Select Page

Are you using Komodo’s Agama Wallet to store your KMD and BTC cryptocurrencies?

Were your funds also unauthorisedly transferred overnight to a new address?

If yes, don’t worry, it’s probably safe, and if you are lucky, you will get your funds back.

Here’s what exactly happened…

Komodo, a cryptocurrency project and developer of Agama wallet, adopted a surprisingly unique way to protect its customers’ funds.

The company hacked its customers and unauthorisedly transferred nearly 8 million KMD and 96 Bitcoins from their cryptocurrency wallets to a new address owned by the company.

Why? To secure funds of its customers from hackers.

This may sound weird, but it’s true.

Komodo recently learned about a malicious open source, third-party JavaScript library that the company was using in its Agama Wallet app.

The library, named “electron-native-notify,” two months ago received a update from its anonymous author who included a secret backdoor in the new code that was designed to steal and send seeds/private key and other login passphrases of Agama wallet users to a remote server.

So, if you have logged in to any version of Agama wallet downloaded from Komodo’s official website or their Android and iOS apps after 13 April this year, it’s likely you’ve had your wallet credentials stolen.

The malicious library update in question was initially detected by a security team at npm JavaScript package repository service, who then informed Komodo of the issue.

“The attack was carried out by using a pattern that is becoming more and more popular; publishing a useful package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload,” the npm blog said.

The npm blog also shared a brief video demonstration showing how the backdoored version of Agama wallet has been secretly sending a wallet’s private seed to a remote server in the background.

images from Hacker News