Cryptocurrency Firm Hacked Its Customers to Protect Their Funds From Hackers

Posted by & filed under Security News.

Are you using Komodo’s Agama Wallet to store your KMD and BTC cryptocurrencies? Were your funds also un-authorisedly transferred overnight to a new address? If yes, don’t worry, it’s probably safe, and if you are lucky, you will get your funds back.

Komodo, a cryptocurrency project and developer of Agama wallet, adopted a surprisingly unique way to protect its customers’ funds.

The company hacked its customers and unauthorisedly transferred nearly 8 million KMD and 96 Bitcoins from their cryptocurrency wallets to a new address owned by the company.

Why? To secure funds of its customers from hackers.

This may sound weird, but it’s true.

Komodo recently learned about a malicious open source, third-party JavaScript library that the company was using in its Agama Wallet app.

The library, named “electron-native-notify,” two months ago received a update from its anonymous author who included a secret backdoor in the new code that was designed to steal and send seeds/private key and other login passphrases of Agama wallet users to a remote server.

So, if you have logged in to any version of Agama wallet downloaded from Komodo’s official website or their Android and iOS apps after 13 April this year, it’s likely you’ve had your wallet credentials stolen.

The malicious library update in question was initially detected by a security team at npm JavaScript package repository service, who then informed Komodo of the issue.

“The attack was carried out by using a pattern that is becoming more and more popular; publishing a useful package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload,” the npm blog said.

The npm blog also shared a brief video demonstration showing how the backdoored version of Agama wallet has been secretly sending a wallet’s private seed to a remote server in the background.

After discovering the vulnerability, Komodo decided to use similar password stealing technique against its users to gain access to as many affected wallets as possible and transferred their funds to a safe wallet before hackers could have stolen them.

“The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners,” Komodo said.

However, it’s important to note that not all affected user wallets have been emptied by the company. So, if your wallet has not been swept, you are strongly recommended to immediately move all your funds from Agama to a new address.

Komodo also said that the Verus version of its Agama wallet is not affected by this vulnerability and is still completely secure, as it doesn’t include the malicious library in question. So, users of Verus version of Agama wallet are not affected by the security incident.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.