A crypto investor is crying foul after he allegedly lost $70,000 worth of his cryptocurrencies. The investor had stored the cryptos in his Coinomi wallet. According to him, the firm was either negligent in its role, or it actively worked to steal from him. However, Coinomi has released a statement refuting the claims. It claims that the investor attempted to blackmail it and that the vulnerability was on his side.
Warith Al Maawali is a crypto investor as well as a computer programmer. In a lengthy Reddit post, he outlined how he lost his $70,000, urging other Coinomi users to withdraw their cryptos before they lose them as well. Maawali has also launched a website, Avoid Coinomi, in which he urges Coinomi users to quit using the service.
It all apparently began when Maawali downloaded the Coinomi wallet and decided to integrate it with his Exodus wallet, his main crypto wallet. He inserted his Exodus wallet passphrase into Coinomi’s application, and this was when it all went wrong.
Being a programmer himself, he noticed that the wallet’s main application wasn’t digitally signed, unlike the setup file. He reached out to the Coinomi team through Twitter, pointing out the vulnerability to them. The team acted swiftly and uploaded a new version of the application.
That was on February 14. Six days later, Maawali discovered that more than 90 percent of his crypto assets had been moved out of his wallet. They had been transferred to multiple wallet addresses, with his bitcoins being the first to be moved. The culprits then allegedly moved his Ether, Litecoin, other ERC-20 tokens and lastly, his Bitcoin Cash.
Maawali decided to get to the root of the incident, and this is when he discovered the fatal flaw with Coinomi. The wallet’s ‘Restore Wallet’ functionality sends a user’s private passphrase to googleapis.com, a domain owned by Google. The wallet apparently sends the passphrases to googleapis.com for spell checking.
Who’s Telling the Truth?
Maawali claims that someone from Google, or anyone with access to the HTTP requests, accessed his passphrase and emptied his wallet. Armed with the passphrase, wiping out the wallet was child’s play. He wrote:
Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
He attached a screenshot of a sample HTTP request from the wallet.
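The "12 random English words" observation can be turned into an egress check that flags outbound request bodies shaped like a wallet seed phrase. The sketch below is an added example, not code from Maawali, Coinomi or Google; it is a heuristic (BIP39 word shape and phrase length only, no wordlist or checksum), and the hosts other than googleapis.com, the paths, the body layout and the sample phrase are all constructed placeholders.

```python
import json
import re
from urllib.parse import parse_qsl

# BIP39 English words are 3-8 lowercase letters; phrases are 12/15/18/21/24 words.
WORD = re.compile(r"[a-z]{3,8}")
PHRASE_LENGTHS = {12, 15, 18, 21, 24}

def iter_strings(body, content_type):
    """Yield each text value carried in a request body (JSON, form or raw)."""
    if "json" in content_type:
        try:
            stack = [json.loads(body)]
        except ValueError:
            stack = [body]  # malformed JSON: inspect it as raw text
        while stack:
            node = stack.pop()
            if isinstance(node, (dict, list)):
                stack.extend(node.values() if isinstance(node, dict) else node)
            elif isinstance(node, str):
                yield node
    elif "x-www-form-urlencoded" in content_type:
        for _, value in parse_qsl(body):
            yield value
    else:
        yield body

def looks_like_seed_phrase(text):
    """Heuristic only: right word count and every token shaped like a BIP39 word."""
    words = text.lower().split()
    return len(words) in PHRASE_LENGTHS and all(WORD.fullmatch(w) for w in words)

def flag_requests(requests):
    """Return (host, path) for each outbound request carrying a phrase-shaped value."""
    return [(host, path) for host, path, ctype, body in requests
            if any(looks_like_seed_phrase(s) for s in iter_strings(body, ctype))]

# Constructed sample traffic: (host, path, content type, body). Placeholder formats only.
PHRASE = "legal winner thank year wave sausage worth useful legal winner thank yellow"
SAMPLE = [
    ("googleapis.com", "/placeholder", "application/json", json.dumps({"text": PHRASE})),
    ("googleapis.com", "/placeholder", "application/json",
     json.dumps({"text": "Hi Bob, can we meet at 10 to go over the report?"})),
    ("example.invalid", "/form", "application/x-www-form-urlencoded",
     "q=" + PHRASE.replace(" ", "+")),
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE))
```

Ordinary 12-word sentences with capitals, digits or punctuation are not flagged, but any run of 12 short lowercase words is, so a production check would confirm hits against the BIP39 wordlist and checksum.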
Maawali claims he tried to resolve the issue with Coinomi, but the firm wasn’t of much help. He has promised to take legal action against the firm, which is registered in the U.K.
For its part, Coinomi refuted the claims, stating instead that Maawali repeatedly asked for a ransom of 17 BTC or he would take the incident public.
Our official statement on the spell-check findings: https://t.co/o7Fmhn2FoI
— coinomi (@CoinomiWallet) February 27, 2019
The firm outlined a number of reasons why it’s impossible that the cryptos were stolen from Maawali’s wallet. One of them is that the Coinomi team never had access to his seed phrases or his funds. Google also apparently rejected all the requests initiated by Maawali and never processed them.
Coinomi reiterated its stand: it would not negotiate or compromise with blackmailers.
Going forward it should be noted that we are not negotiating with blackmailers and that we are totally open and transparent with the crypto community which we have been serving day and night for the past 5 years.