Bitcoin Forum
Author Topic: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings  (Read 1337 times)
BitBustah
Hero Member
Activity: 1232
Merit: 534
May 25, 2019, 04:23:54 PM
 #81

Makes me sick how very few people are even held responsible for their actions.  They just forget about it and show no sympathy for the losses they caused.   I've gotten to a point where it is hard to trust anyone after seeing all these hacks, scams, and phishers.
Anonylz
Hero Member
Activity: 1470
Merit: 514
May 25, 2019, 06:36:56 PM
 #82

Such a horrible experience you must have had. This is bad if we can't be safe with our funds on exchanges, and now in wallets too? Till now, I never thought something like this could happen with a personal wallet of which you hold the recovery phrase or key, but this unfortunate situation of yours makes me have second thoughts about the wallet I keep my funds in; I don't want to imagine this happening Shocked
I hope you can recover your money sooner rather than later.
Spider A4
Full Member
Activity: 661
Merit: 100
May 25, 2019, 08:07:49 PM
 #83

Very sad that your life savings, your whole assets, were stolen. 60k$-70k$ is a really massive amount; I think it was a bad decision on your part to hold it in the Coinomi wallet.
There are a lot of safe wallets you could use; a hardware wallet, for example, is hugely safer than the Coinomi wallet.
Coinomi
Newbie
Activity: 44
Merit: 0
May 26, 2019, 01:19:29 AM
 #84

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

You can save readers a few steps by just posting the Medium article:

https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af

It spends too much time talking about the behavior of the victim, which isn't necessarily relevant, though the article does provide some blockchain forensics to show that the coins may have been taken through malware. How do we know the malware doesn't exploit the bug identified by Al Maawali and patched immediately after by Coinomi? Were there apparent hackings conducted after the bug was fixed? The article doesn't mention this.

While it sounds like malware was likely involved, there could still have been an oversight error on the part of Coinomi.

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

I agree that the chances of Google being in on it are slim to nonexistent.


Actually it does: "Most crucially, however, the first two incoming transactions into the Consolidation Wallet happened in October 2018, well before the Coinomi desktop app was even released (which was December 31 2018).". In plain English, the hacker group that stole the OP's coins, and the very wallet that they used to consolidate funds, had been active for months before the 1st version of Coinomi Desktop was ever released. This alone is proof that the OP has been lying all along about the circumstances under which his wallet was emptied.
ryap12
Member
Activity: 546
Merit: 14
May 26, 2019, 01:32:04 AM
 #85

From what I see, I think Coinomi will not pay the stolen funds as they are only a wallet provider and it's up to the user how he uses it. Not sure how the hell it got hacked since I can't spend all my time watching the vid. I just went on reading their conversation with Coinomi. For the bounty reward, OP deserves that since it's major.

I never use these mobile wallets, like Coinomi, because I have had a strong feeling from the very beginning that they are prone to attacks since everyone just gives permission whenever they install an application. Viruses spread easily too, so I never store such amounts. I prefer using a brand new hardware wallet for full encryption and away from viruses and malware.

Novatech8
Member
Activity: 378
Merit: 19
May 26, 2019, 09:12:08 AM
 #86

I wonder how that happens because I've been using mine since 2016 with no issue at all, but not the Windows version though; I'm using the mobile wallet only.

Pon13
Full Member
Activity: 647
Merit: 126
January 09, 2020, 01:39:07 PM
Merited by LoyceV (2)
 #87

Just noticed there is a third statement of warith  

Long story short, Coinomi hired a "cyber-security firm" named CipherBlade (that means Coinomi paid that firm money to make a report) and they concluded what Coinomi supports is right ( Grin Grin Roll Eyes )
haha how fuckin convenient is that.

If you actually read the objective  Grin Grin Grin report and have basic security knowledge you will....laugh hard or cry.
It's more like a paid article that shills a shitcoin than a technical paper explaining what happened or might have happened, while most of the arguments have already been answered in the 1st and 2nd statements.

It's tragic that Coinomi is still trying to spread lies and false reports while spending money on the latter instead of just saying sorry and paying back the man.

If CipherBlade is a cyber-security firm, I am manbearpig.

Anyway you can read the third statement of warith here and judge for yourselves --> https://www.avoid-coinomi.com/#overview-3rd-statement

It's a free-for-all world after all.



Bill Hicks was right about....everything
gentlemand
Legendary
Activity: 2282
Merit: 2345
January 09, 2020, 01:45:33 PM
 #88

Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.

Pon13
Full Member
Activity: 647
Merit: 126
January 09, 2020, 02:04:10 PM
 #89

Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.

Sure, you look like you've read the story  Roll Eyes

If you want a real good bollocks story, apart from Scientology or any other religion, you can take Coinomi's replies and paid reports.

Anyway, I hope this ends up in court 'cause the guy will surely win.

Facts are facts no matter how many lies and false reports you spread.
Coinomi was unlucky 'cause the guy is not a simple crypto user who would take the loss and not know what to do, say or support.
The guy is a security analyst and if you compare what both sides state and the way they do it, it's clear who is wrong and who is right.
If you have the tech knowledge to understand what either side claims then I would say it's crystal clear.

 Kiss love and hugs

gentlemand
Legendary
Activity: 2282
Merit: 2345
January 09, 2020, 02:10:18 PM
 #90

Sure, you look like you've read the story  Roll Eyes

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.

Pon13
Full Member
Activity: 647
Merit: 126
January 09, 2020, 02:24:59 PM
Last edit: January 09, 2020, 02:40:08 PM by Pon13
Merited by gentlemand (1)
 #91

Sure, you look like you've read the story  Roll Eyes

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.

Well, if you work at Google and have access (physical or not) to where these data are being kept, I believe you are capable of creating a script extracting the data you want.

The whole point was that their Desktop Wallet was sending clear text seed phrases; instead of saying sorry and fixing this they responded like in the older incident with their mobile wallet not using SSL.....blaming the guy who found the vulnerability and informed them....

Whether it was a man-in-the-middle attack (stealing the plain text info that was transmitted) or someone at Google I dunno, but sending such critical info as passwords or seed words in plain text, no matter how much you don't want to see it, is a critical security flaw and the fault is on the developer not the user, just like with the non-activated SSL connection on their Android wallet (if I recall right).

gentlemand
Legendary
Activity: 2282
Merit: 2345
January 09, 2020, 02:30:46 PM
 #92

Whether it was a man-in-the-middle attack (stealing the plain text info that was transmitted) or someone at Google I dunno, but sending such critical info as passwords or seed words in plain text, no matter how much you don't want to see it, is a critical security flaw and the fault is on the developer not the user, just like with the non-activated SSL connection on their Android wallet (if I recall right).

Agreed. But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what OP is claiming.

It's important their shitty practices get highlighted and addressed. It's everything that's come after I don't buy.

The Pharmacist
Legendary
Activity: 1792
Merit: 3414
January 09, 2020, 04:15:05 PM
Merited by JayJuanGee (1)
 #93

But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what OP is claiming.
I've been reading this thread in horror, and my understanding is that it's not clear exactly how OP lost his coins.  You seem to be saying it was an attack on his PC rather than some insider at Google, right?  And here I have to profess severe ignorance as to technical matters, but are you saying that even software wallets like Electrum aren't secure on PCs?

And yeah, I agree with the other folks who are recommending hardware wallets, which would have been an infinitely better choice for storing altcoins than Coinomi--but bringing that up doesn't help OP in any way and I'm sure he knows it now.  This really sucks for him, and even though the hack happened a while back it's got to still sting.

gentlemand
Legendary
Activity: 2282
Merit: 2345
January 09, 2020, 04:23:28 PM
Merited by JayJuanGee (1)
 #94

I've been reading this thread in horror, and my understanding is that it's not clear exactly how OP lost his coins.  You seem to be saying it was an attack on his PC rather than some insider at Google, right?  And here I have to profess severe ignorance as to technical matters, but are you saying that even software wallets like Electrum aren't secure on PCs?

Why would any desktop wallet be secure? They're on a machine that attracts keyloggers, screen capture stuff, remote takeovers and clipboard malware. If you can type it or see it that means someone else can too.

The sending address could be changed, someone might be watching you when it gives you the seed or when you reenter it, they might capture your passwords and empty the wallet.

Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.

HardFacts
Member
Activity: 98
Merit: 15
January 09, 2020, 06:41:22 PM
 #95


Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.

I Totally AGREE !!!  Finally someone that understands this concept.   With a non-connected memory device to store my Bitcoins, I do not have to worry about them ever being removed.   This allows me to back up my Seed Words here in the forum, and I will never risk losing or forgetting my Seed Words as some people have.

mocacinno
Legendary
Activity: 1862
Merit: 2081
January 09, 2020, 07:02:15 PM
 #96


Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.

I Totally AGREE !!!  Finally someone that understands this concept.   With a non-connected memory device to store my Bitcoins, I do not have to worry about them ever being removed.   This allows me to back up my Seed Words here in the forum, and I will never risk losing or forgetting my Seed Words as some people have.



In case you were serious and this really is your seed: your wallet is now compromised because you posted a picture of your seed on a public forum. Empty this wallet and never use it again. Anybody can restore your wallet using Electrum and sign transactions funding the addresses in this wallet from this point forward.

After you have emptied this wallet, make sure you also move the funds you might have on the forks (like BCH or BSV); the same seed can be used to steal those too.

Pon13
Full Member
Activity: 647
Merit: 126
January 10, 2020, 08:03:45 AM
 #97

what the heeeeellll..... Huh  Shocked

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.

Baofeng
Hero Member
Activity: 1050
Merit: 820
January 10, 2020, 09:15:31 AM
 #98

what the heeeeellll..... Huh  Shocked

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.

Obviously, he has been trolling you guys and you fell for it,  Smiley

That image is from here: https://anonymous-proxy-servers.net/en/help/jondo-live-cd14.html
