Possible Issue with XYM chain (possible chain hack!)

CH526 · March 20, 2021, 1:28am

Hello

I used my mobile phone in October last year to opt-in for Xym airdrop. All went smoothly and using my NEM private key it eventually led me to a page where it showed me that I have successfully opted in. It never actually gave me a mnemonic key. My NEM account is:

NCPCPOQPZWCOXRP7WZC7SFPKPY3BZR2DLRCBJ2T7

Based on this I got a XYM account public wallet address shown when I opted in which I took a screenshot of in my mobile phone. And that address is:
ND4ZLFPFQJLNO3VRXI4ST4X5QXFW5TG2FIYF2AY

I never deleted that android app. On the day of the snapshot, I had 66.6 K NEM on this accounted so I would expect 66.6 K XYM on the XYM wallet as well.

Now today I updated the android app which I used to opt in as it said something like “Update app to access your account…”. After updating, I am getting a different XYM address than what was shown to me when I originally opted in and it has 0 XYM.
Now when I tried to find out what the balance of the original XYM is using XYM explorer, I find that it had 190.6 K XYM on the day of snapshot and then someone transferred 190.66 XYM from that account then further 190 K XYM and then further 472 XYM.

Most likely this is an exploit that was utilised by that person and he/she even knew that I do not have the mnemonic phrase so I can’t even access my XYM account since I never got the mnemonic key.

Please help me resolve this issue and help me get back the original 66.6 K XYM to my account. I do not have the private key/mnemonic key of XYM account since I never received it from the original opt-in app, optin dated 9th October 2020 10:48 am (GMT) which was supposed to have address:

ND4ZLFPFQJLNO3VRXI4ST4X5QXFW5TG2FIYF2AY

Everything above is on-chain and can be verified.

Biocrypt · March 18, 2021, 5:37pm

You cant opt in using mobile wallet, that was only available on desktop wallet AFAIK

Biocrypt · March 18, 2021, 5:38pm

Are you sure it was the offical nem wallet and not malware you downloaded?

CH526 · March 18, 2021, 5:40pm

I was able to successfully opt-in using that app and it was the official app as much as I know. You can also check that the NEM address: NCPCPOQPZWCOXRP7WZC7SFPKPY3BZR2DLRCBJ2T7

above got successfully registered for opt-in.

Biocrypt · March 18, 2021, 5:45pm

Also I dont think opt-in was available in october
Edit: maybe it was, my mistake, time flies lol
It looks like you opted in and sent 40k XEM somwhere else.
Gimme a sec to look

CH526 · March 18, 2021, 5:44pm

I even got VRF public and private keys during opt-in. And if it was not available in October then how did I successfully opt-in. You can check it on-chain using my NEM address.

Biocrypt · March 18, 2021, 5:49pm

The address ND4ZLFPFQJLNO3VRXI4ST4X5QXFW5TG2FIYF2AY is not appearing, what is the new address?

Biocrypt · March 18, 2021, 5:51pm

Dont worry we will get this sorted

Biocrypt · March 18, 2021, 5:52pm

If you have the private key have you tried recovering your XYM wallet with it?

thomasoehri · March 18, 2021, 6:13pm

From what I can see here you opted-in your NEM account NCPCPOQPZWCOXRP7WZC7SFPKPY3BZR2DLRCBJ2T7 using the symbol address ND4ZLFPFQJLNO3VRXI4ST4X5QXFW5TG2FIYF2AY.

Next i checked the symbol opt-in account (ND4ZLFPFQJLNO3VRXI4ST4X5QXFW5TG2FIYF2AY ) and it really did receive 190,663.794105 XYM from the genesis block, which is surprising since you never had that much XEM in your NEM account.

I then had a look if other accounts opted-in using the same symbol address ND4ZLFPFQJLNO3VRXI4ST4X5QXFW5TG2FIYF2AY ), and that is indeed the case. From what i can see using this list, 32 other accounts opted-in using that symbol address.

My only guess is you (and those other 31 accounts) used a modified/scam Symbol App that always opted-in to the thiefs symbol address and thus not showing you any mnemonic, especially since those 190k XYM have been transferred out of that wallet

Do you remember where you’ve downloaded the app?

CH526 · March 18, 2021, 6:19pm

Thanks for the reply. So how is it possible to receive 190 K XYM while my account having 66.6 K at the time of the snapshot and all those funds transferring to some other account soon after the snapshot?
That seems more of an issue with the XYM chain.
Anyways how can I now claim my airdropped symbol (66.6 K) which is a large amount for me?
I downloaded the app from google app store.

CH526 · March 18, 2021, 6:20pm

The private key of XEM can not be used to access equivalent XYM account.

Biocrypt · March 18, 2021, 6:21pm

What app did you download spcifically? Im referring to nem and symbol.
Can you screenshot the link? There appears to be a number of nem wallets on the google play store

CH526 · March 18, 2021, 6:27pm

I downloaded Symbol Wallet app from google app store to opt in. I just updated it today and it is showing a different symbol address with 0 balance in it.

Symbol Wallet
NEM Group Limited

thomasoehri · March 18, 2021, 6:47pm

That was possible because it was not only your account that was opted-in to that symbol account (ND4ZLFPFQJLNO3VRXI4ST4X5QXFW5TG2FIYF2AY), but also other accounts each with their own balances totaling 190k XYM.

There is no issue with the Symbol blockchain. The chain did exactly what it was told. Yours and the others accounts signed a message using their private keys to opt-in to receive XYM to that symbol address.

Your XYM have already been claimed, in your case sadly to an account you don’t have control over. As i see it the only chance you have to get your XYM back is to trace where those 190k XYM have been sent to and if it went to an exchange and it is not already too late get into contact with that exchange and tell them you’ve fallen victim to thiefs and your XYM were stolen

CH526 · March 18, 2021, 7:13pm

Thanks for the explanation. I used the official symbol wallet app for opt-in. It was the only app appearing on the google play store so I trusted it to be legitimate and it was the recommended method available on NEM website to opt-in.
I am sure there is a way to reclaim my 66.6 K symbol in an easier way.
Please send me details of the person who can track and trace those stolen symbols and make them unspendable. It looks more like an inside job.
To add further, if that app was a scam, the easiest thing for scammers were to use my provided NEM private key during opt-in and take the funds out of NEM as well after the snapshot which did not happen.

CH526 · March 18, 2021, 8:01pm

These are the screenshots of the symbol app I used for opt-in.
Screenshot_symbol_app_stats Screenshot_google_appstore

Biocrypt · March 18, 2021, 9:03pm

I have not got this app, it is legit, but can anyone who has tell me if opt-in was ever possible on it? I dont believe it was.

CH526 · March 18, 2021, 9:08pm

It was one of the recommended ways to opt-in mentioned on the symbol website during the opt-in time as I mentioned earlier.
It seems like an inside job to me to bring a failure to symbol chain and must be resolved.

DaveH · March 18, 2021, 9:42pm

Please can you log this on helpdesk and the team will help you out: NEM Helpdesk