Komodo exploited a vulnerability in its app Agama Wallet to protect its customers from cryptocurrency theft worth of $13 million
A very unusual thing happened in the cryptocurrency world in the past few days – Komodo, a cryptocurrency wallet provider, hacked its own customers! However, the firm is not trying to rob its own clientele – it is trying to protect them from money loss. Komodo was forced to take such a drastic action after discovering a critical vulnerability in its Agama Wallet application.
If Komodo had not transferred around 8 million KMD and 96 BTC (worth $13 million combined) to its own wallet address, this money might have been stolen by malicious actors. The organization is using the Versus variant of Agama which does not include the vulnerability and says that those who did not have their funds transferred and if he/she is not using the Versus version, all money needs to be taken out immediately.
The flaw allows hackers to steal important credentials and send keys through remote servers
Komodo states that every user can be refunded and receive their money back. Furthermore, the organization provided the two wallet addresses the transferred cryptocurrency is kept: 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk for Bitcoins, and RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF for Komodo cryptocurrency. Komodo also claims that the refund process will start with those who have less than 7777 KMD in their accounts:
The reclaim process will begin with wallets that had less than 7777 KMD in them and are undisputed (meaning that only one missing funds claim was made for that wallet).
The flaw in Agama wallet was spotted during the audit of npm security team
This crucial security vulnerability has been first spotted by the npm cybersecurity organization which was the one to inform Komodo about its findings and is also largely responsible for saving $13 million of users funds:
Yesterday, the npm, Inc. security team, in collaboration with Komodo, helped protect over $13 million USD in cryptocurrency assets as we found and responded to a malware threat targeting the users of a cryptocurrency wallet called Agama.
The company said that all the users who logged into their Agama Wallet account past April 13 this year, hen the new Agama 0.3.5 variant had been released, most likely had their wallets compromised and credentials have been exposed to cybercriminals. The risk applies to both Android and iOS mobile phone operating systems.
Luckily for those who used the Verus version of the app, their credentials are safe. This Agama wallet version is not affected by the vulnerability and does not contain the malicious library.
Komodo has reported on its official website that the investigation of this malicious attack is still ongoing and the company will post relevant updates and information about new findings. Additionally, the organization is looking forward to releasing some instructing steps for users whose funds were stolen during the malicious attack.