Komodo, a cryptocurrency project, learned about a backdoor in Agama, one of its wallet apps, and responded by hacking its own customers to keep their funds safe from the attacker.
As soon as the Komodo team learned of the backdoor, it used that same backdoor to extract users' funds from all affected wallets and move them to a new address owned by the company, beyond the attacker's reach.
This unusual approach worked: 8 million Komodo coins and 96 bitcoins, worth nearly $13 million, were moved out of users' vulnerable accounts before the hacker had a chance to use the backdoor and steal the funds.
During the investigation, the staff realised they were dealing with a supply-chain attack: the library had been backdoored in order to reach another app downstream that depended on it.
Agama is a cryptocurrency wallet developed by Komodo. It used the EasyDEX-GUI application as part of its build chain, and EasyDEX-GUI in turn loaded the now-malicious electron-native-notify library.
Although the backdoor was added to the electron-native-notify library on March 8, it only made it into the main Agama wallet on April 13, when Komodo released Agama v0.3.5.
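A build-time check for exactly this kind of drift, a dependency of a dependency changing between two builds, as an added example that is not code from Komodo, EasyDEX-GUI or npm. The two lockfiles, the package name sample-util, and every version string and integrity hash below are constructed sample data, not the real Agama lockfile.

```javascript
// Added example, not code from Komodo, EasyDEX-GUI or npm: detect transitive
// dependency drift between two package-lock.json (lockfileVersion 1) snapshots,
// the kind of change that can swap a dependency's dependency for a backdoored release.

// Flatten the nested "dependencies" tree into { "parent > child": { version, integrity } }
// so the same package reached via different parents is tracked separately.
function flattenLock(lock, prefix = '', out = {}) {
  for (const [name, meta] of Object.entries(lock.dependencies || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out[path] = { version: meta.version, integrity: meta.integrity };
    if (meta.dependencies) flattenLock(meta, path, out);
  }
  return out;
}

// Compare two lockfiles; one finding per changed node, sorted by path. kind is
// 'added', 'removed', 'version' (an update: review its changelog and diff the tarballs)
// or 'integrity' (same version, different tarball hash; published registry versions
// are immutable, so this is never legitimate).
function diffLocks(before, after) {
  const a = flattenLock(before), b = flattenLock(after);
  const findings = [];
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const x = a[path], y = b[path];
    if (!x) findings.push({ path, kind: 'added', to: y.version });
    else if (!y) findings.push({ path, kind: 'removed', from: x.version });
    else if (x.version !== y.version) findings.push({ path, kind: 'version', from: x.version, to: y.version });
    else if (x.integrity !== y.integrity) findings.push({ path, kind: 'integrity', from: x.integrity, to: y.integrity });
  }
  return findings.sort((p, q) => p.path.localeCompare(q.path));
}

// Constructed sample lockfiles (versions and hashes are placeholders, not real Agama data):
// the wallet depends on easydex-gui, which pulls in electron-native-notify.
const SAMPLE_BEFORE = {
  lockfileVersion: 1,
  dependencies: {
    'easydex-gui': {
      version: '1.0.0', integrity: 'sha512-PLACEHOLDER-A',
      dependencies: { 'electron-native-notify': { version: '1.0.0', integrity: 'sha512-PLACEHOLDER-B' } },
    },
    'sample-util': { version: '2.0.0', integrity: 'sha512-PLACEHOLDER-C' },
  },
};
// A later build silently picks up a newer transitive release and a re-hashed tarball.
const SAMPLE_AFTER = JSON.parse(JSON.stringify(SAMPLE_BEFORE));
SAMPLE_AFTER.dependencies['easydex-gui'].dependencies['electron-native-notify'] = { version: '1.0.1', integrity: 'sha512-PLACEHOLDER-D' };
SAMPLE_AFTER.dependencies['sample-util'].integrity = 'sha512-PLACEHOLDER-E';

for (const f of diffLocks(SAMPLE_BEFORE, SAMPLE_AFTER)) console.log(f);
```

Against real builds, load each snapshot with `JSON.parse(fs.readFileSync(path, 'utf8'))` in place of the constructed objects. lockfileVersion 2 and 3 files carry the same data under a flat "packages" map and would need a different flattening step.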
According to the npm team, the malicious code worked as designed: it collected Agama wallet seeds and passphrases and uploaded them to a remote server.
These seeds and passphrases would let an attacker access the cryptocurrency accounts managed through the Agama wallet and steal users' funds.
The Komodo team stated that, after discovering the vulnerability, its Cyber Security Team used the same exploit to gain control of many of the affected seeds and secure the funds at risk. The rescued funds are held in wallets controlled by the Komodo team, and owners can reclaim their assets.
The company has also discontinued the older Agama wallet and recommends that all users move to one of its newer products.
Komodo recommends that, when claiming their funds, users create new KMD or BTC addresses with seeds and passphrases different from the ones used before, since the attacker already holds the old seeds and passphrases and could use them in future attacks.