On Wednesday, we reported claims that Warith Al Maawali lost $60,000 to $70,000 while using the Coinomi wallet. He argued that Coinomi’s built-in spell checker was at fault as it automatically sent his seed phrase as plain text to a Google-owned website and that the funds were intercepted.
Coinomi acknowledges that there was a security vulnerability but disputes the loss of funds. Moreover, Coinomi now accuses Al Maawali of extortion.
In a tweet, late Wednesday, Coinomi provided details of its correspondence with Al Maawali. It said that it repeatedly requested that he publish blockchain evidence of the funds moving, which he failed to do. Instead, Coinomi says that Al Maawali demanded, repeatedly, that he should be paid 17 BTC or he would go public with the news.
In a Medium post earlier on Wednesday, Coinomi admitted that there was a security flaw but refuted that the seed phrase was sent as plain text. It also claimed that Google, the sole recipient, did not process, cache or store the requests, so the funds could not have been stolen. The issue, it says, was fixed six days ago.
However, Al Maawali continues to dispute Coinomi’s version of events. He’s launched a website named avoid-coinomi.com to publicize the incident, and has posted tweets received from the team, which have since been deleted. He accuses them of abrogating responsibility for what happened and threatening him with legal implications if he went public. He further says that he provided Coinomi with 24 hours in which to return his funds and now intends to begin legal proceedings.
The incident has led to much debate around the security of hot wallets, those that are connected to the internet. However, without further evidence, suggestions that the money could have been stolen via malware, or transferred by Al Maawali to another account are perfectly credible.
However, on Reddit, at least two other users have now also alleged that funds lodged with Coinomi have disappeared, although they don’t specify that they imported their seed phrase into the wallet. Coinomi claims that, to date, it has no reports of other hacked wallets.
We reached out to both Al Maawali and Coinomi and will update when we hear more.
Without further proof, it’s impossible to determine whether or not the funds actually disappeared. If the funds were stolen because of the vulnerability, the thief would require access to Google’s encryption suite. If it was someone with access to log data at Google, a criminal investigation would be warranted. In that case, Al Maawali would need to produce proof of the funds moving on the blockchain.
In the meantime, Coinomi needs to update its website, which still states that “no Coinomi wallet has ever been hacked or otherwise compromised to date.” The admission of a security flaw disproves that. They might want to ease up on the spell check too.