I get hacked, 2.4 bitcoin stolen from coinomi wallet

[minertalk]

I scan my phone with 4 anti viruses app , no viruses at all







with "no root firewall" app  I check where coinomi connect, on which ip's.



the ip  https://whatismyipaddress.com/ip/188.144.96.7  looks kinda strange

ps:one of coinomi moderator from  reddit ask me to remove the ip address from the comment!

[1713875395]

1713875395

[1713875395]

1713875395

[1713875395]

1713875395

[1713875395]

1713875395

[1713875395]

1713875395

[btcjoe99]

The funds have moved to Binance is a bit of a claim.
yes, one part of the funds have gone eventually to this wallet https://glasschain.org/btc/wallet/111462198
and from there have been moved to binance. However, this wallet was used way before your coins were stolen and much more bitcoin has been moved to binance.

It doesn't mean this wallet owner is the thief. It can be that he just sold something to someone and actually in this case, it can be likely as again, this wallet had other coins in it for years. Btw this can be true before for the hopping. Yes it looks like hopping but you just never know.
In this case though I would say it was just "hopping". which i still don't understand why users do that?

Is there any benefit from hopping? I can't see how this would help to disguise stolen funds. Please someone educate me.

[minertalk]

The funds have moved to Binance is a bit of a claim.
yes, one part of the funds have gone eventually to this wallet https://glasschain.org/btc/wallet/111462198
and from there have been moved to binance. However, this wallet was used way before your coins were stolen and much more bitcoin has been moved to binance.

It doesn't mean this wallet owner is the thief. It can be that he just sold something to someone and actually in this case, it can be likely as again, this wallet had other coins in it for years. Btw this can be true before for the hopping. Yes it looks like hopping but you just never know.
In this case though I would say it was just "hopping". which i still don't understand why users do that?

Is there any benefit from hopping? I can't see how this would help to disguise stolen funds. Please someone educate me.

I contact binance on the chat and they said:


Greetings from Binance security team! We are very sorry to hear about your situation. Upon checking we have found that the funds are in Fixed Float wallet.
The funds appear in the blockchain to have been sent to Binance because Fixed Float is a Binance Broker, this means it is another company that has a wallet with Binance for its liquidity and order book. This broker has many users, so we don't know the exact end user who received your stolen funds, we only know the funds were transfer to the Fixed Float hot wallet.

I know fixedfloat is a noKYC exchange own by russians and many bitcoins come and go to  the Hydra Market.

[DeathAngel]

Probably try reporting to the authorities. You've probably lost enough money to make hiring a lawyer worth it.

But really mate. I wouldn't want to kick you down as you've already lost money, but with 2.4 BTC why don't you have a hardware wallet? And worse — of all choices, you've decided in using a closed source wallet software.

^^
This

Or at the very least, an encrypted wallet.dat
OP I am sorry for your loss, I hate reading these kind of things but you could have avoided this with better security practises.

[Odusko]

There is a high possibility of an inside hack from the wallet source as the update may have been built with bugs that allow access to users' wallet security key or phrase, going by ops explanation haven't stored the Bitcoin on that wallet for over three years and losing it shortly after an update of the app is an obvious cause. You need to report this issue to the appropriate security for proper investigation and possible action to prevent future occurrences of similar hacking.

[Jeralhong]

Coin is hard to recover，Buy a lesson. You can't use this wallet to save money. The more functions, the lower the security performance，This is common sense.

[o_e_l_e_o]

I am planning to delete the smartphone wallet from my phone now since I already have the backup of the seed.

Note that that doesn't really make your coins any safer. The seed phrase was already generated in a hot wallet and has been stored on a device with internet access for a period of time. Deleting the wallet app might also not actually delete the wallet file or other data, and it certainly won't overwrite those sectors of your phone's storage. If you want your coins in an offline wallet with the seed phrase only stored on paper, then you need to create the seed phrase and wallet using an airgapped device in the first place.

This is a strange incident and i am really worried that if this could happen with Coinomi wallet, then other non-custodial wallet are also not save ?

No wallet can guarantee 100% safety, and every wallet will only be as safe as the person using it. However, any open source software which is extensively and continuously examined by thousands of people, such as Bitcoin Core or Electrum, is likely going to be far more secure than some closed source wallet like Coinomi which makes basic errors such as sending your seed phrase to third parties and not encrypting its communications.

[pawanjain]

I am planning to delete the smartphone wallet from my phone now since I already have the backup of the seed.

Note that that doesn't really make your coins any safer. The seed phrase was already generated in a hot wallet and has been stored on a device with internet access for a period of time. Deleting the wallet app might also not actually delete the wallet file or other data, and it certainly won't overwrite those sectors of your phone's storage. If you want your coins in an offline wallet with the seed phrase only stored on paper, then you need to create the seed phrase and wallet using an airgapped device in the first place.

Yeah I agree with you. But don't you think Mycelium and Exodus are relatively safer than other smartphone wallets?
Also, the smartphone is going to stay with me forever. Now since I have deleted the apps I will be completely wiping the data by doing a factory reset.
I guess that will lower the risks when compared to it's previous state.

Wanted to ask you one thing. Even if we buy a hardware wallet from the ledger nano or trezor official website how can we be sure that the device is not compromised on it's way to the customer.

[o_e_l_e_o]

But don't you think Mycelium and Exodus are relatively safer than other smartphone wallets?

Exodus is also closed source, so no, another poor choice. Mycelium maybe "relatively" safer, as you say, but all hot wallets and inherently more risky than cold wallet or hardware wallet alternatives.

Even if we buy a hardware wallet from the ledger nano or trezor official website how can we be sure that the device is not compromised on it's way to the customer.

Each hardware wallet has their own way of verifying that it has not been tampered with, from tamper-proof packaging to cryptographically secure handshakes with the manufacturer's servers. It all depends on which hardware wallet you have purchased.

[DaveF]

...
3. DO NOT use old phones with outdated software
...

I'm going to take this a step further and go with, don't use phones that have a ton of manufactures bloat and customization on them.
It's just too easy for bugs to be found years after support from Samsung / Motorola / Nokia / whoever has ended.

Stock basic Android is just that, there will be vulnerabilities found over the years after support has ended. But, they will probably not be as big a show stopper as all the added manufacturer and carrier bloat.

https://eprint.iacr.org/2022/208.pdf

-Dave

[o_e_l_e_o]

I'm going to take this a step further and go with, don't use phones that have a ton of manufactures bloat and customization on them.

Just don't use mobile wallets for amounts you are not willing to lose.

Are you comfortable carrying around $50-100 in cash in your wallet? Yes? Then you should be comfortable carrying around 0.001 - 0.002 BTC in your mobile wallet.
Are you comfortable carrying around $10,000 in cash in your wallet? No? Then why are you carrying around 0.25 BTC in your mobile wallet?

I use an open source mobile wallet several times a week. How else am I going to spend bitcoin when out and about? They are a necessity. But I also don't store my entire stash in one, just like I don't carry around all the fiat I own in my pocket at all times, which would be plainly moronic. Put your funds in cold storage, and transfer small amounts to your mobile wallet as and when required.

[DaveF]

I'm going to take this a step further and go with, don't use phones that have a ton of manufactures bloat and customization on them.

Just don't use mobile wallets for amounts you are not willing to lose.

Are you comfortable carrying around $50-100 in cash in your wallet? Yes? Then you should be comfortable carrying around 0.001 - 0.002 BTC in your mobile wallet.
Are you comfortable carrying around $10,000 in cash in your wallet? No? Then why are you carrying around 0.25 BTC in your mobile wallet?

I use an open source mobile wallet several times a week. How else am I going to spend bitcoin when out and about? They are a necessity. But I also don't store my entire stash in one, just like I don't carry around all the fiat I own in my pocket at all times, which would be plainly moronic. Put your funds in cold storage, and transfer small amounts to your mobile wallet as and when required.

No, its not just BTC using older phones with all the bloat leaves you with tons of other security issues too.
Password leaks, PII being sent who knows where, etc.

-Dave

[Odusko]

Hack and phishing attack is one of the attacks that we need to protect ourselves against be careful on the site you visit as per time if you receive any link make sure to check before you click on them, coinomi is an open-source wallet that guarantees some level of security unless someone has access to your private key and have used it to gain access to the wallet.

[o_e_l_e_o]

coinomi is an open-source wallet that guarantees some level of security

Please actually read the thread before hitting reply. There is extensive discussion in the previous posts about how Coinomi absolutely is not open source and has had a number of very significant vulnerabilities in the past (transmitting seed phrases to third parties, not encrypting communications, etc). Further, no wallet can guarantee your security since even the best hardware wallets or cold storage can be used in an insecure way if the user does not know what they are doing.

[BitcoinsGreat]

coinomi is an open-source wallet that guarantees some level of security

Please actually read the thread before hitting reply. There is extensive discussion in the previous posts about how Coinomi absolutely is not open source and has had a number of very significant vulnerabilities in the past (transmitting seed phrases to third parties, not encrypting communications, etc). Further, no wallet can guarantee your security since even the best hardware wallets or cold storage can be used in an insecure way if the user does not know what they are doing.

In a nutshell, if coinomi wallet is used properly and in a secure manner, it is still vulnerable and we can lose our funds? If you can give a short summary on this , it will be really help because i do have coinomi wallet in my phone with little funds. 
 

[DaveF]

coinomi is an open-source wallet that guarantees some level of security

Please actually read the thread before hitting reply. There is extensive discussion in the previous posts about how Coinomi absolutely is not open source and has had a number of very significant vulnerabilities in the past (transmitting seed phrases to third parties, not encrypting communications, etc). Further, no wallet can guarantee your security since even the best hardware wallets or cold storage can be used in an insecure way if the user does not know what they are doing.

In a nutshell, if coinomi wallet is used properly and in a secure manner, it is still vulnerable and we can lose our funds? If you can give a short summary on this , it will be really help because i do have coinomi wallet in my phone with little funds.  
 

Short Version:

coinomi is closed source so there is no way to know what it is doing in the backgroud
Their desktop version also had a major whoops at one point in time and was sending your seed phrase out to google to be spell checked

Long version, no matter what people tell you phone wallets are vulnerable. Some more then others, but in the end you are reliant on the security of Android or iOS to be safe.

Both have had many many issues over the years are are still shown to be vulnerable to attacks.

Android is a bit worse in some ways since it allows for phone manufacturers to put whatever they want on it, better in other ways since you as the user have a lot more control in what the phone has on it.  iOS is a bit more locked down, but Apple has had their share of security issues over the years and for the most part deny it's a problem till they are forced to fix it.

So in the end they both suck.

Don't store more on your phone then you are prepared to loose.
Or as I said above, as a rule that works for me, I don't store more on my phone then the phone itself is worth.

-Dave