Cryptocurrency Wallet Hack, users lost over $655,000



Users lost over $655,000 worth of Verge cryptocurrency this week, but nobody knows who to blame in an incident involving the maintainers of the CoinPouch wallet app and the Verge cryptocurrency.

The whole drama started on Tuesday when maintainers of CoinPouch, a multi-currency wallet app, published a statement announcing a hack that affected CoinPouch users who stored Verge currency in their wallets.

The CoinPouch team blamed the incident on a Verge node the company set up together with Verge project maintainers to handle Verge transactions for CoinPouch users.

Problems started on November 9
CoinPouch says that on November 9, a user reported having his or her funds stolen, an incident which they investigated together with the Verge project lead, who later concluded that "it did not look like a hack."

Nonetheless, the Verge dev recommended a set of modifications for CoinPouch's Verge node that would improve its security.

CoinPouch devs say that despite following instructions from the Verge team, days after applying these modifications, the company "started getting additional reports from users stating their Verge wallets in Coinpouch were not working correctly."

When CoinPouch asked the same Verge developer to investigate, he discovered that "most Verge tokens on the Verge Specific Node had been transferred out."

What followed was CoinPouch going public with the hack, and drawing the ire of most of its Verge users.

In a second statement following the initial hack announcement, CoinPouch said it filed a complaint with law enforcement, and requested a copy of the Verge node's underlying server from the hosting company to hand over to a forensics firm and investigate what happened.

Verge team tracks down thief's wallet
On Reddit, the Verge team said they've traced the stolen Verge funds to the thief's wallet, holding over 126 million Verge coins. CoinPouch later intervened, contacting cryptocurrency exchange platforms and asking them to blacklist the thief's wallet, hoping to trap the funds inside.

In the meantime, the Verge cryptocurrency project has already distanced itself from CoinPouch, claiming CoinPouch was never listed as a recommended wallet on its website, and has even published an image depicting conversations with CoinPouch app developers to dispel any rumors of back-alley dealings.

"At this moment neither Coinpouch nor Justin, the founder and lead developer of Verge, are clear how the hack occurred," CoinPouch said in its statement. The company is currently waiting for the extended Thanksgiving weekend to pass before continuing its investigation into the hack.


Catalin Cimpanu  

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is.




source: bleepingcomputer