How Were the Funds Truly Compromised?
Warith Al Maawali contacted CCN and just about every news outlet he could find with the claim that, because Coinomi had sent seed phrases to Google for spellchecking, he had lost his entire life savings. His goal was to pressure the company into reimbursing him for his losses, but after extensive research it appears doubtful that Al Maawali lost his crypto through any fault of Coinomi’s. It is more likely that he never lost it at all, or that his seed phrase was compromised in some other way.
We previously reported on those claims here. We then followed up with a response from Coinomi, who believed by that point that Al Maawali was attempting to extort the company.
Coinomi explicitly stated that the bug in question had never actually compromised seed phrase words, as they were not sent in plain text. The inference is that if his funds were stolen in this way, Google or a Google employee must have done it.
“Upon review of the publicly available facts, it quickly became apparent to the CipherBlade team that Al Maawali’s conduct is grossly inappropriate to the situation. We receive multiple messages on a daily basis from people seeking help regarding scams or hacks, and so we understand very well that victims can be emotional and even irrational — in the worst case yet, we’ve been forced to prevent a fraud victim from attempting to murder a suspect. And indeed, even well-composed individuals are often at a loss as to what the proper course of action is when they become the victims of such crimes. Nevertheless, given the public nature of the present incident, it is worthwhile using it as a case study.”
CipherBlade finds that the most likely attack vector exploited by an attacker – assuming an attack ever took place, which is questionable – was the storage of the seed phrase itself.
“For one thing, it is not clear how the seed phrase was stored and whether any other person might have had access to it in either electronic or physical form. For another, it is particularly noteworthy that Maawali states that he copy-pasted the seed phrase into the Coinomi application. Malware that monitors a computer’s clipboard for contents that have the format of private keys or seed phrases is a well-known threat to cryptocurrency users, and while Al Maawali emphasizes that none of his other wallets were compromised, he may not have recently pasted their seed phrases or private keys anywhere.”
Where Did the Coinomi Funds End Up?
The researchers note that Al Maawali’s attempt at shaming Coinomi into giving him $70,000 was “inappropriate.” Had he followed the proper protocols, law enforcement and various exchanges could have conducted a real investigation into the lost funds.
The funds are still moving. As recently as two days ago, sizable transactions took place involving the stolen funds. The majority seem to have dissipated by now. Just 1.7 Ether remains of the more than 35 that were originally stolen, according to the Ethereum blockchain. The Ether and associated tokens were just part of his holdings. Coinomi allows for the storage of numerous cryptocurrencies.
The researchers have found that at least one of the exchanges used to launder the funds was Binance, probably reached through an intermediary service such as CoinSwitch.
If we accept that Al Maawali is truthful, then it’s likely too late to recover the funds directly. However, a more prudent approach to reporting might have yielded better results with the help of a company like CipherBlade.