Disclaimer: The information provided on this webpage is based on personal experiences and independent research. It is not intended as legal or professional advice. Readers are advised to seek independent legal counsel before making decisions based on the information provided here.

If you believe you have been a victim of a similar situation, it is strongly recommended that you seek legal counsel. Every situation is unique, and a legal professional can provide advice tailored to your specific circumstances.

Video Announcement

Please first watch my official video response to Coinomi’s “Spell Check” scandal before you continue reading:


Table of Contents

First Statement

Second Statement

Third Statement


Based on my personal experience and careful research, I've discovered potential security vulnerabilities with the Coinomi multi-asset wallet. Its design could lead to plain-text passphrases being sent to a third-party server for spell-checking, potentially compromising the security of your digital assets. In my case, I believe this issue led to a loss of approximately $60K-$70K worth of cryptocurrency.

During the process of investigating this issue, I encountered CipherBlade, a company with a limited history that is potentially operating through a chain of offshore shell companies. This company also publicly disclosed my private cryptocurrency wallet addresses without consent, a clear violation of privacy norms.

In light of these experiences, I urge anyone using or considering using Coinomi or engaging CipherBlade's services to be aware of these potential risks. Despite the claims of both companies, critical scrutiny is advised before engagement.

For a deeper understanding, please review the following links:

Articles detailing CipherBlade's questionable practices:

  • Blockchain analytics firm CipherBlade steps in to launder ShapeShift’s image" by Amy Castor: Link here​
  • The case of CipherBlade, ShapeShift’s PR saviour" by Ben Munster: Link here​
  • ShapeShift and CipherBlade: money laundering accusations, and shells within shells" by David Gerard: Link here​

Based on my experiences, I would caution potential users to carefully consider the potential risks before using Coinomi. This post provides further details to help understand my concerns.

The Incident

In retrospect, I acknowledge that it may not have been wise to place trust in the Coinomi wallet by using it with my Exodus wallet passphrase. This decision was based on the fact that I downloaded the software directly from the Coinomi website, the setup file was digitally signed, and the wallet had been mentioned by several reputable websites, such as bitcoinwiki.org. My aim was to transfer assets that were not supported by the Exodus wallet, using the same passphrase/seed.

The incident occurred on 14th February 2019. Upon downloading and installing the Coinomi application (Windows version), I observed that while the setup file was digitally signed, the main application was not signed after the installation process had been completed.

I publicly contacted Coinomi via Twitter (@warith2020) about this issue, and they acknowledged it. Subsequently, they uploaded a new version with the main application signed. By this point, I had already entered my Exodus wallet passphrase into the Coinomi application.

On 22nd February 2019, I discovered that a significant proportion (over 90%) of my Exodus wallet assets had been transferred to various wallet addresses. The first transaction, involving Bitcoin (BTC), commenced on 19th February 2019 around 3:30 am UTC. This was followed by transfers of Ethereum (ETH), including ERC20 tokens, Litecoin (LTC), and finally Bitcoin Cash (BCH).

Technical Analysis

I began by retracing my steps and analysing the sequence of events. The only new action I had taken was the installation and use of the Coinomi wallet. This led me to my initial hypothesis: the unsigned version of the application might contain a backdoor.

Subsequently, I conducted a more thorough investigation, comparing both the unsigned and signed versions of the setup file. The only difference between the two was the addition of a digital signature to the main executable file and the Java file (the main application).

At this point, I suspected that there might be something amiss with the application, beyond the lack of a digital signature on the main executable. To test this theory, I replicated my actions in a new virtual machine, this time installing "Fiddler," a software tool that enables the monitoring and debugging of HTTP/HTTPS traffic from all applications running on a machine.

While running Fiddler in the background, I started the Coinomi wallet. The first thing I noticed was that the Coinomi application began to download a dictionary wordlist from the following web address:

When I clicked on 'restore wallet' and pasted a random passphrase, an alarming discovery was made: the entire passphrase, in plain text, was sent to googleapis.com—a domain owned by Google—as part of a spell-check function! Here is a screenshot of the HTTP request for reference:

To substantiate my findings, I have uploaded a video, allowing anyone to test and replicate what I did:

Anyone can verify this by pasting any random sentence with a spelling mistake into the textbox in Coinomi's 'Restore Wallet' page. It will be underlined with a red line after being sent in clear text to googleapis.com.

Technically speaking, Coinomi's core functionality is built using the Java programming language. The user interface is designed using HTML/JavaScript and rendered using an integrated Chromium-based browser (Google's open-source project).

The whole process uses JxBrowser to build cross-platform applications. And before anyone (like Coinomi's CTO) suggests this is an issue with JxBrowser, they acknowledged this spell-checking behavior on their website back in 2016 and provided instructions on how to disable it:

In essence, the textbox where you enter your passphrase is actually an HTML file run by a Chromium browser component. Any text typed or pasted into this box is instantly and discreetly sent remotely to googleapis.com for spell-checking.

The consequence of this flaw is that someone—potentially a member of Google's team or anyone else with access to the HTTP requests sent to googleapis.com—was able to find the passphrase and use it to steal my crypto assets worth approximately $60K-$70K at the current market price. It's widely known among those involved in technology and cryptocurrency that a sequence of 12 random English words separated by spaces could well be a passphrase for a cryptocurrency wallet.

Coinomi’s Response

It appears that the team behind Coinomi may have either overlooked a significant security flaw or possibly, though it seems less likely, intentionally incorporated a backdoor into their software.

Upon learning about the potential for a deliberate backdoor and considering recent news about a founder of a cryptocurrency exchange who had sole access to crypto assets prior to a suspicious death, I began to wonder about the intent behind the flaw in Coinomi's system.

Throughout our exchanges, the Coinomi team seemed primarily concerned about their public image and the technical details of the bug, rather than the consequences of the security flaw. Despite my urging them to acknowledge the issue, they appeared to dismiss the severity of the situation and its impact on my stolen cryptocurrency assets. The team reminded me of potential legal implications if I were to share this information publicly, while seemingly neglecting their own responsibility in the loss of my assets and the potential risk posed to other users.

I noticed that Coinomi's team seemed to have deleted their response to my tweets about their unsigned main executable, which they had previously confirmed was an issue. Their lack of response to my requests can be seen in these screenshots:
This behavior raised my suspicions about their intentions and their willingness to be transparent about potential issues with their wallet.

Before I publicly disclosed my findings, I sent a comprehensive report to Coinomi, giving them ample time to respond. Their CTO assured me that he would review the report promptly. However, it took several hours longer than promised for them to download the report. Screenshots of our private conversation can be seen here:
https://avoid-coinomi.com/files/coinomi_cto_private_messages.pdf and https://avoid-coinomi.com/files/cto_chat.zip.

Given the urgency and severity of the situation, their response time struck me as surprisingly lackadaisical. This is not the first time Coinomi has been accused of such behavior. Luke Childs previously reported a security vulnerability in Coinomi's software, and it appears that their response was similarly dismissive, as documented here:
https://bitsonline.com/coinomi-vulnerability-respond/ and https://imnotdead.co.uk/blog/coinomi.


In summary, for the purpose of further investigation, here are the key events:

  • On February 14, 2019, I entered my passphrase into the Coinomi wallet for the first time. This passphrase was subsequently sent to googleapis.com.
  • Between February 14 and February 19, 2019, an individual who had access to the data sent to googleapis.com - potentially an employee of Google - processed the data that included my passphrase.
  • On February 19, 2019, beginning at approximately 3:30 am UTC and continuing for about 15 minutes, my cryptocurrency assets were stolen. By the end of this period, 90% of my assets had been taken. The remaining assets were left untouched because these particular assets were supported by the Exodus wallet but not the Coinomi wallet - a detail that could be seen as more than coincidental.

For clarity, it's important to note that I took extensive precautions to keep my passphrase and wallet secure. I utilized a separate, isolated virtual machine equipped with anti-virus/anti-malware software and a firewall. I have been using other wallets on the same virtual machine for years, and until this incident, nothing had been stolen. The only wallet that was compromised was the one in which I had recently used my passphrase - the Coinomi wallet.

What's Next

I am considering initiating legal action against the company responsible for Coinomi if they do not acknowledge and take responsibility for this issue. The company is registered in the United Kingdom as 'Coinomi LTD'. If anyone else has experienced a sudden loss of crypto assets and has used the Coinomi wallet, your case could be relevant. Interestingly, Coinomi claims on their website that, 'Most importantly, no Coinomi wallet has ever been hacked or otherwise compromised to date.' This claim appears to be contradicted by my experience.

It's important to note that potentially all desktop versions of the Coinomi wallet may be affected. I cannot confirm whether the mobile versions are also affected. The individual or group capturing passphrases may be selectively targeting wallets with substantial assets in an attempt to maintain a low profile.

For reference and verification, I have uploaded copies of the latest version of the Coinomi application. This is to ensure availability of the versions in question, even if they are removed from official sources:

  • Download the UNSIGNED version (this is evidence that the main application was not originally signed)
  • Download the SIGNED version (this version demonstrates that the wallet sends passphrase to a remote server)
  • Screenshot of the SHA256SUM hashes before the patch

Final Thoughts

This ordeal has proven to be a costly and emotionally taxing learning experience, and I share it in hopes that others may avoid a similar fate. From this, I've gleaned the following lessons:

  • Be wary when entrusting any multi-asset crypto wallet. Make sure they have undergone an external security audit by a reputable third-party, and that this audit is publicly accessible.
  • Exercise caution when dealing with Coinomi and your hard-earned cryptocurrencies. In my experience, they did not assume responsibility when issues arose.
  • Be careful when entrusting sensitive information to Google services/products. They have a vast amount of control over data, and it appears that their policies may not be stringent enough to prevent misuse of data by employees or others with malicious intentions.

I want to reiterate the purpose of this publication:

  • To raise awareness among users who are using or have used the Coinomi wallet.
  • To demand restitution for my stolen cryptocurrency assets from Coinomi, either in the form of cryptocurrency or fiat currency. The longer they delay, the greater the potential value of the assets.
  • To urge Google to initiate an investigation into this issue. I believe this to be a serious matter, not only in terms of my stolen cryptocurrency assets but also in terms of user privacy and the potential malicious use of data by Google employees or others with access to this data.

Finally, I encourage readers to share this information to increase awareness. I firmly believe that this will help protect hundreds of thousands of crypto assets and enable many users to safeguard their hard-earned cryptocurrency assets.

In the future, if you need to spell check your passphrase/seed and ensure it adheres to the English dictionary, think twice before using Coinomi wallet.

Second Statement Overview

Coinomi, under the pressure of the community (to whom I extend my special thanks), has finally released an official statement concerning the incident. You can find their statement at this link (I've also provided a screenshot for reference):


Firstly, I wish they would display the same level of transparency that I have shown by publishing my responses on their social media channels, allowing readers to make their own judgements based on both sides of the story.

I had anticipated that Coinomi's official statement would be lacking in some areas, but I did not expect it to be as inadequate as it turned out to be. However, it seems to be a clear reflection of the mentality behind their proclaimed "never been hacked" wallet.

I will now address their official statement, quoting and providing screenshots of parts of their response. This seems necessary, given their tendency to delete their posts.

Coinomi’s Statement

Starting with their announcement title:


Referring to this severe security issue as merely "findings" is not only misleading, but it also demonstrates an evasion of responsibility. Coinomi appears to be hesitant to label this issue as a critical vulnerability, even though its seriousness extends beyond just 'critical.' In the field of information security, vulnerabilities are typically ranked according to their severity: Low, Medium, High, or Critical. Given the gravity of this situation, I propose that the information security community introduce a new ranking - the "Coinomi Level," which would denote the highest level of severity.

Going to the next statement:


"The seed phrase wasn’t being transmitted in plain text, instead it was being encapsulated inside a HTTPS request with Google being the sole recipient"

When I mentioned that my passphrase was transmitted in plain text, I was referring to the fact that it reached Google API servers without any form of encryption. It is essential to understand the difference between transmitting data through a secure tunnel (as is done with HTTPS) and actually encrypting the data before transmitting it.

Hypothetically speaking, if Coinomi had encrypted the passphrase prior to sending it to Google, then even if this data was transmitted via HTTP (without SSL/TLS), it would still have reached the destination in an encrypted format. The notion of securely transmitting my unencrypted passphrase to Google under the guise of taking all necessary security measures is rather amusing, if not alarming.

“The seed phrase wasn’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets”

Coinomi's statement is rather humorous, essentially implying, "This isn't a vulnerability because the issue only arises when the user chooses to restore their wallet. Otherwise, they would be safe." This suggests that, as a Coinomi user, you're not supposed to use the "restore your wallet" feature, and that this option exists solely to spell-check your passphrase against Google's dictionary.

"The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google"

Coinomi's claim is somewhat misleading. How can Google's API server respond with a "Bad Request" without first understanding the content sent to it? The screenshot Coinomi provided, showing Google's web service response, is actually from the perspective of the web application. A web application doesn't respond to a request until it first processes the data and determines its validity.

In reality, the situation might be much worse than Coinomi is implying. Google's API servers require a valid API Key to use their web services. In Coinomi's case, they sent the request using an invalid (unauthorized) API Key, causing Google's API server to treat the request as a bad request. This would likely alert Google's team to investigate the cause of the bad request. Upon seeing the 12 English words separated by spaces (which looks like a passphrase to a cryptocurrency wallet), they might start to question its origins. This situation becomes even more concerning if the server is managed by a third party or has been compromised.

In other words, if Coinomi had used a valid API Key, Google would have been obligated to handle the data more responsibly. This could potentially make anyone attempting to misuse the passphrase think twice.

Going to the next statement:


"Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only."

Claiming that this issue wasn't part of their "source code" is quite misleading, and it appears that Coinomi is attempting to evade responsibility. The JxBrowser component/plug-in is bundled with Coinomi’s wallet at the source code level, and developers have the ability to enable or disable any undesired feature of JxBrowser directly from the source code. Essentially, this was a feature that Coinomi misused, and it consequently turned into a critical security bug.

Coinomi’s team seems to be trying to divert the community's attention and place the blame on JxBrowser for their own mistakes. However, it's worth noting that JxBrowser clearly explained this default behavior in their documentation as early as 2016, and provided instructions on how to disable it:


The original link can be found here:

To make it simple for the readers, Coinomi could have avoided the “spell check” scandal with a single line of code:

It seems that the developers at Coinomi, whom they refer to as the "Code Gurus," did not take the time to familiarize themselves with the JxBrowser documentation. It is puzzling why they even chose to use JxBrowser in the first place. The core functionality of the Coinomi wallet is already based on the Java programming language, which inherently provides cross-platform compatibility. There should have been no need for a third-party component like JxBrowser. The likely explanation is that they were too lazy to develop the UI natively in Java and opted for a quick and hasty solution to release the Desktop version promptly, possibly disregarding proper quality assurance testing, assuming it was conducted at all.

The interesting aspect of the "spell check" vulnerability, when viewed from a legal perspective, is that it could be considered a "feature" or, more specifically, a hidden feature. Coinomi did not disclose this feature anywhere in their "Terms of Use," their wallet application, or their documentation.

Now, let's discuss the terms and conditions of using the Google API. You can find these terms in the following links:

Quoting some of their terms:

coinomi coinomi

It is evident that Coinomi has violated several terms and conditions in their actions. For instance, they utilized the Google API without a valid API Key, which constitutes (unauthorized usage) usage, and they failed to inform their users about this practice. In essence, they deceived Coinomi wallet users by implementing a hidden "spell check" feature that relies on Google API servers to verify their passphrases/seeds.

Coinomi stated in their official announcement that the data they sent to Google API servers were not “processed, cached or stored”. Don’t take my words for it and let’s see what Google says in their terms:


Based on our analysis, it can be concluded that the utilization of Google API to "spell check" users' passphrases/seeds was a hidden feature that was not disclosed in the "Terms of Use" that I agreed to before installing the application. Had I been aware of this feature, I would not have used the application unless my intention was specifically to enhance my passphrase vocabulary. The omission of this information deprived users of the opportunity to make an informed decision about the potential risks associated with using the application.

It appears that there is a need for a change not only in their CTO but also in their legal representation.

Support Ticket Deception & Privacy

First and foremost, the public disclosure of my support ticket is a blatant breach of my privacy as a client. It contained confidential information pertaining to my case, including my personal crypto-currency addresses and the destination crypto-currency addresses. Such sensitive information should only be accessible to the relevant authorities and the parties directly involved in the case.

Furthermore, it is perplexing that Coinomi would label me as a "blackmailer" in their official statement, considering the fact that I willingly provided them with my personal wallet passphrase/seed. If my intention were to engage in fraudulent activities, why would I voluntarily share such sensitive information with them? I am relieved that I transmitted my passphrase/seed through an encrypted channel, as it appears that they would have been willing to publish it otherwise.

Additionally, it is worth noting that Coinomi failed to upload the entire support ticket and conveniently deleted the portion where they acknowledged that my assets were indeed stolen. They also stated their intention to blacklist the addresses associated with the stolen assets, in an effort to prevent the perpetrator from utilizing the assets on exchanges. This selective deletion of information raises questions about their transparency and willingness to address the issue at hand:

You can download the full support ticket from here (sensitive information blurred):

Key Facts & Evidences

I will recap the events to understand why I was affirmative with my conclusion that my assets were stolen because of Coinomi wallet and not because any other reason:

  • Downloaded and installed Coinomi wallet on 14th February 2019.
  • Pasted Exodus wallet passphrase/seed into Coinomi's wallet on the same day.
  • Opened a new Coinomi wallet with a different passphrase and transferred crypto assets from an exchange to the wallet.
  • Crypto assets were stolen on 19th February 2019.
  • The only compromised wallet was the Coinomi wallet where the Exodus passphrase was pasted.
  • Multiple wallets on the same virtual machine were not affected.
  • Assets in the new Coinomi wallet were not stolen.

Based on these facts, it is evident that the only wallet that was compromised was the Coinomi wallet into which the Exodus passphrase was pasted. This wallet had a vulnerability or feature that allowed spell checking of passphrases/seeds using Google API servers.

Misleading, Contradictory & Unprofessional Tweets

The team behind Coinomi made significant efforts to mislead the community by disseminating false information. I have gathered several screenshots of their tweets to shed light on the questionable practices employed by the company and to provide the community with a clearer understanding of the nature of this organization:

Patient Zero

In their official statement, Coinomi argued that they had received no reports of hacked Desktop wallets, using this as a justification. However, it is important to note that there have been multiple reports on Reddit of stolen assets from Coinomi wallets. Despite this, I would like to outline several reasons why I may have been one of the first victims of this incident:

  • The Desktop wallet is new and it's less than 3 months old (announcement screenshot).
  • Desktop users are a lot less compared to the mobile version of the wallet.
  • To trigger the bug, the user has to restore his wallet.
  • My address had decent amount of crypto assets that attracted the criminal who stole my crypto assets.

Who’s Behind Coinomi?

It appears that the team behind Coinomi, particularly the management, is evading responsibility and operating in secrecy. I am providing a list of individuals involved so that the community can recognize them if they are associated with any future projects or if they decide to rename Coinomi to something like "Spell Checker." Their actions have had a detrimental impact on the cryptocurrency ecosystem, as they lack credibility and professionalism.

Final Thoughts

Based on my second statement and the YouTube video I shared, I am confident that I have presented all the relevant facts and evidence to support my claims regarding the theft of my cryptocurrency assets. I have also provided clear evidence that demonstrates Coinomi's lack of credibility.

Since Coinomi continues to refuse to take responsibility for my loss, I have no choice but to pursue legal action against them. If they insist on taking the hard path, so be it.

To the person who stole my cryptocurrency assets, I want to convey this final message. The situation is escalating, and legal investigations will soon commence. You still have an opportunity to rectify your mistake and return the assets to the following addresses:




ETH (including ERC20 tokens):

Third Statement Overview

Coinomi made desperate attempts to salvage its tarnished public image following the “Spell Check” scandal. Despite their unsuccessful social media tactics, they resorted to hiring a third-party company called CipherBlade to defend them and discredit my case against them.

It is important to note that Coinomi has a history of engaging in cheap practices (check my previous statements), as I have previously mentioned. In this instance, they went so far as to employ CipherBlade, a company with minimal experience and no established track record, in an attempt to whitewash their wrongdoing. I urge you to read the entire statement from CipherBlade to understand the extent of Coinomi's cheap tactics.

In their report, CipherBlade concluded that my funds were stolen due to malware on my machine and not as a result of Coinomi's "Spell Check" hidden feature that transmitted my seed/passphrase to a third party in plain text. Despite claiming impartiality, CipherBlade ignored several crucial facts and attempted to mislead the community, much like Coinomi. It is worth noting that CipherBlade directly challenged me in their report, calling into question their claimed impartiality.

Furthermore, CipherBlade did not make any effort to contact me or verify the information from my perspective. This raises doubts about their alleged lack of bias in favor of Coinomi. It is evident to anyone with common sense that CipherBlade is making concerted efforts to launder Coinomi's public image, just as they previously did with ShapeShift.

A Reminder

First of all, let me remind you of the following tweet that Coinomi posted after my first statement:
Blockchain Analysis Firm Feedback

They stated that they hired a Blockchain analysis firm and they claimed that the funds were NOT stolen. I wonder, was it CipherBlade? How is it that they are now stating that the funds were indeed stolen?

Coinomi also mentioned in their their support ticket, before the issue became public, that they were collaborating with their partner "Chainalysis," another Blockchain analysis firm, and they claimed that they would blacklist the addresses involved. However, upon my own investigation and confirmation with several exchanges, it appears that no such blacklisting has occurred. This raises questions about what Chainalysis had to say about the incident. Were Coinomi's intentions to leverage the reputation of Chainalysis for trust and to mitigate the situation?

Coinomi also stated in their official statement that they have contacted Google, but there is no update regarding their claim since 27th February:


Furthermore, Coinomi has accused me of blackmailing them, suggesting that I intentionally sent the stolen crypto-currency to myself and falsely blamed them for my loss. However, it is contradictory that they now change their narrative and confirm that the funds were indeed stolen. These inconsistent statements and actions by Coinomi only serve to further undermine their credibility. They have propagated false information in an attempt to mislead the community, and they have resorted to hiring external entities to support their position. Such behavior raises serious doubts about the integrity and trustworthiness of Coinomi as a company.

Making Things Clear

CipherBlade was hired by Coinomi to write the report, and they clearly stated that in their report:


It is interesting to observe how Coinomi carefully chooses their words to present a more favorable picture. Their use of the phrase “we were compensated for our time” actually implies that they paid for the report. It is clear that CipherBlade was biased towards one party, otherwise, why would Coinomi invest money in a report that may not guarantee a favorable outcome and could be influenced by them. This raises doubts about the objectivity and independence of the report provided by CipherBlade.

Furthermore, CipherBlade disregarded the substantial evidence and facts presented in my initial and subsequent statements. Their report relied solely on assumptions, without considering the concrete evidence that my loss was a result of my seed/passphrase being sent to Google. Coinomi has a legal obligation to engage with Google and initiate an investigation, yet CipherBlade conveniently overlooked this crucial fact as it does not align with Coinomi's stance in this case. This selective omission raises doubts about the integrity and thoroughness of CipherBlade's analysis.

Despite CipherBlade's repeated suggestions in their report, I want to clarify that my objective is not to investigate or apprehend the individual responsible for the theft of my crypto-currency assets. Instead, my primary goal is to pursue legal action against Coinomi to seek compensation for my losses. The crux of the matter lies in the fact that Coinomi's software contained a concealed feature, undisclosed in their documentation and terms of use, which transmitted my seed/passphrase to a third-party server. This omission on Coinomi's part is the basis for my legal claim and pursuit of justice.

I didn't directly utilize Google API services; instead, I relied on Coinomi's wallet, which incorporates a feature that transmits the user's seed/passphrase to Google servers. Consequently, Coinomi bears legal responsibility for engaging with Google and pursuing the identification of the perpetrator. To illustrate, in cases where an exchange experiences a security breach resulting in the theft of users' funds, affected users typically initiate legal action against the exchange rather than the individual responsible for the breach. This is because users place their trust in the exchange to safeguard their funds, aligning with the principles outlined in Data Breach laws in the UK and Europe. It appears that CipherBlade may lack a comprehensive understanding of these laws, despite claiming to possess expertise in legal proceedings and advice.

Ironically, despite proclaiming themselves as a cyber-security firm, CipherBlade failed to recognize the severity of the "Spell Check" bug as a CRITICAL vulnerability in their report. Their oversight in acknowledging the gravity of the issue raises questions about their competence in the field. With that in mind, I sarcastically nominate CipherBlade as the epitome of excellence in the cyber-security industry (pun intended).

CipherBlade’s Report

When one encounters a case study report authored by a purported blockchain analysis firm, the natural expectation is for a technical analysis supported by substantial evidence. However, in the case of CipherBlade, their report primarily revolves around presenting negative arguments against me while offering favorable assumptions in favor of Coinomi. The report gives the impression of being drafted by a legal firm aiming to defend its client's interests (or possibly even written by Coinomi themselves).

Most of the arguments raised by CipherBlade in their report have already been addressed in my previous statements. However, I would like to emphasize and quote some of the false arguments that CipherBlade presented in their report to support Coinomi's position positively. It is important to examine these arguments in detail to expose their inaccuracies and misleading nature.

Quoting from CipherBlade’s report:


This is a clear example of CipherBlade contradicting itself. They acknowledge that digital signatures are used to verify the authenticity and integrity of a file, ensuring it has not been tampered with. In the case of Coinomi, the main executable files were not digitally signed, which supports my claim that there were security vulnerabilities. This inconsistency further strengthens the validity of my argument.

CipherBlade's claim that it is nearly impossible for a digitally signed installer file to contain a malicious executable file is a misleading and incorrect statement. It demonstrates a lack of technical and cybersecurity knowledge on their part. Digital signatures are meant to verify the authenticity and integrity of a file, but they do not guarantee the absence of malicious content. Malicious files can still be present within a digitally signed installer file, especially if the digital signature itself has been compromised or the file has been tampered with after the signing process. This statement by CipherBlade showcases their misunderstanding of cybersecurity principles and raises doubts about the credibility of their report.

A digital signature is used to build trust between the developer and the user by ensuring the integrity and authenticity of a file. However, it is important to understand that a compromised digital signature certificate can be used by an attacker to digitally sign malicious files on behalf of the original developer. Additionally, there have been instances where attackers have successfully modified executable files before the building process or during the creation of the final setup or installer file, even in cases where the application was digitally signed. These examples highlight the fact that a digital signature, while important, is not a foolproof guarantee of the security and trustworthiness of an application. It is crucial to implement robust security measures throughout the development process to detect and prevent such compromises.:
Powerful backdoor found in software used by >100 banks and energy cos.

Now, let me highlight a significant point to conclude this argument. The deletion of a tweet by Coinomi, where they initially confirmed the absence of a digital signature, raises suspicion and prompts questions about their actions. The removal of this tweet may give the impression that Coinomi is attempting to hide or alter previously acknowledged information. It is important to consider the implications of such actions, as they can impact the perception of the company's trustworthiness and credibility.
Screenshot of the tweet
Link to the original tweet

Moving to the next statement:


I have thoroughly addressed this argument in my second statement, providing a detailed explanation of why I believe I was likely one of the early victims. In that statement, I highlighted a crucial point that the desktop wallet I used was relatively new, with a lifespan of less than three months. Additionally, I presented other pertinent facts that support my claim. For further information and a comprehensive understanding of the circumstances, I invite you to review my second statement:
Second Statement: Patient Zero

There have been multiple reports of users experiencing stolen funds both before and after my incident when using Coinomi's wallet. While the cause could be attributed to the same vulnerability, such as another potential backdoor in Coinomi's wallet or users' inadequate security precautions, it was evident in my case that my crypto-currency assets were stolen due to the presence of Coinomi's hidden "Spell Check" feature. This feature specifically played a significant role in the compromise of my assets, as detailed in my previous statements.

Referring to my solid facts as a "hypothesis" is yet another misleading statement. In my second statement, I provided detailed explanations regarding how Google explicitly states that it handles invalid requests to their API server with caution. The specific details can be found in my previous statement, where I outline the clear evidence supporting my claims here:
Second Statement: Legal Implications

Moving on to the final quote in this part:


CipherBlade claims that the possible cause of my stolen crypto-currency assets is malware that monitors the computer's clipboard. Once more, it's just an assumption that I have already addressed in my video response.

As mentioned in the video, Coinomi was installed on a separate and isolated virtual machine. Both my main machine and the virtual machine were equipped with an Anti-Virus/malware application called SpyShelter. SpyShelter is an advanced Anti-Spyware program with a Host Intrusion Prevention System (HIPS). It actively monitors and detects the behavior of applications, regardless of whether they are considered malware or not. One of its features is clipboard protection, which alerts the user if any application attempts to access or capture clipboard data. More information about this feature can be found on the SpyShelter website:

Moreover, it is important to note that I have utilized a password manager to copy and paste passwords related to various other crypto-currency wallets, bank accounts, PayPal, Amazon, eBay, and numerous other platforms over the past five years. Despite this, no compromises or thefts occurred except for the wallet in which I pasted my seed/passphrase, specifically Coinomi's wallet. In light of this, I invite CipherBlade to share their cyber-security expertise and enlighten me with their insights.

The So-called Blockchain Forensics

Once again, I find it intriguing how CipherBlade employs terms like "Blockchain Forensics" to amplify their expertise and promote their services. In reality, their approach can be described as "Blockchain Visualization," a task that individuals with average Blockchain analysis skills and knowledge can surpass. In fact, I was able to achieve more comprehensive visualization and gather data using freely available open-source tools, which allowed me to uncover certain IP addresses and email accounts associated with the addresses involved in this series of transactions.

I will start quoting their so-called “Blockchain Forensics”:

cipherblade cipherblade

Once again, CipherBlade's conclusions appear contradictory. Initially, they attributed the cause of the incident to a potential malware that monitors the computer's clipboard. However, they have now shifted their explanation to a keylogger based on their analysis of ETH transactions. It is perplexing how they managed to transition from a blockchain visualization diagram to determining the characteristics of malware. It seems they may be employing some undisclosed advanced technology worthy of a NASA patent.

I'm honestly not sure how they came to that conclusion! Therefore let's raise some valid questions to CipherBlade:

  • Did they provide any solid proof that links these addresses to any known malware?
    The answer is clearly NO.
  • Did they provide any solid proof that these addresses belong to other victims?
    The answer is clearly NO.

Furthermore, CipherBlade attempted to support their claim by presenting a graph that they believe represents the characteristics of a "mixing" service. However, it appears that CipherBlade may lack a comprehensive understanding of how a mixing service operates. The other addresses they attribute to other victims could potentially belong to unrelated individuals, whether they are involved in criminal activities or not. These addresses might also be part of the mixer's address pool, which is used to fund the Consolidation Wallet and make the tracing process more challenging.

Each mixing service provider operates differently, with their own unique characteristics. Some mixing services are designed to make transactions harder to trace, while others may be more traceable. However, the common practice among mixing services is to fund the user's new wallet address with coins that are not associated with the mixing process itself. The mixing service assumes the risk associated with the mixing process. Below is a simple illustration taken from an existing mixing service (reference removed to avoid the accusation of promoting illegal services):


On the other hand, when CipherBlade analyzed BTC transactions, they came to the conclusion that these transactions reflect mixing service characteristics:


So the question arises, how can CipherBlade's analysis simultaneously characterize the entity that stole my crypto-currency assets as both malware in ETH transactions and a mixing service in BTC transactions? This apparent contradiction raises concerns about the consistency and reliability of their findings. It is important to address this inconsistency and seek a comprehensive and unbiased investigation to determine the true nature and identity of the entity responsible for the theft of my assets.

Moving to the final quote in this part:


This statement brings a sense of amusement. The implication made is that a crypto-currency thief would choose to make a single or direct transaction to move the stolen funds, which would be remarkably foolish. It is common knowledge that any competent crypto-currency thief would seek ways to make the stolen assets untraceable. Utilizing a mixing service is a straightforward and effective option for achieving this objective.

Who The Hell Is CipherBlade?

CipherBlade is a relatively new company that commenced operations in mid-2018 and has a limited history, depending on one's perspective. On their website, they assert that they have successfully recovered millions of dollars:


Despite the concerns raised later in this piece, it's important to acknowledge that CipherBlade claims to have successfully recovered millions of dollars in cryptocurrency, according to statements on their website. Such a feat, if accurate, would be a significant accomplishment in the field of digital asset recovery. However, readers should be aware that without independent verification or substantiated case details, such claims should be approached with scrutiny.

It is ironic to note that despite their claim of recovering millions of dollars, CipherBlade initially used a free email address instead of a professional business email address when they started their business. This observation is based on a screenshot taken from their website in September 2018.


It is worth noting that the incorporation documents of CipherBlade reveal a connection to multiple companies, with many of them being registered in Seychelles. Seychelles is often associated with offshore companies, offering a relatively easy process for company registration. It is known as a destination favored by individuals seeking to engage in money laundering land of money launders, tax evasion, or hiding their true identities behind fictitious business names.

The characteristics of CipherBlade's incorporation document suggest that it shares similarities with what is commonly referred to as a shell company or virtual company. These types of entities can raise suspicions due to their lack of substantive business operations. To gain a more comprehensive understanding of the questionable nature of CipherBlade's business practices, I recommend reading the following articles for further detailed information:

The Challenge

CipherBlade has challenged me to upload an image of my virtual machine for Digital Forensics analysis to determine whether my machine was infected with malware. However, considering the questionable nature of CipherBlade's business and the lack of trust I have in their operations, it would be unwise for me to share my personal data with a company that raises suspicions.

However, I appreciate the concept of the challenge and believe it should apply to both Coinomi and CipherBlade to ensure fairness and transparency in the assessment of the incident:

  • An independent and reputable third-party with a proven track record and expertise in digital forensics will be engaged to conduct a thorough analysis.
  • The fees for the digital forensics analysis will be deposited into a trusted escrow service to ensure transparency and fairness.
  • If the results of the digital forensics analysis conclude that my machine was free of malware, then Coinomi will assume full responsibility for reimbursing my stolen cryptocurrency assets (17 BTC or its equivalent). In such case, Coinomi will also be responsible for covering the fees associated with the digital forensics analysis. However, if the analysis determines that my machine was indeed infected with malware, I will bear the responsibility for covering the fees of the digital forensics analysis.

To add an interesting twist, I have a challenge for CipherBlade. In their report, they suggested that it would be relatively straightforward to trace and recover the stolen crypto-currency assets if proper procedures were followed. In light of this, I hereby grant them full permission to undertake the recovery of my stolen assets, and I offer them a 25% bounty on any successfully recovered funds as an incentive.

At the very least, they can update their website later to proudly announce that they have successfully recovered hundreds of thousands of dollars (pun intended).

Privacy Violation

CipherBlade has infringed upon my privacy by publicly disclosing my personal cryptocurrency wallet addresses without my consent. These addresses are considered private information, particularly in my case involving illegal activity, and should only be accessible to the authorities and the relevant parties involved in the case.

It is evident that CipherBlade demonstrates a lack of professionalism and, more importantly, knowledge about laws governing privacy and data breaches. As a result, I will be reporting this incident to the Information Commissioner's Office as a violation of privacy.

Final Thoughts

I believe that based on the facts I have presented, it is reasonable to conclude that CipherBlade is a typical one-man show offshore company operating through a questionable chain of shell companies. Their business model appears to rely on profiting from people's losses and offering their services in cleaning up the mess created by other companies through their so-called blockchain analysis reports.

They engaged with Coinomi to benefit financially from writing the report and to gain attention by misleading the community with false information, claiming to have resolved this contentious case. However, their report has ultimately had negative consequences for them and has further damaged their reputation.

On the contrary, it is disheartening to see Coinomi facing financial repercussions for commissioning an external report that failed to support their position and did not receive any validation. It is unfortunate that they have resorted to baseless and inappropriate insinuations. Such tactics only serve to undermine their credibility further.

Further updates will be posted through social media channels (@warith2020), (@avoid_coinomi) and if required will be posted here.