If you're a cryptocurrency startup, would you face a huge backlash by hacking your own customers to keep their funds safe if you know that a hacker is about to launch an attack and steal their funds?

This is exactly what happened yesterday when the Komodo Platform learned about a backdoor in one of its older wallet apps named Agama.

Knowing they had little time to act, the Komodo team said it used the same backdoor to extract users' funds from all impacted wallets and move them to a safe location, out of the hacker's reach.

The tactic paid off, and 8 million Komodo coins and 96 bitcoins, worth nearly $13 million, were taken from users' vulnerable accounts before the hacker could get a chance to abuse the backdoor and steal users' funds.

The backdoor

The backdoor in the Agama wallet app was discovered during an audit by the security team of the npm JavaScript package repository.

Npm staff said they identified a malicious update for the electron-native-notify (version 1.1.6) JavaScript library, which contained code designed to steal cryptocurrency wallet seeds and other login passphrases specific to cryptocurrency apps.

While initially, it did not make any sense for a library with a very limited feature-set to contain such an advanced functionality, after investigating the issue, npm staffers realized they were dealing with a supply-chain attack aimed at another app downstream, which was using the now-backdoored library.

The app was Agama, a cryptocurrency wallet developed by Komodo, and which was using the EasyDEX-GUI application as part of its build-chain, which, in turn, was loading the now-malicious electron-native-notify library.

While the backdoor was added to the electron-native-notify library on March 8, it only made it in the main Agama wallet on April 13, when Komodo released Agama v0.3.5.

The npm team said the malicious code would work as intended and collect Agama wallet app seeds and passphrases, and upload the data to a remote server.

The seeds and passphrases would have allowed a hacker to connect to the cryptocurrency accounts managed through the Agama wallet and steal users' funds.

Komodo to allow users to reclaim their funds

"After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk," the Komodo team said yesterday in a security alert.

"We were able to sweep around 8 million KMD and 96 BTC from the vulnerable wallets, which otherwise would have been easy pickings for the attacker.

"The safe wallets RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC) are under the control of the Komodo Team, and assets can be reclaimed by their owners. See our support page article for details," Komodo added.

In the meantime, the company has discontinued the older Agama wallet and is now recommending that users move to one of its newer products. Forks of the Agama wallet app ran by other companies, such as the Verus Agama wallet, were not affected.

Komodo is also recommending that when users reclaim their funds, they create new KMD or BTC addresses that use different seeds and passphrases from the ones they used before, so to prevent the hacker from using the old seeds and passphrases they collected for future attacks.

More data breach coverage: