Cryptocurrency startup Komodo hacks itself to protect its users’ funds from hackers

Pierluigi Paganini June 07, 2019

The cryptocurrency startup Komodo hacked itself to protect its users' funds and prevent hackers from stealing them by exploiting a flaw in its Agama wallet.

The story I'm going to tell you is amazing: the cryptocurrency startup Komodo hacked itself after discovering a backdoor in its Agama wallet.

Komodo’s Agama Wallet allows users to store KMD and BTC cryptocurrencies, but the presence of a backdoor posed a serious risk to them.


Once it discovered the flaw, the company decided to exploit it itself to protect the funds, beating the hackers to it and moving the funds to a secure location.

“Today, Komodo were made aware of an issue with one of the libraries used by the Agama wallet, potentially putting some user funds at risk.” reads a blog post published by the company.

“After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk.” 

The company's experts moved around 8 million KMD and 96 BTC from the flawed Agama wallets to safe wallets under their control: RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC).

Owners of wallets that have not been swept, or that hold assets other than KMD and BTC, have to move all their funds from Agama to a new address as soon as possible. Komodo provided a list of safe wallets and other information on its support page.

Experts pointed out that the Verus version of the Agama wallet is not affected by this vulnerability; its latest version supports Komodo in both lite mode and native mode.

The backdoor in the Agama wallet app was discovered by experts at the security team of the npm JavaScript package repository.

“The attack was carried out by using a pattern that is becoming more and more popular; publishing a “useful” package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload.” reads the post published by the npm, Inc. security team.

The npm security team spotted a supply chain attack in which hackers used a malicious update of the electron-native-notify JavaScript library (version 1.1.6). It included malicious code designed to steal cryptocurrency wallet seeds and other login passphrases.

“The GitHub user sawlysawly published this commit on Mar 8th which added electron-native-notify^1.1.5 as a dependency to the EasyDEX-GUI application (which is used as part of the Agama wallet).” continues the security team at npm.

The experts found that the attackers targeted the Agama cryptocurrency wallet, which used the EasyDEX-GUI application that loaded the now-malicious electron-native-notify library.

The backdoor was added to the electron-native-notify library on March 8, and it was included in the main Agama wallet on April 13, when Komodo released Agama version 0.3.5.
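The mechanism behind that timeline is the floating dependency range: `^1.1.5` accepts any later 1.x.y release, so the malicious 1.1.6 was pulled in on the next install without any change to the application's own code. The following audit script is an added example written for this article (not Komodo's or npm's code); the package.json and lockfile contents are constructed, and the known-bad list and the v1 `dependencies` lockfile layout are assumptions.

```javascript
// Audit a package.json / package-lock.json pair for two defender-relevant signals:
// (1) dependencies declared with a floating range (^ or ~) whose resolved version has
//     drifted past the version the developer originally pinned, and
// (2) resolved versions that appear in a known-bad list.
// Assumed lockfile shape: npm lockfile v1 ("dependencies": { name: { version } }).

// Known-bad releases; the electron-native-notify 1.1.6 entry is the one named in the
// article, the list itself is a construct of this example.
const KNOWN_BAD = { 'electron-native-notify': ['1.1.6'] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

// Minimal caret semantics for major >= 1: ^a.b.c matches a.x.y where x.y >= b.c.
// Exact (non-caret) ranges match only the identical version.
function caretAllows(range, version) {
  if (!range.startsWith('^')) return range.trim() === version.trim();
  const [ra, rb, rc] = parseVersion(range.slice(1));
  const [va, vb, vc] = parseVersion(version);
  if (va !== ra) return false;
  return vb > rb || (vb === rb && vc >= rc);
}

// Returns findings: { name, kind, range, resolved, driftedFromBase? }.
function auditDependencies(pkg, lock) {
  const findings = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const resolved = (lock.dependencies || {})[name]?.version;
    if (range.startsWith('^') || range.startsWith('~')) {
      const base = range.slice(1);
      // Drift: the lockfile resolved something newer than the version the author wrote.
      const drifted = resolved !== undefined && resolved !== base && caretAllows(range, resolved);
      findings.push({ name, kind: 'floating-range', range, resolved, driftedFromBase: drifted });
    }
    if (resolved && (KNOWN_BAD[name] || []).includes(resolved)) {
      findings.push({ name, kind: 'known-bad-version', range, resolved });
    }
  }
  return findings;
}

// Constructed sample input mirroring the dependency line quoted in the article.
const samplePkg = { dependencies: { 'electron-native-notify': '^1.1.5', 'left-pad': '1.3.0' } };
const sampleLock = { dependencies: { 'electron-native-notify': { version: '1.1.6' }, 'left-pad': { version: '1.3.0' } } };

console.log(auditDependencies(samplePkg, sampleLock));
```

Pinning exact versions in package.json and committing the lockfile stops the silent upgrade; the script's `driftedFromBase` flag shows where a floating range has already moved.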

This means that users who logged in to any version of the Agama wallet after April 13 likely had their wallet credentials compromised.

The npm experts also published a video showing how the vulnerable version of the Agama wallet sends the private seed associated with a wallet to a remote server in the background.

Komodo's experts used the same technique to transfer their clients' funds to a safe wallet before hackers could steal them.


(SecurityAffairs – Komodo, hacking)
