Coinomi Strikes Back: "We Don't Negotiate with Blackmailers"

Thursday, 28/02/2019 | 08:22 GMT by Rachel McIntosh
  • A one-man defamation campaign alleging software vulnerabilities has been launched against Coinomi.
Coinomi Strikes Back: "We Don't Negotiate with Blackmailers"
FM

Cryptocurrency storage application Coinomi Wallet has refuted recent claims that its software was coded to send unencrypted wallet recovery seed phrases to Google’s spell check servers. The claims were denied in an official statement posted on Medium on Wednesday, February 27.

Coinomi clarified that seed phrases “weren’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets,” and that if they were sent, they were encrypted and “encapsulated inside a HTTPS request with Google being the sole recipient.”

Additionally, “the spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as ‘Bad Request’ and weren’t processed further by Google.”

Still, Coinomi did acknowledge that this was a problem, one that was likely caused by a poor configuration in plug-in software that operates as part of the Coinomi wallet desktop application.

Founded in 2014, Coinomi is one of the oldest cryptocurrency wallets on the market.

Allegations, Threats, and Blackmail

The claims were originally publicly made against the company came from one Warith Al Maawali, a man who said that a Coinomi wallet had been hacked because of the vulnerability. Maawali created a support request on Coinomi’s board describing the claims in detail; he also seems to have created Avoid-Coinomi.com, a website that also contains descriptions of the vulnerability as he sees it.

Coinomi is said to have immediately flagged the post as ‘high priority’ and to have launched an investigation into the matter. Despite this, however, Coinomi COO Angelos Leoussis explained on the company’s Telegram channel that Maawali persisted in “threatening, swearing, and blackmailing us for insane amounts.”

Unfortunately for Coinomi, Maawali’s claims spread like wildfire over the web. At the time of writing, a number of crypto-centric news publications, including DecryptMedia, Ethereum World News, and Bitcoin Exchange Guide have reported on Maawali’s claims without including Coinomi’s defense.

CoinTelegraph reported that before Maawali went public with his allegations, he requested that the company refund him the cryptocurrency that had allegedly been stolen from him, threatening that if they failed to do so, he would have “no choice other than reporting this in social media.” However, Maawali would not provide Coinomi with the details of his claims.

Coinomi proceeded by asking Maawali for more information on the alleged vulnerability. Maawali is said to have responded by saying that he wouldn’t give any details until he was guaranteed payment.

Even so, Coinomi reportedly reported the allegedly stolen assets to Chainalysis, so that the funds will be blacklisted, and therefore will not be accepted by any exchange.

Regardless of whether or not Coinomi's alleged vulnerability actually led to the theft of Maawali's assets, the debacle has served as a reminder that software wallets can be risky.

Indeed, Ledger CEO Eric Larchevêque told Finance Magnates in an email that “the Coinomi meltdown is further evidence of why software wallets are a recipe for disaster. When entrusting a software wallet with your assets, you are exposing your private keys to the internet, leaving them vulnerable to attack. Simply put, Cold Storage on a hardware wallet is the only way for investors to ensure complete security of their private keys.”

Finance Magnates reached out to Coinomi but had not received a response at the time of publication.

Cryptocurrency storage application Coinomi Wallet has refuted recent claims that its software was coded to send unencrypted wallet recovery seed phrases to Google’s spell check servers. The claims were denied in an official statement posted on Medium on Wednesday, February 27.

Coinomi clarified that seed phrases “weren’t being transmitted at all unless the user chose to explicitly restore their Desktop wallets,” and that if they were sent, they were encrypted and “encapsulated inside a HTTPS request with Google being the sole recipient.”

Additionally, “the spell-check requests that were sent over to Google API were not processed, cached or stored and the requests themselves returned an error (code: 400) as they were flagged as ‘Bad Request’ and weren’t processed further by Google.”

Still, Coinomi did acknowledge that this was a problem, one that was likely caused by a poor configuration in plug-in software that operates as part of the Coinomi wallet desktop application.

Founded in 2014, Coinomi is one of the oldest cryptocurrency wallets on the market.

Allegations, Threats, and Blackmail

The claims were originally publicly made against the company came from one Warith Al Maawali, a man who said that a Coinomi wallet had been hacked because of the vulnerability. Maawali created a support request on Coinomi’s board describing the claims in detail; he also seems to have created Avoid-Coinomi.com, a website that also contains descriptions of the vulnerability as he sees it.

Coinomi is said to have immediately flagged the post as ‘high priority’ and to have launched an investigation into the matter. Despite this, however, Coinomi COO Angelos Leoussis explained on the company’s Telegram channel that Maawali persisted in “threatening, swearing, and blackmailing us for insane amounts.”

Unfortunately for Coinomi, Maawali’s claims spread like wildfire over the web. At the time of writing, a number of crypto-centric news publications, including DecryptMedia, Ethereum World News, and Bitcoin Exchange Guide have reported on Maawali’s claims without including Coinomi’s defense.

CoinTelegraph reported that before Maawali went public with his allegations, he requested that the company refund him the cryptocurrency that had allegedly been stolen from him, threatening that if they failed to do so, he would have “no choice other than reporting this in social media.” However, Maawali would not provide Coinomi with the details of his claims.

Coinomi proceeded by asking Maawali for more information on the alleged vulnerability. Maawali is said to have responded by saying that he wouldn’t give any details until he was guaranteed payment.

Even so, Coinomi reportedly reported the allegedly stolen assets to Chainalysis, so that the funds will be blacklisted, and therefore will not be accepted by any exchange.

Regardless of whether or not Coinomi's alleged vulnerability actually led to the theft of Maawali's assets, the debacle has served as a reminder that software wallets can be risky.

Indeed, Ledger CEO Eric Larchevêque told Finance Magnates in an email that “the Coinomi meltdown is further evidence of why software wallets are a recipe for disaster. When entrusting a software wallet with your assets, you are exposing your private keys to the internet, leaving them vulnerable to attack. Simply put, Cold Storage on a hardware wallet is the only way for investors to ensure complete security of their private keys.”

Finance Magnates reached out to Coinomi but had not received a response at the time of publication.

About the Author: Rachel McIntosh
Rachel McIntosh
  • 1509 Articles
  • 60 Followers
About the Author: Rachel McIntosh
Rachel is a self-taught crypto geek and a passionate writer. She believes in the power that the written word has to educate, connect and empower individuals to make positive and powerful financial choices. She is the Podcast Host and a Cryptocurrency Editor at Finance Magnates.
  • 1509 Articles
  • 60 Followers

More from the Author

CryptoCurrency

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}