Are you using Komodo’s Agama Wallet to store your KMD and BTC cryptocurrencies?
Were your funds also unauthorisedly transferred overnight to a new address?
If yes, don’t worry, it’s probably safe, and if you are lucky, you will get your funds back.
Here’s what exactly happened…
Komodo, a cryptocurrency project and developer of Agama wallet, adopted a surprisingly unique way to protect its customers’ funds.
The company hacked its customers and unauthorisedly transferred nearly 8 million KMD and 96 Bitcoins from their cryptocurrency wallets to a new address owned by the company.
Why? To secure funds of its customers from hackers.
This may sound weird, but it’s true.
Komodo recently learned about a malicious open source, third-party JavaScript library that the company was using in its Agama Wallet app.
The library, named “electron-native-notify,” two months ago received a update from its anonymous author who included a secret backdoor in the new code that was designed to steal and send seeds/private key and other login passphrases of Agama wallet users to a remote server.
So, if you have logged in to any version of Agama wallet downloaded from Komodo’s official website or their Android and iOS apps after 13 April this year, it’s likely you’ve had your wallet credentials stolen.
The malicious library update in question was initially detected by a security team at npm JavaScript package repository service, who then informed Komodo of the issue.
“The attack was carried out by using a pattern that is becoming more and more popular; publishing a useful package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload,” the npm blog said.
The npm blog also shared a brief video demonstration showing how the backdoored version of Agama wallet has been secretly sending a wallet’s private seed to a remote server in the background.
After discovering the vulnerability, Komodo decided to use similar password stealing technique against its users to gain access to as many affected wallets as possible and transferred their funds to a safe wallet before hackers could have stolen them.
“The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners,” Komodo said.
However, it’s important to note that not all affected user wallets have been emptied by the company.
So, if your wallet has not been swept, you are strongly recommended to immediately move all your funds from Agama to a new address.
Komodo also said that the Verus version of its Agama wallet is not affected by this vulnerability and is still completely secure, as it doesn’t include the malicious library in question. So, users of Verus version of Agama wallet are not affected by the security incident.
Leave a Reply