Atomic Wallet was hacked by a North Korean hacking group – Lazarus. The stolen crypto was funneled to a mixer called Sindbad.io. Approximately $35 million in crypto was stolen. Over $1 million has been successfully recovered. Atomic Wallet failed a security audit by Least Authority on 2/10/22.
Possible explanations for the hack:
1. Atomic Wallet generates seed phrases whose word sequences are not sufficiently random, making brute-force attacks easier.
2. Hackers could have mathematically derived the users’ private keys from the transaction data visible on the bitcoin blockchain.
3. The Android version of Atomic “relied on an outdated and vulnerable dependency” when signing transactions.
4. Supply chain attack on the wallet manufacturer, a hack of Atomic’s website, or the intentional or unintentional broadcasting of users’ private keys to Atomic’s centralized server
https://web.archive.org/web/20241214201607/https://www.coindesk.com/consensus-magazine/2023/06/06/atomic-wallet-was-breached-by-north-korean-hackers-elliptic
Atomic Wallet Was Breached by North Korean Hackers: Elliptic
Jun 7, 2023
Atomic Wallet users might have fallen victim to Lazarus, the infamous North Korean hacking group, said blockchain intelligence firm Elliptic in a blog post on Tuesday.
Early Saturday morning, the team behind Atomic, a non-custodial crypto wallet, announced that some users were compromised and lost the funds from their wallets. According to the company, the number of incidents did not exceed 1% of “monthly active users.” The announcement followed multiple reports on Reddit from users complaining their wallets had been drained.
ZachXBT, a pseudonymous blockchain sleuth, estimated that around $35 million in various cryptocurrencies had been stolen, including bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB coin (BNB), polygon (MATIC) and Tron-based USDT.
The stolen crypto has been funneled to a mixer called Sindbad.io, Elliptic wrote. This mixer, which Elliptic believes is a successor of the previously sanctioned mixer Blender.io, has been often used to launder money from other hacks attributed to Lazarus, and the usage pattern is the same, Elliptic said. The firm also found connections between the wallets containing the loot from Atomic and some of the Lazarus hacks, the blog post reads.
What was hacked
Last year, security audit company Least Authority warned in a blog post that Atomic Wallet may have been vulnerable to breaches. According to Least Authority, issues included the way Atomic implemented cryptography, that it did not adhere to the best practices for wallet design, a lack of robust project documentation and incorrect use of Electron, a framework for building desktop applications. The firm has since taken down the post.
According to Dmytro Budorin, CEO of blockchain security firm Hacken, there are several possible explanations for how the hack happened. One reason could be that Atomic’s way to generate recovery phrases (the so-called seed phrases) for wallets did not produce sufficiently random sequences of words, making it easier for hackers to brute-force wallets, Budorin told CoinDesk.
Non-custodial wallets like Atomic allow users to keep their crypto autonomously, without trusting a centralized company, which means if users lose a device or password for their wallet they can only recover funds using the seed phrase. However, anyone who has access to the seed phrase can duplicate the wallet and steal the funds.
Another hypothesis is that hackers could have mathematically derived the users’ private keys from the transaction data visible on the bitcoin blockchain. This kind of attack was described in a freshly published paper by researchers at the University of California, San Diego. Hacken also detected that the Android version of Atomic “relied on an outdated and vulnerable dependency” when signing transactions, Budorin said.
Other possibilities include a supply chain attack on the wallet manufacturer, a hack of Atomic’s website or the intentional or unintentional broadcasting of users’ private keys to Atomic’s centralized server, according to Hacken.
According to ZachXBT, over $1 million in funds stolen from a single have been successfully recovered by Jito Labs, a Solana blockchain scaling startup.
“This hack is very vocal, highlighting the core problems in crypto wallets. The wallets don’t pay enough attention to building a strong architecture with security best practices implemented,” Budorin added.
Atomic CEO Konstantin Gladych told CoinDesk he couldn’t comment on the possible reason for the hack.
The team is now collecting data from affected users and passing it to the blockchain analysis firms like Chainalysis, Crystal and Elliptic, he said, adding that part of the funds landed on exchanges and has been blocked.
“The attack was definitely organized by a team of professional hackers. They’re using scripts, splitting of the funds, mixers, etc.,” Gladych said.
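The first explanation Budorin gives above is a seed-phrase generator that is not random enough. The following is an added illustration, not code from Atomic Wallet, Hacken or CoinDesk: it assumes a standard 12-word BIP-39 phrase layout and compares the operating system CSPRNG with a hypothetical clock-seeded generator. `weak_entropy`, the sample timestamps and the one-year window are constructed for this example.

```python
import hashlib
import math
import random
import secrets

ENT_BYTES = 16  # 128 bits of entropy -> 12-word phrase (assumed BIP-39 layout)


def mnemonic_indices(entropy: bytes) -> list[int]:
    """Encode entropy as BIP-39 word indices: entropy || checksum, in 11-bit groups."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32  # 4 checksum bits for 128-bit entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def strong_entropy() -> bytes:
    """Entropy from the operating system CSPRNG: 2**128 equally likely values."""
    return secrets.token_bytes(ENT_BYTES)


def weak_entropy(created_at: int) -> bytes:
    """Hypothetical flawed generator: every bit is derived from the creation time."""
    return random.Random(created_at).getrandbits(ENT_BYTES * 8).to_bytes(ENT_BYTES, "big")


def search_space_bits(distinct_seeds: int) -> float:
    """Bits of work to enumerate every phrase the generator can emit."""
    return math.log2(distinct_seeds)


def duplicate_phrases(entropies) -> int:
    """Audit check: how many phrases repeat an earlier one (must be 0)."""
    phrases = [tuple(mnemonic_indices(e)) for e in entropies]
    return len(phrases) - len(set(phrases))


# Constructed sample: 500 wallets created within the same 60 seconds.
SAMPLE_TIMES = [1_685_750_400 + (i % 60) for i in range(500)]

if __name__ == "__main__":
    print("weak generator duplicates:", duplicate_phrases(weak_entropy(t) for t in SAMPLE_TIMES))
    print("CSPRNG duplicates:", duplicate_phrases(strong_entropy() for _ in range(500)))
    # One year of possible one-second timestamps versus full 128-bit entropy.
    print("weak search space: %.1f bits" % search_space_bits(365 * 24 * 3600))
    print("CSPRNG search space: %.1f bits" % search_space_bits(2 ** (ENT_BYTES * 8)))
```

A wallet's release tests can run the duplicate check against the real generator; any repeated phrase across a large sample means the entropy source is not a CSPRNG.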

https://web.archive.org/web/20220210153123/https://leastauthority.com/blog/disclosure-of-security-vulnerabilities-in-atomic-wallet/
Disclosure of Security Vulnerabilities in Atomic Wallet, Audited by Least Authority Team
February 10, 2022
Our security research team conducted a comprehensive security audit of the Atomic Wallet system design, in addition to the corresponding core, desktop, and mobile coded implementations. The initial review phase began on 3 March 2021 and concluded upon delivery of the Initial Audit Report on 7 April 2021. We found that the design and implementation of the Atomic Wallet system does not sufficiently demonstrate considerations for security and places current users of the wallet at significant risk.
Following the delivery of the Initial Audit Report, the Atomic Wallet team provided a response to our findings on 16 November 2021. During the verification phase, our team reviewed the commits provided by Atomic Wallet and found that a significant number of issues and suggestions remain unresolved and that the implementation in its current state continues to be a security risk for users.
Due to the current state of the design and implementation, as detailed in the issues and suggestions outlined in our Final Audit Report, we consider the Atomic Wallet to be insufficiently secure in protecting user assets and private data.
As a result, we strongly recommend that the Atomic Wallet team immediately notify users of the existing security vulnerabilities. In addition, until the issues and suggestions outlined in the report have been sufficiently remediated and the Atomic Wallet has undergone subsequent security audits, we strongly recommend against the Atomic Wallet’s deployment and use.
We are publishing this blog post in adherence with our policy on responsible disclosure to the users who may be at increased risk due to the issues we reported remaining unaddressed. We are committed to our clients and will work to ensure they have the appropriate information and time needed to address threats and vulnerabilities identified during our security audit. In an effort to stay true to our mission of promoting ethical practices as it relates to security and privacy, we also have a responsibility to the developers, users, and broader community utilizing the tools and technologies that we audit. In support of this effort, we permit our clients’ development teams the opportunity to address any issues prior to publicly disclosing our concerns or our findings. In the event that issues are not addressed by the development team in a timely manner and users are at risk, this results in a public disclosure.
Prior to publishing this blogpost, we notified the Atomic Wallet team of our plans to responsibly disclose the risk to users and invited them to work collaboratively with us in hopes that they would take immediate action, as recommended. We provided the Atomic Wallet team several opportunities to address the issues in our report and reached out several times to inform them of our reasoning and intentions prior to publishing this blogpost. However, they have not provided a sufficient or timely response after several suggestions by our team encouraging their proactive participation in this disclosure to alert users.
At this time, we have decided against publishing the Final Audit Report to the public in order to prevent potential malicious actors misusing the information in the report to compromise user wallets, steal user funds, and access private user data. We hope that this disclosure of the existence of significant vulnerabilities without providing details helps to appropriately warn users without putting them at even greater risk.
We identified several security-critical issues making current users of the Atomic Wallet vulnerable to a range of attacks that may lead to the total loss of user funds. Specifically, we found that user funds are at increased risk due to the current use and implementation of cryptography. We also noted a lack of adherence to wallet system design and development standards and best practices, reducing the overall security of the system and increasing the Atomic Wallet’s attack surface.
In addition, the absence of robust project documentation, a comprehensive test suite, and the large number of potential issues that may result from the incorrect use of Electron increase the risk of security vulnerabilities and implementation errors going unnoticed. The implementation also makes use of a large number of out-of-date and unmaintained dependencies.
We strongly recommend that Atomic Wallet immediately notify users of the existing vulnerabilities, addressing and resolving all issues and suggestions outlined in the audit report, and conducting and publishing a full, comprehensive follow up security audit of the Atomic Wallet by an independent security auditing team once all fixes have been sufficiently implemented.
6/3/23 Update

Atomic Wallet posted a tweet on 6/3/23 stating that they are receiving multiple complaints of people’s wallets being compromised/hacked. As of right now, the Atomic Wallet company has not provided any updates. Since crypto wallets are near impossible to hack due to the security and encryption that is built in, it is most likely an inside job (by a disgruntled employee). But no confirmation has been provided yet that a hack has even happened. It is possible this could all be just FUD (fear, uncertainty and doubt). However, to be safe, if you do have crypto on Atomic Wallet, you could temporarily move all or part of it to another wallet like Exodus, etc.
Also check out my YouTube community post regarding diversification. Ecclesiastes 11:2 – But divide your investments among many places, for you do not know what risks might lie ahead. https://www.youtube.com/post/UgkxBMxqQR45C9rlz43NhlUEvoHZbMDH10Dx
https://twitter.com/AtomicWallet/status/1664946301815910400
We have received reports of wallets being compromised. We are doing all we can to investigate and analyse the situation. As we have more information, we will share it accordingly.
For any questions and concerns, contact support@atomicwallet.io
https://cointelegraph.com/news/atomic-wallet-exploited-users-report-loss-of-entire-portfolios
6/3/23
Atomic Wallet exploited, users report loss of entire portfolios
Several users on Twitter have reported losses of crypto assets, claiming funds held on the Atomic Wallet app vanished.
Atomic Wallet has been apparently exploited, with users on Twitter reporting complete losses of their crypto portfolios. Atomic is a noncustodial-decentralized wallet, meaning users are responsible for assets stored in the application.
“We have received reports of wallets being compromised. We are doing all we can to investigate and analyse the situation. As we have more information, we will share it accordingly,” said Atomic’s team on Twitter on June 3.
A number of users have commented on the post reporting losses, claiming funds were wiped out from their digital wallet app. On-chain sleuth ZachXBT, known for tracing stolen funds and assisting hacked projects, is taking part in the investigation. At the time of writing, it’s unclear how the attack was carried out. Atomic claims to have over 5 million users.
6/4/23 Update

Atomic Wallet has provided an update on June 4, 2023 regarding the current wallet Hack.
Update: The investigation is still ongoing in a joint effort with the leading security companies. The team is working on possible attack vectors. Nothing yet confirmed.
Support team is collecting victim addresses. Reached out to major exchanges and blockchain analytics companies to trace and block the stolen funds.
For additional instructions to anyone impacted, only contact via support@atomicwallet.io
Please be aware of fake accounts!
6/5/23 Update

June 5, 2023 Atomic Wallet Breach/Hack Update. Less than 1% of users affected. Per Atomic Wallet website there are 5 million users. One percent represents 50 thousand users impacted by the hack.
https://twitter.com/AtomicWallet/status/1665550651735023616
Jun 5, 2023
At the moment less than 1% of our monthly active users have been affected/reported. Last drained transaction was confirmed over 40h ago.
Security investigation is ongoing. We report victim addresses to major exchanges & blockchain analytics to trace and block the stolen funds.
https://atomicwallet.io/
“Trusted by 5,000,000 users worldwide”
Here is a breakdown of Atomic Wallet’s Security Practices on their website.

They claim Atomic Wallet is a Cold Wallet Type. Atomic company does not have access to your data, passwords. They do not store private keys and do not have access to them. Your private keys are encrypted locally on your device. Data stored on your phone or transmitted is fully encrypted.
So based on this information, it’s hard to believe/understand how the hack happened. There have been rumors that this hack may have been an inside job. Maybe even a disgruntled employee who sent a malicious update, and those that opened their wallets after updating were the ones affected. Per the Google Play Store, the last update was on May 22, 2023. So it could have been a malicious update that was sitting dormant until the hackers activated it. Also, if you recall the recent Ledger news and backlash, the Ledger company is currently in trouble for a similar issue where they have a backdoor allowing them to install updates to your Ledger, through which they can maliciously extract your seed phrase. Unfortunately, this issue probably affects most if not all hardware/software wallet makers out there. So until we find out how this hack happened, no wallet is safe out there. Best thing to do is diversify – split up your crypto among many different wallets.
Here is the security information from Atomic Wallet website:
https://atomicwallet.io/security
Security
All your funds are on the blockchain. Atomic works as a safe interface for the convenient and secure management of your crypto assets.
Safety
Your private keys are encrypted locally on your device. Only you have access to the wallet, and all the operations in the wallet require password confirmation.
Anonymity
Atomic does not require verification or account creating. All the basic features in your wallet are anonymous. We do not collect your personal data.
Decentralization
Atomic is a decentralized app built on the open-source libraries. We do not partner with centralized services. Nothing can interrupt the wallet performance, and no one can get the access to your funds.
Custody Free Wallet
In comparison with centralized wallets, Atomic does not collect or store your private data; we do not keep accounts online, nor do we have hot storages.
All personal information is kept locally on your devices. The access to blockchains is given only to you with the seed phrase generated for your wallet. It is important to know the basic rules of safety for using cryptocurrencies!
https://atomicwallet.io/blog/atomic-wallet-security
Cryptocurrency storage methods
Atomic Wallet is a cold wallet type, all passwords and data are stored on the user’s device and it is not kept at any server, so there is no custody risks or the possibility of losing funds through centralized services. The main risk in Atomic Wallet is if you lose your backup phrase or send it to another person.
Encryption
In Atomic Wallet, all data stored on the user device or sent when interacting with blockchains is fully encrypted. Local data is secured with the AES symmetric encryption algorithm, and the data which is transferred via the BitTorrent protocol or when interacting with blockchains is secured with TLS asymmetric encryption.
Conclusion
Your safety is fully in your hands. We do not store any data on any servers, we do not store private keys and we do not have access to them. Therefore, it is the users themselves who are responsible for maintaining their password and backup phrase.
Atomic Wallet has also been actively Removing Comments and Complaints from Social Media, including Reddit

Atomic Wallet has been deleting posts and comments relating to the Summer 2023 crypto hack, where customers of Atomic Wallet lost millions of dollars in crypto – it was stolen. There are many comments where people are swearing that no one had access to their seed phrases. Many experts made posts on Twitter stating that it looks like it could be an inside job (Atomic Wallet employee) or possibly a software vulnerability that Atomic Wallet knew about but chose not to fix – there is a 2022 audit that proves the latter.
Deleted Atomic Wallet tweets:
Atomic Wallet has been going through old posts, comments, and tweets relating to the Summer 2023 crypto hack, and deleting them to hide the truth, and make people forget.

Jun 5, 2023
At the moment less than 1% of our monthly active users have been affected/reported. Last drained transaction was confirmed over 40h ago.
Security investigation is ongoing. We report victim addresses to major exchanges & blockchain analytics to trace and block the stolen funds.

6/7/23 – We continue to work with leading blockchain analysis companies


Since June 3, no new cases reported

We have received reports of wallets being compromised



[…] And lastly, we have Atomic Wallet, that is able to send and receive ETN, but they were hacked in mid-2023, so best not to use them. Check out my post regarding Atomic Wallet 2023 Hack here: https://propheticmoney.com/atomic-wallet-breach-cover-up-35m-stolen-failed-security-audit/ […]