How (Not) To React When Your Cryptocurrency Is Stolen

CipherBlade
16 min readMay 23, 2019

--

Warith Al Maawali, much to his dismay, found his Coinomi wallet compromised and the funds contained in it stolen. Alleging a vulnerability in the wallet app as the culprit, he attempted to extort from Coinomi compensation for his loss and has since been conducting a publicity campaign against the company. Upon Coinomi’s request, CipherBlade has reviewed the situation and found it to be highly illustrative of wrong-headed and unproductive cryptocurrency theft victim behavior.

The Al Maawali/Coinomi Dispute

Extensive discussion regarding a vulnerability of the Coinomi wallet circulated Twitter, Reddit, Bitcointalk, and other platforms late February 2019. An individual, Warith Al Maawali, made numerous postings alerting the public to a vulnerability with the Coinomi wallet, which he alleged was the cause of his loss of approximately $65,000 in various cryptocurrencies. Al Maawali’s postings resulted in a mixture of responses, ranging from sentiment echoing “you deserved to lose your money for being irresponsible,” to “that vulnerability doesn’t make sense, and you likely lost your money due to something else,” and, on the other end of the spectrum, applauding Al Maawali for bringing this vulnerability to the public’s attention.

Al Maawali has continued his public campaign against Coinomi, launching a website (avoid-coinomi[.]com) and varying social media accounts dedicated to the purpose and seems to have focused on delivering on threats to Coinomi of taking the incident public unless they compensate him for his loss. In response to the large-scale public discussion, Coinomi issued their own response to Al Maawali’s allegations. The public has been left to interpret the facts of this situation, with both sides presenting their version of events. Blockchain media outlets reported extensively on this case, most often with neutrally-themed articles, an expected stance from journalists expected to be objectively unbiased.

Upon review of the publicly available facts, it quickly became apparent to the CipherBlade team that Al Maawali’s conduct is grossly inappropriate to the situation. We receive multiple messages on a daily basis from people seeking help regarding scams or hacks, and so we understand very well that victims can be emotional and even irrational — in the worst case yet, we’ve been forced to prevent a fraud victim from attempting to murder a suspect. And indeed, even well-composed individuals are often at a loss as to what the proper course of action is when they become the victims of such crimes. Nevertheless, given the public nature of the present incident, it is worthwhile using it as a case study.

What we find is the following:

  • There are multiple factors to be observed that make it extremely unlikely that the Coinomi wallet bug was, in fact, the cause of Al Maawali’s loss of funds, and malware infection is much more likely.
  • Regardless of how the theft happened, the case presents multiple promising angles of attack that law enforcement, liaising with exchanges or other entities, could follow up on, were the case to (have been) reported in the proper fashion and in a timely manner.
  • The often incoherent nature of Al Maawali’s statements, which could easily constitute grounds for a defamation suit in many jurisdictions, makes it difficult to believe that they are motivated by a genuine desire to alert the public to a real risk, as they are more easily understood as an attempt to pressure the company into compensating him for his loss. This is an unproductive and ineffective course of action, and more could have been achieved if the same amount of effort (and, indeed, money —he paid for a Google Ads campaign purely to defame Coinomi) had been directed elsewhere.
  • Despite having no obligation to do so, Coinomi offered to utilize their own resources to assist Al Maawali with blockchain forensics (a time-intensive and often expensive endeavour) and in blacklisting addresses with exchanges. Coinomi had no liability to assist Al Maawali with this incident. These efforts exceed those made by many exchanges and ICOs after breaches, which actually have subsequent responsibility. Al Maawali’s misplaced sense of entitlement and misconceptions about responsibilities in a situation like his, as evidenced (among other places) in his support ticket correspondence with Coinomi, are a recurrent theme throughout this entire chain of events.

The Reported Coinomi Vulnerability

According to Al Maawali, he downloaded the Coinomi wallet on February 14th 2019 and noticed that while the installer file was digitally signed, the resulting installed Windows application was not. He reported this to Coinomi (who have since added the signature) and nevertheless opted to use the application based on his trust in ‘several reputable websites’ that mention Coinomi and entered the seed phrase of his Exodus wallet into Coinomi to access the associated addresses.

Digital signatures are employed to enable the user to verify that the file they have downloaded is indeed the file shipped by the developer and has not been spoofed or replaced with a potentially malicious version. Since the installer was correctly signed, Al Maawali could be sure that he had indeed downloaded the file intended by Coinomi’s developers. And yet he continues to speak as though the lack of a digital signature on the application file (the result of running the installer) were in itself indicative of a security vulnerability. The circumstances under which a genuine install file can lead to a compromised installed application are extremely limited (and depending on the workings of the installer, it may even be impossible), and there is no allegation that this was in fact the case here. Al Maawali’s continuing to harp on the missing signature on the application file is therefore merely an attempt to discredit Coinomi.

On February 22nd 2019, assets from cryptocurrency wallets associated with Al Maawali’s seed phrase were observed to have been transferred elsewhere. Al Maawali discovered that when a user of the Coinomi desktop wallet enters a seed phrase for wallet recovery, the app sent the text of that seed phrase to the Google API for spell-checking, and claims that this was the cause of his loss of funds. Coinomi acknowledges that the version of the wallet installed by Al Maawali had that feature (which has since been removed), but points out that (i) the seed phrase was sent encrypted via an HTTPS connection and (ii) Google’s API rejected the request as ill-formed for lack of an API key. Al Maawali’s contention is therefore that (i) Google stores information about such rejected API requests and that (ii) someone at Google must have had access to these records and recognized a 12-word seed phrase among them, which they then exploited to steal his funds.

This is an improbable scenario a priori, and despite Al Maawali’s vigorous publicization of the matter, which would surely have enabled other victims to recognize the relevant features (such as the entry of a seed phrase into the desktop app) in their own situation, no such victim has yet come forward, either by contacting Coinomi or in a public forum, with a case where loss of funds is suspected to be attributable to the same assumed vulnerability; but if a Google employee had somehow obtained seed phrases, he would in all probability have looked for, and found, more than one. The hypothesis is further discredited by what we shall see on the blockchain later on. Nevertheless, this remote possibility could have been pursued and assessed further if appropriate actions had been taken. In particular, the unique constructive course of action in this scenario is to involve law enforcement agencies as soon as possible who can expect cooperation and obtain records from Google.

Meanwhile, other avenues of compromise do not appear do have been investigated or ruled out. For one thing, it is not clear how the seed phrase was stored and whether any other person might have had access to it in either electronic or physical form. For another, it is particularly noteworthy that Maawali states that he copy-pasted the seed phrase into the Coinomi application. Malware that monitors a computer’s clipboard for contents that have the format of private keys or seed phrases are a well-known threat to cryptocurrency users, and while Al Maawali emphasizes that none of his other wallets were compromised, he may not have recently pasted their seed phrases or private keys anywhere.

Cursory Blockchain Forensics

This section presents a first-pass review of the blockchain-forensic elements of the situation to demonstrate how a situation like this would be productively approached.

ETH

Al Maawali’s Hacked Wallet: 0x8d99443b0f4a92762a0e8bbc60a2140377678720

Hacker’s Wallet: 0x006d5aab4059e79734e216f96ca4a7cfbd3a99e4.

The majority of funds are sent on, in multiple transactions over time, to a Consolidation Wallet at 0x48382307c965927016f16584a7ed1426b8d5fcfb. This wallet displays several characteristics of a wallet used by a fraudster or hacker to process funds from multiple victims, typical of keylogger cases, and provides multiple angles of attack on the case.

Outbound transactions provide multiple potential capture points, such as:

  • A direct deposit to Binance at the deposit address 0xa8d100f62dab0c7ecb156cf477bdcf96ed3a80dd.
  • A direct deposit to what is most probably exmo.com at 0xcefcf283bf71054ad87de4a3f92272ff1355c5d5.
  • Indirect deposits to Binance at 0x2ea4979bb1fc2e0314fadc6893c75a5986d3bc00 and 0xc2c40013e24286a78ba8d8d55146727323cde1f3 via single-use intermediary wallets.
  • Multiple deposits via single-use intermediate wallets to 0xfde0e8207f0d29a659f318ffc0fa3e3eb1b4341a, which by all appearances belongs to a service that itself uses Binance with a deposit address at 0xe460167a64abc859869cc037caee2a3ab0ebfe70. There are further deposits via single-use intermediary wallets (likely belonging to the same service) to the same Binance address coming from the Consolidation Wallet. The same service also uses Huobi with a deposit address 0xbfc8a7da31c82a8a53ca34ae7969b8fbbe6bf86d.
Outgoing transactions from the Hacker’s Wallet provide plenty of potential attribution points for law enforcement to follow up on. (graph created with BlockSeer)

Note that none of these exchange accounts necessarily belong to the hacker, and some of them clearly don’t. Nonetheless, they provide a strong point of attack, and as investigators, we would immediately lay out this situation to law enforcement and ask for them to contact these exchanges to acquire information about the owners of these accounts, who are either suspects or services that the hacker used and that may have information about him or her.

Incoming transactions to the Consolidation Wallet, on the other hand, paint a picture indicative of a greater number of victims (such as the transaction leading to the Consolidation Wallet being the last outgoing transaction from the source wallets), and again provide multiple exchange connections, which could be either compromised exchange accounts, or exchange accounts withdrawing to a wallet that was later compromised. Again, law enforcement would be able to obtain contact data from exchanges, and communication with other victims may provide further insight into the way the theft was perpetrated.

This graph has the appearance of a typical case of hackers consolidating funds from multiple victims of malware or phishing, indicating that Al Maawali was likely one of several victims.

Note that the transactions into the consolidation wallet are spaced out in time, which fits the hypothesis of malware spreading around. If, on the other hand, a Google employee had somehow managed to access Coinomi seed phrases in (hypothetical) stored rejected API requests, it would most likely be a one-time event with several wallets being compromised at once. Most crucially, however, the first two incoming transactions into the Consolidation Wallet happened in October 2018, well before the Coinomi desktop app was even released (which was December 31 2018).

ETH Tokens

The Hacker moved all tokens from Al Maawali’s hacked ETH address to 0x241eb1560fd282f06ec59c0dab913b6a9034af5a, where they were sitting for a while.

This wallet was recently funded from the Hacker Wallet with 0.045 ETH, in addition to receiving about 60 ETH in withdrawals from HitBTC. The tokens were then sent on to single-use wallets, where they are still, with the exception of Blockport tokens which were deposited to Kucoin at 0x4da99b6038a3ea89c81b19c4b159cd382bff8ff7. This, again, is a capture point eminently usable by law enforcement, and proper monitoring of the hacker’s wallets might even have enabled freezing of the funds on the exchange.

Towards the end of closing out this report (between May 15th and 16th,) the person controlling wallet 0x241eb1560fD282f06eC59C0DaB913b6a9034AF5a sent varied ERC-20 tokens to other wallet addresses.

These outbounds include a current destination of KuCoin while other assets are dormant. KuCoin (as well as any other applicable exchange for this matter) would have account information available for law enforcement if requested.

The same wallet also receives several inbounds from HitBTC.

These inbound Ethereum transactions could be indicative of further compromised accounts or a consolidation of assets after the individual responsible liquidated other asset types on HitBTC.

LTC

Al Maawali’s Hacked Wallet: LSLSFXsQrGipH2wtkhgoKdDurJCAMNGXTi

Hacker’s Address: MR7ugXbnB4knarmWexGPETbnmSDijmtYSj

6.53 LTC were found to have reached the Hacker’s Address, which were then sent on.

  • 6 LTC were sent on to MT7jfqs6RJvXPnTk3FrKkMcTFtudAzDNKS, which sent them on in three outputs:
    - 1.35 LTC to YoBit at LfG8DAhXTRrwAvANxHkXp9gTXohZesGxts
    - 1.33 LTC to LS3xpKU8YsQSm76tqghT2fsfxaavGNcrAP
    - 3.32 LTC to MKmXDiuBVem1qP94M8XvsRstwsCuunHLHk (member of a large cluster of unclear nature, likely belonging to an unidentified exchange)
  • Change of 0.53 LTC was sent to MKgNM5r39cBJJRbiCd5A6yyzwzFExZ52f5. Together with an input from from MPveYx3s5gXWGLLanKPKD4be7tLZRKUAGd, a transaction of 15 LTC was made to Binance at LYakzX2jTNPfRESq5Vye3EQzY1TFUG9cXf.
  • Interestingly, the funds in MPveYx3s5gXWGLLanKPKD4be7tLZRKUAGd can be identified as change from two transactions from connected wallets to a large wallet cluster of unclear nature — possibly an exchange or service of some sort -, which were ultimately funded by a withdrawal from Binance. Given the pattern of coin spending we see, it is exceedingly likely that the account from which this withdrawal was made is also controlled by the hacker.
  • Change of 17.34 LTC from the Binance deposit transaction went to MMQ8VUFQCJkT4WwGfaQKv5a3wnD3tgHrKU. Following the trail of change further, we can find two more attribution points: a transaction to Coinpayments and one to Huobi.pro.

Note that all these attribution points can be found with publicly available tools, such as https://chainz.cryptoid.info/ltc/ and could already have been included in a report of the crime to law enforcement. Even from this cursory look, the case does not present an unsolvable face.

BTC

Hacker’s Wallet: 15BtjrCKuUkUTb9XmaoLrjeNrAGkTn3cCL

Al Maawali’s Hacked Wallet: 16bGvnMSNEPPpsoye2btfUpq51gi5UaJej

Al Maawali’s Hacked Wallet is part of a cluster he has had in use since 2014. In light of the information published by him and the transaction timestamps from this cluster, the transaction of 3.75 BTC from 16bGvnMSNEPPpsoye2btfUpq51gi5UaJej to the Hacker’s Wallet indeed constitutes the entirety of the hack at issue.

Prior to the hack, outbound transactions from Al Maawali’s wallet generally reached an exchange or business’ wallet within one or two hops; the chain of transactions starting with the Hacker’s Wallet, however, does not reflect a similar style and represents a mixing service that was used in an attempt to obfuscate the trail. This is identified via numerous indicators, including a disproportionately large mixture of terminal exchange destinations, outbound transactions from wallets 3+ hops in with various receiving addresses such as dark web markets, and transaction times.

BCH

The stolen funds were moved to qqq4t85vlgw9x20czjvd0ayryv20d2dtpq4rjuh8ue, where they are still sitting at the time of this writing. From the information available to us, it is not entirely clear whether qzx84dlq2y7p5ce30dqfdp3efaga6vhvhcsgd2yhkh — the address which funded the above — also belongs to the hacker or whether it is Al Maawali’s hacked address, which, however, makes no difference.

Blockchain Forensics Summary

By no means does this rudimentary analysis of the blockchain trail regarding this incident constitute a thorough treatment, but even so it establishes several key observations:

  • Events on the Ethereum chain in particular show a pattern generally indicative of asset movement from multiple victims of spreading malware/phishing — a pattern than initiates well before the Coinomi desktop app was even published.
  • While BTC flows are relatively obscured in a manner that would likely require a much more sophisticated analysis to trace, strong attribution and capture opportunities are provided especially by LTC, but also ETH, and ERC20 tokens, which could easily be followed and exploited by law enforcement.
  • BCH is still dormant, and ERC20 tokens were for a considerable time and are now being sent to exchanges. Were the case properly reported and wallets monitored, interception of these assets at exchanges might have been (and partly still be) possible.

Off-Chain Forensics and Cyber Incident Response

Criminal attribution — the determination of the identity of the culprit — is a crucial factor in any cybercrime case, and is usually accomplished by a combination of approaches.

Blockchain forensics, as indicated above, are often a first step. Perpetrators’ laundering attempts are often of limited sophistication, and connections with exchanges or other services are, for the trained eye and with appropriate tools, frequently relatively easy to uncover. A timely reaction can ensure that funds are frozen in the associated exchange accounts, and even failing that, exchanges can provide valuable data to law enforcement that can help pinpoint the perpetrator.

Additionally, however, there are multiple types of off-chain forensics that are essential. Their precise nature varies case by case, but could include raw .eml files from e-mails, chat logs, or a phishing site or suspicious file or program submitted for analysis. For that reason, it is fundamental to always create a full backup of any implicated device for a potential forensics review.

As someone working on a privacy-centric Linux distribution, Al Maawali is surely familiar with such notions, and, if acting in good faith, can be expected to have retained appropriate data copies. Of course, none if this is to suggest that he should publish his device backup, browser history, or any personal account credentials; but they can nonetheless be essential for law enforcement, and for them to be confirmed harmless would strengthen his own case against Coinomi. We therefore challenge Al Maawali to provide CipherBlade with a device backup and browser history for analysis, and would be happy to sign an NDA or take other measures required to make him comfortable doing so.

How To Proceed When Your Cryptocurrency Is Stolen

We observe that victims of keyloggers, phishing sites, and the likes often do not file law enforcement reports. This may be due to a lack of knowledge of where to report these incidents or (more typically) a belief that the amount of assets stolen is too low for it to be worth reporting. The lack of reporting of these incidents is a negative feedback loop which enables the perpetrator(s) of such crime to continue to operate. If individuals befallen by this type of crime, regardless of the level of asset loss, reported these incidents to authorities, it would provide investigators with valuable intelligence that could lead to the takedown of the perpetrator(s) of the incident (and, in likelihood, other incidents as well).

Hence, upon the realization that assets have been stolen from you, an absolute must is filing a law enforcement report in your respective jurisdiction. Note, however, that this is not without pitfalls: even among the incidents that are reported, the vast majority is presented in a way that does not provide law enforcement professionals with sufficient information to act on, frequently omitting essential data (such as wallet addresses, or, in a case like this, a device backup), which may result in the case never reaching a desirable conclusion or, in the worst case, even being taken up in the first place.

Law enforcement around the globe is still adapting to the unique challenges of cryptocurrency theft, and the amount of trained personnel, as well as their level of training, is unfortunately far below the current industry needs. Nevertheless, law enforcement professionals are doing their best, despite often being thrown into such cases with minimal relevant training. While some individuals, with the right background and training, may be able to compile and present in a suitable format the relevant information law enforcement would require to take action, many cryptocurrency hobbyists and investors may not be as knowledgeable. In this case, consulting with a firm such as CipherBlade, or, at a minimum, soliciting advice and conducting the proper research in order to collect the information for a sensible and actionable law enforcement report, are the appropriate steps to take when faced with an incident like the one Al Maawali experienced.

Victims of cryptocurrency theft should, under no circumstance, presume they know who or what is responsible for their theft. Fraudsters exist at various levels of sophistication and may be quite skilled at covering their tracks or even providing false trails to deceive victims and armchair investigators, and a lack of requisite experience makes one liable to be confused or altogether misled by what one sees on a blockchain explorer website. Furthermore, reluctance to admit (to oneself or others) one’s own mistakes that could have led to a security breach is not to be underestimated as a psychological factor.

Even in the event that a victim of cryptocurrency theft is, indeed, correct in their conclusions, involvement of law enforcement is essential to achieve a favorable resolution. Not only are many kinds of data easily obtained by law enforcement, but inaccessible to the average (or even the well-connected) citizen — exchange account data being a prime example, as many major exchanges are happy to comply with legal requests, but are, in fact, prevented by regulations from giving out information without law enforcement contact. But even in the event that the perpetrator can be identified without such, a private individual’s means for actually effecting seizure or return of assets as minimal, and attempts to deal with criminals directly are liable to be executed with a lack of skill and hence remain ineffective.

A well-written law enforcement report, providing ample data for authorities to take the necessary steps, would usually require no more than three hours of time from an affected party in a case similar to Al Maawali’s. Despite this, we see on a daily basis attempts by individuals to take matters into their own hands in one way or another, resulting in countless hours of wasted time and effort that lead nowhere as they not infrequently (as in this case) get stuck on a wrong-headed path.

Therefore, we also challenge Al Maawali to provide any form of proof that he contacted authorities regarding this incident, and extend the same offer of signing an NDA. If we receive such proof, we will be happy to donate a few hours of our team’s time to assist law enforcement professionals in the jurisdiction the report was filed as an external consultant for this case. Our assistance to law enforcement on cases like this often expedites investigations and asset recovery, and there is far more demand than supply for this assistance, for which reason we usually take on only cases with significantly greater amounts of money lost. If Al Maawali really wants his money back, and has been truthful this entire time, he should jump at this offer.

Disclaimer

CipherBlade’s review of this situation was requested by Coinomi, and we were compensated for our time. Our conclusions, however, are independent and have not been influenced by this fact.

First, the security of our industry is our primary concern, and had we judged it likely that the Coinomi wallet bug was, indeed, responsible for a loss of funds, or had we determined that Coinomi handled the situation inappropriately, we would have taken no shame in publishing our findings to that effect, no matter their protests.

And second, the fact that Al Maawali’s course of action is improper and ineffective is entirely independent of the question of the cause of his loss of funds. For it to be called out as such is not only in Coinomi’s interest, but also in the interest of every other person and company in the cryptocurrency world.

--

--