I get hacked, 2.4 bitcoin stolen from coinomi wallet

[minertalk]

hello,


On 28feb2022 I get hacked, 2.4bitcoin  from coinomi android wallet got  stolen.
It's an old Android 7, Samsung Galaxy s6edge (no root).
In 2017-2019 I use Coinomi wallet to store my bitcoin because was simple  easy to use.
In summer 2019 I decide to use that phone only like a "cold storage" I have coinomi app, windscribe vpn and google apps. I choose that because was simple , once a month I power the phone do the update on coinomi and the other apps  checking the wallet and shut it down.
The Coinomi wallet do not have the BIP39 passphrase implement ate at that time but I secure the wallet with a passowrd , with a pin number in case somebody had the phone to be hard to unlock it.

At the end of February2022 I update the coinomi wallet to version 1.25.2 build 430 core 220 all work fine update done, I check the wallet   the bitcoin was there (I also choose the feature " Mark do-not-spend " in case somebody open  the wallet   no amount was display ) but today I check the address of my wallet (I have it saved in tor browser  to be simple to check the utxo ) and I see the coins  were moved https://oxt.me/transaction/812f73d94bc1eb029e72930427ea27bee4e668accaad4d3fc167a24f1de364a5 how can this happen ? since nobody have access to the phone.
The seed was stored on paper ,nobody  see it ,plus I wrote the words  in other order so only I  can  know the right order.

I'm sure something was wrong with the update since is noot an open source wallet  nobody knows what that wallet can  send out butt I think the wallet send the seed out to somebody because  passed 3 and half years  and  the seed was safe inside it only know happen..only after the update.



After 5 hops I saw the bitcoin Is sent to Binance exchange address https://oxt.me/transaction/2984598d66601f7cf922f819b32da464733ec00bd5e71ce76ca6627fdc97e38f   I do not have a binance account but I chat with them to the live chat:

Greetings from Binance security team! We are very sorry to hear about your situation. Upon checking we have found that the funds are in Fixed Float wallet.
The funds appear in the blockchain to have been sent to Binance because Fixed Float is a Binance Broker, this means it is another company that has a wallet with Binance for its liquidity and order book. This broker has many users, so we don't know the exact end user who received your stolen funds, we only know the funds were transfer to the Fixed Float hot wallet.

I know fixedfloat is a noKYC exchange own by russians and many bitcoins come and go to  the Hydra Market.





I talk on telegram with the support guy named  Angelo and via  support ticked but they say that the wallet is working perfect and they are on the market since 2014 and  nobody have issues, some years ago I remember a guy that also lose funds from coinomi desktop wallet was a big fuss then but nobody believe it neither I  but now I think something is not ok.

My question is  how can somebody take  the seed from the wallet if that wallet was shut down 95%  of the time since summer 2019 ?

I was careful  with the coinomi app , always FORCE STOP and only open the app if  the VPN was on.

For me is very strange that my bitcoin was stolen after the update.
That update had something that read the seed and sent it out, I can't see other explication.

I just wanna share my experience , I do blame the guys that work on Coinomi , they always say the wallet is safe nobody lose funds it's impossible to be able to see your seed but the app is not open source so how can this be true ?

Via support ticket they wrote me this:

After looking through the details given we can confirm the transaction was sent from a device where Coinomi was installed. However, due to the nature of cryptocurrency transactions we cannot say 'whom' made this transaction since we are a non-custodial wallet software which means we do not track any sort of user data.

Coinomi is one of the most widely known multicoin wallets and also one of the easiest to use. This means it is more likely than you think for someone to select to restore any seed into Coinomi
Please could you tell me, do you access the app from the same IP all the time? Do you use a VPN?




FixedFloat reply via email:

We're sorry that you were subjected to theft of funds.

FixedFloat is an instant non-custodial exchanger. After the receipt of funds and the receipt of the required number of confirmations, the exchange takes place immediately.

We do not require any personal data for the exchange. We can only request a search of the server logs (IP, user-agent, language) from our technical specialists. But we need an official request from your regional police or other representative, from their official email address in order to issue confidential information.
After receiving an official request from law enforcement, we will be able to send server log data and order data.

Unfortunately, this is the maximum we can help in this situation.


I post this  story on reddit they close the post, If i wrote on they telegram group they tell me to stop because the wallet is good.

I think was an inside job.. or can somebody tell me how the hacker get the seed from a wallet that is  power off almost  all the time?




One of the biggest loss of my life.


Here you can see how the hacker move the bitcoin








Binance support




And the wallet screenshots

[Beparanf]

Do you already run an audit on your phone to look for a potential malware? There’s a lot of same issue like you with Coinomi especially wallet with huge amount of Bitcoin that dormant on there wallet but since Coinomi is a non-custodial wallet, its very hard to accused them stealing your money since you are the holding your private key. Jut follow there suggestion to report this to law enforcement so that they can easily request files the company that received your Bitcoin.

Invest on hardware wallet like trezor and ledger next time if you are holding huge amount of Bitcoin to a none open source wallet. Sorry for your loss mate.

[minertalk]

Do you already run an audit on your phone to look for a potential malware? There’s a lot of same issue like you with Coinomi especially wallet with huge amount of Bitcoin that dormant on there wallet but since Coinomi is a non-custodial wallet, its very hard to accused them stealing your money since you are the holding your private key. Jut follow there suggestion to report this to law enforcement so that they can easily request files the company that received your Bitcoin.

Invest on hardware wallet like trezor and ledger next time if you are holding huge amount of Bitcoin to a none open source wallet. Sorry for your loss mate.

The law enforcement don't work where I am from east europe.

I don't accuse them of stealing but something is shady

the bitcoin was moved after the update , ~3years was all fine if somebody have the seed  they they took it at that time when they get it not after some time.
This happend after the update, somehow the seed was send out from the wallet.


I scan the phone with Malwarebytes   no issues.



I do have a ledger but not I don't have coins to put on it .

[Sarah Azhari]

I was careful  with the coinomi app , always FORCE STOP and only open the app if  the VPN was on.

Maybe this, i never believe a VPN because they can access our hanphone and internet trafic to keep your data. You have also ask the VPN provider, and let me know what VPN do you use?

[minertalk]

I was careful  with the coinomi app , always FORCE STOP and only open the app if  the VPN was on.

Maybe this, i never believe a VPN because they can access our hanphone and internet trafic to keep your data. You have also ask the VPN provider, and let me know what VPN do you use?

windscribe.com  VPN I use
they do see the traffic of my  account but how can they enter in wallet and see the seed ?
The seed is AES256 encrypted as coinomi said

[Beparanf]

I scan the phone with Malwarebytes   no issues.

I do have a ledger but not I don't have coins to put on it .

I totally understand your point since the fund was safe for over 3 years of being dormant. If you are sure that you didn't browse any malicious website before the hacking event then Coinomi system has some bug on there update which we can't verify since they are not an open source code. The best thing to do is to gather all the complainants in different forum and social media outlet  to raise concern to Coinomi, The way they are using there Company as answer to your complaint is a bit shady for me. They should give you a technical investigation report to prove that there system has no bug for a potential leak of data.

[pooya87]

The seed is AES256 encrypted as coinomi said

Since Coinomi is closed source, shady and has a history of doing very insecure things such as sending your seed phrase to a remote server, we can not know what actually happened or whether your seed is correctly encrypted with AES256. Their implementation could be flawed which could allow decrypting the file easily by exploiting it. Or maybe they are sending your seed out to a remote server again that was stolen on its way out!

[mk4]

Probably try reporting to the authorities. You've probably lost enough money to make hiring a lawyer worth it.

But really mate. I wouldn't want to kick you down as you've already lost money, but with 2.4 BTC why don't you have a hardware wallet? And worse — of all choices, you've decided in using a closed source wallet software.

[minertalk]

Probably try reporting to the authorities. You've probably lost enough money to make hiring a lawyer worth it.

But really mate. I wouldn't want to kick you down as you've already lost money, but with 2.4 BTC why don't you have a hardware wallet? And worse — of all choices, you've decided in using a closed source wallet software.

in 2017-2018 when I stas that bitcoin was not a big deal.. I DCA each month..bitcoin was under 10k
I keep it there because I think was safe..and it was till the shit happen.

[minertalk]

I scan the phone with Malwarebytes   no issues.

I do have a ledger but not I don't have coins to put on it .

I totally understand your point since the fund was safe for over 3 years of being dormant. If you are sure that you didn't browse any malicious website before the hacking event then Coinomi system has some bug on there update which we can't verify since they are not an open source code. The best thing to do is to gather all the complainants in different forum and social media outlet  to raise concern to Coinomi, The way they are using there Company as answer to your complaint is a bit shady for me. They should give you a technical investigation report to prove that there system has no bug for a potential leak of data.

This is what I try to do...just tell what happen to me.

To open a wallet a PIN is needed   , before sending a transaction there is a password that need to be input, the hacker somehow bypass all those..I conclude that the wallet sent the seed out to those who make the upgrade.

[mk4]

in 2017-2018 when I stas that bitcoin was not a big deal.. I DCA each month..bitcoin was under 10k
I keep it there because I think was safe..and it was till the shit happen.

So your 2.4 BTC was worth like 24k back then because bitcoin was cheaper. But then, I assume you invested your money because you think bitcoin was going to be more expensive in the future? And then it actually did. You should've taken a lot of extra safety precautions.

But yea, what's done is done. Hopefully you've learned your hard lesson mate; make sure it doesn't happen again in the future if it's the case that you want to invest again. Lot's more future opportunities so don't bring yourself down too much on this. Best of luck!

Also, probably read about wallets: https://cryptosec.info/wallets

[crwth]

Better to invest in something more secure, like what mk4 has said; having a hardware wallet would be the best decision you'll make when you invest in the cryptocurrency world.

Thanks for sharing this OP; I was pretty comfortable knowing that air-gapped phones are safe, but I'm not so sure now. It's hard when you do updates. It might have become the entry point of hackers etc. I hope somehow you can recover some of it or something.

[NeuroticFish]

I was pretty comfortable knowing that air-gapped phones are safe, but I'm not so sure now. It's hard when you do updates. It might have become the entry point of hackers etc.

The point of cold storage is to never ever go online. This also means no more updates.
So airgapped cold storage going online for updates is a total mistake and a complete misunderstanding on how cold wallets should work.


I remember another hacked user some time ago claiming that he was having a cold wallet which he used to go online only for short time when making transactions.
This case is not much different.

As soon as the cold storage is online, it's hot wallet and no longer cold wallet, never ever.

It needs only a millisecond of being online to get all the funds lost, especially if certain malware was operating there for long time before and nobody knew. In the (milli)second it went online it could "call home" and expose private keys, seed, or even transfer the funds away (but the hacker can transfer the funds himself later after receiving the seed or private key)

[Lucius]

The only way you can find out what happened is to have very professional people inspect your phone, but such things are very expensive and I don't believe you could afford the extra cost after all.

By analyzing the things you did on the phone, maybe we can go in the direction that during the update Coinomi picked up some malware/keylogger that took advantage of a flaw in your relatively outdated OS and remotely emptied your wallet, and you only realized it when you reopened it. Yet you may have shared the fate of those who also claim to be victims of the senseless business policies that Coinomi has (or had). If you had at least been aware of it before, you might have acted differently.

Coinomi multi-asset wallet poor implementation leads to sharing your plain-text passphrase with a third-party server. My passphrase was compromised and $60K-$70K worth of crypto-currency were stolen because of Coinomi wallet and how the wallet handled my passphrase. I’m disclosing this issue publicly because Coinomi refused to take the responsibility and all my attempts through private channels have failed... To understand how catastrophic the security issue is, they simply take your crypto-currency wallet’s passphrases/seeds and spell check it by sending it remotely to Google servers in clear plain text!

[o_e_l_e_o]

Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

Windscribe is awful. It is a free VPN, which means it is probably spying on you. They are also very amateurish, going as far as failing to actually encrypt any of their servers meaning that all data could be intercept and read, as well as running long outdated software which had been deprecated because of critical security risks. For example: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/

You have unfortunately used a terrible wallet and a terrible VPN on a long outdated phone (which will also be vulnerable to security flaws), and it is also not a cold wallet as you state. Doesn't matter if you only go online once a week, once a month, once a year - as soon as you go online once, it is no longer a cold wallet.

There are lots of potential ways your coins could have been stolen here, and it is unlikely we will ever know the exact method.

[sobeyharker]

Coinomi is awful. It is closed source, and sends seed phrases in plain text to third party Google servers to be spell checked. Your coins could have been stolen this way.

Windscribe is awful. It is a free VPN, which means it is probably spying on you. They are also very amateurish, going as far as failing to actually encrypt any of their servers meaning that all data could be intercept and read, as well as running long outdated software which had been deprecated because of critical security risks. For example: https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/

You have unfortunately used a terrible wallet and a terrible VPN on a long outdated phone (which will also be vulnerable to security flaws), and it is also not a cold wallet as you state. Doesn't matter if you only go online once a week, once a month, once a year - as soon as you go online once, it is no longer a cold wallet.

There are lots of potential ways your coins could have been stolen here, and it is unlikely we will ever know the exact method.

Registered just to correct something here. That statement about Windscribe isn't correct and is dated. Windscribe disclosed voluntarily that they had servers seized and a potential vulnerability. It's a misconception due to poor reporting that "no servers were encrypted" as no data was stolen or left unencrypted. The comment by Yegor explains it in detail in that article you linked. Windscribe is a paid VPN service with free plan option.

Either way that sucks for OP. You must be going through a lot of emotional distress right now. You need to clean those devices and move services. If you don't trust Windscribe then look at these they recommended: https://blog.windscribe.com/how-to-pick-a-good-vpn/

All of them in that list are top-tier.

[zasad@]

This is another proof that you cannot use a cell phone to store bitcoins. If you like wallets on your cell phone, then you need to use through a hardware wallet. Any software wallet is unreliable and can be hacked. I don't use my mobile phone to store cryptocurrencies at all.

[bitmover]

hello,


On 28feb2022 I get hacked, 2.4bitcoin  from coinomi android wallet got  stolen.
It's an old Android 7, Samsung Galaxy s6edge (no root).
In 2017-2019 I use Coinomi wallet to store my bitcoin because was simple  easy to use.
In summer 2019 I decide to use that phone only like a "cold storage" I have coinomi app, windscribe vpn and google apps. I choose that because was simple , once a month I power the phone do the update on coinomi and the other apps  checking the wallet and shut it down.
The Coinomi wallet do not have the BIP39 passphrase implement ate at that time but I secure the wallet with a passowrd , with a pin number in case somebody had the phone to be hard to unlock it.

At the end of February2022 I update the coinomi wallet to version 1.25.2 build 430 core 220 all work fine update done, I check the wallet   the bitcoin was there (I also choose the feature " Mark do-not-spend " in case somebody open  the wallet   no amount was display ) but today I check the address of my wallet (I have it saved in tor browser  to be simple to check the utxo ) and I see the coins  were moved https://oxt.me/transaction/812f73d94bc1eb029e72930427ea27bee4e668accaad4d3fc167a24f1de364a5 how can this happen ? since nobody have access to the phone.
The seed was stored on paper ,nobody  see it ,plus I wrote the words  in other order so only I  can  know the right order.

I'm sure something was wrong with the update since is noot an open source wallet  nobody knows what that wallet can  send out butt I think the wallet send the seed out to somebody because  passed 3 and half years  and  the seed was safe inside it only know happen..only after the update.

There are many misconceptions here, and a small research could have saved your money.

First of all, VPN do not increase security, but a bad VPN might even be bad for it as o_e_l_e_o pointed out. Aditionally,  this is more than  enough money just to buy a hardware wallet (less than 50 usd) which  was designed to secure your coins

A cold wallet is just a wallet which never connects to internet.

You never had a cold wallet. Once your your was created using coinomi,  that seed was already exposed to an online environment.  Installing it in a new phone, downloading a VPN, etc just reduced it security.

The correct procedure would be to buy a hardware wallet (or create a paper wallet  , but you lack knowledge for that) and then transfer your funds from coinomi to that new wallet 

[pawanjain]

Oh my god, now that's something we don't get to read everyday. OP, are you sure you updated the wallet from a genuine source ?
You should always updated your apps only from playstore/app store and I hope you did the same.
But in that case how can one possible hack your coins. Are you sure you didn't visit any maliciuos website through your phone.

This is another proof that you cannot use a cell phone to store bitcoins. If you like wallets on your cell phone, then you need to use through a hardware wallet. Any software wallet is unreliable and can be hacked. I don't use my mobile phone to store cryptocurrencies at all.

Now I am being a little concerned here because I have my coins stored on a smartphone wallet.
But I am using Mycelium which is an opensource wallet for storing bitcoin and Exodus for altcoins which is partiall open source.
At the same time the phone is completely separate and has no other apps installed. I don't use it for anything at all.

[zasad@]

Oh my god, now that's something we don't get to read everyday. OP, are you sure you updated the wallet from a genuine source ?
You should always updated your apps only from playstore/app store and I hope you did the same.
But in that case how can one possible hack your coins. Are you sure you didn't visit any maliciuos website through your phone.

This is another proof that you cannot use a cell phone to store bitcoins. If you like wallets on your cell phone, then you need to use through a hardware wallet. Any software wallet is unreliable and can be hacked. I don't use my mobile phone to store cryptocurrencies at all.

Now I am being a little concerned here because I have my coins stored on a smartphone wallet.
But I am using Mycelium which is an opensource wallet for storing bitcoin and Exodus for altcoins which is partiall open source.
At the same time the phone is completely separate and has no other apps installed. I don't use it for anything at all.

If you have several thousand dollars in your wallet and you constantly trade from your mobile phone wallet, but I would not keep more than 10,000 dollars in a mobile wallet.
If you store coins, then you can use the Ledger or Trezor, and if you like trading, then read about SafePal. You will get the opportunity to trade without KYC on binance.