CoinStats, the crypto portfolio app, has temporarily shut down its application to address a security incident. The company stated the breach was limited to 1,590 wallets or 1.3% of all CoinStats Wallets. The company reported that connected wallets and centralized exchanges (CEXes) were unaffected. CoinStats is also investigating a scam notification some iOS and Android users received.
Author’s note: As a long-time supporter of CoinStats, I personally had limited funds in a CoinStats wallet generated around 2022. These funds were moved out of the wallet, which was not connected to any external apps, around 1.5 hours before the notification scam was sent to users. Funds from both Ethereum and Polygon wallets are now with the attacker.
CoinStats stated that the list of affected wallets may be updated as the investigation progresses, but significant changes are not expected. Users with affected wallets are advised to move their funds immediately using their exported private keys if they were previously exported. CoinStats provided a link to the list of affected wallets.
Scam notification promoting 14.2 ETH prize to users
The scam notification falsely informed users of a reward and directed them to log into the CoinStats AirScout wallet. The link pointed users to a Drainer website, which was promoted via a CoinStats push notification and official in-app notification on the app’s home screen. The company is looking into the issue and has apologized for the inconvenience, assuring users that updates will be provided as soon as possible.
The notification falsely congratulated recipients on winning a 14.2 ETH reward in an event with a total pool of 200 ETH. The message also mentioned that the event was to celebrate exceeding 2 million CoinStats users and the launch of CoinStats AirScout, and it falsely stated that users’ crypto had been transferred to the CoinStats AirScout Wallet.
The company is actively investigating the extent of the compromised funds and will issue updates as more information becomes available. Efforts are underway to restore the app’s functionality as swiftly as possible, and CoinStats has expressed gratitude for users’ patience during this period.
CryptoSlate reached out to CoinStats moments after the notification was sent but has not received a response.
Potential causes of the private key breach
While CoinStats has not yet publicly disclosed insights into the cause of the attack, the incident may raise concerns about whether private keys were stored on their server and the randomness of wallets generated from within the app, especially since only CoinStats-generated wallets appear to have been specifically targeted and drained.
The attackers’ ability to access the server and send a malicious push notification suggests that they may also have gained insights into the wallet generation process. Any potential weaknesses in the random number generation used during that time could have allowed attackers to predict private keys and compromise user funds.
No wallets or API connections shared with the CoinStats portfolio application appear to have been affected at this point. However, some users have reported that other wallets that were connected to utilize DeFi features have been drained. These are unconfirmed by CoinStats at this time.
CoinStats acted swiftly and removed access to the application within hours of the incident. As of press time, the app remains down while the investigation is ongoing.
As always, stay vigilant of any surprise competitions or rewards across crypto and use hardware wallets to secure critical funds.