How (Not) To React When Your Cryptocurrency Is Stolen

The Al Maawali/Coinomi Dispute

  • There are multiple factors to be observed that make it extremely unlikely that the Coinomi wallet bug was, in fact, the cause of Al Maawali’s loss of funds, and malware infection is much more likely.
  • Regardless of how the theft happened, the case presents multiple promising angles of attack that law enforcement, liaising with exchanges or other entities, could follow up on, were the case to (have been) reported in the proper fashion and in a timely manner.
  • The often incoherent nature of Al Maawali’s statements, which could easily constitute grounds for a defamation suit in many jurisdictions, makes it difficult to believe that they are motivated by a genuine desire to alert the public to a real risk, as they are more easily understood as an attempt to pressure the company into compensating him for his loss. This is an unproductive and ineffective course of action, and more could have been achieved if the same amount of effort (and, indeed, money —he paid for a Google Ads campaign purely to defame Coinomi) had been directed elsewhere.
  • Despite having no obligation to do so, Coinomi offered to utilize their own resources to assist Al Maawali with blockchain forensics (a time-intensive and often expensive endeavour) and in blacklisting addresses with exchanges. Coinomi had no liability to assist Al Maawali with this incident. These efforts exceed those made by many exchanges and ICOs after breaches, which actually have subsequent responsibility. Al Maawali’s misplaced sense of entitlement and misconceptions about responsibilities in a situation like his, as evidenced (among other places) in his support ticket correspondence with Coinomi, are a recurrent theme throughout this entire chain of events.

The Reported Coinomi Vulnerability

Cursory Blockchain Forensics


  • A direct deposit to Binance at the deposit address 0xa8d100f62dab0c7ecb156cf477bdcf96ed3a80dd.
  • A direct deposit to what is most probably at 0xcefcf283bf71054ad87de4a3f92272ff1355c5d5.
  • Indirect deposits to Binance at 0x2ea4979bb1fc2e0314fadc6893c75a5986d3bc00 and 0xc2c40013e24286a78ba8d8d55146727323cde1f3 via single-use intermediary wallets.
  • Multiple deposits via single-use intermediate wallets to 0xfde0e8207f0d29a659f318ffc0fa3e3eb1b4341a, which by all appearances belongs to a service that itself uses Binance with a deposit address at 0xe460167a64abc859869cc037caee2a3ab0ebfe70. There are further deposits via single-use intermediary wallets (likely belonging to the same service) to the same Binance address coming from the Consolidation Wallet. The same service also uses Huobi with a deposit address 0xbfc8a7da31c82a8a53ca34ae7969b8fbbe6bf86d.
Outgoing transactions from the Hacker’s Wallet provide plenty of potential attribution points for law enforcement to follow up on. (graph created with BlockSeer)
This graph has the appearance of a typical case of hackers consolidating funds from multiple victims of malware or phishing, indicating that Al Maawali was likely one of several victims.

ETH Tokens


  • 6 LTC were sent on to MT7jfqs6RJvXPnTk3FrKkMcTFtudAzDNKS, which sent them on in three outputs:
    - 1.35 LTC to YoBit at LfG8DAhXTRrwAvANxHkXp9gTXohZesGxts
    - 1.33 LTC to LS3xpKU8YsQSm76tqghT2fsfxaavGNcrAP
    - 3.32 LTC to MKmXDiuBVem1qP94M8XvsRstwsCuunHLHk (member of a large cluster of unclear nature, likely belonging to an unidentified exchange)
  • Change of 0.53 LTC was sent to MKgNM5r39cBJJRbiCd5A6yyzwzFExZ52f5. Together with an input from from MPveYx3s5gXWGLLanKPKD4be7tLZRKUAGd, a transaction of 15 LTC was made to Binance at LYakzX2jTNPfRESq5Vye3EQzY1TFUG9cXf.
  • Interestingly, the funds in MPveYx3s5gXWGLLanKPKD4be7tLZRKUAGd can be identified as change from two transactions from connected wallets to a large wallet cluster of unclear nature — possibly an exchange or service of some sort -, which were ultimately funded by a withdrawal from Binance. Given the pattern of coin spending we see, it is exceedingly likely that the account from which this withdrawal was made is also controlled by the hacker.
  • Change of 17.34 LTC from the Binance deposit transaction went to MMQ8VUFQCJkT4WwGfaQKv5a3wnD3tgHrKU. Following the trail of change further, we can find two more attribution points: a transaction to Coinpayments and one to



Blockchain Forensics Summary

  • Events on the Ethereum chain in particular show a pattern generally indicative of asset movement from multiple victims of spreading malware/phishing — a pattern than initiates well before the Coinomi desktop app was even published.
  • While BTC flows are relatively obscured in a manner that would likely require a much more sophisticated analysis to trace, strong attribution and capture opportunities are provided especially by LTC, but also ETH, and ERC20 tokens, which could easily be followed and exploited by law enforcement.
  • BCH is still dormant, and ERC20 tokens were for a considerable time and are now being sent to exchanges. Were the case properly reported and wallets monitored, interception of these assets at exchanges might have been (and partly still be) possible.

Off-Chain Forensics and Cyber Incident Response

How To Proceed When Your Cryptocurrency Is Stolen




-- — Blockchain Investigation, Forensics & Cybersecurity

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Here’s our 248 AMA recap!

The Bitcoin Must Return To The Original Vision Of Its Creator Satoshi Nakamoto

Greener Days Are Coming — 4 Reasons To Be Optimistic About Bitcoin for the Next Months

Stablecoins: The Aftermath

SmartMesh Weekly(2019.11.4–2019.11.8)

What are NFTs and why are people buying them?

An image that looks like a still from a metaverse.

Fidelis fintech

Ledger Nano X Review (2019) | The “Best” NEXT-GEN Wireless Hardware Wallet? — Bitcoin Lockup

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

CipherBlade — Blockchain Investigation, Forensics & Cybersecurity

More from Medium

Coinbase Analyst Spells Bull Case: Forcasts $1.26B Additional Revenue From NFTs Alone

*TK What is Crypto Payments? How does it work?

The Pros and Cons of Using a 1031 Exchange

9 Video and Book Recommendations to Start Your Crypto Journey