This Crypto Startup Hacks Its Own Users’ Wallets to Rescue $13 Million

June 7, 2019 08:19 UTC

By CCN: Better the thief you know than the one you don’t. Cryptocurrency platform Komodo has had to hack its users after discovering a serious security flaw in one of its wallets.

According to a press statement by the blockchain startup, Komodo’s cybersecurity team was able to ‘sweep’ in and retrieve 8 million Komodo coins (KMD) and 96 Bitcoin before hackers got hold of the exposed loot. An estimated $13 million worth of cryptocurrency was saved in the process.

A video on YouTube reveals how bad actors could have potentially gained access to Komodo users’ private keys.

Funds are Safe and Sound But Still Centralized

The Komodo team has moved all funds to two company-owned wallets in the meantime.

Owners can claim them back in the coming weeks as the details are ironed out. Komodo urged affected users to get in touch via their Discord channel.

Plans are in the works to refund Komodo users. Source: Twitter.

The team also encouraged all users of their Agama wallets to transfer funds to a new address just as a safety precaution.

This unusual defense worked this time around, but it does raise questions about the so-called ‘decentralized’ nature of cryptocurrency. In cases of dispute or fraud like the one above, should someone step in to regulate a nascent industry like crypto?

Open-Source is a Double-Edged Sword for Cryptocurrency

The security flaw was ultimately discovered by auditors from npm, a package manager for JavaScript. Unfortunately, this kind of attack is becoming more commonplace as hackers look for more creative ways to steal crypto.

The attack was carried out by using a pattern that is becoming more and more popular; publishing a ‘useful’ package to npm, waiting until it was in use by the target, and then updating it to include a malicious payload.

The philosophy of open-source has spawned popular software like Linux, WordPress, and Firefox but has also come at a real cost to security. As remote working continues to grow, there is a serious need to audit developers, some of whom are halfway around the world.

Essentially we hacked the hacker, but he is very patient. He spent months acting as a normal contributor…

Komodo unwittingly included the compromised JavaScript library in its Agama wallet; however, not all versions were affected.
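
The update-based pattern described above depends on a build picking up a dependency release that nobody re-reviewed. As an added example (not code from Komodo, npm or the original article), this JavaScript flags non-pinned ranges in a package.json and lists every lockfile entry that changed between two builds; all package names, versions and integrity strings are constructed.

```javascript
// Added example; package names, versions and integrity strings are constructed.
// An exact pin is a plain x.y.z version. Any other range lets `npm install`
// resolve to a release published after the dependency was last reviewed.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function floatingRanges(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(range)) out.push({ name, range, field });
    }
  }
  return out;
}

// Compare two lockfiles (lockfileVersion 2/3 "packages" map) and report each
// entry that is new, changed version, changed content, or has no integrity hash.
function lockDrift(oldLock, newLock) {
  const before = oldLock.packages || {};
  const out = [];
  for (const [path, entry] of Object.entries(newLock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const prev = before[path];
    if (!prev) out.push({ path, change: 'added', to: entry.version });
    else if (prev.version !== entry.version) {
      out.push({ path, change: 'version', from: prev.version, to: entry.version });
    } else if (prev.integrity !== entry.integrity) {
      out.push({ path, change: 'integrity', to: entry.version });
    }
    if (!entry.integrity) out.push({ path, change: 'no-integrity', to: entry.version });
  }
  return out;
}

const manifest = { dependencies: { 'helper-lib': '^0.2.0', 'pinned-lib': '1.4.2' } };
const lockA = { packages: {
  '': { name: 'wallet-app' },
  'node_modules/helper-lib': { version: '0.2.0', integrity: 'sha512-AAAA' },
  'node_modules/pinned-lib': { version: '1.4.2', integrity: 'sha512-BBBB' } } };
const lockB = { packages: {
  '': { name: 'wallet-app' },
  'node_modules/helper-lib': { version: '0.2.1', integrity: 'sha512-CCCC' },
  'node_modules/helper-lib/node_modules/new-dep': { version: '1.0.0', integrity: 'sha512-DDDD' },
  'node_modules/pinned-lib': { version: '1.4.2', integrity: 'sha512-BBBB' } } };

console.log(floatingRanges(manifest)); // ranges that accept unreviewed releases
console.log(lockDrift(lockA, lockB));  // what a reviewer should look at before release
```

Building with `npm ci` rather than `npm install` makes the committed lockfile authoritative, so the drift list only changes when someone deliberately updates it.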

Komodo Hacks Its Users But KMD Remains Unaffected

KMD has had a fairly muted reaction in the market since the announcement, suggesting the company plugged the hole before hackers could do any serious damage.

KMD remains unaffected as the coin continues its upward trend versus Bitcoin this month. Source: TradingView.

Cryptocurrency enthusiasts will no doubt be hoping that this is the first and only time a project will need to hack its users to keep their funds safe.

This article was edited by Samburaj Das.
