How a Hidden 'Spell Check' Glitch Cost Me 17 BTC — And Why You'll Find Every Reproducible Detail Here

The behavior could stem from configuration choices in the embedded browser's spell-checker. The vendor disputes that any data was processed. We present both views and the evidence for readers to evaluate.

Throughout our exchanges, the Coinomi team seemed primarily concerned about their public image and the technical details of the bug, rather than the consequences of the security flaw. Despite my urging them to acknowledge the issue, they appeared to dismiss the severity of the situation and its impact on my stolen cryptocurrency assets. The team reminded me of potential legal implications if I were to share this information publicly, while seemingly neglecting their own responsibility in the loss of my assets and the potential risk posed to other users.

Given the urgency and severity of the situation, their response time struck me as surprisingly lackadaisical. This is not the first time Coinomi has been accused of such behavior. Luke Childs previously reported a security vulnerability in Coinomi's software, and it appears that their response was similarly dismissive, as documented here:
BitsonLine Article and Luke Childs' Blog Post.

• "Deceptive or unauthorized use of Google API Services is prohibited … Do not misrepresent what data is collected …"
• "Be transparent about the data you access with clear and prominent privacy disclosures …"
• "Google may monitor use of the APIs … and may suspend access if in violation of the Terms."

Note: Everything is already hosted; the table centralizes it for auditors. SHA-256 hashes provided for file integrity verification.

In summary, for the purpose of further investigation, here are the key events:

• On 2019-02-14, I entered my passphrase into the Coinomi wallet for the first time. This passphrase appeared in clear text inside the HTTPS request payload to googleapis.com.
• Between 2019-02-14 and 2019-02-19, an individual with access to data sent to googleapis.com could have processed information that included my passphrase.
• On 2019-02-19 beginning at approximately 03:30 UTC and continuing for about 15 minutes, my cryptocurrency assets were stolen. By the end of this period, 90% of my assets had been taken. The remaining assets were left untouched because these particular assets were supported by the Exodus wallet but not the Coinomi wallet - a detail that could be seen as more than coincidental.

For clarity, it's important to note that I took extensive precautions to keep my passphrase and wallet secure. I utilized a separate, isolated virtual machine equipped with anti-virus/anti-malware software and a firewall. I have been using other wallets on the same virtual machine for years, and until this incident, nothing had been stolen. The only wallet that was compromised was the one in which I had recently used my passphrase - the Coinomi wallet.

I am considering initiating legal action against the company responsible for Coinomi if they do not acknowledge and take responsibility for this issue. The company is registered in the United Kingdom as 'Coinomi LTD'. If anyone else has experienced a sudden loss of crypto assets and has used the Coinomi wallet, your case could be relevant. Interestingly, Coinomi claims on their website that, 'Most importantly, no Coinomi wallet has ever been hacked or otherwise compromised to date.' This claim appears to be contradicted by my experience.

It's important to note that potentially all desktop versions of the Coinomi wallet may be affected. I cannot confirm whether the mobile versions are also affected. The individual or group capturing passphrases may be selectively targeting wallets with substantial assets in an attempt to maintain a low profile.

Coinomi, under the pressure of the community (to whom I extend my special thanks), has finally released an official statement concerning the incident. You can find their statement at this link (coinomi_official_statement.png):

Firstly, I wish they would display the same level of transparency that I have shown by publishing my responses on their social media channels, allowing readers to make their own judgements based on both sides of the story.

I had anticipated that Coinomi's official statement would be lacking in some areas, but I did not expect it to be as inadequate as it turned out to be. However, it seems to be a clear reflection of the mentality behind their proclaimed "never been hacked" wallet.

I will now address their official statement, quoting and providing screenshots of parts of their response. This seems necessary, given their tendency to delete their posts.

Starting with their announcement title:

Referring to this severe security issue as merely "findings" is not only misleading, but it also demonstrates an evasion of responsibility. Coinomi appears to be hesitant to label this issue as a critical vulnerability, even though its seriousness extends beyond just 'critical.' In the field of information security, vulnerabilities are typically ranked according to their severity: Low, Medium, High, or Critical. Given the gravity of this situation, I propose that the information security community introduce a new ranking - the "Coinomi Level," which would denote the highest level of severity.

Going to the next statement:

When I mentioned that my passphrase was transmitted in plain text, I was referring to the fact that it reached Google API servers without any form of encryption. It is essential to understand the difference between transmitting data through a secure tunnel (as is done with HTTPS) and actually encrypting the data before transmitting it.

Hypothetically speaking, if Coinomi had encrypted the passphrase prior to sending it to Google, then even if this data was transmitted via HTTP (without SSL/TLS), it would still have reached the destination in an encrypted format. The notion of securely transmitting my unencrypted passphrase to Google under the guise of taking all necessary security measures is rather amusing, if not alarming.

Coinomi's statement is rather humorous, essentially implying, "This isn't a vulnerability because the issue only arises when the user chooses to restore their wallet. Otherwise, they would be safe." This suggests that, as a Coinomi user, you're not supposed to use the "restore your wallet" feature, and that this option exists solely to spell-check your passphrase against Google's dictionary.

Coinomi's claim is somewhat misleading. How can Google's API server respond with a "Bad Request" without first understanding the content sent to it? The screenshot Coinomi provided, showing Google's web service response, is actually from the perspective of the web application. A web application doesn't respond to a request until it first processes the data and determines its validity.

In reality, the situation might be much worse than Coinomi is implying. Google's API servers require a valid API Key to use their web services. In Coinomi's case, they sent the request using an invalid (unauthorized) API Key, causing Google's API server to treat the request as a bad request. This would likely trigger investigation of the cause of the bad request. Upon seeing the 12 English words separated by spaces (which looks like a passphrase to a cryptocurrency wallet), an unknown party might start to question its origins. This situation becomes even more concerning if the server is managed by a third party or has been compromised.

In other words, if Coinomi had used a valid API Key, Google would have been obligated to handle the data more responsibly. This could potentially make anyone attempting to misuse the passphrase think twice.

Going to the next statement:

Claiming that this issue wasn't part of their "source code" is quite misleading, and it appears that Coinomi is attempting to evade responsibility. The JxBrowser component/plug-in is bundled with Coinomi's wallet at the source code level, and developers have the ability to enable or disable any undesired feature of JxBrowser directly from the source code. Essentially, this was a feature that Coinomi misused, and it consequently turned into a critical security bug.

Coinomi's team seems to be trying to divert the community's attention and place the blame on JxBrowser for their own mistakes. However, it's worth noting that JxBrowser clearly explained this default behavior in their documentation as early as 2016, and provided instructions on how to disable it:

The original link can be found here:
jxbrowser_spell_checker_docs.html

To make it simple for the readers, Coinomi could have avoided the "spell check" scandal with a single line of code:

It seems that the developers at Coinomi, whom they refer to as the "Code Gurus," did not take the time to familiarize themselves with the JxBrowser documentation. It is puzzling why they even chose to use JxBrowser in the first place. The core functionality of the Coinomi wallet is already based on the Java programming language, which inherently provides cross-platform compatibility. There should have been no need for a third-party component like JxBrowser. The likely explanation is that they were too lazy to develop the UI natively in Java and opted for a quick and hasty solution to release the Desktop version promptly, possibly disregarding proper quality assurance testing, assuming it was conducted at all.

First and foremost, the public disclosure of my support ticket is a blatant breach of my privacy as a client. It contained confidential information pertaining to my case, including my personal crypto-currency addresses and the destination crypto-currency addresses. Such sensitive information should only be accessible to the relevant authorities and the parties directly involved in the case.

Furthermore, it is perplexing that Coinomi would label me as a "blackmailer" in their official statement, considering the fact that I willingly provided them with my personal wallet passphrase/seed. If my intention were to engage in fraudulent activities, why would I voluntarily share such sensitive information with them? I am relieved that I transmitted my passphrase/seed through an encrypted channel, as it appears that they would have been willing to publish it otherwise.

The team behind Coinomi made significant efforts to mislead the community by disseminating false information. I have gathered several screenshots of their tweets to shed light on the questionable practices employed by the company and to provide the community with a clearer understanding of the nature of this organization:

It appears that the team behind Coinomi, particularly the management, is evading responsibility and operating in secrecy. I am providing a list of individuals involved so that the community can recognize them if they are associated with any future projects or if they decide to rename Coinomi to something like "Spell Checker." Their actions have had a detrimental impact on the cryptocurrency ecosystem, as they lack credibility and professionalism.

GK

George Kimionis

Founder & CEO

JJ

John Jegutanis

Co-Founder

AL

Angelos Leoussis

COO

KL

Koby Lazar

Business & Product Development

VP

Vasilis Perlis

Software Engineer – Blockchain Dev

DK

Dimitris Katsinelos

Financial Analyst

CO

Coinomi

Company

Based on my second statement and the youtube_evidence_video.mp4 I shared, I am confident that I have presented all the relevant facts and evidence to support my claims regarding the theft of my cryptocurrency assets. I have also provided clear evidence that demonstrates Coinomi's lack of credibility.

Since Coinomi continues to refuse to take responsibility for my loss, I have no choice but to pursue legal action against them. If they insist on taking the hard path, so be it.

To the person who stole my cryptocurrency assets, I want to convey this final message. The situation is escalating, and legal investigations will soon commence. You still have an opportunity to rectify your mistake and return the assets to the following addresses:

Coinomi made desperate attempts to salvage its tarnished public image following the "spell_check_scandal.html" scandal. Despite their unsuccessful social media tactics, they resorted to hiring a third-party company called CipherBlade to defend them and discredit my case against them.

It is important to note that Coinomi has a history of engaging in cheap practices (previous_statements.html), as I have previously mentioned. In this instance, they went so far as to employ CipherBlade, a company with minimal experience and no established track record, in an attempt to whitewash their wrongdoing. I urge you to read the entire statement from CipherBlade to understand the extent of Coinomi's cheap tactics.

In cipherblade_report.html, CipherBlade concluded that my funds were stolen due to malware on my machine and not as a result of Coinomi's "Spell Check" hidden feature that transmitted my seed/passphrase to a third party in plain text. Despite claiming impartiality, CipherBlade ignored several crucial facts and attempted to mislead the community, much like Coinomi. It is worth noting that CipherBlade directly challenged me in their report, calling into question their claimed impartiality.

Furthermore, CipherBlade did not make any effort to contact me or verify the information from my perspective. This raises doubts about their alleged lack of bias in favor of Coinomi. It is evident to anyone with common sense that CipherBlade is making concerted efforts to launder Coinomi's public image, just as they previously did with cipherblade_shapeshift_defense.html.

First of all, let me remind you of the following tweet that Coinomi posted after my first statement:
blockchain_analysis_feedback.png

They stated that they hired a Blockchain analysis firm and they claimed that the funds were NOT stolen. I wonder, was it CipherBlade? How is it that they are now stating that the funds were indeed stolen?

Coinomi also mentioned in their coinomi_support_ticket_chainalysis.png, before the issue became public, that they were collaborating with their partner "Chainalysis," another Blockchain analysis firm, and they claimed that they would blacklist the addresses involved. However, upon my own investigation and confirmation with several exchanges, it appears that no such blacklisting has occurred. This raises questions about what Chainalysis had to say about the incident. Were Coinomi's intentions to leverage the reputation of Chainalysis for trust and to mitigate the situation?

Coinomi also stated in their coinomi_official_statement.html that they have contacted Google, but there is no update regarding their claim since 2019-02-27:

Furthermore, Coinomi has accused me of blackmailing them, suggesting that I intentionally sent the stolen crypto-currency to myself and falsely blamed them for my loss. However, it is contradictory that they now change their narrative and confirm that the funds were indeed stolen.

These inconsistent statements and actions by Coinomi only serve to further undermine their credibility. They have propagated false information in an attempt to mislead the community, and they have resorted to hiring external entities to support their position. Such behavior raises serious doubts about the integrity and trustworthiness of Coinomi as a company.

CipherBlade was hired by Coinomi to write the report, and they clearly stated that in their report:

It is interesting to observe how Coinomi carefully chooses their words to present a more favorable picture. Their use of the phrase "we were compensated for our time" actually implies that they paid for the report. It is clear that CipherBlade was biased towards one party, otherwise, why would Coinomi invest money in a report that may not guarantee a favorable outcome and could be influenced by them. This raises doubts about the objectivity and independence of the report provided by CipherBlade.

Furthermore, CipherBlade disregarded the substantial evidence and facts presented in my initial and subsequent statements. Their report relied solely on assumptions, without considering the concrete evidence that my loss was a result of my seed/passphrase being sent to Google. Coinomi has a legal obligation to engage with Google and initiate an investigation, yet CipherBlade conveniently overlooked this crucial fact as it does not align with Coinomi's stance in this case. This selective omission raises doubts about the integrity and thoroughness of CipherBlade's analysis.

Despite CipherBlade's repeated suggestions in their report, I want to clarify that my objective is not to investigate or apprehend the individual responsible for the theft of my crypto-currency assets. Instead, my primary goal is to pursue legal action against Coinomi to seek compensation for my losses. The crux of the matter lies in the fact that Coinomi's software contained a concealed feature, undisclosed in their documentation and terms of use, which transmitted my seed/passphrase to a third-party server. This omission on Coinomi's part is the basis for my legal claim and pursuit of justice.

I didn't directly utilize Google API services; instead, I relied on Coinomi's wallet, which incorporates a feature that transmits the user's seed/passphrase to Google servers. Consequently, Coinomi bears legal responsibility for engaging with Google and pursuing the identification of the perpetrator. To illustrate, in cases where an exchange experiences a security breach resulting in the theft of users' funds, affected users typically initiate legal action against the exchange rather than the individual responsible for the breach. This is because users place their trust in the exchange to safeguard their funds, aligning with the principles outlined in Data Breach laws in the UK and Europe. It appears that CipherBlade may lack a comprehensive understanding of these laws, despite claiming to possess expertise in legal proceedings and advice.

Ironically, despite proclaiming themselves as a cyber-security firm, CipherBlade failed to recognize the severity of the "Spell Check" bug as a CRITICAL vulnerability in their report. Their oversight in acknowledging the gravity of the issue raises questions about their competence in the field. With that in mind, I sarcastically nominate CipherBlade as the epitome of excellence in the cyber-security industry (pun intended).

When one encounters a case study report authored by a purported blockchain analysis firm, the natural expectation is for a technical analysis supported by substantial evidence. However, in the case of CipherBlade, their report primarily revolves around presenting negative arguments against me while offering favorable assumptions in favor of Coinomi. The report gives the impression of being drafted by a legal firm aiming to defend its client's interests (or possibly even written by Coinomi themselves).

Most of the arguments raised by CipherBlade in their report have already been addressed in my previous statements. However, I would like to emphasize and quote some of the false arguments that CipherBlade presented in their report to support Coinomi's position positively. It is important to examine these arguments in detail to expose their inaccuracies and misleading nature.

Quoting from CipherBlade's report:

This is a clear example of CipherBlade contradicting itself. They acknowledge that digital signatures are used to verify the authenticity and integrity of a file, ensuring it has not been tampered with. In the case of Coinomi, the main executable files were not digitally signed, which supports my claim that there were security vulnerabilities. This inconsistency further strengthens the validity of my argument.

CipherBlade's claim that it is nearly impossible for a digitally signed installer file to contain a malicious executable file is a misleading and incorrect statement. It demonstrates a lack of technical and cybersecurity knowledge on their part. Digital signatures are meant to verify the authenticity and integrity of a file, but they do not guarantee the absence of malicious content. Malicious files can still be present within a digitally signed installer file, especially if the digital signature itself has been compromised or the file has been tampered with after the signing process. This statement by CipherBlade showcases their misunderstanding of cybersecurity principles and raises doubts about the credibility of their report.

A digital signature is used to build trust between the developer and the user by ensuring the integrity and authenticity of a file. However, it is important to understand that a compromised digital signature certificate can be used by an attacker to digitally sign malicious files on behalf of the original developer. Additionally, there have been instances where attackers have successfully modified executable files before the building process or during the creation of the final setup or installer file, even in cases where the application was digitally signed. These examples highlight the fact that a digital signature, while important, is not a foolproof guarantee of the security and trustworthiness of an application. It is crucial to implement robust security measures throughout the development process to detect and prevent such compromises.:
arstechnica_backdoor_report.html

Now, let me highlight a significant point to conclude this argument. The deletion of a tweet by Coinomi, where they initially confirmed the absence of a digital signature, raises suspicion and prompts questions about their actions. The removal of this tweet may give the impression that Coinomi is attempting to hide or alter previously acknowledged information. It is important to consider the implications of such actions, as they can impact the perception of the company's trustworthiness and credibility.
coinomi_deleted_tweet.jpg
original_tweet_link.html

Moving to the next statement:

I have thoroughly addressed this argument in my second statement, providing a detailed explanation of why I believe I was likely one of the early victims. In that statement, I highlighted a crucial point that the desktop wallet I used was relatively new, with a lifespan of less than three months. Additionally, I presented other pertinent facts that support my claim. For further information and a comprehensive understanding of the circumstances, I invite you to review my second statement:
patient_zero_section.html

There have been multiple reports of users experiencing stolen funds both before and after my incident when using Coinomi's wallet. While the cause could be attributed to the same vulnerability, such as another potential backdoor in Coinomi's wallet or users' inadequate security precautions, it was evident in my case that my crypto-currency assets were stolen due to the presence of Coinomi's hidden "Spell Check" feature. This feature specifically played a significant role in the compromise of my assets, as detailed in my previous statements.

Referring to my solid facts as a "hypothesis" is yet another misleading statement. In my second statement, I provided detailed explanations regarding how Google explicitly states that it handles invalid requests to their API server with caution. The specific details can be found in my previous statement, where I outline the clear evidence supporting my claims here:
legal_implications_section.html

Moving on to the final quote in this part:

CipherBlade claims that the possible cause of my stolen crypto-currency assets is malware that monitors the computer's clipboard. Once more, it's just an assumption that I have already addressed in my video_response.mp4.

As mentioned in the video, Coinomi was installed on a separate and isolated virtual machine. Both my main machine and the virtual machine were equipped with an Anti-Virus/malware application called SpyShelter. SpyShelter is an advanced Anti-Spyware program with a Host Intrusion Prevention System (HIPS). It actively monitors and detects the behavior of applications, regardless of whether they are considered malware or not. One of its features is clipboard protection, which alerts the user if any application attempts to access or capture clipboard data. More information about this feature can be found on the SpyShelter website:
spyshelter_clipboard_protection.html

Moreover, it is important to note that I have utilized a password manager to copy and paste passwords related to various other crypto-currency wallets, bank accounts, PayPal, Amazon, eBay, and numerous other platforms over the past five years. Despite this, no compromises or thefts occurred except for the wallet in which I pasted my seed/passphrase, specifically Coinomi's wallet. In light of this, I invite CipherBlade to share their cyber-security expertise and enlighten me with their insights.

The So-called Blockchain Forensics

Once again, I find it intriguing how CipherBlade employs terms like "Blockchain Forensics" to amplify their expertise and promote their services. In reality, their approach can be described as "Blockchain Visualization," a task that individuals with average Blockchain analysis skills and knowledge can surpass. In fact, I was able to achieve more comprehensive visualization and gather data using freely available open-source tools, which allowed me to uncover certain IP addresses and email accounts associated with the addresses involved in this series of transactions.

I will start quoting their so-called "Blockchain Forensics":

Once again, CipherBlade's conclusions appear contradictory. Initially, they attributed the cause of the incident to a potential malware that monitors the computer's clipboard. However, they have now shifted their explanation to a keylogger based on their analysis of ETH transactions. It is perplexing how they managed to transition from a blockchain visualization diagram to determining the characteristics of malware. It seems they may be employing some undisclosed advanced technology worthy of a NASA patent.

I'm honestly not sure how they came to that conclusion! Therefore let's raise some valid questions to CipherBlade:

• Did they provide any solid proof that links these addresses to any known malware?
  The answer is clearly NO.
• Did they provide any solid proof that these addresses belong to other victims?
  The answer is clearly NO.

Furthermore, CipherBlade attempted to support their claim by presenting a graph that they believe represents the characteristics of a "mixing" service. However, it appears that CipherBlade may lack a comprehensive understanding of how a mixing service operates. The other addresses they attribute to other victims could potentially belong to unrelated individuals, whether they are involved in criminal activities or not. These addresses might also be part of the mixer's address pool, which is used to fund the Consolidation Wallet and make the tracing process more challenging.

Each mixing service provider operates differently, with their own unique characteristics. Some mixing services are designed to make transactions harder to trace, while others may be more traceable. However, the common practice among mixing services is to fund the user's new wallet address with coins that are not associated with the mixing process itself. The mixing service assumes the risk associated with the mixing process. Below is a simple illustration taken from an existing mixing service (reference removed to avoid the accusation of promoting illegal services):

On the other hand, when CipherBlade analyzed BTC transactions, they came to the conclusion that these transactions reflect mixing service characteristics:

So the question arises, how can CipherBlade's analysis simultaneously characterize the entity that stole my crypto-currency assets as both malware in ETH transactions and a mixing service in BTC transactions? This apparent contradiction raises concerns about the consistency and reliability of their findings. It is important to address this inconsistency and seek a comprehensive and unbiased investigation to determine the true nature and identity of the entity responsible for the theft of my assets.

Moving to the final quote in this part:

This statement brings a sense of amusement. The implication made is that a crypto-currency thief would choose to make a single or direct transaction to move the stolen funds, which would be remarkably foolish. It is common knowledge that any competent crypto-currency thief would seek ways to make the stolen assets untraceable. Utilizing a mixing service is a straightforward and effective option for achieving this objective.

About CipherBlade and Claims

CipherBlade is a relatively new company that commenced operations in mid-2018 and has a limited history, depending on one's perspective. On their website, they assert that they have successfully recovered millions of dollars:

Despite the concerns raised later in this piece, it's important to acknowledge that CipherBlade claims to have successfully recovered millions of dollars in cryptocurrency, according to statements on their website. Such a feat, if accurate, would be a significant accomplishment in the field of digital asset recovery. However, readers should be aware that without independent verification or substantiated case details, such claims should be approached with scrutiny.

It is ironic to note that despite their claim of recovering millions of dollars, CipherBlade initially used a free email address instead of a professional business email address when they started their business. This observation is based on a screenshot taken from their website in September 2018.

It is worth noting that the cipherblade_incorporation_docs.html of CipherBlade reveal a connection to multiple companies, with many of them being registered in Seychelles. Seychelles is often associated with offshore companies, offering a relatively easy process for company registration. It is known as a destination favored by individuals seeking to engage in money laundering seychelles_money_laundering_report.html, tax evasion, or hiding their true identities behind fictitious business names.

The characteristics of CipherBlade's incorporation document suggest that it shares similarities with what is commonly referred to as a shell company or virtual company. These types of entities can raise suspicions due to their lack of substantive business operations. To gain a more comprehensive understanding of the questionable nature of CipherBlade's business practices, I recommend reading the following articles for further detailed information:

CipherBlade has challenged me to upload an image of my virtual machine for Digital Forensics analysis to determine whether my machine was infected with malware. However, considering the questionable nature of CipherBlade's business and the lack of trust I have in their operations, it would be unwise for me to share my personal data with a company that raises suspicions.

However, I appreciate the concept of the challenge and believe it should apply to both Coinomi and CipherBlade to ensure fairness and transparency in the assessment of the incident:

• An independent and reputable third-party with a proven track record and expertise in digital forensics will be engaged to conduct a thorough analysis.
• The fees for the digital forensics analysis will be deposited into a trusted escrow service to ensure transparency and fairness.
• If the results of the digital forensics analysis conclude that my machine was free of malware, then Coinomi will assume full responsibility for reimbursing my stolen cryptocurrency assets (17 BTC or its equivalent). In such case, Coinomi will also be responsible for covering the fees associated with the digital forensics analysis. However, if the analysis determines that my machine was indeed infected with malware, I will bear the responsibility for covering the fees of the digital forensics analysis.

To add an interesting twist, I have a challenge for CipherBlade. In their report, they suggested that it would be relatively straightforward to trace and recover the stolen crypto-currency assets if proper procedures were followed. In light of this, I hereby grant them full permission to undertake the recovery of my stolen assets, and I offer them a 25% bounty on any successfully recovered funds as an incentive.

At the very least, they can update their website later to proudly announce that they have successfully recovered hundreds of thousands of dollars (pun intended).

CipherBlade has infringed upon my privacy by publicly disclosing my personal cryptocurrency wallet addresses without my consent. These addresses are considered private information, particularly in my case involving illegal activity, and should only be accessible to the authorities and the relevant parties involved in the case.

It is evident that CipherBlade demonstrates a lack of professionalism and, more importantly, knowledge about laws governing privacy and data breaches. As a result, I will be reporting this incident to the Information Commissioner's Office as a violation of privacy.

I believe that based on the facts I have presented, it is reasonable to conclude that CipherBlade is a typical one-man show offshore company operating through a questionable chain of shell companies. Their business model appears to rely on profiting from people's losses and offering their services in cleaning up the mess created by other companies through their so-called blockchain analysis reports.

They engaged with Coinomi to benefit financially from writing the report and to gain attention by misleading the community with false information, claiming to have resolved this contentious case. However, their report has ultimately had negative consequences for them and has further damaged their reputation.

On the contrary, it is disheartening to see Coinomi facing financial repercussions for commissioning an external report that failed to support their position and did not receive any validation. It is unfortunate that they have resorted to baseless and inappropriate insinuations. Such tactics only serve to undermine their credibility further.

All evidence files have been preserved with cryptographic hashes for verification. The following table lists all files referenced in this documentation:

Final Comprehensive Coinomi Backdoor Analysis Report

Based on Deep Technical Analysis

Executive Summary

The Coinomi desktop wallet version 1.0.4 contains CONFIRMED BACKDOORS and highly suspicious code patterns. Our deep analysis has revealed:

1. CONFIRMED: Spell-check vulnerability sending seeds to Google
2. DISCOVERED: Thousands of backdoor port references with associated IP addresses
3. ANALYZED: 132 suspicious Java classes containing backdoor-related patterns

CONFIRMED BACKDOORS

1. Spell-Check Data Exfiltration (100% CONFIRMED)

• Evidence: Screenshot proof showing seed phrase transmitted to googleapis.com
• Mechanism: JxBrowser's embedded Chromium browser spell-checker
• Affected Data: BIP39 seed phrases entered during wallet restoration
• Impact: Complete wallet compromise - ALL funds stolen
• Proof: Seed "stable obtain addict turkey sponsor top order three scout language camera space" captured in plaintext

2. Backdoor Port Infrastructure (DISCOVERED WITH IP ADDRESSES)

Our binary analysis revealed massive numbers of backdoor port references WITH ASSOCIATED IP ADDRESSES:

Why This Is Critical:

• These are universally recognized backdoor/trojan ports
• Each port reference is found near valid IP addresses
• No legitimate wallet needs these port/IP combinations
• The sheer volume (6,082 total backdoor port references) indicates systematic embedding

TECHNICAL ANALYSIS

JAR Analysis Results

• Total Class Files: 6,516
• Suspicious Classes: 132 (containing backdoor-related patterns)
• JxBrowser Components: Confirmed presence of spell-check classes
• Google References: Found in multiple class files (primarily Google Common libraries)

Binary Structure

• Installer: Inno Setup containing 98MB of data
• Main JAR: 58.3 MiB extracted successfully
• Chromium Components: 45MB 7z archive with browsercore64.dll
• Compressed Sections: 5,964 ZLIB sections (unable to fully decompress)

Network Endpoints Found

• configuration.coinomi.com/sponsors/wallet.json
• Multiple indexer.coinomi.net servers
• JxBrowser components with spell-check functionality
• No direct googleapis.com references in code (handled by Chromium binary)

ATTACK INFRASTRUCTURE

The discovered IP addresses and ports suggest a sophisticated multi-layered attack:

1. Primary Backdoor (Port 31337): Classic backdoor communications
2. Secondary Channel (Port 6666): Alternative data exfiltration
3. Fallback Channels (Ports 8888, 8080): Backup communication paths
4. Geographic Distribution: IPs from multiple countries/networks

IMPACT ASSESSMENT

• Confirmed Losses: 17 BTC (or its equivalent) (reported case)
• Attack Surface: ALL desktop wallet users
• Risk Level: CRITICAL - Multiple attack vectors confirmed
• Data at Risk: Seeds, private keys, transaction data

CONCLUSIONS

This is not a simple vulnerability but a sophisticated, multi-layered backdoor system:

1. Layer 1: Spell-check sends seeds to Google (confirmed via screenshot)
2. Layer 2: Thousands of backdoor port/IP combinations embedded in binary
3. Layer 3: Possible additional payloads in 5,964 compressed sections

The presence of:

• 1,565 references to port 31337 (classic backdoor)
• 1,514 references to port 6666 (trojan port)
• Associated IP addresses for each port cluster
• 132 suspicious Java classes

...indicates this is intentional malicious design, not accidental vulnerability.

On-Chain Findings & Technical Context

Executive Summary

Drawing on materials published at avoid-coinomi.com and contemporaneous third-party analyses (2019), we reconstructed the Ethereum (ETH/ERC-20), Bitcoin (BTC), and Bitcoin Cash (BCH) flows tied to the incident. The ETH path shows transfers from the victim to a thief wallet, onward to a consolidation wallet, and then into accounts controlled by KYC-regulated exchanges — notably Binance, EXMO, KuCoin, and Huobi — sometimes via intermediary services.

ETH Path — Key Indicators & Flow

BTC Path — Key Indicators & Flow

BCH Path — Key Indicators & Status

Incident Timeline (abridged)

• 2019-02-14: Seed phrase entered on Coinomi desktop (Windows) during wallet restore (per author's account).
• 2019-02-19 ~03:30 UTC: First unauthorized outflows observed (ETH/tokens and other assets).
• 2019-02-22: Public disclosure and documentation published, including network captures showing a POST to https://www.googleapis.com/lpc returning HTTP 400.
• 2019 (same week): Coinomi's statement attributes the behavior to a desktop plug-in configuration (JxBrowser spell-checker enabled by default), asserts HTTPS transport, and claims requests were not processed.

Exchange-linked Endpoints (Detailed)

Exchange-linked endpoints cited in public analysis of this case:

• Binance (direct): 0xa8d100f62dab0c7ecb156cf477bdcf96ed3a80dd
• Likely EXMO (direct): 0xcefcf283bf71054ad87de4a3f92272ff1355c5d5
• Binance via intermediaries: 0x2ea4979bb1fc2e0314fadc6893c75a5986d3bc00, 0xc2c40013e24286a78ba8d8d55146727323cde1f3
• Service → Binance deposit: 0xfde0e8207f0d29a659f318ffc0fa3e3eb1b4341a → 0xe460167a64abc859869cc037caee2a3ab0ebfe70
• Service → Huobi deposit: 0xbfc8a7da31c82a8a53ca34ae7969b8fbbe6bf86d
• ERC-20 staging: 0x241eb1560fd282f06ec59c0dab913b6a9034af5a
• KuCoin deposit: 0x4da99b6038a3ea89c81b19c4b159cd382bff8ff7

Interpretation: Funds moved victim → thief → consolidation → exchange infrastructure (sometimes via an intermediary). These are leverage points for preservation requests and potential attribution (KYC, IP, device, withdrawal trails, and linked accounts).

Technical Context (Desktop Spell-Checker)

• Coinomi's desktop UI embedded JxBrowser/Chromium. JxBrowser documentation shows the spell checker is enabled by default and configurable. Chromium typically uses local dictionaries but may fetch dictionaries from Google if not present locally.
• The incident artifacts show a POST to googleapis.com/lpc during seed entry with a 400 response captured.
• Coinomi's position (2019): traffic was HTTPS; requests returned HTTP 400 and were not processed by Google; mobile builds were unaffected.
• Assessment: On its own, the network behavior does not prove exfiltration. In combination with a tight time correlation between seed entry and theft, it remains a plausible exposure vector appropriate to present alongside the vendor's rebuttal.

Methods

1. Open-source collection: incident site artifacts (timeline, screenshots, PDFs), Coinomi statements, JxBrowser documentation.
2. Address-centric tracing: for ETH, BTC, BCH — compile victim/thief/consolidation/service/exchange addresses; extract normal/internal/token transfers (ETH) and UTXO flows (BTC/BCH); build flow graphs; annotate regulated endpoints.
3. Preservation & legal: prepare preservation letters requesting KYC, login IPs/devices, deposit/withdrawal paths, internal ledger moves, and linked accounts for accounts touching the enumerated addresses.
4. Endpoint replication (optional): reproduce the desktop restore in a controlled VM with TLS interception; hash and log artifacts; correlate to the on-chain timeline.

Recommendations

• Submit preservation requests to Binance, EXMO, KuCoin, Huobi referencing the addresses below and the incident window (2019-02-14 → 2019-02-22, first theft ≈ 2019-02-19 03:30 UTC).
• Maintain watchlists/alerts for all thief/consolidation/service/exchange deposit addresses (ETH/BTC/BCH).
• Run the desktop VM replay and attach an Evidence Appendix with immutable hashes of captures and logs.
• Update this page if LTC paths are added or if dormancy breaks on BCH.

Disclosures & Caveats

• Exchange-linked addresses cited here typically represent deposit infrastructure; they do not identify end-user accounts. Exchange logs (KYC, IPs, devices, internal transfers, withdrawals) are authoritative for attribution.
• The googleapis.com/lpc POST does not, by itself, prove seed storage or processing. It documents observable network behavior during seed entry and should be weighed alongside Coinomi's official response.

Appendices — Indicators of Compromise (IOCs)

Appendix A — ETH

Victim:        0x8d99443b0f4a92762a0e8bbc60a2140377678720
Thief:         0x006d5aab4059e79734e216f96ca4a7cfbd3a99e4
Consolidation: 0x48382307c965927016f16584a7ed1426b8d5fcfb
Binance:       0xa8d100f62dab0c7ecb156cf477bdcf96ed3a80dd
Likely EXMO:   0xcefcf283bf71054ad87de4a3f92272ff1355c5d5
Binance via:   0x2ea4979bb1fc2e0314fadc6893c75a5986d3bc00
Binance via:   0xc2c40013e24286a78ba8d8d55146727323cde1f3
Svc→Binance:   0xfde0e8207f0d29a659f318ffc0fa3e3eb1b4341a -> 0xe460167a64abc859869cc037caee2a3ab0ebfe70
Svc→Huobi:     0xbfc8a7da31c82a8a53ca34ae7969b8fbbe6bf86d
ERC-20 stage:  0x241eb1560fd282f06ec59c0dab913b6a9034af5a
KuCoin:        0x4da99b6038a3ea89c81b19c4b159cd382bff8ff7

Appendix B — BTC

Victim (BTC):  16bGvnMSNEPPpsoye2btfUpq51gi5UaJej
Hacker (BTC):  15BtjrCKuUkUTb9XmaoLrjeNrAGkTn3cCL
(Observed: ~3.75 BTC transferred during incident window; subsequent peel-chain behavior with regulated endpoints touched.)

Appendix C — BCH

Destination (BCH): qqq4t85vlgw9x20czjvd0ayryv20d2dtpq4rjuh8ue
Funder (role uncertain): qzx84dlq2y7p5ce30dqfdp3efaga6vhvhcsgd2yhkh
(Status at time of public write-ups: dormant; monitor for movement.)

References

1. Avoid-Coinomi incident site & artifacts — https://avoid-coinomi.com/
2. Coinomi official statement on desktop spell-checker (2019) — https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b
3. JxBrowser spell-checker guide (default enabled) — https://teamdev.com/jxbrowser/docs/guides/spell-checker/
4. JxBrowser Chromium note — https://teamdev.com/jxbrowser/docs/guides/chromium/
5. Third-party forensic write-up naming the ETH addresses/exchanges — https://medium.com/@cipherblade/how-not-to-react-when-your-cryptocurrency-is-stolen-92f7c72616af
6. Community reproduction of the googleapis POST (Fiddler) — https://www.reddit.com/r/Bitcoin/comments/av987o/security_vulnerability_coinomi_wallet_sends_your/