
Coinomi Used to Send Your Wallet Passphrase to Google for Spell Check, User Reveals

A vulnerability in the code of Coinomi’s desktop wallet sent users’ passphrases to Google for a spell check, potentially affecting anyone who restores a wallet.

Warith Al Maawali, a wallet user who allegedly lost his life savings after restoring a wallet holding approximately 60–70k in cryptocurrencies, disclosed the information.

User Finds that Coinomi Sends Your Wallet Passphrase to Google for Spell Check

Warith tried several times to communicate with Coinomi’s team, yet could not reach a satisfactory solution, so he decided to write a post and raise awareness through social networks.

In a Reddit post, Warith explains that after using the passphrase of his Exodus wallet, he noticed a strange series of transactions, losing almost 90% of his funds. The first thing he verified was that the Coinomi Wallet was not signed, something that led him to think that it could contain some backdoor.

Later he contacted Coinomi, and they proceeded to fix this error, signing the app. However, he was able to verify that the software was exactly the same.
Then he ran a program to monitor HTTP and HTTPS traffic, and the results were surprising:

“I started monitoring the traffic by running Fiddler in the background and then started Coinomi wallet. The first thing I noticed is that Coinomi application starts downloading dictionary wordlist from the following web address:

Then I clicked on restore wallet and pasted a random passphrase and suddenly the screen screamed SURPRISE MOTHER******** (boom puzzle solved!)
The WHOLE passphrase in plain-text is sent to a domain name owned by Google! It was sending it as a spelling check function! Here is a sample of the screenshot of the HTTP request:”


Coinomi Responds

After this, Coinomi issued an official statement. The team quickly patched the desktop app, confirming that it did not affect mobile wallets. They also explained that while Warith’s findings are accurate, it is improbable that a hack could have occurred.

The team explains that it looks more like a “bribe” since the communication goes directly from the wallet to the Google server, without going through Coinomi. Likewise, Google automatically rejects the connection.

They explain that it is false that they have refused to solve the problem. According to Coinomi, they responded to Warith asking for more information; however, the user declined to collaborate:

During these days, Warith Al Maawali repeatedly refused to disclose his findings and kept threatening to take this public if we didn’t pay right away the ransom of 17 BTC which would make up for the “hacked” funds (stolen by Google, according to Warith Al Maawali) that are possibly still controlled by him and couldn’t have been hacked because of Coinomi for a series of reasons:

  • Coinomi Team never had access to these seed phrases or funds
  • No one else except from Google could read the contents of the encrypted packets that contained the seed phrases
  • Google rejected these requests initiated by jxBrowser/Chromium as they were badly formed (didn’t contain a valid Google API key) and never actually processed them

To sum things up: was there an issue with our Desktop wallets? Yes, there was, and it was fixed hours only after it was disclosed to us. Could this issue have resulted in loss of funds?

  • Practically, no, it couldn’t have.

Warith has stated that he is considering taking “legal actions against the company behind Coinomi if they don’t act and take the responsibility”, but he has not provided any further information or comment on Coinomi’s statements.

The use of hot wallets, while safe, also carries significant risks that must be taken into account when storing large amounts of funds in crypto.
If users are going to store large sums of money, the best option is a cold wallet or hardware wallet that eliminates any possibility of interception.

The post Coinomi Used to Send Your Wallet Passphrase to Google for Spell Check, User Reveals appeared first on Ethereum World News.


MyCrypto Ethereum (ETH) Wallet Solution Raises $4 Million In Funding Round

MyCrypto Raises $4 Million In Series A Funding Round

Although the retail crypto market may be in a slump, venture investors seem to be as interested as ever, with VC firms pouring millions of dollars into promising crypto-centric projects, products, and services on a near-daily basis. Most recently, a group of prominent investors and venture capital firms has backed MyCrypto, a popular Ethereum-focused wallet solution.

As per a Medium post released by the team behind the product, the startup has just raised $4 million in a Series A funding round.

Leading the funding round was San Francisco-based Polychain Capital, which has become well-known after fund founder Olaf Carlson-Wee led Polychain and its investors to new heights. Other well-known investors that participated in the startup’s funding round include Boost VC, Shapeshift, Ausum Blockchain Fund, Mainframe’s Mick Hagen, Chance Du of Coefficient Ventures, Albert Ni, Lily Liu, and Adam Draper, as per MyCrypto’s announcement.

What’s Next For MyCrypto?

For those who are unaware, MyCrypto’s ethos is to build what the crypto community needs, along with creating easy-to-use methods for accessing the blockchain and utilizing crypto assets. And so far, this ideology has stuck, with a talented team of over 15 individuals recently rebuilding the wallet product from the ground up, while also adding “a ton of new features” and introducing support for a native desktop app in the process.

Not only has the startup focused on a wallet, but the firm also launched an open-source Monero (XMR) block explorer called Monero Vision. While this sounds like a monumental task on its own, as MyCrypto puts it, “that’s not enough,” adding that a strong foundation has been laid, but preparing for the “next wave” of cryptocurrency adoption will be an absolute necessity. The press release noted:

These steps have laid a strong foundation for the MyCrypto platform. We need to prepare for the next wave of cryptocurrency users entering the space and help ensure they can interact with the blockchain, play with dapps, trade their coins and tokens, and do it safely, securely, and with confidence.

So what’s next for MyCrypto, you may ask?

Well, although the startup didn’t highlight any specific products, the firm intends to “make crypto easier to get into.” Elaborating on what this meant, the release noted that interfaces should be “less confusing, abstract away information that doesn’t need to be upfront” and, most importantly, make the crypto experience as frictionless and seamless as any other modern technology.

Expressing excitement for her brainchild, Taylor Monahan, the Founder and CEO of MyCrypto stated:

The cryptocurrency market is always changing and evolving, which can make navigating and understanding it difficult and overwhelming for both new and seasoned users. We’re dedicated to designing an experience that can further simplify how people can access and store cryptocurrency and are thrilled to see the overwhelming support we’ve received from our partners, investors, and community.

So keep your eye out for MyCrypto, as the firm’s collaborative moves with its new partners will be sure to produce some world-changing crypto-centric products in the near future.

Photo by Vladimir Solomyani on Unsplash



Opera Introduces Built-In Crypto Wallet For Desktop Version

The popular Opera Browser has pushed forward on its quest to gain traction in the cryptocurrency community, recently announcing that it was extending its built-in wallet to users of the Opera Desktop Browser.

As reported by Ethereum World News, this isn’t Opera’s first move into the cryptosphere, as the Oslo-based firm introduced an Ethereum-centric crypto wallet to their mobile applications in mid-July. Opera hoped to enable “seamless transactions on the web,” and to break down the “biggest hurdles” which are preventing cryptocurrencies from seeing worldwide adoption.

After receiving rave reviews, or an “overwhelmingly positive response” as Opera puts it, for the mobile-based wallet, the web startup thought it would only make sense to integrate it into its popular PC browser, which is home to nearly 322 million users. Speaking more on the matter, Charles Hamel, the Product Lead of the startup’s crypto division, stated:

“By adding a crypto wallet directly into the browser, we removed the need for complex extensions or separate apps. Opening up the PC browser to crypto marks Opera’s second step towards making cryptocurrencies and Web 3.0 mainstream.”

Opera’s Crypto Wallet Hits Opera Desktop With Unique Features 

Opera’s foray into desktop wallets won’t be the ‘same old, same old’, with the firm outlining an array of features that make this new wallet attractive to consumers who may be looking for security and functionality.

The firm pointed out that this will be native to its desktop browser, with the wallet coming pre-installed.  Upon first opening the desktop wallet, users will be prompted to connect this iteration of the wallet to their “crypto Wallet-enabled Opera mobile browser,” which will “grant access to their mobile wallet with cryptocurrencies and collectibles.”

While connected wallets usually pose a security risk for users, Opera has introduced an innovative new feature that requires users to verify desktop and mobile transactions with their fingerprint on mobile, instead of using hard-to-use passphrases. As well, a fingerprint is unique to a user and has a higher level of security, whilst passphrases can be subject to attack by hackers.

Charles Hamel, the aforementioned executive at the software firm added:

“Some users prefer to perform crypto payments or interact with Dapps on their desktop. They can now do so in a simple way by using the same wallet they have on their mobile phone.”

It is important to note that users are always in 100% control of their funds, with close-to-zero pieces of vital and confidential information (like private keys) being routed through Opera-owned servers. Instead, all crypto assets are held on a user’s phone and “nowhere else,” through security methods which keep private keys under lock and key.

This move comes after Bitmain, the most valuable cryptocurrency-centric firm in the world, reportedly made a $50 million investment into Opera Software, the firm behind the ever so popular browsers. While the firm might be influenced by Bitmain’s recent investment, according to the aforementioned blog post, this is just one step in the firm’s aspirations to “stay at the forefront of innovation” and to bring cryptocurrencies to the “mainstream.”

Title Photo by João Silas on Unsplash



Binance Buys Trust Wallet, Aims To Expand Operations

Despite posting losses of a couple of percent, development in the cryptocurrency industry has trudged forward, with Binance just announcing that they had acquired Trust Wallet in a recent deal.

Binance, the world’s largest crypto platform, has just made its first acquisition, buying out a California-based cryptocurrency wallet startup. Trust Wallet provides a reliable security solution for users, along with facilitating a so-called decentralized application browser. Unlike other mobile-based wallets, Trust allows users to “control 100 percent of their funds,” not holding the private keys or other confidential information on their servers. In fact, all of the information that will be stored on company-owned servers is just the user’s public addresses, contact information, and social media handles.

According to Bloomberg, the wallet provider was launched in November and is currently home to 10 employees. The Trust Wallet application is currently focused on providing security for Ethereum-based tokens, and supports upwards of 20,000 different cryptos as of the time of writing.

Speaking on the acquisition, Changpeng Zhao, the well-known CEO and head of the exchange, stated:

“The Trust Wallet team shares the same values as us and the products are very complementary. For users who like to withdraw funds into a wallet now, we have a product they can use.”

The details of the deal were not revealed, but the firm noted that they acquired the startup using a combination of cash, Binance stock and some of its in-house token, the fittingly named Binance Coin. But it was noted that the deal was not of a high value, as the crypto service provider currently doesn’t support an expansive user base.

It is important to note that Trust Wallet will still operate as an independent entity, but the Malta-based Binance will assist in operating the “admin side of the business,” along with market campaigns. Zhao noted:

We plan to keep the app as independent as possible. There will be more features going into it but not so much from a Binance demand perspective. We are like the addition of a godfather for the baby… there’ll be some cooperation.

The CEO took to Twitter to issue a series of tweets, expressing his excitement for the deal which they had just closed. CZ wrote:

“A secure, easy to use, on-chain mobile wallet with full dapp support. The next gen mobile wallet begins.”

He also called it a “diamond in the rough,” alluding to the firm’s plans to expand and integrate the wallet solution into Binance’s services. It is likely that Trust will be the first to be integrated into Binance’s upcoming decentralized exchange, which will allow users to directly transact with one another through a permissionless system.

Closing off his talk with Bloomberg reporters, the CEO added that his firm is in “early-stage talks” with other firms that appeal to the Binance team for future acquisition. Taking into account that Binance made upwards of $500 million since the start of 2018, it makes sense how they have so much capital to spare.



MyEtherWallet Gets Hit By CyberAttack From Google Chrome Store Hackers

MyEtherWallet (MEW), one of the most well-known services for managing Ether wallets, recently took to social media to relay an urgent message about a potential cyber attack. According to the Tweet, the Hola VPN extension was in a hacked state for five hours, allowing for the hackers to monitor the activity of some MyEtherWallet users through the extension.

Ironically enough, the VPN service meant to secure your online experience has slipped up again, with this most recent situation being Hola’s second case of bad press.

The wallet service advised that MEW users who had the Hola extension installed should immediately move their funds to a secure wallet, ensuring that the risk of attack is mitigated.

Unlike many other traditional third-party wallets, MEW takes a ‘you are your own bank’ approach, encouraging its users to take control over their own private keys. Although the MEW service has been lauded for the decentralized aspects it offers, the private key system increases the risk of fund loss/mismanagement on a user-to-user basis.

Hola VPN, a free virtual private network (VPN) service with almost 50 million users, later released a report, giving their take on the situation. The blog stated:

Yesterday our deployment team discovered that the Hola Chrome extension which was live for a few hours was not the one that our development team uploaded to the Chrome Store. After initial investigation, we found that our Google Chrome Store account was compromised, and that a hacker uploaded a modified version of the extension to the store.

The post went on to say that the version has since been taken down, and the Chrome Store account has been resecured. After ensuring that the fraudulent version was taken down, the Hola team set out to investigate the intent of the out-of-the-blue attack.

After a few hours of investigative efforts, Hola determined that MEW users were the specific target for this attack. The cyber attack consisted of injected lines of JavaScript that allowed for the hackers to phish MEW account information, by re-directing MEW users to the hacker’s clone website.

After figuring out the intent of the attack, Hola quickly contacted MEW and Google, making sure that the phishing website was no longer accessible.

The wallet’s team told TechCrunch that the attack seemed to originate from “Russian-based IP addresses.”

The most recent attack had some users think back to a similar situation which happened in April. Earlier this year, hackers hijacked “a couple of Domain Name System registration servers” that were linked to MEW, re-directing users to a phishing site. With this attack, the hacker was able to transfer over 215 Ethereum from unsuspecting users to his/her account.

It is still unclear how many users fell victim to the most recent attack, but one Reddit user noted that he/she lost 6000 VEN, worth around $12,000 at the time of press. MEW reaffirmed their commitment to the security and safety of its users, noting:

The safety and security of MEW users is our priority. We’d like to remind our users that we do not hold their personal data, including passwords so they can be assured that the hackers would not get their hands on that information if they have not interacted with the Hola chrome extension in the past day.



Ethos Jumps Up 50% After U.S. Release of The ‘Universal Wallet’

The Ethos Project

Ethos, the 60th largest cryptocurrency by market capitalization, is an infrastructure project that plans to create a comprehensive cryptocurrency ecosystem.

Whether it be through their Universal Wallet, or blockchain research papers, this infrastructure project hopes to bring cryptocurrencies and related technologies to a worldwide stage, offering reliable services for the public. 

The Ethos team’s mission statement reflects these aspirations:

Our mission is to build a financial ecosystem that is open, safe and fair for everybody. Ethos harnesses the power of design, technology and social intelligence to create a breakthrough solution that will enable everyone to participate in the New Economy.

The Universal Wallet

The Universal Wallet is an innovative piece of crypto infrastructure that aims to put control and ownership back in the hands of the consumer, rather than a centralized third party. An issue with cryptocurrency wallets is that wallet operations are often routed through a centralized server, with private keys not being held in the hands of the user.

This centralization in cryptocurrency storage is a slap to the face of the decentralized nature of cryptocurrencies, which is what makes this new asset class so revolutionary.

Ethos plans to fix this issue by introducing a variety of cryptoassets into one ‘universal’ wallet, using a single so-called SmartKey to hold ownership over all of the assets.

The infrastructure project is also working on implementing cold storage options, portfolio tracking and cryptocurrency research and analysis into the Universal Wallet application. With these planned integrations, Ethos plans on becoming a one stop shop for all cryptocurrency users, introducing a variety of vital features in one easy-to-use and accessible platform.

Ethos Token Sees 50% Rise In One Day

Over the past 3 days, Ethos has announced that they will begin their global roll-out process for the Universal Wallet, with the first release coming in the Netherlands on Monday, followed by Germany the day after, and, most importantly, today’s announcement of support for the United States of America.

In an apparent gesture towards the American Independence Day, the Ethos team decided to release the Android Universal Wallet to U.S. consumers on July 4th. 

A post from the project wrote:

In true Independence Day fashion, Ethos has released a new wave of financial freedom in the U.S. by way of the Universal Wallet! What better way to celebrate independence?

Upon the release of the U.S. announcement, the Ethos token immediately saw an influx in volume, seeing a five times increase in daily volume figures. A majority of this volume came from Bithumb, a popular exchange in the Asia cryptocurrency ecosystem. Prices on Bithumb quickly hit $3.5 in the first minutes of the price jump, but weirdly enough, other exchanges did not experience similar run-ups.

Chart Courtesy of CoinMarketCap

This led some to speculate that this was actually an act of price manipulation on the KRW (Korean Won)/ETHOS trading pair, one that eerily correlated with the release of the U.S. Universal Wallet announcement.

Since the price jump, the average price for the token has dropped to $2.58, still posting a 50% increase on the daily chart. Volume has since slowed, with the token holding in the mid two dollar range. 

Although this pump may have been an act of price manipulation, the previous announcements for the Netherlands and Germany saw ETHOS take more relaxed moves upwards, signalling that Ethos prices should move upwards on Universal Wallet announcements.

The Universal Wallet will continue to be rolled out to more countries, with the Ethos team holding plans for a global expansion within the upcoming months.

Title Image Courtesy of Pixabay



Swiss-Based Company Offers Secure Cryptocurrency Storage In The Alps

In Comes Swiss Crypto Vault, Amidst The Growing Need For Cold Storage

Niklas Nikolajsen, the founder of the cryptocurrency infrastructure firm Bitcoin Suisse, has announced the creation of Swiss Crypto Vault. Nikolajsen, along with Phillip Vonmoos, his business partner, hopes to attract the cryptocurrency holdings of institutional investors and wealthy individuals.

SCV plans on securing crypto assets through the use of encryption, multi-sig authorization, and most importantly, the use of a ‘military-grade’ bunker that can stand the worst of conditions. It is reported that PricewaterhouseCoopers will review the security of the vault, ensuring that the most effective practices are set in place. 

The fact that Bitcoin Suisse has access to such a secure site is its biggest claim to fame: the site offers the extreme levels of security of a Swiss Alps bunker established during the Cold War.

This startup fills a growing gap in the industry, with institutional investors piling into the space looking for secure ways to store millions of dollars worth of cryptocurrencies.

Nikolajsen’s business partner, Vonmoos, acknowledged the need for such a service, stating:

The next level for the crypto community is for additional institutions to enter the space. They will only do so if there is a super secure way of storing the assets or the private key.

The founder of Bitcoin Suisse, Niklas Nikolajsen also said:

It’s not millions anymore we’ve been moving to the bunker — it’s the next level.

Institutional investors, like banks or high net worth individuals, often lack the capability and knowledge to secure cryptocurrencies. However, SCV offers the expertise to institutional investors, charging fees for its indispensable service.

Nikolajsen has so much faith in the startup, that he moved all assets from Bitcoin Suisse to the bunker, attesting to his belief in the security of the service. SCV opens to the public today, offering a variety of secure storage services for a multitude of cryptocurrencies, like Ethereum and Bitcoin.

It is likely that SCV, along with Swiss-based Xapo, will become mainstays in this growing sub-industry, as cryptocurrency fortunes look to settle down for decades to come.

Cold Wallets vs. Hot Wallets, The Debate Continues

Last week saw Bithumb, a popular Asia-based exchange, get hacked for over $30 million worth of cryptocurrencies. It became clear the hack occurred on some of the hot wallets Bithumb has held. Although it is a common practice for exchanges to keep cryptocurrencies on hand, in hot wallets, it still doesn’t take away from the extreme levels of security cold storage offers.

Cold storage, a.k.a. cold wallets, is a method of keeping cryptocurrencies away from an online environment, often generating and accessing your funds through offline services. The use of cold wallet storage mitigates most of the risk associated with online wallets, removing the fears of hackers remotely accessing your wallet.

Many cryptocurrency experts, along with cryptocurrency companies, advise users to keep all personal funds in cold wallets. Pieces of hardware, like the Ledger Nano S, offer affordable and easy-to-use cold storage options for normal consumers.

As the cryptocurrency space expands, it will make sense for consumers, along with established firms coming from outside the industry, to keep their cryptocurrency funds secure in cold storage.  

Title Image Courtesy of Artur Staszewski



Ledger Wallet Desktop Edition Scheduled to July 9th

In an update posted on its official blog, Ledger has announced the release date of the Ledger Wallet Desktop Edition. The final date is scheduled for July 9th.

This decision would make Ledger a leading company not only in the manufacture of hardware wallets but also in the market of software-based wallets, an essential step in the expansion of its business vision.

A Preview of the Interface Ledger is Developing

The company, known for its famous Ledger Nano S, has gained fame within the community for the high quality of its products. According to official data, the Ledger Nano S boosted the company’s production to more than 1 million units sold.

Until now Ledger relied on Google Chrome plugins and similar solutions for its configuration and use. But just after they announced the development of a Ledger Wallet Desktop Edition in February 2018, it was easy to note the positive sentiment it generated among the crypto fans.

As a result, Ledger Wallet Desktop Edition was announced with a lot of features that make it – again – a formidable competitor compared to other options like Trezor:

  • Native desktop application (Windows, macOS, Linux)
  • Multi-currencies (28 cryptos including Bitcoin, Altcoins, Ethereum, Ripple…)
  • Multi devices (Ledger Nano S, Ledger Blue)
  • Read-only consultation of accounts without device (protected by optional password)
  • Dashboard view of all assets
  • Counter values: choice of currency & exchanges
  • Send, receive, account balances & history
  • On device verification of the receive address
  • Faster account synchronization engine
  • Easy onboarding for new users

Also, Ledger Wallet Desktop Edition’s support for such a wide range of operating systems facilitates not only adoption but also ease of use for a growing user base.

Ledger Wallet Desktop Edition: The Beginning of a New Era

The French company behind the development of Ledger will not settle for the launch of a Desktop Edition. According to their blog, it seems they also plan to expand very soon the features and products they offer so far.

According to the post in which they announced the Desktop Edition, these would be the promises of new developments for the near future:

  • Mobile application version (Android & iOS)
  • Ledger Nano/HW.1 support
  • Install/uninstall apps on Ledger Nano S automatically to smoothly manage a non limited number of cryptos on one device
  • Ethereum ERC20 tokens & contract management
  • Third party apps integration (buy/sell cryptocurrencies, exchanges, swaps…)
  • Transaction tags & notes
  • Spotlight search
  • Generate more than one new address
  • 100+ cryptocurrencies support

The Ledger Wallet Desktop Edition will hit markets this July 9th 2018. The mobile version is planned for the end of Q4 2018; also, the Ledger team will announce all the other developments when they reach their final version; however, Ledger’s priority is to support ERC20 tokens.


IDG Backs Crypto Wallet imToken with $10 Million Investment

China-based cryptocurrency wallet imToken announced Thursday that it has closed a $10 million Series A round fully funded by venture capital firm IDG Capital.

Founded in 2016, imToken first entered the industry as a dedicated ethereum wallet service, but has since expanded to support a claimed 30,000-plus tokens, including “airdrops” and ICO issuances.

The company said in a release that the new equity financing will be used to expand its overseas businesses and to hire more technical staff for product development.

ImToken’s CEO, Ben He, told CoinDesk that the company currently has fewer than 40 people and will primarily expand its team in Singapore, alongside building new presences in other Asian and African countries including Japan, South Korea, Vietnam and Nigeria.

In addition, He said the firm expects to launch a new security-related product at the end of June, though he refrained from disclosing further details.

IDG Capital has become notable in the cryptocurrency industry, having made a series of investments in industry startups.

As previously reported by CoinDesk, IDG participated in Coinbase’s notable $75 million series C round, as well as Circle’s $50 million funding, both of which took place in 2015. More recently, the VC firm also backed China-based cryptocurrency data firm BiKan as a participating investor in the startup’s 10 million fundraise.

Wallet image via Shutterstock
