Atomic Wallet - REKT

Now I am become rekt…

Atomic Wallet blew up earlier this month.

While the news cycle became overrun by the regulatory grudgematch, North Korea’s Lazarus Group have remained busy

…and the losses have continued to mount.

Elliptic puts the total at over $100M gone so far, with the worst-hit victim losing $8M USDT.

But the true total may be far higher.

Last August, when a similar attack ran rampant on Solana, we wrote:

Panic, chaos, suspicion.

All are inevitable reactions to an indiscriminate attack, where nobody knows who’s safe, and who’s next.

With still no clarification from Atomic Wallet, this time is no different.

Many have blamed the team’s past attitude to security concerns.

In 2021, Atomic Wallet were informed of vulnerabilities in their product, but didn’t engage with the auditors, Least Authority, who were left with no option but to publish a warning to users.

Why didn’t Atomic fix this ticking time bomb?

Atomic Wallet addresses began to be drained just before 10pm UTC on Friday 2nd June (with the theft of 304 ETH, worth over $500k).

The following day, Atomic Wallet acknowledged there was an issue, encouraging users to reach out via email. Since then, aside from downplaying the incident (“less than 1% of our monthly active users have been affected/reported”), the team have not stated what caused the hack.

Do they even know themselves?

The hack reportedly affected both desktop and mobile users, whose addresses were targeted on 13 chains.

The addresses were drained via a three step system. Firstly, a direct transfer into a new address, where tokens were then swapped for the chain’s native asset and consolidated in a third wallet.

Tracing the funds (spearheaded by ZachXBT and Tayvano) looks to have been a painstaking task, relying on individual user reports, and linking the above process to addresses which provided gas to the accounts in question.

Some funds ($1M) have apparently been recovered, but the method is being kept quiet for now. And while some spend time helping victims, others look to capitalise on their desperation with a fake ‘refund’ airdrop.

The laundering of funds has shown patterns attributed to the Lazarus Group, being sent to the Sinbad BTC mixer (formerly Blender), a DPRK favourite.

While the root cause is still to be identified, the hack may be linked to a BGP hijacking of Atomic Wallet traffic.

BGP has played a part in a number of crypto incidents in the past. While this technique is not enough on its own to carry out the heist, it may have been combined with the vulnerabilities alluded to (though never specifically disclosed) by Least Authority, who faced legal pressure to take down their blog post.

A leak of logged sensitive data, such as was the case with the Slope wallet incident on Solana, is another possiblity. Hacken CEO Dyma Budorin has also listed some potential scenarios.

Whatever the cause, the attitude of the Atomic Wallet team was summed up by Tayvano:

Your security posture sucks, you refuse to listen to people, you aggressively silence people, and your products and services facilitate theft on a daily basis and have for years.

Without knowing a root cause, other wallet providers will be having a hard time checking if they might be susceptible to the same attack vector.

With plenty of shady looking options out there, it’s better to be safe than sorry.

When it comes to securing your assets, any hint of a red flag should be reason enough look elsewhere.

And Atomic Wallet is covered in them.

Will they ever admit what went wrong?

share this article

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C


REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.