from Hacker News

Exodus Bitcoin Wallet: $490k swindle

by flexiondotorg on 2/20/24, 8:41 PM with 264 comments

• by vmoore on 2/21/24, 7:20 AM

  The operational security measures one has to take these days to secure crypto is insane. You have to build your own mini intelligence agency just to protect your digital crypto assets. You have to do:

  - Principle of least privilege.

  - Zero Trust.

  - Compartmentation.

  - Hardened Operating Systems with no malware and strong endpoint defense.

  - Firewalls that whitelist only your IP and disavow everything else.

  - 2FA/MFA/Biometrics auth for everything.

  - Defense in Depth.

  - Use crytography tools vetted from the community surrounding it, and use tools which are battle hardened.

  Modern computing is very leaky and every node is malicious. You need extreme vigilance to safeguard crypto.

  Are people up to the task of doing all this?

  I'm asking because I lost crypto before, and now I'm more resilient and have better security posture.

• by codedokode on 2/20/24, 9:56 PM

  Canonical should not have displayed a "safe" icon at scam app page. The proper text should be something like "Not verified. Review the code and check the publisher before using the app.".

  The same should be at Google Play and Apple Store. Scam apps and sanctioned apps are regularly passing through reviews.

• by codetrotter on 2/20/24, 9:14 PM

  This is scary and even a hardware wallet might not help.

  When I create a transaction with Electrum on my computer, I use a hardware wallet to sign the transaction. When I sign the transaction, the hardware wallet shows the amounts, and the output addresses.

  But if my copy of Electrum was backdoored and smart about what it did, it could use an output address for the remaining amount that went to another wallet. And since I and most people mainly check the address we are sending to but don’t pay close attention to the change address, we could end up having our funds stolen that way.

  I’ve been thinking about moving to a multisig setup instead, that would have multiple computers independently used for checking and signing the transactions.

  So far I’ve been putting it off because a single wallet and being diligent about checking the output address that you send to seemed sufficient. But now I think moving to a multisig setup is something me and more people should do sooner rather than later.

• by edent on 2/20/24, 9:08 PM

  What I don't get about the Snap store is why there's no verified link back to a website?

  If you have the technical ability to create an app, you probably have the ability to upload something to /.well-known/ or to add a DNS TXT record.

  That way the Snap store could say "This app came from this website."

  OK, it doesn't help if someone goes to the trouble of registering a homograph address, but it would at least give normal users a chance to check out who the author is.

  That seems to be how Flathub works. It shows a verified domain, or prominently says that it is a community released app.

• by jstanley on 2/20/24, 9:12 PM

  One point I would make:

  > it connects to some API at https://www.exchangerate-api.com/

  This is not necessarily right. The exchangerate-api.com site is hosted behind Cloudflare, so I don't know where it's actually hosted, but the IP addresses shown in bandwhich could be unrelated.

  You also said:

  > Visiting one of those IPs redirects to https://www.exchangerate-api.com/

  It is common for malicious sites to redirect to legitimate sites to help evade detection, so it is possible that exchangerate-api.com is an unrelated and legitimate site.

• by gjsman-1000 on 2/20/24, 9:44 PM

  I'm still not exactly sure, to be honest, why Snap exists.

  The desktop on Linux has gone Flatpak.

  If I'm running a server, why the heck would I trust Snap, a platform that until recently didn't even let me control updates, over Docker? If something goes wrong, who do I call? If I need a custom storage arrangement, who do I call? If I need a custom network arrangement, who do I call? If I need to scale up, who do I call? Why would I subject myself to this?

  Is it IoT? Maybe it has a market there - but why doesn't it focus on being the best it can be, solely for that market, then?

  One more note: Snap even allowing unapproved repackaging of apps was, in my opinion, a very bad idea in the first place. Case in point: Even the Snap homepage is advertising a community repackage of a password manager ("NordPass" - developer not verified). Why the heck should Snap be proud of that?

  (Edit: Apparently NordPass's website does point to it - but the developer remains unverified. What's the point of verification...)

• by neilv on 2/20/24, 9:22 PM

  > They likely saw a button like this in the "App Centre", which gave them some confidence in the application. [...] Furthermore the title of the Snapcraft web frontend says "Snaps are containerised software packages that are simple to create and install. They auto-update and are safe to run."

  Sounds like assurances made by UX and Marketing, which engineering might've been able to tell them they can't make.

  If it ends up costing them $490K plus legal fees, that's still a relatively inexpensive way to learn this lesson.

• by rsynnott on 2/21/24, 2:57 AM

  In which being your own bank continues to be undesirable.

  (Never understood why ‘be your own bank’ was meant to be at all appealing. Being a bank is terrible. And still realistically less risky than this sort of thing; apart from truly bizarre edge cases (see the Citi/Revlon drama), this sort of thing simply can’t happen.)

• by ceejayoz on 2/20/24, 8:57 PM

  A rather hilariously appropriate app name.

• by renewiltord on 2/20/24, 9:07 PM

  Well, that's really unfortunate. I would never just go download a random crypto app, not even from the Apple App Store. But the "Safe" marker is a massive UI risk. It makes me think it was signed and verified in some way.

• by nntwozz on 2/20/24, 10:10 PM

  On a tangent, my neighbor came to me about a month ago and asked if I was a "hacker"?

  He's around 75 and has known me for maybe 20 years, we're not close friends but we run into each other every now and then and he knows I work with IT; I'm about half his age.

  Long story short, I find out he needs help to retrieve his bitcoin wallet because he's lost $300k. I spend an hour looking around his devices and find out he's been buying bitcoin from a young hip instagram lady in Florida.

  Wait for it…

  …they shared access to the wallet.

  He had a chat log stretching back one year on whatsapp with her, he was now paying her smaller sums to cover the cost for some "hacker" to retrieve his wallet.

  ¯\_(ツ)_/¯

• by hsbauauvhabzb on 2/20/24, 9:21 PM

  ‘ I’m writing this in the hope Canonical will fix its processes so reputation-damaging events like this don’t keep happening.’

  That is such a poor attitude. Instead maybe hope that canonical may fix the lax vetting and security of their store, but to care directly about their reputation and not the user who was scammed due to their weak practices goes hand in hand with everything else I’ve seen from snap.

• by philipwhiuk on 2/20/24, 11:36 PM

  By the standards of Web3, this is a very small theft.

  Case in point: https://www.web3isgoinggreat.com/?id=fixedfloat-hack

• by Saris on 2/21/24, 12:50 AM

  The strangest part to me is that it shows it as "Safe", based on what? It doesn't seem like any checks were done at all to make sure this was a real app from Exodus.

• by nly on 2/21/24, 12:03 PM

  Keeping your Bitcoin on your computer in any form is an extremely bad idea.

  Multiple laminated (real) paper wallets in a safety deposit box and multiple locations is the only way to go.

• by achiang on 2/21/24, 5:09 AM

  It has been 10 years since I left Canonical (on good terms), but what popey describes (hi popey) about the intentional lack of human review in the Snap store sounds very Canonical to me.

  I agree with all the recommendations - add human gates. Yes, it's expensive, but still far cheaper than the unbounded reputational damage that just occurred around the untrustworthiness of the store (hi Amazon).

• by kwar13 on 2/21/24, 5:10 AM

  The crypto industry has had a serious UI/UX problem, no doubt about that. I also presume this bitcoin holder wasn't a sophisticated one, because the main point of a cold wallet is NOT ever have your seed phrase (12-24 words) go online. That's the real exploit in here.

  Crypto has a long way to go and some improvements are being made but it definitely is one of the main pain points.

• by Pxtl on 2/20/24, 10:20 PM

  Reminds me of this old Xkcd:

  https://xkcd.com/1200/

  when they said that these Snap packages were "safe" they probably meant from a "linux is secure" and "properly sandboxed" meaning, not "we've verified that this person isn't trying to scam you".

• by upofadown on 2/21/24, 12:13 PM

  This seems to be the big, unsolved, identity problem at least X3:

  * No way for anyone (user or store) to verify the identity of the publisher.

  * User was not given enough understanding to be able to protect their Bitcoin identity (usability, identity backup).

  * No way for anyone (user or store) to identify who had downloaded the malicious snap.

• by DerekRodriguez on 2/21/24, 3:41 AM

  I founded a company that makes a distributed wallet that is immune to these types of problems. You might be scammed out of your specific keyshare, but the scam would need to compromise all nodes at once which is nearly impossible. It's called Gridlock.

• by fuddle on 2/21/24, 4:10 AM

  Do we know how much was transferred to the attackers wallet in total from all attacks?

• by lyu07282 on 2/20/24, 9:39 PM

  The takeaway is to avoid using Snap. In case you needed another reason to.

• by democracy on 2/21/24, 6:53 AM

  Crypto is sooooo cringey in 2024...

• by doubloon on 2/21/24, 1:00 AM

  so they cut a bunch of people and abandoned the desktop, https://www.techradar.com/news/what-happened-at-canonical

  then tried to 'self checkout' the app store

  "One of the goals is to automate the whole Snapcraft publishing and review pipeline so there’s fewer (expensive and slow) humans in the loop." (from op article).

  automation should not replace human judgement, it should replace human drudgery.

• by Devasta on 2/21/24, 12:27 AM

  They shouldn't feel too bad. If they still had that 490k they'd just waste it on stupid bullshit like cryptocurrency.

• by shuntress on 2/20/24, 9:22 PM

  If only there were some kind of system or network of long-standing institutions with a deep commitment to paper-trails and accountability that was overseen by some kind of community-managed regulation to control this type of thing.

• by lxe on 2/20/24, 11:29 PM

  App stores with stringent and restrictive policies do indeed help prevent this type of scams, unfortunately.

• by judith48 on 2/24/24, 10:45 PM

  The world has evolved, lot of phishing and scam on cryptocurrencies . its very important to know that a source is legit before investing and most importantly safe guarding and upgrading security concerning your crypto like two factors authenticators and all necessary precautions .. although there are lot of good coders and hackers like recovering ATusa com that make it easier to recover stolen cryptocurrencies and of course only few are able to get theirs in full......

• by redder23 on 2/20/24, 9:00 PM

  Even the real version is the app is a software wallet right? If you have almost 500k in BTC and do not have it on a hardware wallet and use their official software for it, I have to say it's at least partially on you if you lose it.

• by lobito14 on 2/21/24, 7:29 AM

  https://www.exchangerate-api.com/ isn't related to crypto, and it's probably also a fake website.