70 comments

[ 2.4 ms ] story [ 125 ms ] thread
Yet again, we see that just because you can be your bank , doesn't mean you should. These 'safe', ' audited' programs, protocols, wallets keep failing. The introduction of irrevocable bounties creates a huge incentive to find bugs. The so-called self-funded bug bounty. Never trust a 3rd party to do your crypto.
> Never trust a 3rd party to do your crypto.

This strikes me as funny because software engineers are regularly told not to roll their own crypto.

I'm pretty sure these are different uses of the word crypto.
I chuckled because I interpreted their comment as a pun
The CEO is a huge scammer and at least one audit said atomic wallet was very insecure.
Not doubting you but could we get sources for that? (Genuinely interested in some of the key highlights from that audit)
Well, being audited means only that it is audited. Nobody forces the company/developers to act upon the findings of the audit... but still, technically it is true that they were audited even if the outcome of the audit was "haha, I wouldn't trust my used hanky on this"
Slot machine gives house the edge, users report loss of entire portfolios.
(comment deleted)
Ahh the schadenfruede is strong for me with this one. Silly cryptocurrency fans. When will they learn?
Perhaps now the only people left are scammers, scamming each other in an infinite loop.
These are the stories of people learning.
They apparently are learning slow then ey?
How many times does this have to happen before people learn that cryptocurrency is not a good place to park money?
the level of technical savvy to store crypto safely makes it impractical for the general population
And god forbid if you accidentally transfer your crypto from one incomprehensible address to another.
? It is literally uncountable how many times the big banks stole money from regular people. Crypto indeed is a good place to store money.
When this happens with big bank, you could try going to the court.

When this happens to crypto, you got nobody to blame but yourself.

> When this happens with big bank, you could try going to the court.

Great. So not only I lost my money but now I'm getting an assignment as well. Which will last many years and at best will result in recovering a fraction of what I lost and the most likely outcome us not getting anything back and possibly paying more.

Huh? You literally mean a bank took your money from your account?

Which ones?

Fwiw I've heard many horror stories about Paypal
Paypal is not considered a bank, which is the root of many problems we are facing with paypal.
I had the California State Board of Equalization empty one of my bank accounts without warning because they thought I owned them back taxes. I had moved out of the country and wasn't filing California taxes, which was a mistake. You still have to file a 0 tax.

I still haven't gotten my money back.

Dude, there are whole countries where the Goverment just stopped everyone from getting their money out of the Bank. Greek for example, just a few years ago. It's not something very rare nor do you have to be in a third world country.
Ah yes, big bank, bad. Government, very bad. Crypto good. Sure.
It's a great place but when you need to cash out you need fresh linux system with fresh wallet software connected to the internet only when you make the transaction. Not an app for your phone. Everybody will have malicious keylogger on their phone eventually if they install apps and sometimes even if they don't.
Of course you also need a clean version of linux and all software compiled with a clean compiler.

Thankfully we can be reasonably sure that some compilers at least predate cryptocurrency.

> Everybody will have malicious keylogger on their phone eventually

Are there actually any keyloggers for iOS and Android? Unlike on desktop OSes, there isn’t even an API for that, so you’d need an actual OS exploit.

> fresh linux system with fresh wallet software

And how do you make sure that that doesn’t come with a keylogger (in a world where a significant number of people were to actually do that)?

> you’d need an actual OS exploit

Not necessarily, for instance 3rd party keyboards like Grammarly are keyloggers by their very nature. They grab your input, process it, and give output in terms of grammar corrections. And a rogue app update can absolutely do the same.

> And how do you make sure that that doesn’t come with a keylogger

The same way you verify anything is what you want and stays that way, MD5/SHA256 hashes and airgaps.

It's possible to disable third party keyboards for sensitive data entry at least on iOS. Not sure if the same is possible on Android – worst case, a wallet could just provide their own keyboard/passphrase entry method.

> The same way you verify anything is what you want and stays that way, MD5/SHA256 hashes and airgaps.

How do you determine a given hash to be trustworthy? And how do you know you can trust your `sha256sum` implementation?

You're always trusting someone. Any security analysis pretending otherwise is worthless.

> a fresh linux system with fresh wallet software connected to the internet only when you make the transaction

wow, what a practical way to be able to store and use money!

It is rather safe and practical, for storing assets. It’s called a cold wallet.

If you want “practical” and unsafe, then store all your crypto in hot wallets like Atomic, that sure ended up well.

There are ways to park it safely and ways not to park it safely.
How are laypeople supposed to know which is which?
From my understanding, as what’s essentially a layperson in crypto, is hardware over any form of software. Same as with fiat in say PayPal, you don’t own it unless you can physically hold it. And physically holding it in this case is via FOSS hardware wallets such as Trezor.
That hardware will ultimately also be running software, and you need to be trusting the vendor/supply chain of both.

This is not at all to say that there is no point in hardened/secure execution environments like smartcards, Yubikeys, hardware wallets etc., but the important point is that the statement "hardware is more secure than software" by itself is dangerously misleading.

And there is no such thing as (fully) "FOSS hardware". Somebody needs to build a physical thing in the end, and you can't verify every single step of that process. Openness/transparency has its advantages and reduces the chance of nefarious things happening in your supply chain, but this is lightyears away from "trustlessness".

Who would park it there though? You receive money there and send it to your bank, or you send a little money to pay something. Who stores money there?
Why should anyone feel that they are unsafe with a heavily regulated payment industry?
If it's not a bank and not state backed/insured, it might as well be crypto. With crypto, at least in cold storage, there is a lot less chance of losing your money and no chance of getting a dreaded 'your account was indefinitely suspended' from the 'AI' at Paypal. And having no recourse whatsoever.

Still, personally, I distribute over all kinds of banks (where I get E100k per bank when they fall, so I make sure I'm under that amount per bank) and assets so the fallout is minimal if something falls. Well, unless it's a 1929 event of course; then it remains to be seen what is left after. But then crypto is wiped out too; people gotta live, so they will mass sell off.

[flagged]
> Is there anything intellectually interesting about this article? Just seems to be posted for anti crypto folks to feel better about themselves?

Perhaps that it’s news?

“Atomic Wallet has been apparently exploited, with users on Twitter reporting complete losses of their crypto portfolios.”

> Perhaps that it’s news?

Is it? This looks like rumor-mongering based on a couple tweets.

"Several users on Twitter"

"A number of users have commented on the post reporting losses"

There is one firsthand tweet from someone saying he lost funds this week, one from someone who says he lost funds six months ago, and one from the wallet developer saying "We have received reports of wallets being compromised".

Are we talking a hundred, or are we talking five? As far as the sources go, we have two in six months.

How, exactly, do they come up with an adjective like "several" for this?

I'm as anti-cryptobro as the next guy, but let's put on our critical thinking caps for a minute. Where's the indication that something newsworthy happened here?

If I posted an article about some people got rich off crypto is that also worthwhile because it's "news"? No, if there's no intellectual discussion and it's just cheap 10 second takes then it's not suited for HN.

From the guidelines:

> On-Topic: Anything that good hackers would find interesting. That includes more than hacking and startups. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual curiosity.

> Off-Topic: If they'd cover it on TV news, it's probably off-topic.

This is a very shallow news story that gives no information on the technical nature of the hack or anything intellectual in the slightest.

As can be seen by the comments on this thread almost everything is low-brow commentary similar to what you'd see on a Facebook news story.

If people want to discuss crypto security and the merits of different approaches that would be an awesome discussion to have. Unfortunately it can't happen here any more because the only crypto related things that get upvoted are news stories about bad things happening and the more that happens the more intellectually curious people are driven away.

Same. I've been trading Bitcoin/crypto since 2012 and never heard of Atomic Wallet
Repeat with me: Not your keys, not your coins.
This is a self-custodied light wallet, keys were on user devices. It could have been a weak RNG or due to client side malware, it’s too early to tell.
I'm curious about what happened too. Non custodial? Then how? Was the application FOSS? If not, I'd guess they were collecting some kind of data they shouldn't have been.
It's an app on a phone. It's only as self custodied as your front porch is. With entirety of the internet as your neighborhood.
Are you implying that the compromise happened due to an OS or app store level exploit/vulnerability?

If not, I don’t see how an app on a phone is worse than on a desktop.

It's worse because people use more phones then desktops, and they commonly use them for payments which makes them juicier target than desktops.
So the lesson is to use unpopular, yet still secure (i.e. audited and transparently and competently developed) software/hardware?
Yes.
Good luck finding something (lasting) checking all the boxes – sounds like an extremely unstable equilibrium to me.
It's been surprisingly easy for the last two decades. Just use about third most popular Linux.
So not your keys then. Thanks.
Well not anymore...

I don't get your response, though. It was an app where the keys were "yours". The "not your keys" is about custodial services, which this is not.

Well, then how can your coins be stolen without the keys?

If the keys were stolen using a cryptographic trick, how was it done at scale?

It sounds to me like at some moment the keys were exfiltrated.

So "not your keys, not your coins" stands. If you don't have strict control over the keys you don't have strict control over the coins.

Sounds like you're more advocating for cold storage. You could be right, but even the most secure software wallet is only as secure as the computer it is running on.
still no update about how it was done

surely they would have some idea

There should be a trail. If the funds are just gone it could be a glitch in Atomic.
It seems, but I might be wrong (others suggested it though) that you need the app to be compromised to do this. A server hack wouldn’t work because you still need your key/seed phrase. The app, with a hack, of course can, next to unlocking your wallets locally, send it to a server (which should never happen) and then the owner of that server can take the funds.

To me this seems the most obvious. Use open source wallets, reproducible builds, hashes and, of course, cold wallets. Also, divide; don’t put your money in one place; I would say that goes for banks too.

The general rule of the thumb in crypto is that everything will get exploited. Its a matter of “when”, not “if”.

I wouldn’t even trust Metamask in the long run. If the wallet doesn’t get exploited, something that interacts with the wallet will.

If crypto ever becomes a bigger market, you’ll eventually have state actors trying to exploit protocols and wallets, and they’ll be more sophisticated than the North Korean hackers.

Crypto is just totally ruthless with software exploits. Any software exploit leads to millions of dollars worth of assets being stolen, by whoever found the exploit.
That's the cost of having something actually valuable on you actual device.
Exactly. If a million people have $5 on their device, and it gets exploited, that’s up to $5 million in payout.
Just another day in the cryptoverse. Charlatans duping poor suckers by selling libertarian dreams.