Crypto Startup Hijacks Own Accounts to Patch Zero-Day Vulnerability

How would you feel if you were to receive an email from the company that manages your crypto wallet, saying that your account has been hacked? I would totally lose it, and so would you if your account was loaded.

Still, that’s not the worst part. Try this one for size: your account has been hacked by the very same company who vouched to safeguard your precious booty. Earlier this week, Komodo, a cryptocurrency startup, announced that its hacking team managed to take advantage of a zero-day vulnerability to move $13 million worth of Komodo coins and bitcoins to a safe location.

Why would a company want to hack its own platform?

It’s not actually hacking, as in searching for a backdoor, looting, and running away with the money. According to Npm, the cybersecurity company who identified and fixed the vulnerability, this breach could have cost Komodo millions of dollars. So, what was the vulnerability, and how did the team manage to get away with the money?

In a blog post detailing the patch job, Npm wrote that during a routine check they’d identified a malicious update which contained a code capable of making away with crypto seeds.

Moreover, the viral code was also capable of accessing the users’ passwords used for other cryptocurrency apps. The Npm team stated that the culprit, which was a JavaScript library, shouldn’t have been able to tamper with the app’s advanced functions.

However, the malware code, which was part of a more intricate supply-chain attack, piggybacked on the EasyDEX-GUI application. That would be the breaching point for the hacker. Apparently, the vulnerability was confined to only one of Komodo’s cryptocurrency-management applications (Agama).

The update was released at the beginning of March and did not raise any red flags until the Npm team started to mess around with it. Once the breach was identified, the team moved the contents of the users’ cryptocurrency wallets to a safe location.

According to the estimates, some 96 bitcoins and 8 million Komodo coins were at risk due to this zero-day vulnerability. This adds up to $13 million, give or take.

So, what happens now? Well, by now, you should have received the email saying that the company hacked its own accounts for your sake (yes, I know exactly how this sounds!).

Now you need only access the ‘safe wallets’ to claim your bitcoins or Komodo coins. According to the startup’s support page, the safe location associated with the KMD portfolio is https://www.kmdexplorer.io/address/RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF. As for bitcoins, head to https://www.blockchain.com/btc/address/1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk in order to reclaim your electronic wallet.

Wrap-up

What more is there to be said? Better a company hack its own accounts in order to patch any security breaches than a hacker. Komodo was right to be worried -if not for the Npm team; this zero-day vulnerability could have gone unnoticed. The result – millions of dollars lost and angry users demanding an explanation for their empty cryptocurrency wallets.

What’s your take on this entire Komodo business? Should more companies thread in their footsteps and hire ethical hackers? Head to the comments section and let me know.

About Daniel Sadler

Old-school PC gamer, poetry buff, cat lover, tech wiz. His writing career began almost two decades ago when he modestly acknowledged that hindsight or, lack thereof, can compromise security. He enjoys spending quality time with his friends and family. Most of his friends refer to Daniel as a "man of a few words, but, man, what words!" His interests include cybersecurity, IT, blogging, and, of course, everything related to technology.

Leave a Reply

Your email address will not be published. Required fields are marked *