I get hacked, 2.4 bitcoin stolen from coinomi wallet

[minertalk]

Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

Windscribe is awful. It is a free VPN, which means it is probably spying on you. They are also very amateurish, going as far as failing to actually encrypt any of their servers meaning that all data could be intercept and read, as well as running long outdated software which had been deprecated because of critical security risks. For example: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/

You have unfortunately used a terrible wallet and a terrible VPN on a long outdated phone (which will also be vulnerable to security flaws), and it is also not a cold wallet as you state. Doesn't matter if you only go online once a week, once a month, once a year - as soon as you go online once, it is no longer a cold wallet.

There are lots of potential ways your coins could have been stolen here, and it is unlikely we will ever know the exact method.

Registered just to correct something here. That statement about Windscribe isn't correct and is dated. Windscribe disclosed voluntarily that they had servers seized and a potential vulnerability. It's a misconception due to poor reporting that "no servers were encrypted" as no data was stolen or left unencrypted. The comment by Yegor explains it in detail in that article you linked. Windscribe is a paid VPN service with free plan option.

Either way that sucks for OP. You must be going through a lot of emotional distress right now. You need to clean those devices and move services. If you don't trust Windscribe then look at these they recommended: https://blog.windscribe.com/how-to-pick-a-good-vpn/

All of them in that list are top-tier.

I trust Windscribe  I use it from 2017 , free account but I mine and my limit is 50gb per month more than enough , on the phone I have  an account without email with 2gb traffic/month
I don't think the VPN is the problem... if they hack my phone they have lots of opportunity since 2019 because Coinomi have enough updates in last  year.

[DaveF]

I have always used the theory that the coins on your phone should never be worth more then your phone.
But that's just me.
I use Coinomi on my phone to store a bunch of alts that I have accumulated over the years. Since my phone is older and worth less, and overall crypto is up in the last couple of days I am in violation of that but it's still under a couple of hundred dollars.

And as others have pointed out you are on a old phone with known vulnerabilities that were never fixed.

https://www.firstpost.com/tech/news-analysis/google-finds-11-vulnerabilities-in-the-samsung-galaxy-s6-edge-eight-fixed-3673083.html
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=galaxy

They, and it's not just Samsung its all phone makers, just let the old hardware sit forever with known issues because they just don't care.

-Dave

[vapourminer]

Now I am being a little concerned here because I have my coins stored on a smartphone wallet.
But I am using Mycelium which is an opensource wallet for storing bitcoin and Exodus for altcoins which is partiall open source.
At the same time the phone is completely separate and has no other apps installed. I don't use it for anything at all.

i wouldnt store any significant amount on a phone.

that being said ive used mycelium for years on my daily driver android phones that are on 24/7 (and that are always fully patched and running the latest OS that are supported) and never had a problem, but its just very small amounts of btc and im fully prepared to lose it at any time due to whatever reason (hacks/stolen/wallet goes bad/whatever).

hardware wallets for the win. paper is good but only use them if you know what youre doing.

[Sir Legend]

Hacked is a serious problem in cryptocurrencies, cases of hacked private keys, hacked accounts on exchanges and many more make us to be alert, few days ago my Google metamask was also hacked and made me lose around $500 and the best thing is to create a wallet then we write private manually on paper, make sure there is no internet connection then we take a photo and save the data.

[Brenny_Coinomi]

Hi there, As we and other have explained here each and every transaction from the app requires confirmation of your password before being sent (your private keys are kept encrypted at all times with the password, so even if the app wanted, it would not be able to decrypt the keys without the password).

Unauthorized transactions can only be made by a) someone who has access to your seed phrase, or b) someone with access to your device and knows your password. There is no other way. We occasionally receive news of users having their email accounts hacked, giving attackers access to their seed backup files kept on their email or other cloud service. Please review your seed backup security, try to remember if you ever entered your seed on any other wallet, website, form, notes tool, etc; or check if anyone could have accessed the app on your device and knows your password.

One thing which concerns us the most is the use of the VPN on a device you claim is "connected to the network once a month to update" and is only used for coinomi. This does not ring true with the evidence you posted here, it shows you have 300+ applications on your device which would suggest some daily use on this device. With this many apps it is becoming increasingly likely that one or more of those apps are possibly stealing data from your device or logging some of your activity. This coupled with the age of your device OS is a huge cause for concern.

We highly recommend you file a report with your local police/cyber crime unit so they can begin the task of reaching out to exchanges and centralised services in the hopes of blacklisting the funds for you whilst investigation takes place.

Kind regards.

[o_e_l_e_o]

Windscribe disclosed voluntarily that they had servers seized and a potential vulnerability. It's a misconception due to poor reporting that "no servers were encrypted" as no data was stolen or left unencrypted.

The fact remains it shouldn't have happened at all. They were running out dated software, they left some servers unencrypted, the stored private keys on those unencrypted servers. There were a number of pretty basic mistakes that all had to made to lead to this situation.

I don't trust free VPNs as a rule of thumb. Combine this with the fact that Windscribe have only very recently open sourced their desktop application and their mobile and router applications remain closed source, and they have never been subjected to an independent audit (please correct me if I'm wrong), means I would not use them and would not recommend them. I'd be happy to reconsider my position in the future if and when these issues are addressed.

best thing is to create a wallet then we write private manually on paper, make sure there is no internet connection then we take a photo and save the data.

Don't do this. As soon as you take a photo of your seed phrase, then you have opened it up to compromise. Your seed phrase should be written down on paper only, not stored electronically.

With this many apps it is becoming increasingly likely that one or more of those apps are possibly stealing data from your device or logging some of your activity.

Guess we'll never know since most of them will be closed source, just like your wallet.

[Brenny_Coinomi]

Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

This comment is complete FUD. There was an incident in 2019 with our initial DESKTOP beta release only (so irrelevant to this case) which was fixed and there is a report to confirm this as not a cause for any user to have lost funds: https:/[Suspicious link removed]/VZQAotXNrJ

We are reviewing our decision to be closed source and hope we can move to an opensource model in the near future. That being said opensource does not mean 'safe' it just means the code can be verified and compiled from source. We are open to any official request to review and verify our source code by reputable code reviewers.

[Brenny_Coinomi]

The seed is AES256 encrypted as coinomi said

Since Coinomi is closed source, shady and has a history of doing very insecure things such as sending your seed phrase to a remote server, we can not know what actually happened or whether your seed is correctly encrypted with AES256. Their implementation could be flawed which could allow decrypting the file easily by exploiting it. Or maybe they are sending your seed out to a remote server again that was stolen on its way out!

Given the number of users we have we would expect thousands of users to come forward with the same issue after this update if that was the case. We are more than happy to respond to any official request to review our source code by reputable companies. We are also reviewing our decision to be closed source with the preffered outcome to be open source again.

[bitmover]

Given the number of users we have we would expect thousands of users to come forward with the same issue after this update if that was the case. We are more than happy to respond to any official request to review our source code by reputable companies. We are also reviewing our decision to be closed source with the preffered outcome to be open source again.

I am happy to see you are reviewing your closed source policy.

Coinomi was the second wallet I ever used, since 2017, and I still use it today. It is a wallet that serve my needs in my mobile device.

IMO, a mobile wallet is always unsafe and I agree with DaveF, no one should keep coins that are worth more than the mobile device in a mobile wallet.

I will add one more suggestion to Coinomi: Make it hardware wallet compatible, like electrum/metamask/etc

If your wallet become open source and hardware wallet compatbile, it will make your wallet one of the best in the market.

[Kakmakr]

I hope you learnt some valuable lesson here ...

1. Use services that use OpenSource software that are Peer reviewed by independent developers. (They cannot hide backdoors)
2. Do not use FREE VPN's with unencrypted data
3. DO NOT use old phones with outdated software
4. Store large amounts of coins on hardware wallets (They are not expensive)
5. Do not store all coins on one platform or device (A single hack can clean you out)

I have to say one thing.... You did a lot of research and you were able to track the coins ....many people cannot even do that.  

[poldanmig]

I think what happened to the OP is no different from what happened to a coinomi user in 2019, a user named Warith Al Maawali has claimed that he lost nearly $60 thousand in assets due to a bug that occurred in coinomi, thus causing the user key or passwords are read in plain text and leaked to other parties so that they are easily accessed by third parties, I think coinomi might again need to review their current server security and if it does have a bug it's better to fix it immediately so that trust from user in coinnomi can be high again .

[o_e_l_e_o]

There was an incident in 2019 with our initial DESKTOP beta release only (so irrelevant to this case) which was fixed and there is a report to confirm this as not a cause for any user to have lost funds

We'll all just have to take your word on that, since your software is all closed source and we have absolutely no idea what it is doing with seed phrases. And if you are so sure that no user could possibly have lost funds via this method, then why did you tell everyone who might have been affected at the time to create a new wallet and send their funds to it? And how could you possibly say that seed phrases sent to Google definitely did not result in the loss of funds? Did Google let you audit their systems?

We are open to any official request to review and verify our source code by reputable code reviewers.

Plenty of people on this forum would love to take a look at your code. Please share some links.

[willoweb]

I express my deepest sympathy to you. It's very unfortunate that this happened to you, especially when the price of bitcoin is so high that you can really get depressed because of this event. But I'll tell you what - many people, for their own reasons, often threw away their old computers and laptops and then realized that there was a fortune left in bitcoins. I think that you should not think about it a lot - you need to live on and get the most out of your situation. Thanks for sharing your story.

[pawanjain]

If you have several thousand dollars in your wallet and you constantly trade from your mobile phone wallet, but I would not keep more than 10,000 dollars in a mobile wallet.
If you store coins, then you can use the Ledger or Trezor, and if you like trading, then read about SafePal. You will get the opportunity to trade without KYC on binance.

I don't trade much and even I do, I use binance for that purpose and have some balance left in the exchange for trading.
Although the amount is not more than $10,000 all the amount that I hold in the smartphone wallet is for long term.
I am planning to delete the smartphone wallet from my phone now since I already have the backup of the seed.
For monitoring the balance I will just look it up on the explorer.

[suzanne5223]

The Op makes a big mistake because mobile wallets are never going for long-term holding and most wallet providers may not tell you this but it's the truth. According to the research conducted by the Computer Science and Engineering - Michigan State University.
It shows that mobile wallets are deemed to face a lot of security threats of

 (1) Deanonymize of user real identities, Bitcoin addresses, and transactions,
(2) Introduce continuous unwanted Bitcoin spamming traffic towards victims
(3) launch Bitcoin fraud attacks to take advantage of Bitcoin wallet users
You'll find the pdf file here

Hacked is a serious problem in cryptocurrencies, cases of hacked private keys, hacked accounts on exchanges and many more make us to be alert, few days ago my Google metamask was also hacked and made me lose around $500 and the best thing is to create a wallet then we write private manually on paper, make sure there is no internet connection then we take a photo and save the data.

It is just like the saying "there's no smoke without fire" what you just said now is another human error that will lead wallet hack and I believe this is one of the reasons why your Metamask wallet was hacked.

[virasog]

Do you already run an audit on your phone to look for a potential malware? There’s a lot of same issue like you with Coinomi especially wallet with huge amount of Bitcoin that dormant on there wallet but since Coinomi is a non-custodial wallet, its very hard to accused them stealing your money since you are the holding your private key. Jut follow there suggestion to report this to law enforcement so that they can easily request files the company that received your Bitcoin.

Invest on hardware wallet like trezor and ledger next time if you are holding huge amount of Bitcoin to a none open source wallet. Sorry for your loss mate.

This is a strange incident and i am really worried that if this could happen with Coinomi wallet, then other non-custodial wallet are also not save ?
Which non-custodial wallet is best for saving the bitcoins other than the hardware wallet ?

Also do you think that it is a flaw in the Coinomi wallet or was it something related to any malware/virus in the phone which caused this hack ?

[lixer]

Hacked is a serious problem in cryptocurrencies, cases of hacked private keys, hacked accounts on exchanges and many more make us to be alert, few days ago my Google metamask was also hacked and made me lose around $500 and the best thing is to create a wallet then we write private manually on paper, make sure there is no internet connection then we take a photo and save the data.

Wait, private key? The one which composed of a long characters? But, they are too much for you to write manually and what if you missed one letter or you didn't capitalize some of them? But, you're going to take a photo with it anyway though taking a photo or a screenshot of our private keys is not also recommended because someone can browse your gallery.

You have been hacked because maybe you have clicked on the random links which promise you to earn some money or maybe you are going to use a known website but you didn't check its url and you got phished. Storing your keys in an offline environment is much safer though.

[crwth]

The point of cold storage is to never ever go online. This also means no more updates.

Isn't it applicable to air-gapped laptops that you can update offline? Like, download it into a flash drive then just update the software? I was thinking of the same thing when it comes to air-gapped phones. So updates don't necessarily mean connecting online.

[BitcoinBarrel]

Good lesson for others not to use your phone as cold storage. Paper Wallets (private key written down) are the way to go.

[NeuroticFish]

The point of cold storage is to never ever go online. This also means no more updates.

Isn't it applicable to air-gapped laptops that you can update offline? Like, download it into a flash drive then just update the software? I was thinking of the same thing when it comes to air-gapped phones. So updates don't necessarily mean connecting online.

Updates usually happen online. I don't know if not rooted smartphones can be updated offline at all. So I find your case rather unlikely. Not wrong, but rather unlikely to be used.

Also, I don't see why would update be needed at all. If that's a cold storage, you most probably don't use it for anything else. Since it's offline, newer/safer versions of whatever are not needed.
Imho the only case an update would be needed is that the wallet software made a significant leap and the older transaction files no longer work.

And in such a case (you want to update anything) my advice is wipe the disk (not just reformat), reinstall everything fresh, go offline for good, then restore wallet from seed.
And this won't work with a smarphone-as-cold-storage since "reset to defaults" simply cannot be trusted it will properly clean, hence it's a risk. So for this case some cumbersome solution is needed, probably consisting in a separate safe cold storage and 2x fund transfers for the update to be done properly. And yes, this means the initial cold storage is considered compromised (again, this is only in case of smartphone).