Bitcoin Forum
October 31, 2024, 09:42:01 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 [5] 6 »  All
  Print  
Author Topic: WARNING - Coinomi Wallet CRITICAL Vulnerability Made Me Lose My Life Savings  (Read 2100 times)
BitBustah
Hero Member
*****
Offline Offline

Activity: 1218
Merit: 534



View Profile
May 25, 2019, 04:23:54 PM
 #81

Makes me sick how very few people are even held responsible for their actions.  They just forget about it and show no sympathy for the losses they caused.   I've gotten to a point where it is hard to trust anyone after seeing all these hacks, scams, and phishers.
Anonylz
Hero Member
*****
Offline Offline

Activity: 2562
Merit: 577



View Profile
May 25, 2019, 06:36:56 PM
 #82

Such a horrible experience you must have had, this is bad if we can't be safe with our funds on exchange and now in wallets too? Till now, never thought something like this could happen with a personal wallet of which you hold the recovery phrase or key, but with this unfortunate situation of yours makes have a second thought about the wallet i keep my funds, i don't want to imagine this happening Shocked
I hope to you can recover your money sooner than later.

██▄     ▄▄░
▀██▄ ▄██▀
▄▄███████████████████▄▄
▄█████▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀█████▄
████▀                   ▀████
████       ▄▄█████▄▄  ▀▄   ████
████      ▄██████████▄▀    ████
████      ████████▀▀       ████
████  ▄▀ ▄██▀▀▀   ▄██      ████
████   ▀▀     ▄▄███▀       ████
████▄                   ▄████
▀█████▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄█████▀
▀▀███████████████████▀▀
.
SECONDLIVE
.
CHOOSE LIFE      CHOOSE SPACE      CHOOSE FRIENDS
.
                           Twitter       Telegram      Medium      YouTube      Discord        TikTok         GitHub               
        ▄▄███████▄▄▄
    ▄▄████████████████▄▄
   ████████████████████▄
  ███████▀▀▀█████████████
 ██████▌     ▀████████████
███████▀ ▀▀▄▄██▀▀▀█████████
██████             ▀███████
██████▄             ███████
 ███████▄▄        ▄███████
  ███████████▄▄▄▄█████████
   ▀███████████████████▀
     ▀████████████████▀▀
   ██████████████████████
Spider A4
Full Member
***
Offline Offline

Activity: 657
Merit: 100



View Profile
May 25, 2019, 08:07:49 PM
 #83

Very sad for your life saving whole asset stolen. 60k$-70k$ is really massive amount i think it's your bad decision to hold in Coinomi wallet.
Because a lot of safe wallet if you can use like one of them hardware wallet is huge safe from coinomi wallet.
Coinomi
Newbie
*
Offline Offline

Activity: 52
Merit: 0


View Profile WWW
May 26, 2019, 01:19:29 AM
 #84

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

You can save readers a few steps by just posting the Medium article:

https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af

It spends too much time talking about the behavior of the victim, which isn't necessarily relevant, though the article does provide some blockchain forensics to show that the coins may have been taken through malware. How do we know the malware doesn't exploit the bug identified by Al Maawali and patched immediately after by Coinomi? Were there apparent hackings conducted after the bug was fixed? The article doesn't mention this.

While it sounds like malware was likely involved, there could still have been an oversight error on the part of Coinomi.

We would like to update anyone reading this post, with the Blockchain analysis report. Please take a moment to find the details of the report at this link: https://twitter.com/kimionis/status/1131945228506738688

Not surprised. It read like a load of shit to me. As if there's someone in the bowels of google rubbing their hands as they wait for the seeds to roll in. Gimme a bleedin' break.

I agree that the chances of Google being in on it are slim to nonexistent.


Actually it does: "Most crucially, however, the first two incoming transactions into the Consolidation Wallet happened in October 2018, well before the Coinomi desktop app was even released (which was December 31 2018).". In plain English, the hackers group that stole the OP's coins and the very wallet that they have used to consolidate funds has been active months before the 1st version of Coinomi Desktop was ever released. This alone is a proof that the OP has been lying all along about the circumstances under which his wallet was emptied.
ryap12
Member
**
Offline Offline

Activity: 700
Merit: 14


View Profile
May 26, 2019, 01:32:04 AM
 #85

From what I see, I think Coinomi will not pay the stolen funds as they are only a wallet provider and it's up to the user how he uses it. Not sure who the hell it got hacked since I can't spend all my time watching the vid. I just went on reading their conversation with Coinomi. For the bounty reward, OP deserves that since it's major.

I never use these mobile wallets, like Coinomi, because I have a strong feeling from the very beginning that they are prone to attacks since everyone just gives permission whenever they install an application. Virus spreads easily too so I never store such amounts. I prefer using a brand new hardware wallet for full encryption and away from viruses and malwares.
Novatech8
Member
**
Offline Offline

Activity: 700
Merit: 27

Sovryn - Brings DeFi to Bitcoin


View Profile
May 26, 2019, 09:12:08 AM
 #86

I wonder how that happens because I've been using mine since 2016 and no issue at all but not the windows version though ,I'm using the mobile wallet only

Pon13
Full Member
***
Offline Offline

Activity: 670
Merit: 130



View Profile WWW
January 09, 2020, 01:39:07 PM
Merited by suchmoon (4), LoyceV (2)
 #87

Just noticed there is a third statement of warith  

Long story short, Coinomi hired a "cyber-security firm" named CipherBlade (that means Coinomi paid that firm money to make a report) and they concluded what Coinomi supports is right ( Grin Grin Roll Eyes )
haha how fuckin convenient is that.

If you actually read the objective  Grin Grin Grin report and have basic security knowledge you will....laugh hard or cry.
Its more like a paid article that shils a shitcoin than a technical paper explaining what happened or might happened while most of the arguments have already answered on the 1st and 2nd statements.

Its tragic that Coinomi still trying to spread lies and false reports while spending money on the latter instead of just saying sorry and pay back the man.

If CipherBlade is a cyber-security firm, i am manbearpig.

Anyway you can read the third statement of warith here and judge for yourselves --> https://www.avoid-coinomi.com/#overview-3rd-statement

its a free for all world afterall.



Bill Hicks was right about....everything
gentlemand
Legendary
*
Offline Offline

Activity: 2590
Merit: 3014


Welt Am Draht


View Profile
January 09, 2020, 01:45:33 PM
 #88

Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.
Pon13
Full Member
***
Offline Offline

Activity: 670
Merit: 130



View Profile WWW
January 09, 2020, 02:04:10 PM
 #89

Just noticed there is a third statement of warith  

I thought it was a load of bollocks at the time and I still do.

OP's story, that is.

The simplest option is that using any wallet on any Windows PC is a licence to get boned. And it happened to OP just like thousands of others.

Sure, you look like you've read the story  Roll Eyes

If you want a real good bollocks story except from scientology or any other religion you can take Coinomi's replies and paid reports.

Anyway, i hope this ends to court cause the guy will surely win.

Facts are facts no matter how many lies and false reports you spread.
Coinomi was unlucky cause the guy is not a simple crypto user that would take the loss and didnt know what to do, say or support.
The guy is a security analyst and if you compare what both sides state and the way they do it, its clear who is wrong and who is right.
If you have the tech knowledge to understand what either side claims then i would say its crystal clear.

 Kiss love and hugs

Bill Hicks was right about....everything
gentlemand
Legendary
*
Offline Offline

Activity: 2590
Merit: 3014


Welt Am Draht


View Profile
January 09, 2020, 02:10:18 PM
 #90

Sure, you look like you've read the story  Roll Eyes

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.
Pon13
Full Member
***
Offline Offline

Activity: 670
Merit: 130



View Profile WWW
January 09, 2020, 02:24:59 PM
Last edit: January 09, 2020, 02:40:08 PM by Pon13
Merited by gentlemand (1)
 #91

Sure, you look like you've read the story  Roll Eyes

It's not Coinomi's technical flaw I doubt. It's the idea of a little caretaker in the Google server centre idly browsing the trillions of words per minute pouring in during his tea break, spotting the seed and thinking 'I'll fuckin' have some of that'.

If you have a wallet on a PC, any wallet, if someone's already on there then whatever is typed and displayed is already in plain text waiting to be taken away.

Well if you work at google and have access (physical or not) to where these data are being kept i believe you are capable of creating a script extracting the data you want.

The whole point was that their Desktop Wallet was sending clear text seed phrases, instead of saying sorry and fix this they responded like the older incident with their mobile wallet not using SSL.....blaming the guy who found the vulnerability and informed them....

Whether was a man in the middle attack (stealing the plain text info that was transmitted) or someone at google i dunno but sending such critical info as passwords or seed words plaint text, no matter how you dont want to see it, its a critical security flaw and the fault is on the developer not the user, just like with the non activated SSL connection on their android wallet (if i recall right).

Bill Hicks was right about....everything
gentlemand
Legendary
*
Offline Offline

Activity: 2590
Merit: 3014


Welt Am Draht


View Profile
January 09, 2020, 02:30:46 PM
 #92

Whether was a man in the middle attack (stealing the plain text info that was transmitted) or someone at google i dunno but sending such critical info as passwords or seed words plaint text, no matter how you dont want to see it, its a critical security flaw and the fault is on the developer not the user, just like with the non activated SSL connection on ther android wallet (if i recall right).

Agreed. But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what is OP claiming.

It's important their shitty practices get highlighted and addressed. It's everything that's come after I don't buy.
The Sceptical Chymist
Legendary
*
Offline Offline

Activity: 3500
Merit: 6984


Top Crypto Casino


View Profile
January 09, 2020, 04:15:05 PM
Merited by JayJuanGee (1)
 #93

But in this case the likelihood of this particular loss being a common or garden PC hijack is infinitely higher than what is OP claiming.
I've been reading this thread in horror, and my understanding is that it's not clear exactly how OP lost his coins.  You seem to be saying it was an attack on his PC rather than some insider at Google, right?  And here I have to profess severe ignorance as to technical matters, but are you saying that even software wallets like Electrum aren't secure on PCs?

And yeah, I agree with the other folks who are recommending hardware wallets, which would have been an infinitely better choice for storing altcoins than Coinomi--but bringing that up doesn't help OP in any way and I'm sure he knows it now.  This really sucks for him, and even though the hack happened a while back it's got to still sting.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
gentlemand
Legendary
*
Offline Offline

Activity: 2590
Merit: 3014


Welt Am Draht


View Profile
January 09, 2020, 04:23:28 PM
Merited by JayJuanGee (1)
 #94

I've been reading this thread in horror, and my understanding is that it's not clear exactly how OP lost his coins.  You seem to be saying it was an attack on his PC rather than some insider at Google, right?  And here I have to profess severe ignorance as to technical matters, but are you saying that even software wallets like Electrum aren't secure on PCs?

Why would any desktop wallet be secure? They're on a machine that attracts keyloggers, screen capture stuff, remote takeovers and clipboard malware. If you can type it or see it that means someone else can too.

The sending address could be changed, someone might be watching you when it gives you the seed or when you reenter it, they might capture your passwords and empty the wallet.

Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.
HardFacts
Member
**
Offline Offline

Activity: 434
Merit: 29


View Profile
January 09, 2020, 06:41:22 PM
 #95


Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.

I Totally AGREE !!!  Finally someone that understands this concept.   With a non connected memory device to store my Bitcoins, I do not have worry about them ever being removed.   This allows me to back up my Seed Words here in the forum, and will never risk losing or forgetting my Seed Words as some people have.

mocacinno
Legendary
*
Offline Offline

Activity: 3556
Merit: 5187


https://merel.mobi => buy facemasks with BTC/LTC


View Profile WWW
January 09, 2020, 07:02:15 PM
 #96


Electrum with a hardware wallet is fine. Electrum on a wiped and air gapped machine that never sees the internet is fine. I've never understood why anyone recommends any Windows PC based wallet for a connected machine. You never know what'll be hiding.

I Totally AGREE !!!  Finally someone that understands this concept.   With a non connected memory device to store my Bitcoins, I do not have worry about them ever being removed.   This allows me to back up my Seed Words here in the forum, and will never risk losing or forgetting my Seed Words as some people have.



In case you were serious and this really is your seed: your wallet is now compromised because you posted a picture of your seed on a public forum.. empty this wallet and never use it again. Anybody can restore your wallet using electrum and sign transactions funding the addresses in this wallet from this point forward.

After you emptied this wallet, make sure you also move the funds you might have on the forks (like bch or bsv), the same seed can be used to steal those ones to.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pon13
Full Member
***
Offline Offline

Activity: 670
Merit: 130



View Profile WWW
January 10, 2020, 08:03:45 AM
 #97

what the heeeeellll..... Huh  Shocked

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.

Bill Hicks was right about....everything
Baofeng
Legendary
*
Offline Offline

Activity: 2772
Merit: 1678



View Profile
January 10, 2020, 09:15:31 AM
 #98

what the heeeeellll..... Huh  Shocked

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.

Obviously, he has been trolling you guys and you fall from it,  Smiley

That images is here: https://anonymous-proxy-servers.net/en/help/jondo-live-cd14.html

 
 RAZED  
███████▄▄▄████▄▄▄▄
████▄███████████████
██▄██████▀▀████▀▀█████▄
████
██████████████
▄████████▄████████████▄
████████▀███████████▄
██████████████▐█▄█▀████████
▀████████████▌▐█▀██████████
▀███████████▌▀████████████
█████████▄▄▄
█████▄▄██████
████████████████████████
█████▀█████████████████▀
██████████████
▄▄███████▄▄
▄███████████████
▄███████████████████▄
█████████████████████▄
▄███████████████████████▄
████████████████████████
█████████████████████████
██████████████████████
▀█████
█████████████████▀
▀█
████████████████████▀
▀█████
█████████████
▀███████████████▀
█████████
 
RAZED ORIGINALS
SLOTS & LIVE CASINO
SPORTSBOOK
|
 NO 
KYC
 
 RAZE THE LIMITS   PLAY NOW 
broadhurst
Jr. Member
*
Offline Offline

Activity: 160
Merit: 4


View Profile
July 10, 2020, 04:59:31 AM
Last edit: July 10, 2020, 05:24:20 AM by broadhurst
 #99

what the heeeeellll..... Huh  Shocked

HardFacts i hope you're trolling
else
check and read the bold WARNING message on the image you posted and do what mocacinno suggests immediately.

Obviously, he has been trolling you guys and you fall from it,  Smiley

That images is here: https://anonymous-proxy-servers.net/en/help/jondo-live-cd14.html
1) Why has anybody got their  'life savings' on a fucking desktop wallet.. Use a goddam Trezor with a passphrase and a compatible desktop wallet like electrum
 
2) What were you doing using  Exodus wallet if you were concerned about security, As soon as i tested that wallet it was clear that it is a 'style over substance' wallet

3) Use a passphrase. Coinomi offers you the option of using a bip39 passphrase which would have protected your 'life savings'

4) With all your analasis of Coinomis behaviour try analysing your own shortcomings when it comes down to protecting your crypto assets..  Personel responsibility is about accepting that all software has potential flaws and not blaming a free wallet that you were not forced to use.. i have used a coinomi mobile wallet since 2015 with zero issues and commonsense dictates that you would not have more than a few hundred dollars on a mobile or desktop wallet.
  
pooya87
Legendary
*
Offline Offline

Activity: 3626
Merit: 10993


Crypto Swap Exchange


View Profile
July 10, 2020, 07:57:12 AM
Merited by TheArchaeologist (2), Wind_FURY (1)
 #100

1) Why has anybody got their  'life savings' on a fucking desktop wallet.. Use a goddam Trezor with a passphrase and a compatible desktop wallet like electrum
 
2) What were you doing using  Exodus wallet if you were concerned about security, As soon as i tested that wallet it was clear that it is a 'style over substance' wallet

3) Use a passphrase. Coinomi offers you the option of using a bip39 passphrase which would have protected your 'life savings'

4) With all your analasis of Coinomis behaviour try analysing your own shortcomings when it comes down to protecting your crypto assets..  Personel responsibility is about accepting that all software has potential flaws and not blaming a free wallet that you were not forced to use.. i have used a coinomi mobile wallet since 2015 with zero issues and commonsense dictates that you would not have more than a few hundred dollars on a mobile or desktop wallet.

so you just bumped a 7 month old topic with mostly bad advice huh!

1) hardware wallets don't magically give you security. there are still lots of ways that you could lose money using them and lots of exploits that keep being found that lead to fund loss.

2) Exodus is closed source and that means it has 0 security because nobody knows what really happens under the hood.

3) that is not meant for security and it doesn't give you meaningful security either. in fact the term "passphrase" should not have been used in first place. the more appropriate term is "mnemonic extension".
not to mention similar to Exodus, Coinoni is also closed source which means this wallet also has 0 security.

4) that is only true when the wallet's source code can be reviewed by experts and its transparency becomes apparent. but when it is closed source then it should not even be used let alone waste time thinking about what you did wrong that led to losses.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: « 1 2 3 4 [5] 6 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!