Video Announcement

Please first watch my official video response to Coinomi’s “Spell Check” scandal before you continue reading:


https://www.youtube.com/watch?v=eP1WAkTJXw0

Table of Contents

First Statement

Second Statement

Third Statement

TL;DR

A poor implementation in the Coinomi multi-asset wallet leads to sharing your plain-text passphrase with a third-party server. My passphrase was compromised and $60K-$70K worth of crypto-currency was stolen because of Coinomi wallet and how the wallet handled my passphrase. I’m disclosing this issue publicly because Coinomi refused to take the responsibility and all my attempts through private channels have failed.

Please note that this security issue cannot be exploited by anyone except by the people who created it or have control over the backend. To everyone who is using or used Coinomi wallet, make sure to remove your funds from the wallet and change your passphrase by creating a new wallet using another application; otherwise your funds might get stolen sooner or later.

To understand how catastrophic the security issue is, they simply take your crypto-currency wallet’s passphrases/seeds and spell check it by sending it remotely to Google servers in clear plain text!

They did not take the responsibility of my loss, I gave them more than 24 hours before full disclosure, they fixed the issue without notifying their users and they kept procrastinating like scumbags to buy more time.

Below is a link to their final response to my request after going back and forth with them for over 3 days to get my stolen funds back, even after they confirmed the security issue. You can clearly see how silly and reckless their responses are (these responses are just examples):
https://avoid-coinomi.com/files/coinomi_final_response.png

My advice: never ever trust Coinomi with your hard earned crypto-currency assets. Read this post entirely to understand why, because this is not their first time reflecting this kind of behavior.

The Incident

First of all I admit it was my mistake trusting Coinomi wallet by inserting the passphrase of one of my main wallets (Exodus wallet) into their application. I trusted them because I downloaded the software from their website, the setup file was digitally signed and it was mentioned by several reputable websites such as bitcoinwiki.org. I wanted to shift some of the assets that were not supported by Exodus wallet using the same passphrase/seed.

The incident began on 14th February, 2019. I downloaded and installed Coinomi application (Windows version) and noticed that their setup file was digitally signed but their main application was NOT signed after the installation process was completed.

I contacted them publicly through twitter (@warith2020) and they confirmed the issue then uploaded a new version with the main application signed. At that time I had already entered my Exodus’s wallet passphrase into Coinomi’s application.

On 22nd February 2019, I noticed that more than 90% of my Exodus wallet assets were transferred to multiple wallet addresses. The first transaction began with BTC on 19th February 2019 around 3:30 am UTC, followed by ETH (including ERC20 tokens), LTC and finally BCH.

Technical Analysis

I started going back in time and arranging the events. The only new thing that I did was installing and running Coinomi wallet so my first conclusion was that the unsigned version of the application had a backdoor.

I did further investigation and compared both the unsigned version of the setup file and the signed version. The only difference was that they added a digital signature to the main executable file and the Java file (the main application).

At that stage I thought that there was probably something suspicious about the application apart from having their main executable unsigned, so I started replicating what I did in a new virtual machine, but this time I installed “Fiddler”, a tool that allows you to monitor and debug the HTTP/HTTPS traffic of all applications running on your machine.

I started monitoring the traffic by running Fiddler in the background and then started Coinomi wallet. The first thing I noticed is that Coinomi application starts downloading dictionary wordlist from the following web address:
https://redirector.gvt1.com/edgedl/chrome/dict/en-us-8-0.bdic

Then I clicked on restore wallet and pasted a random passphrase and suddenly the screen screamed SURPRISE MODA****** (boom puzzle solved!)

The WHOLE passphrase in plain-text is sent to googleapis.com, a domain name owned by Google! It was being sent as part of a spelling check function! Here is a sample screenshot of the HTTP request:
https://avoid-coinomi.com/files/coinomi_screenshot_1.png

To verify my findings I have uploaded a video for anyone who wants to test and replicate what I did:
https://avoid-coinomi.com/files/coinomi_http_traffic_video.mp4

You can also simply paste any random sentence with a spelling mistake into the textbox in Coinomi‘s “Restore Wallet” form/page and you will see that it gets underlined with a red line after being sent in clear text to googleapis.com.

To understand what’s going on, I will explain it technically. Coinomi core functionality is built using Java programming language. The user interface is designed using HTML/JavaScript and rendered using integrated Chromium (Google’s open-source project) based browser.

The whole thing is done using JxBrowser to build cross-platform applications, and before you say (like Coinomi‘s CTO did) that it’s a JxBrowser issue, let me tell you that JxBrowser mentioned this on their website in 2016, along with how to disable the default spell checking behavior:
https://jxbrowser.support.teamdev.com/support/solutions/articles/9000044250-configuring-spell-checker

So essentially the textbox which you enter your passphrase in is basically an HTML file run by the Chromium browser component, and once you type or paste anything into that textbox it will immediately and discreetly send it remotely to googleapis.com for spelling check (how awesome is that!)

As a result, someone from Google’s team or whoever had access to the HTTP requests that are sent to googleapis.com found the passphrase and used it to steal my $60K-$70K worth of crypto assets (at current market price). Anyone who is involved in technology and crypto-currency knows that 12 random English words separated by spaces will probably be a passphrase to a crypto-currency wallet!
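The leak described above can be caught from the proxy side: anything that sends a seed phrase off the machine shows up in the captured traffic as a run of 12 (or 15, 18, 21, 24) lowercase dictionary words. The check below is an added example, not code from the original post or from Coinomi. The captured requests are constructed samples in the shape a proxy such as Fiddler shows them; the JSON layout of the googleapis.com body imitates a Chromium spelling-check call and is an assumption, and the 12 words are the first entries of the BIP39 English list, used only as an obvious placeholder.

```python
import json
import re

# Constructed sample of captured requests (host, path, body). The googleapis.com
# body imitates a Chromium spell-check JSON-RPC call; its exact field layout is an
# assumption, not copied from Coinomi or Chromium. The 12 words are the first
# entries of the BIP39 English list, an obviously constructed placeholder seed.
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "redirector.gvt1.com",
     "path": "/edgedl/chrome/dict/en-us-8-0.bdic", "body": ""},
    {"method": "POST", "host": "www.googleapis.com", "path": "/rpc",
     "body": json.dumps({
         "method": "spelling.check", "apiVersion": "v2",
         "params": {"language": "en",
                    "text": "abandon ability able about above absent "
                            "absorb abstract absurd abuse access accident"}})},
    {"method": "POST", "host": "rates.wallet-backend.invalid", "path": "/v1/rates",
     "body": json.dumps({"symbols": ["BTC", "ETH", "LTC"], "fiat": "USD"})},
]

# Valid BIP39 mnemonic lengths; every word on the English list is 3-8 letters.
SEED_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def find_seed_like_runs(text, wordlist=None):
    """Return each maximal run of consecutive lowercase 3-8 letter words whose
    length is a valid mnemonic length. Passing the full BIP39 list as `wordlist`
    additionally requires every word to be on it, which removes most false hits."""
    runs, current = [], []
    for token in text.split() + [""]:  # empty sentinel flushes the final run
        ok = bool(WORD_RE.match(token)) and (wordlist is None or token in wordlist)
        if ok:
            current.append(token)
            continue
        if len(current) in SEED_LENGTHS:
            runs.append(" ".join(current))
        current = []
    return runs


def strings_in(value):
    """Yield every string nested anywhere inside a parsed JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from strings_in(v)


def body_strings(body):
    """Treat the body as JSON when it parses, otherwise as one raw text blob."""
    if not body:
        return []
    try:
        return list(strings_in(json.loads(body)))
    except ValueError:
        return [body]


def flag_seed_leaks(requests, wordlist=None):
    """Return (host, path, run) for every request whose body carries a seed-like run,
    whatever the destination: a wallet has no reason to send a seed anywhere."""
    findings = []
    for req in requests:
        for text in body_strings(req.get("body", "")):
            for run in find_seed_like_runs(text, wordlist):
                findings.append((req["host"], req["path"], run))
    return findings


if __name__ == "__main__":
    for host, path, run in flag_seed_leaks(SAMPLE_REQUESTS):
        print(f"possible seed phrase sent to {host}{path}: {run!r}")
```

Only the googleapis.com request is reported; the dictionary download and the rates call carry no word run of a mnemonic length.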

Coinomi’s Response

The team behind Coinomi are either extremely smart to add such backdoor so that when they get caught they would simply say it was an honest mistake or they are extremely stupid to overlook such security bug.

I will not be surprised if they intentionally created this backdoor behavior function and had an insider at Google especially when you learn from recent news about a founder of crypto-currency exchange claiming weird suspicious death while no one except him has access to the crypto-currency assets!

Coinomi’s team did not reflect any responsible behavior and they kept asking me about the technical issue behind the bug because they were worried about their public image and reputation. They kept ignoring my request of taking the responsibility and ignored my solid facts regarding it. They didn’t give a single **** about my stolen crypto assets. They kept reminding me (kinda threatening me) of the legal implications if I go public with the information I have, and they forgot their legal responsibility for my stolen crypto assets as well as the risk that impacts other users of the wallet.

In fact, Coinomi’s team discreetly deleted their reply to my tweets to hide the evidence regarding their unsigned main executable in which they confirmed the issue and they didn’t respond to my requests as shown in the following screenshots:
https://avoid-coinomi.com/files/coinomi_tweets.pdf

Such behavior was a clear evidence for me that there is something suspicious about their wallet and they didn’t want to expose it. It seems the founders are the developers of the application and they don’t like anyone who criticizes their ugly baby creation “Coinomi” wallet. They think that they are the code gurus fallen from the heavens who write perfect code.

However, before I published my findings I sent them the whole thing, giving them more than 12 hours’ heads-up because they requested clear technical evidence. Their CTO told me that he would download the report within 3 hours (they downloaded the report after 5-6 hours). Imagine someone tells you that you have a CRITICAL vulnerability in your software which holds users' hard earned crypto assets and yet you act carelessly because somehow you think you are a superior creature (Khan from the Star Trek Into Darkness movie).

Below are the screenshots of the private messages between Coinomi’s CTO and me:
https://avoid-coinomi.com/files/coinomi_cto_private_messages.pdf
https://avoid-coinomi.com/files/cto_chat.zip

This is not their first time behaving this way especially when someone finds an issue with their application. Luke Childs previously published a security vulnerability/misconfiguration and their response was somehow similar:
https://bitsonline.com/coinomi-vulnerability-respond/
https://imnotdead.co.uk/blog/coinomi

Recap

To recap the events for further investigation:

  • My first passphrase attempt, sent to googleapis.com through Coinomi wallet, was on 14th February 2019
  • Google’s employee or whoever has control over the data that are sent to googleapis.com processed the data that had my passphrase and that was between 14th and 19th February 2019
  • My crypto assets were stolen on 19th February 2019 starting around 3:30 am UTC and the transactions continued for 15 minutes. At the end 90% of the assets were gone and remaining assets were only left because these assets were supported by Exodus wallet but NOT Coinomi wallet (what a coincidence you say!)

Please note that I took all the security precautions to keep my passphrase and wallet safe. I have a separate isolated virtual machine for it with Anti-Virus/Anti-Malware and a firewall installed. I also had other wallets on the same virtual machine for years. Nothing was stolen except for the wallet which I recently used my passphrase in, which is Coinomi wallet!

What's Next

I will start taking legal actions against the company behind Coinomi if they don’t act and take the responsibility. The company is registered in the UK as “Coinomi LTD”, in case anyone has faced or is facing a similar case where you suddenly lost your crypto assets and you happen to have used Coinomi wallet. The funny thing is that they state on their website:
“Most importantly, no Coinomi wallet has ever been hacked or otherwise compromised to date.” (bull****!)

Be aware that probably all desktop versions are affected (I’m not sure about the mobile versions) and the guy/group who is/are capturing the passphrases, possibly targeting only wallets with decent amount of assets to stay low profile as long as he/they can.

I have also uploaded a copy of the latest version of Coinomi application in case they take down the links to hide the facts:

Final Thoughts

This was an expensive and mentally painful experience to learn from and hopefully after publishing this post no one will experience the same. The lessons learned so far:

  • Never trust any multi-asset crypto wallet unless they have done an external security audit by a trusted third-party and their security audit is publicly available.
  • Never ever trust Coinomi with your hard earned crypto-currencies. They do not take any responsibility and when they f***-up things they just run away like it’s not their business.
  • Never ever trust Google services/products with your sensitive information. They have great control over the data and it seems their policy isn’t that strict, which results in the collected data and its power being taken advantage of by their employees, especially those with malicious intent.

At the end I need to make it clear again why I published this:

  • Spread awareness among users who are using or used Coinomi wallet.
  • Demand my stolen crypto-currency assets from the company behind Coinomi wallet either in terms of crypto currency or in terms of fiat currency. The more they procrastinate the more the value of the assets increase by time.
  • Force Google to start investigating the issue. I’m pretty sure this is a serious issue not only in regard to my stolen crypto-currency assets but also in terms of users’ privacy and their data being maliciously used by Google’s employees or whoever has control over this data.

Finally I hope the readers share this website to spread the awareness. I’m pretty sure hundreds of thousands in crypto assets will be saved and many users will have the opportunity to save their hard earned crypto assets!

Next time if you need to spell check your passphrase/seed and to make sure that you are following the English dictionary just use Coinomi wallet LMAO!

Second Statement Overview

Coinomi was forced by the community (special thanks) and finally published an official statement regarding the incident and it can be found here (screenshot here):
https://medium.com/coinomi/official-statement-on-spell-check-findings-547ca348676b

First of all, I wish they had a sense of transparency and would publish my responses in their social media channels like I always do, so that the reader of both responses can judge and assess the situation.

I was expecting Coinomi’s official statement to be sloppy and incompetent but never thought it would be that bad. But again, it clearly reflects the mentality behind their “never been hacked” wallet.

I will start responding to their official statement by quoting and screenshotting parts of their official response because as you know by now they have a bad habit of deleting their posts.

Coinomi’s Statement

Starting with their announcement title:

(screenshot of Coinomi’s announcement title)

Calling this horrible security issue “findings” is quite misleading and running away from responsibility. Coinomi obviously don’t want (or like) to name the issue a CRITICAL vulnerability. In fact, their vulnerability is something beyond CRITICAL. As a standard, vulnerabilities are usually ranked based on their severity: Low, Medium, High or Critical. I’m suggesting that the information security community should introduce a new rank and call it the “Coinomi Level”, the new highest level ranking.

Going to the next statement:

(screenshot of Coinomi’s statement)

"The seed phrase wasn’t being transmitted in plain text, instead it was being encapsulated inside a HTTPS request with Google being the sole recipient"

When I said that my passphrase was transmitted in plain text, I meant it reached Google API servers in plain text. Please make sure you know the difference between transmitting something in a secure tunnel (this is how HTTPS works) and between encrypting something before transmitting it.

For the sake of argument, imagine if they encrypted the passphrase first then sent it to Google. In such scenario even if you transmit that data through HTTP (not SSL/TLS) it would reach the destination encrypted. Nonetheless, that made me giggle for a while because it's like saying “we took all the security measures and transmitted your passphrase securely to Google” ouch!

“The seed phrase wasn’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets”

That statement was hilarious, and essentially what they mean by that is “It’s not a vulnerability because the user chose to restore his wallet, otherwise he would have been safe”. So as a Coinomi user you are not supposed to “restore your wallet”, and that feature was there just to spell check your passphrase and make sure it matches Google’s dictionary.

"The spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as “Bad Request”¹ and weren’t processed further by Google"

That’s quite misleading, because how can Google’s API server respond with “Bad Request” without knowing what you sent to it in the first place! The screenshot that they captured showing Google’s web service response is actually from the web application side. The web application won’t reply to the request unless it processes the data first and then determines whether it was valid data or not.

In fact, it’s even much worse than what they think or are trying to imply. Google API servers need a valid API Key in order to use their API web service. But in Coinomi’s case they sent the request using an invalid (unauthorized) API Key, which made Google’s API server treat the request as a bad request. This will definitely alert Google’s team to investigate the cause of the bad request and see the 12 English words separated by spaces (is that a passphrase to a crypto-currency wallet?!), and let's hope that server is not managed by a third-party or even compromised.

In other words, if Coinomi used a valid API Key then Google would have been obliged to treat the data better and would make the person who used my passphrase think twice.

Going to the next statement:

(screenshot of Coinomi’s statement)

"Our engineers immediately tracked down the cause of this issue, which wasn’t a bug in our source code but instead was a bad configuration option in a plug-in used in Desktop wallets only."

Stating that this wasn't part of their "source code" is really misleading and trying to run away from the responsibility. The JxBrowser component/plug-in is bundled with Coinomi’s wallet at the source code level and you can enable/disable any undesired feature of JxBrowser from the source code. So essentially it was a feature, not a bug, but Coinomi misused it and it turned into a CRITICAL security bug.

Coinomi’s team is trying to divert the community attention and blame JxBrowser for their mess. In fact, JxBrowser clearly explained the default behavior in their documentation since 2016 and how to disable it:

(screenshot of the JxBrowser spell checker documentation)

The original link can be found here:
https://jxbrowser.support.teamdev.com/support/solutions/articles/9000044250-configuring-spell-checker

To make it simple for the readers, Coinomi could have avoided the “spell check” scandal with a single line of code:
spellChecker.setEnabled(false);

Apparently the “Code Gurus” at Coinomi didn’t have the time to read the JxBrowser documentation. In fact, I’m not sure why they used JxBrowser in the first place. Coinomi wallet’s core functionality is based on the Java programming language, which is already cross-platform by default, so you don’t need a third-party component for that. The answer is probably that they were too lazy to do the UI in Java natively and wanted a fast, sloppy solution to roll out their Desktop version as soon as possible to compete against their competitors, skipping the QA tests (if they exist at all!).

The funny thing is that if we talk about the “spell check” vulnerability in a legal perspective then it will be considered as a “feature” and to be more precise, a hidden feature. This feature was NOT mentioned anywhere in their “Terms of Use” nor in their wallet application or documentation.

Now let’s talk about Google API and their terms regarding the API usage. You can find these terms in the following links:
https://developers.google.com/terms/
https://developers.google.com/terms/api-services-user-data-policy

Quoting some of their terms:

(screenshots of Google’s API terms)

As you can see, Coinomi have already violated several terms. For example, they used the Google API without a valid API Key (unauthorized usage) and they didn’t inform their users about it. In other words, they deceived Coinomi wallet users with the hidden “spell check” feature which uses Google API servers to check their passphrases/seeds.

Coinomi stated in their official announcement that the data they sent to Google API servers were not “processed, cached or stored”. Don’t take my words for it and let’s see what Google says in their terms:

(screenshot of Google’s API terms)

We can come to the conclusion that the feature of using the Google API to “spell check” users' passphrases/seeds was a hidden feature and it was NOT mentioned in their “Terms of Use” that I accepted before installing the application. So obviously, if I had known about that feature I wouldn't have used the application, unless I wanted to improve my passphrase vocabulary!

Apparently they don’t need to change their CTO only, they also need to change their attorney.

Support Ticket Deception & Privacy

First of all, publishing that support ticket publicly is a clear violation of my privacy as a client. It contained sensitive information related to my case such as my personal crypto-currency addresses and the destination crypto-currency addresses. This information should only be available to the authorities and the parties involved in the case.

Secondly, if my claims were false then why a “blackmailer” (based on Coinomi’s official statement) would accept to send his personal wallet “passphrase/seed” to them? If I wanted to double spend my money why would I give them my wallet passphrase/seed? I’m glad that I sent them my passphrase/seed through an encrypted channel otherwise they would have published it!

The final point is that they did not upload the full ticket and deleted the part where they confirmed that my assets were stolen and said they will start blacklisting the addresses so the person who stole my crypto-currency assets can’t utilize the assets in exchanges:
https://avoid-coinomi.com/files/coinomi_support_ticket.png

You can download the full support ticket from here (sensitive information blurred):
https://avoid-coinomi.com/files/coinomi_support_ticket_full.png

Key Facts & Evidences

I will recap the events to understand why I was affirmative in my conclusion that my assets were stolen because of Coinomi wallet and not for any other reason:

  • I downloaded and installed Coinomi wallet on 14th February 2019.
  • On the same day I pasted my Exodus wallet passphrase/seed in Coinomi’s wallet.
  • I opened “a new” Coinomi wallet with a new passphrase and transferred some crypto assets from the exchange to the wallet.
  • My crypto assets were stolen on 19th February 2019 and the only compromised wallet was Coinomi wallet which I “pasted” my passphrase in.
  • I had multiple wallets on the same virtual machine and none of them were stolen.
  • The assets in the new Coinomi wallet were also NOT stolen.

With these facts it’s clear that the only wallet which got compromised is the wallet which I pasted my Exodus passphrase in and that wallet was Coinomi which had a vulnerability (a feature) to spell check passphrases/seeds with Google API servers.

Misleading, Contradictory & Unprofessional Tweets

The team behind Coinomi was trying very hard to mislead the community with false information. I have listed few screenshots of their tweets to show the community what sort of company they are dealing with:

Patient Zero

One of Coinomi’s arguments in their official statement is that they had zero reports of hacked Desktop wallets and they are using it as an excuse. In fact, several reports of stolen assets were reported on Reddit. However, I will list some reasons that probably made me the first victim:

  • The Desktop wallet is new and it's less than 3 months old (announcement screenshot).
  • Desktop users are a lot less compared to the mobile version of the wallet.
  • To trigger the bug, the user has to restore his wallet.
  • My address had decent amount of crypto assets that attracted the criminal who stole my crypto assets.

Who’s Behind Coinomi?

It seems the team behind Coinomi (especially the management) are hiding in the shadows. I’m listing them here so that the community can always identify them if they start any new project or even rename Coinomi to “Spell Checker”. They are affecting the ecosystem of crypto-currencies in a negative way because they lack credibility and professionalism.

Final Thoughts

With my second statement and the YouTube video, I’m pretty sure that I have provided all the facts and evidence that prove my claims regarding my stolen crypto-currency assets. I also provided clear evidence that shows how Coinomi lack credibility.

I have no choice other than taking this case legally against Coinomi because they keep refusing to take the responsibility for my loss. They wanted to do it the hard way, so let it be.

My final message to the person who stole my crypto-currency assets: the case is escalating as time goes by and eventually legal investigations will begin. You still have the choice to correct your mistake and return the assets to the following addresses:

BTC:
1CtybEBttTMRuNwn4vbfcWurAJXDYX9Ntg

LTC:
LfiMHCpmef4MYsWu3fnNLsxcMxJJutQgsb

BCH:
qpqj7jl6uw3u8lsg28zcd06rcdfpashmfvyv9k2t90

ETH (including ERC20 tokens):
0xd87209d2118012C8021Ca5B8A4D3732906aa2770

Third Statement Overview

Coinomi was very desperate to improve its public image after its “Spell Check” scandal, especially when their cheap social media tactics failed. They literally hired a third-party to vouch for them and prove that my case against them was wrong.

We already know by now Coinomi is cheap (check my previous statements), and they went further this time and hired a company by the name of CipherBlade to “launder” their mess. Please bear with me and read the entire statement so that you understand what I mean by “cheap”. As a starter, let me tell you that CipherBlade is a brand new company that hasn’t even completed a year in the business, with no background or history!

In their report, CipherBlade has concluded that my funds were stolen because my machine probably had malware and it had nothing to do with Coinomi’s “Spell Check” hidden feature that sent my seed/passphrase to a third-party in clear text. CipherBlade kept repeating that they are unbiased and they don’t favor Coinomi’s side over me, but in reality they ignored many facts and tried to mislead the community as Coinomi did. In fact, CipherBlade has challenged me in their report, so how unbiased is that?!

Moreover, CipherBlade did not contact me nor verify any information related to my point of view. So I wonder how they are not favoring Coinomi's side over me?! Anyone with common sense can clearly see how hard CipherBlade is trying to launder Coinomi's public image, as they did previously with ShapeShift.

A Reminder

First of all, let me remind you of the following tweet that Coinomi posted after my first statement:
Blockchain Analysis Firm Feedback

They stated that they hired a Blockchain analysis firm and they confirmed the funds were NOT stolen. I wonder, was it CipherBlade? How come that they now state it was stolen?

Coinomi also stated in their support ticket (before things went public) that they were working with their partner "Chainalysis" (another Blockchain analysis firm) and they were going to blacklist these addresses, but in reality, nothing was blacklisted, as I confirmed after contacting several exchanges. So what did Chainalysis say about the incident? Or were they trying to take advantage of the Chainalysis brand name to obtain trust and cover their mess?

Coinomi also stated in their official statement that they have contacted Google, but there is no update regarding their claim since 27th February:

(screenshot of Coinomi’s statement about contacting Google)

Moreover, they accused me of blackmailing them. In other words, I sent the stolen crypto-currency to myself and blamed them for my loss. So how come they now change their story and confirm that the funds were indeed stolen!

What I'm trying to imply is that Coinomi is full of lies and contradictory statements. They spread false facts to mislead the community and hire companies and individuals to support them.

Making Things Clear

CipherBlade was hired by Coinomi to write the report, and they clearly stated that in their report:

(screenshot from CipherBlade’s report)

It's funny to see how they select the phrases to make things sound much more pleasing. They used the phrase “we were compensated for our time”, which actually means “we got paid to write the report”. It's obvious that CipherBlade was favoring one party over the other; otherwise, what's the purpose of Coinomi spending money on a non-guaranteed report favoring their side and influenced by them?

Moreover, CipherBlade ignored all my solid facts and evidence in my first and second statements. They based their report just on assumptions with no solid facts such as the cause of my loss was a malware infection. They ignored solid proof that my seed/passphrase was sent to Google, and Coinomi is legally obliged to communicate with Google and start an investigation. Instead, CipherBlade ignored that fact because obviously, it does not support Coinomi's position in this case.

CipherBlade kept implying multiple times in their report that I should report the incident to law enforcement agencies as theft rather than filing a legal case against Coinomi. I have emphasized numerous times on social media that my job is not to find the person who stole my crypto-currency assets. My job is to sue Coinomi for my loss because their software had a hidden feature that was not mentioned in their documentation nor in their terms of use which sent my seed/passphrase to a third-party server.

I didn't use Google API services directly; I simply used Coinomi's wallet, which had a feature that sends your seed/passphrase to Google servers. Therefore, Coinomi is legally responsible for contacting Google and finding the criminal. For example, when an exchange gets hacked and users' funds get stolen, do the affected users file a case against the exchange or against the person who hacked the exchange? Of course, it will be the exchange, because they trusted the exchange to keep their funds safe, and that's exactly what all Data Breach laws in the UK and Europe are about. It seems that CipherBlade has zero knowledge about Data Breach laws, and yet they claim they know how to proceed with legal actions and give legal advice.

Ironically, CipherBlade claims that they are a cyber-security firm and yet they did not acknowledge even once in their report that the "Spell Check" bug was a CRITICAL vulnerability. For that reason, I nominate CipherBlade as the best cyber-security firm you can hire for your organization ever (pun intended).

CipherBlade’s Report

When you hear about a case study report written by a so-called blockchain analysis firm, you would expect something technical with substantial evidence. But in CipherBlade's case, the full report was focused on making negative arguments against me and acknowledging positive points towards Coinomi based on nothing but assumptions. The report seems written by a law firm to defend its client (or written by Coinomi).

Most of the arguments that they raised have been addressed in my first and second statements. In this part, I will highlight and quote some of the false arguments that CipherBlade used in their report to endorse Coinomi's position positively.

Quoting from CipherBlade’s report:

(screenshot from CipherBlade’s report)

This is a clear example of how CipherBlade is contradicting itself. They confirm that digital signatures are used to approve that a file is indeed created by the original developer and has not been tampered with. In Coinomi's case, the main executable files were not digitally signed, and this makes my point valid.

CipherBlade also claims it's nearly impossible for a digitally signed installer file to contain a malicious executable file. To be honest, that's one of the worst statements I have ever read, and it clearly shows how CipherBlade lacks technical and cyber-security knowledge specifically. They are basically saying a digital signature prevents malicious files from being deployed!

A digital signature is used to build trust between the developer and the user. If for any reason the code-signing certificate gets compromised, then the attacker can digitally sign malicious files on behalf of the original developer. Another scenario is when an attacker manages to modify one of the executable files before the build process or before the final setup or installer file is created. Below is a real story of how a "digitally signed" application had a backdoor:
Powerful backdoor found in software used by >100 banks and energy cos.
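To make the point concrete, here is an added example in Go (not code from the original post, nor from Coinomi or CipherBlade) using the standard library's Ed25519. A signature check answers exactly one question, whether these bytes were signed by the holder of a given key; it never inspects what the bytes do. The installer content, the key pair and the `BACKDOOR` marker are constructed for the illustration, and the same key is reused to stand in for a stolen one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedRelease is a toy model of a release artifact (the installer bytes)
// together with the vendor's detached signature over it. Constructed for
// illustration; it is not Coinomi's packaging or any real signing format.
type SignedRelease struct {
	Payload   []byte
	Signature []byte
}

// signRelease models the last step of a vendor's build pipeline: whatever
// bytes arrive here get signed, whether or not they are benign.
func signRelease(priv ed25519.PrivateKey, payload []byte) SignedRelease {
	return SignedRelease{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// verifyRelease models what the installer or OS does on the user's machine.
// It only checks that these exact bytes were signed by the holder of the key.
func verifyRelease(pub ed25519.PublicKey, r SignedRelease) bool {
	return ed25519.Verify(pub, r.Payload, r.Signature)
}

// containsBackdoor stands in for the content analysis (reverse engineering,
// sandboxing) that would actually find malicious code. The signature check
// never performs anything like it.
func containsBackdoor(payload []byte) bool {
	return bytes.Contains(payload, []byte("BACKDOOR"))
}

// Outcome records what the two independent checks say about one artifact.
type Outcome struct {
	Name            string
	SignatureValid  bool
	BackdoorPresent bool
}

// runScenarios builds the four cases discussed above and evaluates each.
func runScenarios() ([]Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	clean := []byte("installer v1.0: wallet.exe, updater.exe")
	backdoored := append(append([]byte{}, clean...), []byte(" BACKDOOR")...)

	// 1. Honest build, signed by the vendor.
	honest := signRelease(priv, clean)

	// 2. Binary modified AFTER signing (e.g. swapped on a download mirror).
	//    The signature no longer matches: this is the only case signing catches.
	tampered := SignedRelease{Payload: backdoored, Signature: honest.Signature}

	// 3. Backdoor inserted BEFORE the build step (supply-chain compromise).
	//    The vendor's own pipeline signs the malicious bytes.
	preBuild := signRelease(priv, backdoored)

	// 4. Signing key stolen (modelled by reusing priv): the attacker signs
	//    whatever they like in the vendor's name.
	stolenKey := signRelease(priv, []byte("update v1.1 BACKDOOR"))

	cases := []struct {
		name string
		rel  SignedRelease
	}{
		{"honest build", honest},
		{"tampered after signing", tampered},
		{"backdoor inserted before build", preBuild},
		{"signed with stolen key", stolenKey},
	}
	out := make([]Outcome, 0, len(cases))
	for _, c := range cases {
		out = append(out, Outcome{c.name, verifyRelease(pub, c.rel), containsBackdoor(c.rel.Payload)})
	}
	return out, nil
}

func main() {
	outcomes, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, o := range outcomes {
		fmt.Printf("%-32s signature valid: %-5t backdoor present: %t\n", o.Name, o.SignatureValid, o.BackdoorPresent)
	}
}
```

Only the second case, modification after signing, fails verification. The pre-build compromise and the stolen-key case both verify cleanly while carrying the backdoor, which is exactly why "it is signed" is not the same statement as "it is safe".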

Now let me drop one final bombshell to end this argument. Why did Coinomi delete the following tweet, in which they confirmed the missing digital signature? Doesn't that raise suspicion?
Screenshot of the tweet
Link to the original tweet

Moving to the next statement:

Screenshot of the quoted passage from CipherBlade's report

I have addressed this argument in detail in my second statement and explained why I was probably one of the first few victims. I stated the fundamental fact that the desktop wallet was brand new (less than 3 months old) and provided other facts, which you can read here:
Second Statement: Patient Zero

There were also several reports of stolen funds from users who used Coinomi's wallet before and after my incident. These could be due to the same vulnerability, probably another backdoor in Coinomi's wallet, or users' lack of security precautions. But in my case, it was apparent that my crypto-currency assets got stolen because of Coinomi's hidden "Spell Check" feature.

Calling my solid fact a "hypothesis" is another misleading statement. I have already explained in detail in my second statement how Google clearly declares that it treats invalid requests sent to its API servers with special care, and you can find the details here:
Second Statement: Legal Implications

Moving on to the final quote in this part:

Screenshot of the quoted passage from CipherBlade's report

CipherBlade claims that the possible cause of my stolen crypto-currency assets is malware that monitors the computer's clipboard. Once more, it's just an assumption that I have already addressed in my video response.

As I stated in the video, Coinomi was installed on an isolated virtual machine. Both my main machine and the virtual machine have an anti-virus/anti-malware application installed. To be more specific, both machines have SpyShelter installed. SpyShelter is an advanced anti-spyware product with a Host Intrusion Prevention System (HIPS). It detects an application's behavior regardless of whether that application is known malware or not. It has a clipboard protection feature that warns the user about any application that tries to capture the clipboard. You can read about the feature on their website:
https://www.spyshelter.com/clipboard-protection/

Moreover, over the past 5 years I have copied and pasted from my password manager several passwords related to other crypto-currency wallets, bank accounts, PayPal, Amazon, eBay, and many more. Nothing was compromised or stolen, and yet the only thing that was stolen is the wallet I pasted my seed/passphrase into, which is Coinomi's wallet. Therefore, I'm calling on CipherBlade to enlighten me with their cyber-security wisdom.

The So-called Blockchain Forensics

Once again, I like how CipherBlade uses phrases like "Blockchain Forensics" to exaggerate their expertise and market their service. What they did is called "Blockchain Visualization" and anyone with average Blockchain analysis skills and knowledge can do better than that. In fact, I was able to get better visualization and data using free and open-source tools such as revealing some IP addresses and email accounts linked to some of the addresses involved in this chain of transactions.

I will start quoting their so-called “Blockchain Forensics”:

Two screenshots of the quoted passages from CipherBlade's report

Once again, CipherBlade is contradicting itself. They stated earlier that the cause was probably malware that monitors the computer's clipboard, but now they have changed that to a keylogger after analyzing ETH transactions. I wonder how they were able to turn a blockchain visualization diagram into a conclusion about malware characteristics! They are probably using some sort of elite NASA technology (they should apply for a patent).

I'm honestly not sure how they came to that conclusion! Therefore let's raise some valid questions to CipherBlade:

  • Did they provide any solid proof that links these addresses to any known malware?
    The answer is clearly NO.
  • Did they provide any solid proof that these addresses belong to other victims?
    The answer is clearly NO.

Furthermore, they supported their claim with a graph that clearly shows the characteristics of a "mixing" service. Apparently, CipherBlade has never heard of a mixing service or does not understand how one works. The other addresses they claim belong to other victims are possibly the addresses of other people (whether criminals or not) who used the mixing service. They can also belong to the mixer's address pool, which funds the consolidation wallet and makes things more difficult to trace.

Each mixing service provider works differently from the others, and each has its own characteristics. Some make things harder to trace, and some are more traceable than others, but most of them fund your new wallet address with coins not involved in the mixing process, and they take all the risk. Below is a simple illustration taken from an existing mixing service (reference removed to avoid the accusation of promoting illegal services):

Illustration of the mixing process, taken from an existing mixing service
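The following added example, which is not from the original post or from CipherBlade's report, models the argument above on a constructed toy ledger in Go. The address labels, amounts and mixer layout are hypothetical: a thief deposits the stolen coins into a mixer, three unrelated customers use the same mixer, the mixer sweeps every deposit into one consolidation wallet and pays everyone out from a separate reserve. The code then traces the stolen coins forward the way a naive "follow the money" diagram invites you to, and shows that the "other victims" such a reading produces are simply the mixer's other customers.

```go
package main

import (
	"fmt"
	"sort"
)

// Tx is one transfer on a toy ledger. All data here is constructed for the
// illustration; the addresses are hypothetical labels, not real chain addresses.
type Tx struct {
	From, To string
	Amount   int
}

// sampleLedger returns the constructed scenario described in the lead-in.
func sampleLedger() []Tx {
	return []Tx{
		{"victim", "thief", 17},   // the theft
		{"thief", "mixin1", 17},   // thief deposits to a fresh mixer deposit address
		{"userA", "mixin2", 5},    // unrelated customers, each with their own deposit address
		{"userB", "mixin3", 8},
		{"userC", "mixin4", 12},
		{"mixin1", "consol", 17},  // mixer sweeps all deposits into a consolidation wallet
		{"mixin2", "consol", 5},
		{"mixin3", "consol", 8},
		{"mixin4", "consol", 12},
		{"consol", "reserve", 42}, // consolidation wallet tops up the payout reserve
		{"reserve", "outT", 16},   // payouts come from the reserve, not from the deposited coins
		{"reserve", "outA", 5},
		{"reserve", "outB", 8},
		{"reserve", "outC", 12},
	}
}

// fanIn counts the distinct addresses that paid into addr.
func fanIn(ledger []Tx, addr string) int {
	seen := map[string]bool{}
	for _, tx := range ledger {
		if tx.To == addr {
			seen[tx.From] = true
		}
	}
	return len(seen)
}

// reach returns every address reachable from start by following transfers
// forward (From -> To) or, with forward=false, backward. start itself is excluded.
func reach(ledger []Tx, start string, forward bool) map[string]bool {
	visited := map[string]bool{}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, tx := range ledger {
			var next string
			switch {
			case forward && tx.From == cur:
				next = tx.To
			case !forward && tx.To == cur:
				next = tx.From
			default:
				continue
			}
			if next != start && !visited[next] {
				visited[next] = true
				queue = append(queue, next)
			}
		}
	}
	return visited
}

// naiveCoVictims does what a "follow the money" diagram invites the reader to do:
// trace the stolen coins forward, treat every address with several inputs as a
// thief-controlled consolidation wallet, and label every other originating
// address feeding it as an additional victim. On a mixer, those originating
// addresses are simply the mixer's other customers.
func naiveCoVictims(ledger []Tx, start string) []string {
	downstream := reach(ledger, start, true)
	ownUpstream := reach(ledger, start, false)
	found := map[string]bool{}
	for addr := range downstream {
		if fanIn(ledger, addr) < 2 {
			continue // single-input address, not a consolidation point
		}
		for src := range reach(ledger, addr, false) {
			if fanIn(ledger, src) == 0 && src != start && !ownUpstream[src] {
				found[src] = true // an origin of funds that is not on the thief's own path
			}
		}
	}
	out := make([]string, 0, len(found))
	for a := range found {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

func main() {
	ledger := sampleLedger()
	fmt.Println("consolidation wallet fan-in:", fanIn(ledger, "consol"))
	fmt.Println("naive 'other victims':", naiveCoVictims(ledger, "thief"))
}
```

Run against the constructed ledger, the naive trace reports userA, userB and userC as "other victims" of the same thief, although nothing on the ledger links them to the theft beyond having used the same mixer. Distinguishing a thief's consolidation wallet from a mixer's requires evidence beyond the graph shape, such as the mixer's known deposit addresses or its characteristic fee and payout patterns.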

On the other hand, when CipherBlade analyzed BTC transactions, they came to the conclusion that these transactions reflect mixing service characteristics:

Screenshot of CipherBlade's BTC transaction analysis

So the obvious question is: how come the same entity that stole my crypto-currency assets is characterized as malware in the ETH transactions and as a mixing service in the BTC transactions, based on CipherBlade's own analysis? Isn't that contradictory, as usual?

Moving to the final quote in this part:

Screenshot of the quoted passage from CipherBlade's report

This statement hilariously left me speechless. What they are trying to say is that a crypto-currency thief should make a single, direct transaction to move the stolen funds. That would probably be the most idiotic thief you would ever encounter in your life. The obvious thing any crypto-currency thief would do is find a way to make the stolen assets untraceable, and the simplest option is to use a mixing service.

Who The Hell Is CipherBlade?

CipherBlade is a brand new company that started business in mid-2018 with no or limited history, depending on how you see it. They claim on their website that they have recovered millions of dollars:

Screenshot of the claim on CipherBlade's website

It's amusing to see the irony behind their claim that they have recovered millions of dollars, yet they couldn't afford a professional business email address and used a free email address when they started their business (the screenshot was taken from their website in September 2018):

Screenshot of CipherBlade's website contact details, September 2018

It will become evident why they couldn't afford that when you check their incorporation documents. The incorporation involved several companies, most of them from Seychelles. As most of you know, Seychelles is the land of offshore companies, where you can literally register a company while sitting at home. Seychelles is also known as the land of money launderers, tax dodgers, and anyone who wants to hide their identity behind a fake business name.

The characteristics of CipherBlade's incorporation documents reveal a typical shell company (I like to call it a virtual or fake company). To understand how fishy the business behind CipherBlade is, I urge you to read the following interesting articles for more in-depth details:

The Challenge

CipherBlade has challenged me to upload an image of my virtual machine for digital forensics analysis to prove whether or not my machine was infected with malware. My common sense tells me why I should not trust a business that exists on paper only with my data.

Anyhow, I liked the concept of the challenge, so let's include Coinomi in the challenge and make the rules fair for both parties:

  • Another trusted reputable third-party with solid backgrounds will be hired to do the Digital Forensics.
  • The fees required to do the Digital Forensics will be transferred to a trusted escrow service.
  • If the results of the Digital Forensics conclude that my machine was clean of malware, then Coinomi will pay the fees and take full responsibility for refunding my stolen crypto-currency assets (17 BTC or the equivalent). Otherwise, I will be responsible for covering the Digital Forensics fees.

To make things more interesting, I have a small challenge for CipherBlade. They implied multiple times in their report that it would be reasonably easy to track down the person who stole my crypto-currency assets if proper procedures had been followed. Therefore, I give them full permission to recover all of my crypto-currency assets, and they get 25% of anything they recover as a bounty.

At least they can later update their website and state that they were able to recover hundreds of thousands of dollars (pun intended).

Privacy Violation

CipherBlade has violated my privacy by publishing my personal crypto-currency wallet addresses without my consent (I have never mentioned my addresses publicly). These addresses are considered private information, especially in my case, which involves illegal activity, and should only be available to the authorities and the parties involved in the case.

It's just another clear example of how CipherBlade lacks professionalism and, more importantly, knowledge of the laws that govern privacy and data breaches. Therefore, this incident will be reported to the Information Commissioner's Office as a privacy violation.

Final Thoughts

I believe that after all the facts I have listed, we can come to the conclusion that CipherBlade is your typical one-man-show offshore company, operated through a suspicious chain of shell companies. Their business model depends on profiting from people's losses and cleaning up the mess of other companies by writing so-called blockchain analysis reports.

They got involved with Coinomi to profit from writing the report and to gain publicity by deceiving the community with false facts, claiming to have solved this controversial case. In reality, their report backfired on them and set the last nail in their coffin.

On the other hand, I'm glad that Coinomi has started to suffer financially by paying for an external report that backfired and gained them zero acknowledgment. Their next step will probably be hiring a prostitute to come on camera and say that I sent her the stolen crypto-currency assets!

Further updates will be posted through social media channels (@warith2020), (@avoid_coinomi) and if required will be posted here.