PM
Basically, I have long felt unsure about coinomi security. After reading this, my distrust became stronger. Hopefully this can be a warning for anyone to be more careful in storing crypto assets


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: mocacinno on February 28, 2019, 04:54:35 PM
I think the fault is from your end, spyware is already on your PC and the moment you type in your passphrase the spyware hijacked your keys. I'm using the Coinomi wallet presently with huge funds inside, but the actual real safest way is storing coins offline

So don't be surprised and say you weren't warned when your wallet gets drained some day...


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: bitbunnny on February 28, 2019, 06:21:33 PM
This example just shows that security is one of the key issues you should be aware of. Unfortunately many users ignore safety issues and don't pay enough attention to what kind of wallets and exchanges they use and how they can protect themselves. Learn from such mistakes and take care of your coins, don't think such things only happen to someone else.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: wwzsocki on February 28, 2019, 06:32:36 PM
I am really sorry for your loss OP and hope you will be able to get your funds back.

Still, don't understand why OP used this same password/seed words for two different wallets?

From what I know rule number one is to use different passwords/seed words always.

If Coinomi wallet seed words would be different then OP exodus wallet would never be hacked. Am I right?

How they managed to find that these seed words are from Exodus wallet? Do they check all wallets out there? Strange.



Re-read the OP's post... He had some tokens (probably ERC20 tokens) that were sent to him but were not supported by his exodus wallet. Since he wanted to manipulate these tokens, he had to enter his seed phrase in a compatible wallet that did support these tokens. If he would have created a new seed phrase in coinomi he wouldn't have been able to manipulate the tokens that were sent to an address generated by his exodus wallet.

As for the second part of your question: there are 2048 words in the dictionary... A simple parser looking for a 12 or 24 words phrase consisting of solely words from this dictionary would suffice.

I used coinomi to keep some spending money, but i have moved everything but tBTC and tLTC from coinomi and i'll never use the application again, ever... It's not just the fact that they had a vulnerability, it's the way they behaved afterwards.

Thank you very much for this explanation. Of course, a little merit for you.

This is something new for me, even though I have been using tokens from the start and have multiple holdings. Maybe because I have never used wallets like Coinomi so far.
I never trusted them and from what I see I am totally right.

Even the best online wallet today can be vulnerable tomorrow because of an update to a service it depends on. Even one such as spell check. This is something to think about if anybody tries to use these wallets. I haven't even mentioned dangers like malicious insiders or hackers.



Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: gentlemand on February 28, 2019, 10:03:26 PM
Unquestionably slack on Coinomi's part, but I don't believe anyone at Google helped themselves to the seed and I don't think this thread would exist if this vulnerability hadn't been sprayed all over the news.

Either this thread is fantasy or the seed was picked up by someone else by other means.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on March 01, 2019, 02:02:34 AM
As you know Coinomi has announced their official sloppy response and it was very clear how they diverted the whole situation into a "blackmailing" thing.

They focused on my personal image and hired some of their trolls to trash-talk me on social media (especially Twitter because it's less moderated).

They tried to run away from responsibility and portray the vulnerability as "harmless" (based on their hired trolls). Moreover, they kept deleting some of their tweets when they got struck by facts.

Here are some examples of how childish, unprofessional and misleading their tweets are:
https://twitter.com/warith2020/status/1101054666232745984
https://twitter.com/warith2020/status/1101055824368148480
https://twitter.com/warith2020/status/1101057557010006016
https://twitter.com/warith2020/status/1100898781598531591
https://twitter.com/warith2020/status/1101135909481861120

They even literally blackmailed a known community member with legal action to limit his freedom of speech because he expressed his "technical" thoughts:
https://twitter.com/warith2020/status/1101048089626984449

I have never ever seen a company with that kind of attitude and to me they lost all credibility. If you still trust them with your crypto-assets then I wish you all the best luck.

Finally, I will be posting my official response to their official announcement very soon. It will answer all the questions raised by the community and will contain some exciting evidence for my claims.

To stay calm and have some LOLs check out this Coinomi meme (classic & original):
https://twitter.com/dukeleto/status/1100696093673824256


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: joniboini on March 01, 2019, 03:07:47 AM
I don't know who controls that Twitter account, but their response is really unprofessional imo. Starting from threatening to framing people just because they took part in how their vulnerability spread out to the public. I think any sane person won't use their wallet anymore, not only because it's closed source, but also because they have terrible PR.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on March 01, 2019, 03:29:01 AM
I don't know who controls that Twitter account, but their response is really unprofessional imo. Starting from threatening to framing people just because they took part in how their vulnerability spread out to the public. I think any sane person won't use their wallet anymore, not only because it's closed source, but also because they have terrible PR.


Probably their management (founders). As I said in my original post:
Quote
It seems the founders are the developers of the application and they don’t like anyone who criticizes their ugly baby creation “Coinomi” wallet. They think that they are the code gurus fallen from the heavens who write perfect code.

They took everything at personal level and that's very clear in their tweets!


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: pushups44 on March 01, 2019, 03:46:31 AM
I read about this vulnerability online, and one article was skeptical about your claims, but I take no side in this dispute as I am not involved. I hope, if your story is true, that you will be able to get your funds back through litigation. I think one lesson we all can learn from this is not to trust the Google cloud for storing highly sensitive financial or personal information.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on March 01, 2019, 02:14:16 PM
Ivan on Tech - ALL HODLERS BEWARE! INSIDER JOB?
Programmer explains
Quote
A person lost their life savings from the COINOMI crypto currency wallet. Today we talk about how that hack happened exactly, how COINOMI let this happen and what the likely chain of events was. Another important aspect is how COINOMI responded to this issue and communicated this to the public. We will also discuss the fact that many miners mine empty blocks and why they do it.

https://www.youtube.com/watch?v=5WgD8YOqfLM


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: angel55 on March 01, 2019, 04:31:46 PM
The replies from Coinomi are very concerning and I would recommend that no one use this wallet anymore.  There is just too much risk at this point, please keep your funds stored offline for optimal safety.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: omone1 on March 01, 2019, 04:45:51 PM
Coinomi's reply to this disheartening loss is worrisome and it calls for grave concern about professionalism in financial management; trying to bully one in order not to cry out is circumventing. Sorry for the enormous loss, I hope you seek a refund through calculated litigation, and hope you get justice quickly. Just a word: "It is good not to leave huge funds in a single wallet".


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: warith on March 03, 2019, 02:47:23 PM
I have published my second official statement regarding Coinomi "Spell Check" scandal

You can read the new statement from the following link (video included):
https://twitter.com/warith2020/status/1102445902353043456


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: SiDtHeBeSt on March 03, 2019, 06:49:16 PM
Damn, all your life savings gone, a very sad thing to happen. But as you said you were used to software wallets since 2013, which cost you this; seriously, you could've used a better alternative such as an offline wallet by Ledger or some other, then you wouldn't have had to face this. Hope you get a satisfactory answer from Coinomi.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Theb on March 03, 2019, 07:22:22 PM
I have published my second official statement regarding Coinomi "Spell Check" scandal

You can read the new statement from the following link (video included):
https://twitter.com/warith2020/status/1102208448236847107
Nice way to get back and reply to Coinomi's Medium post. I wasn't convinced by how they answered the vulnerability issues, especially when they evaded a lot of the points in your blog post; they haven't even mentioned anything about the "legal implications" they are threatening you with if you disclose the vulnerability issue on the web. So far you have 114 views on your video; maybe if this goes viral Coinomi will be pressured to reimburse your lost funds and those of the rest of the users who are affected.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on March 05, 2019, 09:00:26 AM
I have published my second official statement regarding Coinomi "Spell Check" scandal

You can read the new statement from the following link (video included):
https://twitter.com/warith2020/status/1102445902353043456

Your video response is decent and fully explanatory. Even kids can understand this.
Maybe coinomi should hire you to handle not only their incompetence but learn a few things as well.
I hope this will go to the authorities.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: allwelder on March 12, 2019, 01:31:04 AM
Security first in Crypto world.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Brenny431 on May 25, 2019, 10:35:46 AM
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688



Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: gentlemand on May 25, 2019, 10:53:08 AM
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688



Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

All the same it's pisspoor practice and I wouldn't keep anything other than shitcoins on there. You don't know what'll pop up next.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: nutildah on May 25, 2019, 10:53:13 AM
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

You can save readers a few steps by just posting the Medium article:

https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af

It spends too much time talking about the behavior of the victim, which isn't necessarily relevant, though the article does provide some blockchain forensics to show that the coins may have been taken through malware. How do we know the malware doesn't exploit the bug identified by Al Maawali and patched immediately after by Coinomi? Were there apparent hackings conducted after the bug was fixed? The article doesn't mention this.

While it sounds like malware was likely involved, there could still have been an oversight error on the part of Coinomi.

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

I agree that the chances of Google being in on it are slim to nonexistent.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: BitBustah on May 25, 2019, 04:23:54 PM
Makes me sick how very few people are even held responsible for their actions.  They just forget about it and show no sympathy for the losses they caused.   I've gotten to a point where it is hard to trust anyone after seeing all these hacks, scams, and phishers.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Anonylz on May 25, 2019, 06:36:56 PM
Such a horrible experience you must have had; this is bad if we can't be safe with our funds on exchanges and now in wallets too? Till now, I never thought something like this could happen with a personal wallet of which you hold the recovery phrase or key, but this unfortunate situation of yours makes me have second thoughts about the wallet I keep my funds in; I don't want to imagine this happening :o
I hope you can recover your money sooner rather than later.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Spider A4 on May 25, 2019, 08:07:49 PM
Very sad that your whole life savings were stolen. $60K-$70K is really a massive amount; I think it was your bad decision to hold it in the Coinomi wallet.
Because there are a lot of safe wallets you could use, like a hardware wallet, which is hugely safer than the Coinomi wallet.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Coinomi on May 26, 2019, 01:19:29 AM
We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

You can save readers a few steps by just posting the Medium article:

https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af

It spends too much time talking about the behavior of the victim, which isn't necessarily relevant, though the article does provide some blockchain forensics to show that the coins may have been taken through malware. How do we know the malware doesn't exploit the bug identified by Al Maawali and patched immediately after by Coinomi? Were there apparent hackings conducted after the bug was fixed? The article doesn't mention this.

While it sounds like malware was likely involved, there could still have been an oversight error on the part of Coinomi.

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

I agree that the chances of Google being in on it are slim to nonexistent.


Actually it does: "Most crucially, however, the first two incoming transactions into the Consolidation Wallet happened in October 2018, well before the Coinomi desktop app was even released (which was December 31 2018).". In plain English, the hackers group that stole the OP's coins and the very wallet that they have used to consolidate funds has been active months before the 1st version of Coinomi Desktop was ever released. This alone is a proof that the OP has been lying all along about the circumstances under which his wallet was emptied.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: ryap12 on May 26, 2019, 01:32:04 AM
From what I see, I think Coinomi will not pay the stolen funds as they are only a wallet provider and it's up to the user how he uses it. Not sure how the hell it got hacked since I can't spend all my time watching the vid. I just went on reading their conversation with Coinomi. For the bounty reward, OP deserves that since it's major.

I never use these mobile wallets, like Coinomi, because I have had a strong feeling from the very beginning that they are prone to attacks since everyone just gives permission whenever they install an application. Viruses spread easily too so I never store such amounts. I prefer using a brand new hardware wallet for full encryption and away from viruses and malware.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Novatech8 on May 26, 2019, 09:12:08 AM
I wonder how that happens because I've been using mine since 2016 with no issue at all, but not the Windows version though; I'm using the mobile wallet only


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on January 09, 2020, 01:39:07 PM
Just noticed there is a third statement of warith  

Long story short, Coinomi hired a "cyber-security firm" named CipherBlade (that means Coinomi paid that firm money to make a report) and they concluded that what Coinomi supports is right ( ;D ;D ::) )
haha how fuckin convenient is that.

If you actually read the objective  ;D ;D ;D report and have basic security knowledge you will....laugh hard or cry.
It's more like a paid article that shills a shitcoin than a technical paper explaining what happened or might have happened, while most of the arguments have already been answered in the 1st and 2nd statements.

It's tragic that Coinomi is still trying to spread lies and false reports while spending money on the latter instead of just saying sorry and paying back the man.

If CipherBlade is a cyber-security firm, I am ManBearPig.

Anyway you can read the third statement of warith here and judge for yourselves --> https://www.avoid-coinomi.com/#overview-3rd-statement

it's a free-for-all world after all.




Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: gentlemand on January 09, 2020, 01:45:33 PM
Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on January 09, 2020, 02:04:10 PM
Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.

Sure, you look like you've read the story  ::)

If you want a real good bollocks story except from scientology or any other religion you can take Coinomi's replies and paid reports.

Anyway, I hope this ends up in court because the guy will surely win.

Facts are facts no matter how many lies and false reports you spread.
Coinomi was unlucky because the guy is not a simple crypto user that would take the loss and not know what to do, say or support.
The guy is a security analyst and if you compare what both sides state and the way they do it, it's clear who is wrong and who is right.
If you have the tech knowledge to understand what either side claims then I would say it's crystal clear.

 :-* love and hugs


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: gentlemand on January 09, 2020, 02:10:18 PM
Sure, you look like you've read the story  ::)

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on January 09, 2020, 02:24:59 PM
Sure, you look like you've read the story  ::)

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.

Well if you work at Google and have access (physical or not) to where these data are being kept I believe you are capable of creating a script extracting the data you want.

The whole point was that their Desktop Wallet was sending clear text seed phrases; instead of saying sorry and fixing this they responded like in the older incident with their mobile wallet not using SSL.....blaming the guy who found the vulnerability and informed them....

Whether it was a man-in-the-middle attack (stealing the plain text info that was transmitted) or someone at Google I dunno, but sending such critical info as passwords or seed words in plain text, no matter how you don't want to see it, is a critical security flaw and the fault is on the developer not the user, just like with the non-activated SSL connection on their Android wallet (if I recall right).


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: gentlemand on January 09, 2020, 02:30:46 PM
Whether it was a man-in-the-middle attack (stealing the plain text info that was transmitted) or someone at Google I dunno, but sending such critical info as passwords or seed words in plain text, no matter how you don't want to see it, is a critical security flaw and the fault is on the developer not the user, just like with the non-activated SSL connection on their Android wallet (if I recall right).

Agreed. But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what OP is claiming.

It's important their shitty practices get highlighted and addressed. It's everything that's come after I don't buy.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: The Sceptical Chymist on January 09, 2020, 04:15:05 PM
But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what is OP claiming.
I've been reading this thread in horror, and my understanding is that it's not clear exactly how OP lost his coins.  You seem to be saying it was an attack on his PC rather than some insider at Google, right?  And here I have to profess severe ignorance as to technical matters, but are you saying that even software wallets like Electrum aren't secure on PCs?

And yeah, I agree with the other folks who are recommending hardware wallets, which would have been an infinitely better choice for storing altcoins than Coinomi--but bringing that up doesn't help OP in any way and I'm sure he knows it now.  This really sucks for him, and even though the hack happened a while back it's got to still sting.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: gentlemand on January 09, 2020, 04:23:28 PM
I've been reading this thread in horror, and my understanding is that it's not clear exactly how OP lost his coins.  You seem to be saying it was an attack on his PC rather than some insider at Google, right?  And here I have to profess severe ignorance as to technical matters, but are you saying that even software wallets like Electrum aren't secure on PCs?

Why would any desktop wallet be secure? They're on a machine that attracts keyloggers, screen capture stuff, remote takeovers and clipboard malware. If you can type it or see it that means someone else can too.

The sending address could be changed, someone might be watching you when it gives you the seed or when you reenter it, they might capture your passwords and empty the wallet.

Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: HardFacts on January 09, 2020, 06:41:22 PM

Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.

I Totally AGREE !!!  Finally someone who understands this concept.   With a non-connected memory device to store my Bitcoins, I do not have to worry about them ever being removed.   This allows me to back up my Seed Words here in the forum, and I will never risk losing or forgetting my Seed Words as some people have.

https://i.imgur.com/C1qWPII.png


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: mocacinno on January 09, 2020, 07:02:15 PM

Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.

I Totally AGREE !!!  Finally someone who understands this concept.   With a non-connected memory device to store my Bitcoins, I do not have to worry about them ever being removed.   This allows me to back up my Seed Words here in the forum, and I will never risk losing or forgetting my Seed Words as some people have.



In case you were serious and this really is your seed: your wallet is now compromised because you posted a picture of your seed on a public forum. Empty this wallet and never use it again. Anybody can restore your wallet using Electrum and sign transactions funding the addresses in this wallet from this point forward.

After you have emptied this wallet, make sure you also move the funds you might have on the forks (like BCH or BSV); the same seed can be used to steal those too.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Pon13 on January 10, 2020, 08:03:45 AM
what the heeeeellll..... ???  :o

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Baofeng on January 10, 2020, 09:15:31 AM
what the heeeeellll..... ???  :o

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.

Obviously, he has been trolling you guys and you fell for it,  :)

That image is here: https://anonymous-proxy-servers.net/en/help/jondo-live-cd14.html


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: broadhurst on July 10, 2020, 04:59:31 AM
what the heeeeellll..... ???  :o

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.

Obviously, he has been trolling you guys and you fell for it,  :)

That image is here: https://anonymous-proxy-servers.net/en/help/jondo-live-cd14.html
1) Why has anybody got their 'life savings' on a fucking desktop wallet.. Use a goddam Trezor with a passphrase and a compatible desktop wallet like Electrum
 
2) What were you doing using Exodus wallet if you were concerned about security? As soon as I tested that wallet it was clear that it is a 'style over substance' wallet

3) Use a passphrase. Coinomi offers you the option of using a bip39 passphrase which would have protected your 'life savings'

4) With all your analysis of Coinomi's behaviour, try analysing your own shortcomings when it comes down to protecting your crypto assets.. Personal responsibility is about accepting that all software has potential flaws and not blaming a free wallet that you were not forced to use.. I have used a Coinomi mobile wallet since 2015 with zero issues and common sense dictates that you would not have more than a few hundred dollars on a mobile or desktop wallet.
  


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: pooya87 on July 10, 2020, 07:57:12 AM
1) Why has anybody got their 'life savings' on a fucking desktop wallet.. Use a goddam Trezor with a passphrase and a compatible desktop wallet like Electrum
 
2) What were you doing using Exodus wallet if you were concerned about security? As soon as I tested that wallet it was clear that it is a 'style over substance' wallet

3) Use a passphrase. Coinomi offers you the option of using a bip39 passphrase which would have protected your 'life savings'

4) With all your analysis of Coinomi's behaviour, try analysing your own shortcomings when it comes down to protecting your crypto assets.. Personal responsibility is about accepting that all software has potential flaws and not blaming a free wallet that you were not forced to use.. I have used a Coinomi mobile wallet since 2015 with zero issues and common sense dictates that you would not have more than a few hundred dollars on a mobile or desktop wallet.

so you just bumped a 7 month old topic with mostly bad advice huh!

1) hardware wallets don't magically give you security. there are still lots of ways that you could lose money using them and lots of exploits that keep being found that lead to fund loss.

2) Exodus is closed source and that means it has 0 security because nobody knows what really happens under the hood.

3) that is not meant for security and it doesn't give you meaningful security either. in fact the term "passphrase" should not have been used in the first place. the more appropriate term is "mnemonic extension".
not to mention, similar to Exodus, Coinomi is also closed source, which means this wallet also has 0 security.

4) that is only true when the wallet's source code can be reviewed by experts and its transparency becomes apparent. but when it is closed source then it should not even be used let alone waste time thinking about what you did wrong that led to losses.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: Wind_FURY on July 10, 2020, 09:14:27 AM
I have been recommending newbies to review this list by Veriphi before choosing a wallet, https://docs.google.com/spreadsheets/d/1aZ1zbaUEzCo9NCctN8-eL2VLIiSdY009tTJvRXDUWEw/edit?usp=sharing

Newbies can use Coinomi, or Exodus, but they should know not to use them for HODLing.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: broadhurst on July 14, 2020, 05:25:49 AM
1) Why has anybody got their 'life savings' on a fucking desktop wallet.. Use a goddam Trezor with a passphrase and a compatible desktop wallet like Electrum
 
2) What were you doing using Exodus wallet if you were concerned about security? As soon as I tested that wallet it was clear that it is a 'style over substance' wallet

3) Use a passphrase. Coinomi offers you the option of using a bip39 passphrase which would have protected your 'life savings'

4) With all your analysis of Coinomi's behaviour, try analysing your own shortcomings when it comes down to protecting your crypto assets.. Personal responsibility is about accepting that all software has potential flaws and not blaming a free wallet that you were not forced to use.. I have used a Coinomi mobile wallet since 2015 with zero issues and common sense dictates that you would not have more than a few hundred dollars on a mobile or desktop wallet.

so you just bumped a 7 month old topic with mostly bad advice huh!

1) hardware wallets don't magically give you security. there are still lots of ways that you could lose money using them and lots of exploits that keep being found that lead to fund loss.

2) Exodus is closed source and that means it has 0 security because nobody knows what really happens under the hood.

3) that is not meant for security and it doesn't give you meaningful security either. in fact the term "passphrase" should not have been used in the first place. the more appropriate term is "mnemonic extension".
not to mention, similar to Exodus, Coinomi is also closed source, which means this wallet also has 0 security.

4) that is only true when the wallet's source code can be reviewed by experts and its transparency becomes apparent. but when it is closed source then it should not even be used let alone waste time thinking about what you did wrong that led to losses.
A 7 month old topic is as applicable today as it was then.. at the end of the day you have to have a wallet of some description and if he had used a 'mnemonic extension' he would still have his funds.. I have used paper wallets to Bitcoin Core wallet and everything in between and you settle for a wallet that suits your use case. We all know that there is not a 100% secure wallet.. so name names and tell me what is the most secure wallet instead of just pontificating


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: pooya87 on July 14, 2020, 06:02:10 AM
~
A 7 month old topic is as applicable today as it was then.. at the end of the day you have to have a wallet of some description and if he had used a 'mnemonic extension' he would still have his funds.. I have used paper wallets to Bitcoin Core wallet and everything in between and you settle for a wallet that suits your use case. We all know that there is not a 100% secure wallet.. so name names and tell me what is the most secure wallet instead of just pontificating

all discussions are already made in this topic and elsewhere and can easily be found. better wallets are also introduced in this very same topic. in fact the comment right above yours has a decent wallet comparison list that addresses many of the flaws in a lot of the currently available wallets.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: CW_Fanboy on October 06, 2020, 08:55:11 AM
Crap, I think this same problem just happened to me.  :|  I lost 115 BSV, ie $16,000. 

Using Coinomi desktop app for Win10, I was sweeping an old paper wallet that had unsplit BTC in it.  I swept the BTC just fine, then swept the BCH, but when I swept to my BSV wallet the Coinomi app threw an error "A generic error has occurred."

Right away I opened ElectrumSV to try the sweep again.  The sweep worked, but the wallet was empty - the 115 BSV was sent to another wallet.  Then another wallet, then another... and I wasn't doing the sending. :(

Judging from this dirty-dog "spellcheck" fiasco, I'm pretty sure when I got that "generic error", Coinomi sent the error over some insecure server, and the BSV got sniffed. 

Come on Coinomi!!!  Test your stuff, we are losing our life savings out here!  Ok maybe not life savings but I could have bought a nice Honda Civic!!


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: LoyceV on October 06, 2020, 09:25:49 AM
Crap, I think this same problem just happened to me.  :|  I lost 115 BSV, ie $16,000. 

Using Coinomi desktop app for Win10, I was sweeping an old paper wallet that had unsplit BTC in it.  I swept the BTC just fine
Let's see if this story can be true: I checked all funded Bitcoin addresses (https://bitcointalk.org/index.php?topic=5254914.0) from 5 weeks ago.
That gives these potential addresses:
Code:
12ywFcz7T6YKm7WQwhXeWEQCdk9yK9cbAB	11568356227
14MEF2wEMwmDNMUCPHGnAieqvncJVASKAx 11568280547
1E5CNisvip4BMFr9sCvnubLHbPqLyCSy4d 11568159547
3BMyqSuYwsZiJqoa3xQJyhHo2YgY5P84pd 11566078629
3PmSiEmCsRjpn8TW9HAj5SXXEQC7aj3Agq 11563767458
3NqB2cmXga7XnGmAT5cpVQ2K2K1kpGv833 11559985304
3A1Y447uWvBRC37rXASndPLQv6fqRneYu3 11559159195
34VKPvTpFWjkZNEMNrERgkJEUUP79F6QUE 11556088964
1QFPiEMa1N6WpbVuFWQZnwLAkkrqTQ1mHJ 11555206946
18Rp9CcFpbySKyjYom9vwpQeJPjnHzrBdc 11555200547
1NDcS7Z6icFARpQ6pSF9REaH8chFeu1R5F 11551993152
1P4WpXcdko83hB12Ky8ip3eacxe5i9ScCi 11551171417
1NJSaJAsw78zWsW8HayFJS6iPxdoyVNaJa 11550175505
32CYjZpCmUVq4bipyY12194MQwYSn1hzam 11546784087
1GnxWZKRet9pDRg4v8KqjwWu9UFQ9hmTtf 11545325006
1DM7rUjaqw5tZoqGmWLpmmhVs8q4aGgs9S 11544903451
1A8uWuPQdnEHo7Tgzgi4mNvsdDaNt5is7 11543924674
1uALtAF7Bkx1aRS9QTUXerimKvX5FXYeo 11543340598
14cHqrD76ULa9zKbH6EuuypCzqRtXsPNiD 11538682261
3EW8hJievyCsMipyED4A2v59e17egrjsv7 11537731808
396P5aU5W1VThf3MujwMMw5kgY8uXxcYth 11536069287
1DdbvQBfno6uBdfraWN9PHas9amrAPV8Pj 11535671596
34WVU9QZ49nsdK262rhk1YH4rb5SbuHVdi 11532410547
37njRwHJkDnzZj6X3AFPsBcM1swCRTKkZq 11530801093
1Pk7trmixEY4PgAQSgfLbeBCzNozy1A62J 11530121191
1DDfGZvF4JAEqkBd3DEeFJKopsaQpkKHAp 11527218522
13RLWeJrsH7e2bJF1FwMfMfy6KrAivM3FD 11526501374
34c6y5tYP9vZbrjRvgxiYajG1sSKZRnv6N 11526195085
1F9yVPgX2FMDhYFygaJvJAKSaYce5TgKjT 11522132966
1DLpnH18LrkTupGQxqJP71X1DgCvG4vYiP 11519139205
3JZK9Cx9BKAqaPHFEEwDW3EacJV4NPMCTR 11517099083
1Mx92zN9qZFhMmyvPSyJmSiGAbMyXF94Fb 11516000547
36uoB4bfcsV6JxzSDQR4XzAbqXhBTzVYXu 11515242489
1BDGNhVCZAXwTSqqoQ8yBvjRtruBmMuf7c 11513657259
1MzcCpHXeQDJd1qKYAjga1JmgnEJaLp2Nm 11509921247
3QCXVHvADLoQDkcR69ortNwKP5zzjeQDb4 11507480409
3DMBTJgah8b9Jqv3PifofT5okZPUS6e479 11504718588
12QLCLPhz7xvtCAsk8Sh9gQkQHn5bdhcix 11503037742
32cDaejr2QBroTv3UpcYBwxEXVELBE2KNt 11501945877
1HzUDjuY7LNYAC1cFkMDAmyL7eDFZGKTGn 11501554714
1KDWEbL9XSjFHUkXQsRufQDQzM4CHWthw1 11500642796
15SHnWfRFUpSnDNti1GjWFdWRR68Zp2pUQ 11500078159
3LMTdvsV4RNz3suxejMDcWX5oecq5xyPCo 11500001147
1NHRpM6dyFUbPS4yWM5XG4MTK6NJnFL154 11500000547
15QymN6kZtJdZaGqfbrLuEcEHtxMCWnDsH 11500000547
1DuPxhGV1ts1iUQ4wNk8fBhZgdFUfqNoxh 11500000547
36RdVqz6xowR2iUWR9rLddycBXgJhRELUF 11500000547
1NfPLojwfbw8afSbU9TXqLJosqQ3TumPWz 11500000547
1NMjti1DNRKh97GmQKSm9ha1MuKFgRuQm2 11500000547
36V4DV12GkodBbgf5UxbdBDKD1AWspNnTw 11500000547
1Dbi3a7btyc4SUdpYLgaFKKJgSwj6UCwUz 11500000547
12cUYpotRNxJ7TkHmGsDgPE3JfTy9jTews 11500000547
38vtDxcYvqhH1s4UZ4ZcP6N3GhAVwRjzrA 11500000000
3MRfAoTn11xNGcQVyXdWwZZ4sw4towGB6V 11500000000
16PSEi2i1aMuaACU6G9WafSKS4dbpWyK2T 11499997047
1LYmE87eRAXTuPEuHsdByGaaosqvJKi9No 11499990997
17X1kRVtppyCu4oTtVkjYmTzBXcH7SAAJU 11499983347
1Pqe4wzYZR89t2GznDw7CLFX3ucx5UPq8j 11499980536
3Ftc4aDWM6hverc5YmY96qYKsAD2JeB4tG 11499977051
3QbhMYzY6PUE9vXvcSUG48uWcXU3kNnSuo 11499969173
1EKGhnjazgKxZJLVpC4tdNrtZpS84w7kPo 11499935359
3LZmVSFZeDxw9pwXWrmjZp5DkyDaMvsyud 11499875107
35BRDnB1AF29jY7aYnJPtLeAa48Q5evnjQ 11499705423
35q6Fd6xvvDSWdijJtyraxBn4U75JjBM1r 11499047046
1JdukbPapQ5FH2mX38K4iswRW2yV5gzchx 11499045304
14aaJ95pKvFzqvziFvrLkiq1tt4dKSBPvi 11499020547
3GT1dtVEwe8mG1JVdR5xrAZd9GRpkspVeu 11498301107
13CzaDxSqm8ydmHTcvipPkECdJJnUni5ih 11495053101
3JNPGomhh67eYmnoEdZikVTRPKLt3RrtVq 11490938737
1AggrobixHZbEuF4gpraNMAtEiErTBSL6E 11488418601
1Nu5uBhQ2h91uGig2udAGTJUkBGwFX2W61 11476240853
3BzVUj391MHFRNYkWdPcrKxjqtDWntEJMM 11469969174
1LrBQJP1URXdw78A4Fvq7Tkc2ghnQEjYAR 11467763903
3M1zTL2USpWQJXYbqPZNsy7wCLmvjAgouW 11465993351
3ARHxzCQbkwxfNpUFYmVNoezfEYgVTu117 11465520000
19eZNaK11KXJVQPt64RzqdfddQVB3KTfuD 11463949156
3KBjnquAV8xwAHRyEbHm3fzwEfq7c2g6jD 11462756402
3BMEXZmNeMtqg8JWVkkRCNF94j4S3P1sZc 11462371700
3J9R2EvFGEQvPfSg3UPNRQD8t4bdfUy9gN 11457947760
1FryMGM8PmcJGaLCbSJzaHQnZQKKYnS5sV 11456939996

Importing in Electrum shows that these addresses are currently (almost) empty:
Code:
14MEF2wEMwmDNMUCPHGnAieqvncJVASKAx
1DdbvQBfno6uBdfraWN9PHas9amrAPV8Pj
32CYjZpCmUVq4bipyY12194MQwYSn1hzam
34c6y5tYP9vZbrjRvgxiYajG1sSKZRnv6N
3A1Y447uWvBRC37rXASndPLQv6fqRneYu3
3ARHxzCQbkwxfNpUFYmVNoezfEYgVTu117
3JNPGomhh67eYmnoEdZikVTRPKLt3RrtVq
3KBjnquAV8xwAHRyEbHm3fzwEfq7c2g6jD
3MRfAoTn11xNGcQVyXdWwZZ4sw4towGB6V
3NqB2cmXga7XnGmAT5cpVQ2K2K1kpGv833
I don't expect an old paper wallet to be multisig, so that leaves only the first 2 addresses. None of those are old.
Can you share your paper wallet's address? Or is your nickname "CW_Fanboy" just created for trolling?

If you're really holding $1M+ in Bitcoin on a paper wallet, why would you ever use a hot wallet to sign a transaction? All of this can be done offline and thoroughly checked before broadcasting.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: CW_Fanboy on October 06, 2020, 09:30:33 PM
Can you share your paper wallet's address? Or is your nickname "CW_Fanboy" just created for trolling?
The paper wallet address is: 1LuP7CEC6Hnkd1jfLQVrikhcrpFR5MLAt4

For what it's worth, I can see the 115 BSV sitting in this wallet... https://blockchair.com/bitcoin-sv/address/19bmMog453CaqL2k76tNXzGzy4qNAmQnHb

I didn't send them there, nor did I send them to the 1Bs6J9GFRHavZCsBqK5ryQ1GAmxMeMMVyS address.  

Thanks for the help LoyceV!  If you lead me to the coins, I'll give you 10 of the BSV, promise!

And no, I'm not a troll!  I'm a genuine CW fan.  I believe CW is the smartest man alive today, just ahead of Jim Rickards.  I know that makes me a tomato target, but that's life in the logic lane.  

If you're really holding $1M+ in Bitcoin on a paper wallet, why would you ever use a hot wallet to sign a transaction? All of this can be done offline and thoroughly checked before broadcasting.
:|

Well, I'm an economist, not an engineer.  I knew about the offline transaction method, but it didn't feel safe to me due to the complexity.
I'm lucky because I could have lost my BTC and BCH as well, had I tried to sweep the BSV first.  

Btw, all my crypto is now moved to hardware wallets.  Phew!  


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: fer_coinomi on October 07, 2020, 12:54:07 AM
Crap, I think this same problem just happened to me.  :|  I lost 115 BSV, ie $16,000. 

Using Coinomi desktop app for Win10, I was sweeping an old paper wallet that had unsplit BTC in it.  I swept the BTC just fine, then swept the BCH, but when I swept to my BSV wallet the Coinomi app threw an error "A generic error has occurred."

Right away I opened ElectrumSV to try the sweep again.  The sweep worked, but the wallet was empty - the 115 BSV was sent to another wallet.  Then another wallet, then another... and I wasn't doing the sending. :(

Judging from this dirty-dog "spellcheck" fiasco, I'm pretty sure when I got that "generic error", Coinomi sent the error over some insecure server, and the BSV got sniffed. 

Come on Coinomi!!!  Test your stuff, we are losing our life savings out here!  Ok maybe not life savings but I could have bought a nice Honda Civic!!

Hi CW_Fanboy, your issue has nothing to do with the long-fixed problem described in this post (which was found to have been an attempt (https://twitter.com/kimionis/status/1131945228506738688) to extort (https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af) Coinomi, by the way). As you said it yourself, you didn't split the BCH from the BSV. This means that transactions you make with one coin also happen with the other. This is described in our article here: https://coinomi.freshdesk.com/support/solutions/articles/29000026274-bch-abc-bsv-fork-information-splitting

When you swept the BCH, the transaction was replayed on the BSV network. You can see both transactions with ID 148696fae3d9b84c4031dd2ebd84037c5f22cd6419209f3815dea8d4dc8a341c on the BCH (https://blockchair.com/bitcoin-cash/address/qpmj570h6579su4uvuu6dschea37k40rm5zw6e305t) and BSV (https://blockchair.com/bitcoin-sv/transaction/148696fae3d9b84c4031dd2ebd84037c5f22cd6419209f3815dea8d4dc8a341c) chains.

Then when you sent the BCH to your hardware wallet, the same thing happened, and you can see both transactions with ID d2ad02be15b06dbea03be743dcb1d6cdcc84414de05f254eec88615a1283ff67 on the BCH (https://blockchair.com/bitcoin-cash/transaction/d2ad02be15b06dbea03be743dcb1d6cdcc84414de05f254eec88615a1283ff67) and BSV (https://blockchair.com/bitcoin-sv/transaction/d2ad02be15b06dbea03be743dcb1d6cdcc84414de05f254eec88615a1283ff67) chains again.

So your BSV is now in your hardware wallet's BCH address. If the only BCH you have in your hardware wallet is this one you swept, you can send it back to your Coinomi BCH address. The transaction will be replayed the same way as before, and the BSV will be sent too. Then you can follow the instructions on the first link we sent above to properly split your coins. After that you will be able to make transactions with one without affecting the other. Feel free to continue discussion on the support ticket you opened with us.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: CW_Fanboy on October 07, 2020, 01:18:35 AM
Ah.  Duh.  Sorry about that, my mistake.  I didn't realize there were hoops to jump through to sweep the BSV wallet, as I had done the same type of operation through ElectrumSV. 

So your BSV is now in your hardware wallet's BCH address.
Unfortunately I sent the BCH to an exchange, not my hardware wallet.  So that means it's unrecoverable then?



To reiterate on Coinomi's behalf, I was mistaken.  This was not a bug in the Coinomi software, I just didn't take the time to understand how to execute the sweep properly. 

Carry on!  :P


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: fer_coinomi on October 07, 2020, 01:30:10 AM
So your BSV is now in your hardware wallet's BCH address.
Unfortunately I sent the BCH to an exchange, not my hardware wallet.  So that means it's unrecoverable then?
In this case the BSV is in the exchange's address now. Please contact their support and explain that you sent unsplit BSV along with a BCH deposit to them. Technically it's possible for them to retrieve the BSV, since they control the private keys to their addresses. Practically, getting that private key and making a transaction may be difficult depending on how their system is set up, but only they are going to be able to answer that.


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: CW_Fanboy on October 07, 2020, 01:34:53 AM
So your BSV is now in your hardware wallet's BCH address.
Unfortunately I sent the BCH to an exchange, not my hardware wallet.  So that means it's unrecoverable then?
In this case the BSV is in the exchange's address now. Please contact their support and explain that you sent unsplit BSV along with a BCH deposit to them. Technically it's possible for them to retrieve the BSV, since they control the private keys to their addresses. Practically, getting that private key and making a transaction may be difficult depending on how their system is set up, but only they are going to be able to answer that.
Yup.  Thanks again, and sorry for the unwarranted blame.  At least you guys got to show how good your support is. :P


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: LoyceV on October 07, 2020, 08:41:07 AM
The paper wallet address is: 1LuP7CEC6Hnkd1jfLQVrikhcrpFR5MLAt4
That explains why I couldn't find it: the total balance was 160 Bitcoin, not 115. The BSV amount was a bit lower indeed, but I didn't have data on those chains. I'm sorry for insinuating you're trolling :(

Quote
Thanks for the help LoyceV!  If you lead me to the coins, I'll give you 10 of the BSV, promise!
Let's see :)

Quote
I know that makes me a tomato target
Let's keep that out of this topic :)

Quote
Well, I'm an economist, not an engineer.  I knew about the offline transaction method, but it didn't feel safe to me due to the complexity.
I'm lucky because I could have lost my BTC and BCH as well, had I tried to sweep the BSV first.
Too late for you, but it might help others: This could have easily been prevented by sending some BCH-dust (that doesn't exist on the BSV chain) to your address before withdrawing all BCH-funds.

Unfortunately I sent the BCH to an exchange, not my hardware wallet.  So that means it's unrecoverable then?
In this case the BSV is in the exchange's address now. Please contact their support and explain that you sent unsplit BSV along with a BCH deposit to them. Technically it's possible for them to retrieve the BSV, since they control the private keys to their addresses. Practically, getting that private key and making a transaction may be difficult depending on how their system is set up, but only they are going to be able to answer that.
This is correct. Some exchanges offer a cross-chain recovery service at a fee, some don't do it at all, and some do it once in a while. When you contact them, make sure to clearly explain what happened, I've seen people get rejected by customer service employees who either don't understand it, or don't read carefully. Keep it short and concise.

BSV doesn't have replay protection, which means any transaction that occurs on the BCH-chain can also be replayed on the BSV-chain, as long as all inputs exist on both chains.

Transactions:
BCH:
148696fae3d9b84c4031dd2ebd84037c5f22cd6419209f3815dea8d4dc8a341c (https://blockchair.com/bitcoin-cash/transaction/148696fae3d9b84c4031dd2ebd84037c5f22cd6419209f3815dea8d4dc8a341c)
d2ad02be15b06dbea03be743dcb1d6cdcc84414de05f254eec88615a1283ff67 (https://blockchair.com/bitcoin-cash/transaction/d2ad02be15b06dbea03be743dcb1d6cdcc84414de05f254eec88615a1283ff67)
This last address (https://blockchair.com/bitcoin-cash/address/qp09gtvpzx9d9nyl2smk7ey7pf6rclze4vx77276rn) has 2 exactly similar transactions incoming. Does this mean you did the same thing twice (also from 1JJ34cfu51rKxWbVPsuu5Ri1iqTiWRz1xM), but only one of the transactions got replayed on the BSV chain?

BSV:
148696fae3d9b84c4031dd2ebd84037c5f22cd6419209f3815dea8d4dc8a341c (https://blockchair.com/bitcoin-sv/transaction/148696fae3d9b84c4031dd2ebd84037c5f22cd6419209f3815dea8d4dc8a341c)
d2ad02be15b06dbea03be743dcb1d6cdcc84414de05f254eec88615a1283ff67 (https://blockchair.com/bitcoin-sv/transaction/d2ad02be15b06dbea03be743dcb1d6cdcc84414de05f254eec88615a1283ff67)

On those 2 addresses, you're also looking at ~$500 in Bitcoin Diamond, $300 in Bitcoin Gold (although the addresses don't show up in the explorers I've tried) and $10 in Bitcore.
There are more but they're mostly worthless and/or only traded on shady exchanges, plus I haven't figured out yet how best to extract them.
If you're interested, I offer my Bitcoin Fork claiming service (https://bitcointalk.org/index.php?topic=2836875.msg29086320#msg29086320) at a 10% fee.
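The replay mechanics fer_coinomi and LoyceV describe above (an unsplit sweep that is valid on both chains, and a BCH-only dust output as the cure), as an added example that is not code from either poster or from Coinomi. It models each chain as nothing more than its UTXO set with no replay protection; the chain names follow the thread, while the txids, addresses and satoshi amounts are constructed.

```python
"""Why an unsplit BCH sweep is replayed on BSV, and why spending a BCH-only
dust output together with the old coins prevents it. Added example with
constructed data: a chain is modelled purely as its UTXO set."""
from dataclasses import dataclass
from hashlib import sha256
import json


@dataclass(frozen=True)
class Outpoint:
    txid: str
    vout: int


@dataclass
class Tx:
    inputs: list   # Outpoints being spent
    outputs: list  # (address, satoshis) pairs

    @property
    def txid(self) -> str:
        # Content-derived id: the identical tx gets the identical id on both
        # chains, which is exactly why one signed sweep can land on BCH and BSV.
        body = json.dumps([[i.txid, i.vout] for i in self.inputs]
                          + [list(o) for o in self.outputs])
        return sha256(body.encode()).hexdigest()


class Chain:
    """A chain reduced to its UTXO set: Outpoint -> (address, satoshis)."""

    def __init__(self, name: str, utxos: dict):
        self.name = name
        self.utxos = dict(utxos)

    def can_apply(self, tx: Tx) -> bool:
        # No replay protection: a tx is valid wherever *all* of its inputs exist.
        return all(op in self.utxos for op in tx.inputs)

    def apply(self, tx: Tx) -> bool:
        """Apply tx if valid; return whether it was accepted (i.e. replayed here)."""
        if not self.can_apply(tx):
            return False
        for op in tx.inputs:
            del self.utxos[op]
        for n, out in enumerate(tx.outputs):
            self.utxos[Outpoint(tx.txid, n)] = out
        return True

    def balance(self, address: str) -> int:
        return sum(sats for addr, sats in self.utxos.values() if addr == address)


SATS = 100_000_000
PAPER = Outpoint("a" * 64, 0)                    # constructed pre-fork paper-wallet output
PRE_FORK = {PAPER: ("paper_addr", 115 * SATS)}   # same history on both chains


def fork():
    """Both chains start from the same pre-fork UTXO set."""
    return Chain("BCH", PRE_FORK), Chain("BSV", PRE_FORK)


def unsplit_sweep():
    """Sweep the paper wallet on BCH, then present the very same tx to BSV."""
    bch, bsv = fork()
    sweep = Tx(inputs=[PAPER], outputs=[("hot_wallet_bch", 115 * SATS)])
    bch.apply(sweep)
    replayed = bsv.apply(sweep)   # True: BSV still holds the same input
    return replayed, bsv.balance("hot_wallet_bch")


def split_then_sweep():
    """Receive post-fork BCH dust first and spend it together with the old coins."""
    bch, bsv = fork()
    dust = Outpoint("b" * 64, 0)                 # output created after the fork...
    bch.utxos[dust] = ("paper_addr", 546)        # ...so it exists on BCH only
    sweep = Tx(inputs=[PAPER, dust],
               outputs=[("hot_wallet_bch", 115 * SATS + 546)])
    bch.apply(sweep)
    replayed = bsv.apply(sweep)   # False: BSV has never seen the dust input
    return replayed, bsv.balance("paper_addr")


if __name__ == "__main__":
    print("unsplit sweep replayed on BSV:", unsplit_sweep())
    print("dust-tainted sweep replayed on BSV:", split_then_sweep())
```

In the second case the 115 BSV stay on the paper address, untouched by the BCH sweep, and can afterwards be spent with a BSV-only transaction.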


Title: Re: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings
Post by: STT on October 19, 2020, 02:29:49 AM
You can lose all your gold easily via a variety of methods depending on how you store it.   In theory gold is a fine idea but definitely don't put everything in there; it's best suited to those with perfect personal security, and obviously it's often used with vaults and national deposits in countries with standing armies and so on.   It's really very different in its objective to crypto and how easily usable BTC can be with far lower standing costs.
   Since we're repeating events of a century ago, some history knowledge is never a bad idea tbh: https://en.wikipedia.org/wiki/Executive_Order_6102