Cryptocurrency users had a close shave last week: they came within reach of losing their hard-earned funds after an attacker slipped malicious code into a crypto wallet that harvested the secrets controlling their blockchain accounts.
The attacker stealthily planted the malicious code in Agama, a cryptocurrency wallet developed by Komodo. Had the attack succeeded, about $13 million worth of Komodo's KMD token, one of the privacy-centric coins on the market, could have been stolen. Fortunately, the plan was thwarted by swift action from both the npm software registry and Komodo.
On 8 March 2019, a developer going by the handle 'sawlysawly' submitted what appeared to be a legitimate update to a software component used by the Agama wallet, publishing it on GitHub, where Komodo hosts the wallet's source code.
That update added an npm package named electron-native-notify as a dependency of the Agama wallet, which meant that newer builds of Agama would pull in and run that package's code.
The first version of electron-native-notify published to npm (1.1.5) was legitimate at the time of the commit. Fifteen days later the package was updated to 1.1.6, which carried a malicious payload. An updated version of Agama was then released on 13 April 2019.
The change in electron-native-notify let the attacker steal the wallet's seed. A wallet seed is a secret phrase from which the wallet's private keys are derived, so anyone holding it can restore the wallet, and spend its coins, in any compatible wallet software.
Wallet seeds are one of the ways users can reach their coins or tokens from anywhere: if a user's hard disk fails and the wallet is lost, the coins can still be recovered by entering the seed phrase into a fresh wallet. The flip side is that anyone with malicious intent who obtains a user's seed can do exactly the same thing, regenerating the private keys for the user's addresses and transferring the funds to a wallet they control.
The attacker configured the code to copy the seed phrases from the Agama wallets it had infected to a public server. The attacker could then simply visit that server and collect the stolen seeds, with nothing on the user's machine to tie the exfiltration directly back to them. With the phrases in hand, the next stage was to start emptying users' accounts, as reported by Komodo.
The npm security team found the problem at the beginning of June during a security analysis and alerted Komodo, which wasted no time securing users' exposed funds.
Using the seeds that the backdoor had already deposited on the public server, Komodo reached the at-risk wallets before the attacker did, moving the funds into secure wallets under its own control.
This was a well-planned and coordinated attack, as Komodo explained in a post on the incident:
It now seems clear that the bug was created intentionally to target Komodo’s version of Agama wallet. A hacker spent several months making useful contributions to the Agama repository on GitHub before inserting the bug. Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using.
The organisation has started returning users' coins and is encouraging affected users to fill in an online form. Accounts holding less than 7777 KMD were prioritised, with a promise to return those funds on or before 15 June.
As of Sunday 9 June, Komodo said on its Discord channel that it had refunded those users in full, a sum in the range of $1m. That surprised many users, since it came ahead of the company's own deadline. Refunds for the larger accounts come next.
Komodo was keen to point out that only the Komodo Agama wallet was affected; other forks of Agama, such as the VerusCoin version, did not contain the malicious code.
This shows the importance of vetting the third-party packages your software depends on: pin versions, review an update before adopting it, and notice when a package you rely on changes hands. Every additional dependency is another party whose code runs with your application's privileges, so the more dependencies you use, the greater the chance that one of them is compromised.
Kudos to npm for discovering the hack and nipping it in the bud, and to Komodo's team for acting immediately to fix the problem.
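As an added example (not code from Komodo, Agama or npm), the script below implements the kind of dependency audit that would have surfaced the pattern described above: a manifest range that silently admits a newer patch release (the 1.1.5 to 1.1.6 bump), a lockfile entry with no integrity hash, and a locked version that falls outside its declared range. The package names and lockfile contents are constructed for the illustration and do not reflect Agama's real manifest; the assumption that the dependency was declared with a caret range is the example's, not the article's. Only the common npm range forms (exact, ^, ~, *) are handled.

```javascript
// Added example: a minimal npm dependency-pinning audit. Not Komodo's or npm's code.
// Handles exact versions, caret (^), tilde (~) and wildcard (*) ranges only.

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]; reject anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic comparison of two parsed versions: <0, 0 or >0.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if `version` is allowed by the manifest `range` (npm semantics for ^ and ~).
function satisfies(range, version) {
  const r = range.trim();
  const v = parseVersion(version);
  if (r === '*' || r === 'latest' || r === '') return true;
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  if (op === '') return compare(v, base) === 0;          // exact pin
  if (compare(v, base) < 0) return false;                // below the floor
  let upper;
  if (op === '^') {
    // ^1.1.5 -> <2.0.0 ; ^0.3.1 -> <0.4.0 ; ^0.0.3 -> <0.0.4
    upper = base[0] > 0 ? [base[0] + 1, 0, 0]
          : base[1] > 0 ? [0, base[1] + 1, 0]
          : [0, 0, base[2] + 1];
  } else {
    // ~1.1.5 -> <1.2.0
    upper = [base[0], base[1] + 1, 0];
  }
  return compare(v, upper) < 0;
}

// A spec is "pinned" only when it is an exact MAJOR.MINOR.PATCH string.
function isPinned(range) {
  return /^\d+\.\d+\.\d+$/.test(range.trim());
}

// Audit a package.json `dependencies` map against lockfile entries shaped
// like { name: { version, integrity } } (the lockfileVersion 1 layout).
function auditDependencies(manifestDeps, lockDeps) {
  const findings = [];
  for (const [name, range] of Object.entries(manifestDeps)) {
    const locked = lockDeps[name];
    if (!isPinned(range)) {
      // A range such as ^1.1.5 lets a later publish (1.1.6) be installed unreviewed.
      findings.push({ name, issue: 'unpinned-range', detail: range });
    }
    if (!locked) {
      findings.push({ name, issue: 'missing-from-lockfile', detail: range });
      continue;
    }
    if (!locked.integrity) {
      // Without a subresource hash the registry can serve a different tarball.
      findings.push({ name, issue: 'no-integrity-hash', detail: locked.version });
    }
    if (!satisfies(range, locked.version)) {
      // Lockfile and manifest disagree: someone edited one without the other.
      findings.push({ name, issue: 'lock-outside-range', detail: `${locked.version} vs ${range}` });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical package names, not Agama's real manifest).
const sampleManifest = {
  'example-notify': '^1.1.5',   // caret range: 1.1.6 would be accepted automatically
  'example-core': '2.0.0',      // pinned, but its lock entry lacks an integrity hash
  'example-util': '~0.3.1',     // lock entry has drifted outside the declared range
};
const sampleLock = {
  'example-notify': { version: '1.1.6', integrity: 'sha512-AAAA...' },
  'example-core': { version: '2.0.0' },
  'example-util': { version: '0.4.0', integrity: 'sha512-BBBB...' },
};

const report = auditDependencies(sampleManifest, sampleLock);
console.log(JSON.stringify(report, null, 2));
```

Run with `node` on your own package.json and package-lock.json and fail the build on any finding. In a real pipeline this sits alongside `npm ci`, which refuses to install when the lockfile and manifest disagree, and a review step for every lockfile diff, since a version bump inside a lockfile is exactly the change that brought 1.1.6 into Agama.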