Komodo hacked its own clients to protect them from cryptocurrency theft

Komodo exploited a vulnerability in its app Agama Wallet to protect its customers from the theft of cryptocurrency worth $13 million

Komodo hacks its own clients due to a flaw in Agama Wallet app. Komodo hacks its clients' Bitcoin and KMD cryptocurrency wallets to save them from being stolen by hackers.

A very unusual thing happened in the cryptocurrency world in the past few days – Komodo, a cryptocurrency wallet provider, hacked its own customers![1] However, the firm is not trying to rob its own clientele – it is trying to protect them from money loss. Komodo was forced to take such a drastic action after discovering a critical vulnerability in its Agama Wallet application.

If Komodo had not transferred around 8 million KMD and 96 BTC (worth $13 million combined) to its own wallet address, this money might have been stolen by malicious actors.[2] The organization is using the Verus variant of Agama, which does not include the vulnerability, and says that anyone whose funds were not transferred and who is not using the Verus version needs to move all money out immediately.[3]

The flaw allows hackers to steal important credentials and send keys through remote servers

Komodo states that every user can be refunded and receive their money back. Furthermore, the organization provided the two wallet addresses where the transferred cryptocurrency is kept: 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk for Bitcoin, and RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF for Komodo cryptocurrency.[4] Komodo also claims that the refund process will start with those who have less than 7777 KMD in their accounts:

The reclaim process will begin with wallets that had less than 7777 KMD in them and are undisputed (meaning that only one missing funds claim was made for that wallet).

The malicious open-source library, based on JavaScript, is known by the name of “electron-native-notify.” It was compromised a couple of months ago by a bad actor who installed a backdoor into it. This component made it possible to steal various login information from Agama Wallet accounts and also to receive the private key (seed). The exact same technique was used by Komodo to transfer all the vulnerable funds to a safe wallet.
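Because the backdoor arrived as a dependency, a project can check whether the named package is installed anywhere in its dependency tree. The following is an added example, not code from Komodo, npm or the original article: it scans a parsed package-lock.json in both lockfile layouts, and every project name, version string and sample lockfile in it is constructed for illustration.

```javascript
// Added example, not Komodo's or npm's code. Only the package name
// "electron-native-notify" comes from the article; the rest is constructed.
const DENYLIST = new Set(["electron-native-notify"]);

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/b". An aliased install keeps its real name in meta.name.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const chain = path.split("node_modules/").slice(1).map((s) => s.replace(/\/$/, ""));
    const name = meta.name || chain[chain.length - 1];
    if (chain.length && DENYLIST.has(name)) hits.push({ name, version: meta.version, installedAt: chain.join(" > ") });
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree. An alias shows up there as
// version "npm:<real-name>@<version>", so the key alone is not enough.
function scanDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [key, meta] of Object.entries(deps || {})) {
    const chain = [...trail, key];
    const alias = /^npm:(.+)@[^@]+$/.exec(meta.version || "");
    const name = alias ? alias[1] : key;
    if (DENYLIST.has(name)) hits.push({ name, version: meta.version, installedAt: chain.join(" > ") });
    hits.push(...scanDependencyTree(meta.dependencies, chain));
  }
  return hits;
}

// v2 files carry both layouts; the "packages" map is authoritative there.
function scanLockfile(lock) {
  return lock.packages ? scanPackagesMap(lock.packages) : scanDependencyTree(lock.dependencies);
}

// Constructed sample lockfiles (hypothetical project names and version strings).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "sample-wallet-app", version: "0.0.0" },
  "node_modules/sample-ui-kit": { version: "1.0.0" },
  "node_modules/sample-ui-kit/node_modules/electron-native-notify": { version: "0.0.0-sample" },
  "node_modules/notify": { name: "electron-native-notify", version: "0.0.0-sample" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "sample-ui-kit": { version: "1.0.0", dependencies: { "electron-native-notify": { version: "0.0.0-sample" } } },
  "sample-logger": { version: "1.0.0" },
} };

console.log(scanLockfile(SAMPLE_V3), scanLockfile(SAMPLE_V1));
```

On a real project, pass the result of JSON.parse on the contents of package-lock.json to scanLockfile and fail the build when the returned list is not empty.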

The flaw in Agama wallet was spotted during an audit by the npm security team

This crucial security vulnerability was first spotted by the npm cybersecurity organization, which informed Komodo about its findings and is also largely responsible for saving $13 million of users' funds:[5]

Yesterday, the npm, Inc. security team, in collaboration with Komodo, helped protect over $13 million USD in cryptocurrency assets as we found and responded to a malware threat targeting the users of a cryptocurrency wallet called Agama.

The company said that all users who logged into their Agama Wallet account after April 13 this year, when the new Agama 0.3.5 variant was released, most likely had their wallets compromised and their credentials exposed to cybercriminals. The risk applies to both Android and iOS mobile phone operating systems.

Luckily for those who used the Verus version of the app, their credentials are safe. This Agama wallet version is not affected by the vulnerability and does not contain the malicious library.

Komodo has reported on its official website that the investigation of this malicious attack is still ongoing and that the company will post relevant updates and information about new findings. Additionally, the organization plans to release instructions for users whose funds were stolen during the malicious attack.[6]

About the author
Linas Kiguolis

Linas Kiguolis is one of the News Editors and also the Social Media Manager of the 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

