Wallet

North Korean hackers swipe over $100M from Atomic Wallet users

According to Elliptic, a blockchain analysis company, an estimated 5,500 crypto wallets have been affected by the attack.

Atomic Wallet, a noncustodial decentralized wallet, has been hit by a staggering exploit, leading to users reporting losses of their entire cryptocurrency portfolios. This unforeseen breach has sent shockwaves through the crypto community, as Atomic Wallet's fundamental premise relies on users assuming full responsibility for storing their assets securely. 

The losses from the Atomic Wallet heist have now skyrocketed to over $100 million, according to analysis conducted by Elliptic. This alarming figure highlights the severity of the attack, which compromised an estimated 5,500 crypto wallets.

Despite the magnitude of the incident, Atomic Wallet has yet to provide any explanation regarding the root cause of these substantial losses. This has led to mounting concerns from frustrated users who anxiously await clarification and reassurance from the company. Meanwhile, at the time of publication, the company's last update on Twitter was on June 7. 

Frustrated Atomic Wallet users have taken to Twitter to express their annoyance at the way the company is handling the issue. Twitter user Ezra Carlson shared, tagging Atomic Wallet, "why won't AM give me a straight answer about why they didn't warn me, knowing full well that they were being hacked, that it was not safe to use AM last week before I made a transfer to my wallet that was then hacked."

Another user, "RealDeal Crypto," called out Atomic Wallet for its lack of updates pertaining to the situation, saying, "Your last update was five days ago - SERIOUSLY?!?!"

On June 3, Atomic Wallet acknowledged reports of compromised wallets in a tweet but downplayed the impact, stating that "less than 1%" of their user base had been affected. However, the staggering sum of the losses suggests a significant breach.

Related: Atomic Wallet hack losses top $35M, on-chain sleuth reports

Blockchain analysis company Elliptic has linked the heist to the notorious Lazarus Group, believed to be responsible for stealing over $2 billion in crypto assets through various thefts. According to Elliptic, this disclosure marks the first time a significant crypto heist has been openly attributed to the Lazarus Group since their successful $100 million exploit of Horizon Bridge in June 2022.

Following the heist, Elliptic shared that it was collaborating with international investigators and exchanges, and mobilizing its resources to recover the stolen assets. Their attempts have allegedly resulted in the freezing of over $1 million worth of the stolen funds, so far. However, the blockchain analysis company noted that, "in response to the freezing of these funds, the thief has begun to change their behavior. In particular, they have turned to the Russia-based Garantex exchange to launder the stolen assets."

The recent attack joins a series of notable breaches, including the recent exploit of Jimbos Protocol, resulting in a loss of $7.5 million, and a malicious proposal that seized control of Tornado Cash's governance in May. According to a Chainalysis report, it is estimated that crypto hackers absconded with a staggering $3.8 billion in 2022, with a significant portion attributed to attacks linked to North Korea, particularly exploiting decentralized finance protocols.

Magazine: Should crypto projects ever negotiate with hackers? Probably


Crypto custodian BitGo signals intent to acquire Prime Trust

Should the deal go through, Prime Trust’s infrastructure will “map over 1:1” with BitGo’s services, and add another trust company and crypto IRA fund.

Wallet infrastructure provider and digital asset custodian BitGo has signed a non-binding letter of intent to acquire fintech infrastructure provider Prime Trust, according to an announcement on June 8.

The terms of the agreement were not disclosed. If the deal goes through, BitGo will acquire Prime Trust’s payment rails and cryptocurrency IRA fund and increase its wealth management offerings.

Prime Trust’s Nevada Trust Company will also join BitGo’s network of regulated trust companies in South Dakota, New York, Germany, and Switzerland. Prime Trust’s API infrastructure and exchange network will “map over 1:1” with BitGo services. According to the BitGo statement:

“This acquisition makes BitGo the first global digital asset company to provide a full suite of solutions for institutions and fintech platforms.”

The crypto custody market is evolving rapidly, with Ripple acquiring Swiss digital asset custody provider Metaco in May for $250 million. In addition, technological advances are impacting the market.

The acquisition comes as the United States Securities and Exchange Commission has proposed rule changes that would make it harder for crypto companies to act as custodians of their customers’ funds.

Related: Prometheum subsidiary receives FINRA approval for digital asset qualified custody

Prime Trust reportedly laid off a third of its staff in January. Later, it stepped in to hold Binance.US customer funds through a network of partner banks after the banking crisis in March. It was the center of a scandal in the U.S. state of Oregon last year when it was identified as the source of a $500,000 contribution to the state Democratic Party that later turned out to have come from FTX executive Nishad Singh.

BitGo itself was almost acquired by Galaxy Digital for $1.2 billion last year, and filed suit against Galaxy after the deal was cancelled.

Magazine: ‘Account abstraction’ supercharges Ethereum wallets: Dummies guide


Atomic Wallet says hack affected 1% of active users, but investors claim otherwise

In the aftermath of the attack, Atomic Wallet — along with individual blockchain investigators — has amped up efforts to track and revert stolen funds.

A hack that has drained $35 million from Atomic Wallet users since June 2 impacted less than 1% of its monthly active users, according to the company. In the aftermath of the attack, Atomic Wallet — along with individual blockchain investigators — has amped up efforts to track and revert stolen funds.

Trying to cash in on the commotion, a few verified scam Twitter accounts impersonated Atomic Wallet while sharing phishing links claiming to help users recover lost funds.

Pseudonymous on-chain researcher ZachXBT further claimed to have helped a victim recover $1 million of lost funds. However, the recovery process is yet to be disclosed, which ZachXBT allegedly “Will share in time but best not to yet.”

Despite Atomic Wallet’s announcement, numerous users were continuing to report loss of funds at the time of writing. Additionally, the community called out the company’s attempt to water down the damage, as one user stated:

“% doesn't matter, hacker intend to focus on big fund wallet only.”

The episode underscores the importance of researching the right service provider when it comes to the safekeeping of crypto assets. Moreover, it calls into question the “not your keys, not your coins” narrative preached by numerous crypto wallet providers such as Atomic Wallet.

ZachXBT’s investigation found that the largest amount lost by an individual in the Atomic Wallet hack was $7.95 million in Tether (USDT) on the Tron blockchain. As per the last update, the five biggest losses account for $17 million.

Related: Gate.io threatens legal action against rumor-mongers

Over the weekend, on June 4, a hacker took control of the mobile phone owned by pro-XRP (XRP) lawyer, John Deaton. Deaton’s Twitter account was then used to shill LAW tokens.

Soon after the tweet, Deaton and accounts representing him warned users about the hack and advised them against investing in the cryptocurrency.

Magazine: AI Eye: 25K traders bet on ChatGPT’s stock picks, AI sucks at dice throws, and more


Atomic Wallet exploited, users report loss of entire portfolios

Several users on Twitter have reported losses of crypto assets, claiming funds held on the Atomic Wallet app vanished.

Atomic Wallet has apparently been exploited, with users on Twitter reporting complete losses of their crypto portfolios. Atomic is a noncustodial, decentralized wallet, meaning users are responsible for assets stored in the application.

"We have received reports of wallets being compromised. We are doing all we can to investigate and analyse the situation. As we have more information, we will share it accordingly," said Atomic's team on Twitter on June 3.

A number of users have commented on the post reporting losses, claiming funds were wiped out from their digital wallet app. On-chain sleuth ZachXBT, known for tracing stolen funds and assisting hacked projects, is taking part in the investigation. At the time of writing, it's unclear how the attack was carried out. Atomic claims to have over 5 million users.

Twitter users have also reported that funds on the Atomic Wallet app have been stolen in the past. "This happened to my BTC 6 months ago with Atomic. They simply replied back to protect your pw, seed phrase, blah blah... I told them NOT even possible! All I do is use U to exchange and then move crypto out. My response to them, I will use U no MORE then! Now I was right!," wrote a user in response to the post.

The attack joins a growing list of crypto hacks taking place every week. Decentralized Finance (DeFi) app Jimbos Protocol was exploited on May 28, resulting in a loss of 4,000 Ether worth around $7.5 million. Tornado Cash, a decentralized crypto mixer, was also recently hacked. On May 20, an attacker successfully granted 1.2 million votes to a malicious proposal, gaining full control of the protocol's governance.

Crypto hackers stole an estimated $3.8 billion last year, with much of the total taken by North Korea-linked attackers and much of it drained from DeFi protocols, according to a Chainalysis report. Another analysis from TRM Labs reveals that while the number of incidents remained the same in the first quarter of 2023, the average hack size dropped to $10.5 million from nearly $30 million in the first quarter of 2022.

“Unfortunately, this slowdown is most likely a temporary reprieve rather than a long-term trend,” TRM Labs noted, warning that just a few large-scale attacks could tip the scales again.

Magazine: Should crypto projects ever negotiate with hackers? Probably


Privacy-focused Aleo blockchain gets new wallet as mainnet launch approaches

The wallet developer also raised $4.5 million from HackVC and other firms to further advance ZK-based enterprise solutions.

Demox Labs has debuted a new wallet for the privacy-oriented Aleo blockchain network, according to a June 1 announcement. Called “Leo,” the wallet allows users to generate zero-knowledge (ZK) proofs within their browsers, letting them interact with Aleo’s ZK-based apps. Aleo is in its testnet phase but expects to launch a mainnet later this year.

According to the announcement, Demox also raised $4.5 million from investors to further develop ZK-proof technology through Aleo and other networks. Over 40,000 users signed up for the Leo wallet waitlist in the period leading up to its debut.

The funding round was led by venture capital firm HackVC and included participation from DCVC, Amplify Partners, Coinbase Ventures, CRV, OpenSea and CSquared. The funds will be used to make Leo compatible with other ZK-proof blockchains and develop Web3 applications for enterprises.

Demox Labs co-founder and CEO Barron Caster saw the wallet’s launch and fundraise as the start of a new privacy-focused era in Web3:

“Leo Wallet is just one example of how [zero-knowledge proofs] will empower individuals to use modern technologies and maintain legal and regulatory compliance without sacrificing personal privacy […] Sharing sensitive data will soon become an option, not a requirement.”

In a conversation with Cointelegraph, Aleo CEO Alex Pruden echoed that sentiment. He said zero-knowledge privacy technology is unique because it allows for “programmable privacy.” He added: “Everything you can do on Ethereum, you can do in Aleo, but privately.”

Related: Are ZK-proofs the answer to Bitcoin’s Ordinal and BRC-20 problem?

Aleo raised $28 million in April 2021 and acquired another $200 million in February 2022. It launched its testnet in August of the same year.


Crypto phishing scams: How users can stay protected

A look at the different techniques employed by crypto phishing scammers and how users can stay protected.

In the fast-paced and ever-evolving world of cryptocurrency, where digital assets are exchanged and fortunes can be made, a lurking danger threatens the safety of seasoned investors and newcomers alike: crypto phishing scams.

These schemes are designed to exploit the trust and vulnerability of individuals, aiming to trick them into revealing their sensitive information or even parting with their hard-earned crypto holdings.

As the popularity of cryptocurrencies continues to rise, so does the sophistication of phishing techniques employed by cybercriminals. From impersonating legitimate exchanges and wallets to crafting compelling social engineering tactics, these scammers stop at nothing to gain unauthorized access to your digital assets.

Malicious actors use different methods of social engineering to target their victims. With social engineering tactics, scammers manipulate users’ emotions and create a sense of trust and urgency.

Eric Parker, CEO and co-founder of Giddy — a noncustodial smart wallet — told Cointelegraph, “Did someone reach out to you without you asking? That’s one of the biggest rules of thumb you can use. Customer service rarely, if ever, proactively reaches out to you, so you should always be suspicious of messages saying you need to take action on your account.”

“Same idea with free money: If someone is messaging you because they want to give you free money, it’s likely not real. Be wary of any message that feels too good to be true or gives you an immediate sense of urgency or fear to make you act quickly.”

Email and messaging scams

One common technique used in crypto phishing scams is impersonating trusted entities, such as cryptocurrency exchanges or wallet providers. The scammers send out emails or messages that appear to be from these legitimate organizations, using similar branding, logos and email addresses. They aim to deceive recipients into believing that the communication is from a trustworthy source.


To achieve this, the scammers may use techniques like email spoofing, where they forge the sender’s email address to make it appear as if it’s coming from a legitimate organization. They may also use social engineering tactics to personalize the messages and make them seem more authentic. By impersonating trusted entities, scammers exploit the trust and credibility associated with these organizations to trick users into taking actions that compromise their security.

Fake support requests

Crypto phishing scammers often pose as customer support representatives of legitimate cryptocurrency exchanges or wallet providers. They send emails or messages to unsuspecting users, claiming an issue with their account or a pending transaction that requires immediate attention.

The scammers provide a contact method or a link to a fake support website where users are prompted to enter their login credentials or other sensitive information.

Omri Lahav, CEO and co-founder of Blockfence — a crypto-security browser extension — told Cointelegraph, “It’s important to remember that if someone sends you a message or email unsolicited, they likely want something from you. These links and attachments can contain malware designed to steal your keys or gain access to your systems,” continuing:

“Furthermore, they can redirect you to phishing websites. Always verify the sender’s identity and the email’s legitimacy to ensure safety. Avoid clicking on links directly; copy and paste the URL into your browser, checking carefully for any spelling discrepancies in the domain name.”

By impersonating support personnel, scammers exploit users’ trust in legitimate customer support channels. In addition, they prey on the desire to resolve issues quickly, leading users to willingly disclose their private information, which scammers can use for malicious purposes later.

Fake websites and cloned platforms

Malicious actors can also build fake websites and platforms to lure in unsuspecting users.

Domain name spoofing is a technique where scammers register domain names that closely resemble the names of legitimate cryptocurrency exchanges or wallet providers. For example, they might register a domain like “exchnage.com” instead of “exchange.com” or “myethwallet” instead of “myetherwallet.” Unfortunately, these slight variations can be easily overlooked by unsuspecting users.

Lahav said that users should “verify whether the website in question is reputable and well-known.”

Recent: Bitcoin is on a collision course with ‘Net Zero’ promises

“Checking the correct spelling of the URL is also crucial, as malicious actors often create URLs that closely resemble those of legitimate sites. Users should also be cautious with websites they discover through Google ads, as they may not organically rank high in search results,” he said.

Scammers use these spoofed domain names to create websites that imitate legitimate platforms. They often send phishing emails or messages containing links to these fake websites, tricking users into believing they are accessing the genuine platform. Once users enter their login credentials or perform transactions on these websites, the scammers capture the sensitive information and exploit it for their gain.

Malicious software and mobile apps

Hackers can also resort to using malicious software to target users. Keyloggers and clipboard hijacking are techniques crypto phishing scammers use to steal sensitive information from users’ devices.

Keyloggers are malicious software programs that record every keystroke a user makes on their device. When users enter their login credentials or private keys, the keylogger captures this information and sends it back to the scammers. Clipboard hijacking involves intercepting the content copied to the device’s clipboard. 

Cryptocurrency transactions often involve copying and pasting wallet addresses or other sensitive information. Scammers use malicious software to monitor the clipboard and replace legitimate wallet addresses with their own. When users paste the information into the intended field, they unknowingly send their funds to the scammer’s wallet instead.

How users can stay protected against crypto phishing scams

There are steps that users can take to protect themselves while navigating the crypto space.

Enabling two-factor authentication (2FA) is one tool that can help secure crypto-related accounts from phishing scams.

2FA adds an extra layer of protection by requiring users to provide a second form of verification, typically a unique code generated on their mobile device, in addition to their password. This ensures that even if attackers obtain the user’s login credentials through phishing attempts, they still need the second factor (such as a time-based one-time password) to gain access.

Utilizing hardware or software-based authenticators

When setting up 2FA, users should consider using hardware or software-based authenticators rather than relying solely on SMS-based authentication. SMS-based 2FA can be vulnerable to SIM-swapping attacks, where attackers fraudulently take control of the user’s phone number.

Hardware authenticators, such as YubiKey or other security keys, are physical devices that generate one-time passwords and provide an extra layer of security. Software-based authenticators, such as Google Authenticator or Authy, generate time-based codes on users’ smartphones. These methods are more secure than SMS-based authentication because they are not susceptible to SIM-swapping attacks.

Verify website authenticity

To protect against phishing scams, users should avoid clicking on links provided in emails, messages or other unverified sources. Instead, they should manually enter the website URLs of their cryptocurrency exchanges, wallets or any other platforms they wish to access.

By manually entering the website URL, users ensure they access the legitimate website directly rather than being redirected to a fake or cloned website by clicking on a phishing link.

Be cautious with links and attachments

Before clicking on any links, users should hover their mouse cursor over them to view the destination URL in the browser’s status bar or tooltip. This allows users to verify the link’s actual destination and ensure that it matches the expected website.

Phishing scammers often disguise links by displaying a different URL text than the destination. By hovering over the link, users can detect inconsistencies and suspicious URLs that may indicate a phishing attempt.

Parker explained to Cointelegraph, “It’s very easy to fake the underlying link in an email. A scammer can show you one link in the email’s text but make the underlying hyperlink something else.”

“A favorite scam amongst crypto phishers is to copy a reputable website’s UI but place their malicious code for the login or Wallet Connect portion, which results in stolen passwords, or worse, stolen seed phrases. So, always double-check the website URL you’re logging into or connecting your crypto wallet with.”

Scanning attachments with antivirus software

Users should exercise caution when downloading and opening attachments, especially from untrusted or suspicious sources. Attachments can contain malware, including keyloggers or trojans, which can compromise the security of a user’s device and cryptocurrency accounts.

To mitigate this risk, users should scan all attachments with reputable antivirus software before opening them. This helps detect and remove any potential malware threats, reducing the chances of falling victim to a phishing attack.

Keep software and apps updated

Keeping operating systems, web browsers, devices and other software up to date is essential for maintaining the security of the user’s devices. Updates can include security patches that address known vulnerabilities and protect against emerging threats.

Utilizing reputable security software

To add an extra layer of protection against phishing scams and malware, users should consider installing reputable security software on their devices.

Antivirus, anti-malware and anti-phishing software can help detect and block malicious threats, including phishing emails, fake websites and malware-infected files.

By regularly updating and running security scans using reputable software, users can minimize the risk of falling victim to phishing scams and ensure the overall security of their devices and cryptocurrency-related activities.

Educate yourself and stay informed

Crypto phishing scams constantly evolve, and new tactics emerge regularly. Users should take the initiative to educate themselves about the latest phishing techniques and scams targeting the cryptocurrency community. In addition, stay informed by researching and reading about recent phishing incidents and security best practices.

Recent: What is fair use? US Supreme Court weighs in on AI’s copyright dilemma

To stay updated on security-related news and receive timely warnings about phishing scams, users should follow trusted sources in the cryptocurrency community. This can include official announcements and social media accounts of cryptocurrency exchanges, wallet providers and reputable cybersecurity organizations.

By following reliable sources, users can receive accurate information and alerts regarding emerging phishing scams, security vulnerabilities and best practices for protecting their crypto assets.


Jack Dorsey’s TBD announces new Web5 toolkit

The Web5 toolkit aspires to put the control of data and identity into the hands of users.

TBD, a division of fintech company Block, which is led by CEO Jack Dorsey, announced a novel Web5 decentralized web platform at Bitcoin 2023 in Miami on May 19.

The platform aims to introduce “decentralized identity and data storage” to applications, thereby allowing developers to leverage the technology to create “delightful user experiences, while returning ownership of data and identity to individuals,” the company shared. 

Dorsey’s Web5 platform also seeks to introduce several key components to facilitate this decentralized web experience. Under the platform, wallets will act as agents, facilitating identity and data interactions for individuals and institutions. Decentralized web nodes will serve as personal data stores, securely holding both public and encrypted data, while decentralized web apps leverage decentralized identity and data storage capabilities to enhance user experiences.

Furthermore, the Web5 platform will also employ the use of decentralized identifiers (DIDs), which are internationally recognized standards for identifiers created and controlled by individuals, eliminating reliance on centralized entities. The platform will also incorporate self-sovereign identity services and software development kits that provide the necessary tools for utilizing DIDs and verifiable credentials.

Related: Jack Dorsey’s Block asks for input on proposed ‘mining development kit’

In recent years, Dorsey — who founded Twitter — has advocated for a “free and open protocol” for social media. In June 2022, Cointelegraph reported that Dorsey was building “Web5” powered by Bitcoin (BTC), focused on bypassing Web3 entirely and utilizing a new Bitcoin-centric model for identity management.

Magazine: Bitcoin glory on Chinese TikTok, 30M mainland users, Justin Sun saga


New tech could make crypto and Web3 wallets more convenient

Developers are working on ways to get rid of seed words and even private keys, while still keeping users in control.

The foundation of the Web3 ecosystem is the wallet, an app or browser extension that lets users verify their web identities and authorize transactions. But using a wallet has always involved a steep learning curve. New users must learn to copy down their seed words and store them in a safe place, create a strong password to encrypt their keystore file, copy addresses accurately when sending funds, and other things they may never have to learn when using a Web2 app.

One option for making onboarding easier for a new user is a custodial wallet provider, such as a centralized exchange. But experienced crypto users will almost always caution them against this, for good reason. The world has witnessed centralized exchanges like Mt. Gox, QuadrigaCX and FTX go bankrupt from hacks or outright fraud, causing some customers to lose all their funds because they were using a custodial wallet.

Because of this risk, many crypto users still see a noncustodial wallet backed up by a set of seed words as the only secure way for a user to protect their Web3 identity.

But do users always have to choose between security and convenience? Or is there a way to combine a noncustodial wallet's security with an exchange’s convenience?

A few Web3 companies are trying to create wallets that are easy to use but also don’t require the user to place all their trust in a centralized custodian. Companies like Magic, Dfns, Kresus, Web3Auth, Immutable and others believe that a wallet can be just as easy to use as an email account, and secure enough to be trusted to protect the user’s identity and funds. These companies are using different types of new wallet infrastructure to make this idea a reality.

Here is a rundown of a few of the solutions used by wallet developers:

Magic

One new system is the Magic software developer kit (SDK), produced by Magic Labs. It is a developer kit and wallet infrastructure that allows developers to create seedless wallets for users.

Instead of storing the private key on the user’s device, an encrypted copy is kept on an Amazon Web Services Hardware Security Module (HSM). The encryption is performed using a Master Key that cannot leave the HSM. All signing is done within the HSM, preventing the user’s key from being broadcast to the internet.

Magic wallets do not use passwords. Instead, when users first sign up for a Magic wallet, they submit their email address to the Magic relayer. The relayer then sends a one-time-use token to the user through their email. This token will only work if used by the device that sent the request and only for a limited time.

The token is used to authenticate with Amazon Web Services when the user clicks a link within the email. The blockchain wallet account’s private and public keys are then generated on the user’s device and sent to the HSM. Magic Labs says they cannot see the generated private key, as it never goes to their servers.

When users stop using their wallets and close their browsers, they can reopen their wallets by repeating the process. They submit their email address to Magic again and receive a new, one-time-use token. This time, after authenticating, they regain access to their wallet.

Magic Labs has created a demo showing how the system works. It appears to allow anyone to create a wallet without downloading a browser extension or copying down seed words. It also allows users to close out their browsers and return to their wallets later, logging into the same Web3 account again.

The demo currently only works on testnets such as Goerli, Sepolia and Mumbai.

Wallets based on Magic

A few different wallets have been released or are currently in development that use Magic. One notable example is the Kresus wallet, a mobile app that allows users to store and hold Bitcoin (BTC), Ether (ETH), Solana (SOL), Polygon (MATIC) and tokens from these networks. It also allows users to send crypto using .kresus domain names instead of crypto addresses.

Kresus was released in the Apple App Store on May 11. The team told Cointelegraph that an Android version would come later in 2023.

Immutable Passport is another example. It’s an application programming interface (API) built by Web3 game developer Immutable. When participating games integrate their websites with Passport, it allows players to create wallets directly through the game’s site.

Related: What is Immutable, explained

Immutable told Cointelegraph that Passport wallets connect to the Immutable X network, a layer-2 Ethereum protocol, which allows players to store all of their Immutable gaming collectibles in one account, regardless of which game they initially signed up with.

Immutable recently implemented Passport as the default login method for its developer portal, and they plan to use it for at least one game’s login page by summer 2023, the team said.

Security concerns with Magic

The Magic SDK does contain one known security flaw, which developers have taken steps to mitigate. Because it relies on email tokens to authenticate a user, an attacker can potentially gain access to a user’s HSM by hacking into their email account and then requesting to authenticate from the attacker’s own device. Once they’ve got access to the HSM, they can authorize any transactions from the user’s account.

For this reason, both Immutable Passport and Kresus plan to use two-factor authentication (2FA) as an additional layer of security in case a user’s email account becomes compromised.

Wallets based on Magic do not have passwords, so they can't be hacked through the usual route of stealing and cracking a password hash. The trade-off is that the email account, which usually is protected by a password, becomes the single credential that matters, which is why both teams treat 2FA on the wallet side as necessary rather than optional.

Web3Auth

Another new wallet infrastructure developers are often using is Web3Auth.

Web3Auth is a key management network that relies on multiparty computation (MPC) to make private keys recoverable. When users sign up for an account using Web3Auth, they generate a private key as usual. Then, this key is split into three “shares.” 

The first share is stored on their device, the second is stored by the Web3Auth network through a login provider, and the third is a backup share that should be stored on a separate device or offline. The third share can also be generated from security questions if the user prefers.

Because the split is a 2-of-3 threshold scheme, any two shares reconstruct the private key, while any single share on its own reveals nothing about it. This means the user can still recover their wallet if their device crashes or they lose their backup share. At the same time, the login provider cannot perform transactions without the user's participation, since the provider holds only one share.

The provider also cannot censor transactions. If the provider refuses to give the user their second share after they’ve correctly authenticated, the user can generate their private key using a combination of the share stored on their device plus the backup share.

Related: Multiparty computation could offer increased protection for wallets

On Web3Auth, the login provider share is itself split into nine shards distributed across a network of storage nodes, with any five of them needed to reconstruct it. No single node holds the provider share, so it cannot be lifted from any one server.

Web3Auth wallets

Web3Auth has been integrated into several retail wallets, including Binance Wallet and a closed beta version of Trust Wallet. In the extension version of Binance Wallet, users can create wallet accounts using their Google logins. In the Trust Wallet version, Google, Apple, Discord and Telegram are login provider options, according to an official video from Web3Auth’s Twitter account.

In either case, the user still needs to copy down seed words. However, the account can be recovered even if these words are lost, so long as the user still has access to both their device and login provider account.

Speaking to Cointelegraph, Web3Auth CEO Zhen Yu Yong argued that the transition to using multiple key shares in Web3 is similar to the evolution of 2FA on Web2 sites, stating:

“Usernames and passwords in the early 2000s or late 1990s were incredibly easy to lose. Back then, we thought that financial applications would never be built on the internet.”

“With usernames and passwords, we eventually progressed into two-factor authentication,” Yong continued. “I think that’s the same transition we’re trying to push here [...] Instead of using a single factor seed phrase, we’re splitting this up into multiple different factors […] and doing it such that it’s all your access points, so it’s all still self-custodial.”

Dfns

Dfns, pronounced as “defense,” is an MPC key management network that allows institutions, developers and end-users to create passwordless and seedless wallets. It holds each blockchain’s private key as multiple shards spread among nodes throughout the Dfns network.

To authorize a transaction, the Dfns nodes must jointly produce a signature from their shards; the complete private key is never assembled on any one node.

Unlike Web3Auth, Dfns does not keep a share of the blockchain private key on the user’s device or as a backup. All of the shards are kept on the network itself.

The Dfns nodes use a protocol called WebAuthn to verify that a user has authorized a transaction. The protocol was standardized by the World Wide Web Consortium to let users log into websites without a password. On Dfns, a node will only contribute its shard to a signature if the end user has authenticated through this protocol.

When a user registers for a website using WebAuthn, the authenticator on the user's device generates a key pair and hands the site only the public key; the private key stays on the device. This key is not used on any blockchain. It exists only to prove, at each login, that the same device is present and unlocked.

The user is prompted to protect the key with a PIN or biometric lock when the key is created. On a Windows PC, this lock can be provided by Windows Hello, which is part of the operating system, or by a separate device such as a mobile phone or a YubiKey. On a mobile device, the lock is backed by the device's built-in security, such as its biometric sensor or lock-screen PIN.

Example of a WebAuthn registration prompt. Source: WebAuthn.io

On a website that implements WebAuthn registration, the user does not need an email address or password to register. Instead, the device's own security system identifies the user, and the site only ever receives a signature it can check against the stored public key.

Related: Gemini unveils Yubikey integration

When a wallet development team builds a wallet on Dfns, it can pass this authentication method down to the end user. In that case, the wallet is considered noncustodial because the wallet provider holds neither the user's device nor the PIN or biometric that unlocks it, and therefore cannot authorize transactions. Note the difference from Web3Auth's model: the user holds no key share at all, so the guarantee rests on the Dfns nodes enforcing their policy of signing only after a valid WebAuthn login, not on a share in the user's possession.

The end-user can also add devices to a wallet if the first one crashes.

Wallet developers can also build custodial wallets on Dfns. In that case, the wallet developer is the party that authenticates to the network with WebAuthn, and it may authenticate its own users by any method it likes, including plain usernames and passwords.

Wallets that use Dfns

Speaking to Cointelegraph, Dfns founder Clarisse Hagège stated that many of the platform’s clients are institutions and development teams in the business-to-business market.

However, the team has begun to attract more business-to-consumer wallet providers recently. The retail crypto savings app SavingBlocks uses Dfns, and the company is in talks with a couple of decentralized exchanges to help create wallets for their customers as well, she said.

Hagège argued that for crypto mass adoption to happen, users shouldn’t even be aware that there is a blockchain private key when they make transactions.

“What we’re targeting is the hundreds of thousands of developers that will build use cases targeted to blockchain mass adoption, targeted to people that do not want to know that they have a private key,” she explained. “We have a network of servers that operates that key generation […], and what’s important is not actually owning the private key or the key share, but it’s owning the access to the API.”

Will new wallet tech be adopted by the masses?

Whether these new wallet technologies will lead to mass adoption or even be accepted by current users remains to be seen. Despite their simplicity, they may still be too complex for users that prefer to hold their crypto in an exchange. On the other hand, users who believe in the “not your keys, not your crypto” mantra may be suspicious of trusting an MPC network or hardware security module owned by Amazon to authorize transactions for them.

Still, some users may decide that the advantages of MPC or magic links are just too good to pass up. Only time will tell.

In the meantime, these new technologies will likely provoke discussion about how to ensure users stay in control of their funds or what “self-custody” really means.


New wallet uses Amazon hardware security modules to eliminate seed words

The newly launched crypto wallet by Kresus requires users to sign in with “magic links,” meaning password hashes don’t need to be stored.

A new crypto wallet has just launched in Apple's App Store that uses Web2 trickery to ensure users don't need to interact with seed phrases or passwords.

According to a May 11 announcement from the app’s developer, Kresus, the new wallet stores users’ private keys in an Amazon Web Services Hardware Security Module (HSM) and uses “magic links” and 2FA to authenticate users.

Most crypto wallets require users to write down a recovery phrase or “seed words” when they set up an account. If the user loses their recovery phrase and their device crashes, they lose access to their account forever.

For this reason, some crypto users prefer to store their crypto in an exchange account. But events like the collapse of FTX have also led to fears that keeping crypto in an exchange could also be unsafe.

A screenshot of the Kresus iOS app. Source: Kresus Labs

Speaking to Cointelegraph, the Kresus team said that their new wallet app attempts to fix this problem using a wallet infrastructure and software development kit (SDK) called "Magic," which stores the user's private key in an Amazon Web Services hardware security module, a dedicated device designed to hold highly sensitive key material.

The HSM encrypts the user's key with a master key that cannot leave the module, much as a hardware wallet protects its own secrets. This eliminates the need for seed words or private keys to be stored on the device or kept as a paper backup, the team said.

Unlike a centralized exchange, Kresus does not use passwords to authenticate users, since stealing password hashes and cracking them is one of the most common techniques hackers use to get access to web accounts. Instead, it requires users to click a link from within an email each time they attempt to log in.

The app also uses 2FA to protect the account in case the user’s email address becomes compromised.

When it comes to sending crypto, users don’t need to cut and paste crypto addresses on Kresus. Instead, the app allows each user to register for a free .kresus domain name through Unstoppable Domains, which they can use to send crypto to others.

“We’re really trying to offer something that is truly a better mousetrap for any Web3 user,” Kresus CEO Trevor Traina told Cointelegraph. “Where you can move all of your things from multiple places into one place, have it be very accessible but highly secure […] but also a gateway portal for people who aren’t comfortable yet on Web3 because they’re terrified they’ll be locked out.”

The Kresus team stated that because of the way Magic infrastructure works, neither they nor the Magic development team are able to see the user’s private key during account creation or login, so they cannot make unauthorized transactions.

Related: Human ID project ‘Worldcoin’ launches gas-free wallet only for humans

The Web3 app developer closed a $25 million funding round to support the development of its so-called SuperApp in March.

Kresus is not the only wallet to offer seedless onboarding through Magic SDK. Web3 gaming company Immutable told Cointelegraph that it is also developing a seedless wallet called “Immutable Passport” that uses the same infrastructure. Passport will work on the Immutable X and Immutable zkEVM networks and will be used to onboard players of Immutable’s Web3 games, such as Gods Unchained and Guild of Guardians.


Account abstraction could bring the next billion users to Ethereum: Ambire CEO

In episode 19 of Hashing It Out, Ambire founder and CEO Ivo Georgiev explained a new technology aiming to bring increased flexibility and security to the Ethereum network.

In episode 19 of Cointelegraph’s Hashing It Out podcast, Elisha Owusu Akyaw talks to Ivo Georgiev, CEO of Ethereum smart contract wallet Ambire. Georgiev explained account abstraction and how wallets can bring more people to the network. 

Georgiev believes self-custody is an “extremely difficult” problem that can be solved with account abstraction. He explained that account abstraction makes crypto wallets programmable, giving them multiple keys and allowing features like two-factor authentication.

The CEO claimed that account abstraction could boost crypto adoption through new tools like embedding wallets on websites. “I think account abstraction will onboard the next one billion users on Ethereum,” he added.

Beyond what needs to be added to wallets to make them more user-friendly, Georgiev was asked which features wallets could drop. Using MetaMask as a case study, he said there is little need to remove any of its existing features. One exception may be the built-in swapping feature, since multiple decentralized exchanges already provide that service and there is a growing case for minimalist design. He concluded that the most important improvement for wallets is changing the user onboarding process.

Related: Mutual aid, DAOs and activism: The Agenda podcast chats with PactDAO co-founder Marisa Rando

On regulation, Ambire's CEO said he is not happy with the current landscape but does not expect wallets to be a major target of regulators in the near future.

Listen to the latest episode of Hashing It Out with Ivo Georgiev on Apple Podcasts, Spotify, Google Podcasts, or TuneIn. You can also explore Cointelegraph’s full roster of informative podcasts on the Cointelegraph Podcasts page.
