According to a blog post by blockchain intelligence firm Elliptic on Tuesday, it is believed that Atomic Wallet users may have been targeted by Lazarus, the well-known hacking group from North Korea.
The team behind Atomic, a non-custodial cryptocurrency wallet, announced on early Saturday morning that certain users had experienced compromises and lost funds from their wallets. The company stated that the number of incidents did not exceed 1% of their “monthly active users.” These announcements followed numerous Reddit reports from users who complained about their wallets being emptied.
An anonymous blockchain investigator named ZachXBT estimated that approximately $35 million worth of various cryptocurrencies, including bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB coin (BNB), polygon (MATIC), and Tron-based USDT, had been stolen.
According to Elliptic, the stolen cryptocurrency has been directed to a mixer called Sindbad.io. This particular mixer is believed to be a successor to the previously sanctioned mixer Blender.io. Sindbad.io has frequently been employed for money laundering purposes related to other hacks attributed to Lazarus, and its usage pattern remains consistent, as stated by Elliptic. The blog post further reveals that the firm discovered links between the wallets holding the stolen funds from Atomic and some of the hacks previously associated with Lazarus.
The Hack
Last year, a security audit company called Least Authority published a blog post expressing concerns about the vulnerability of Atomic Wallet. According to the company, the issues included the improper implementation of cryptography by Atomic, failure to adhere to best practices in wallet design, a lack of comprehensive project documentation, and incorrect usage of Electron, a framework for creating desktop applications. However, Least Authority has since removed the post.
Dyma Budorin, the CEO of blockchain security firm Hacken, provided several possible explanations for the occurrence of the hack. One possibility is that Atomic’s method of generating recovery phrases (also known as seed phrases) for wallets did not generate sequences of words that were sufficiently random. This could have made it easier for hackers to employ brute-force techniques to access the wallets, Budorin informed CoinDesk.
Non-custodial wallets like Atomic provide users with the ability to independently manage their cryptocurrency without relying on a centralized company. However, this also means that if users lose their device or password, the only way to recover their funds is through the seed phrase. Unfortunately, anyone who gains access to the seed phrase can replicate the wallet and steal the funds.
Another theory suggests that hackers may have mathematically derived users’ private keys by analyzing the transaction data visible on the bitcoin blockchain. This type of attack was recently discussed in a research paper published by University of California, San Diego researchers. Hacken also discovered that the Android version of Atomic had a vulnerability due to its use of an outdated and insecure dependency for transaction signing, as mentioned by Budorin.
Hacken proposed other possibilities, such as a supply chain attack on the wallet manufacturer, a breach of Atomic’s website, or the inadvertent or intentional exposure of users’ private keys to Atomic’s centralized server.
According to ZachXBT, Jito Labs, a scaling startup on the Solana blockchain, successfully recovered over $1 million in stolen funds from a single incident. Budorin emphasized that this hack has drawn attention to the fundamental issues with crypto wallets and their lack of emphasis on constructing a robust architecture with implemented security best practices. When asked about the possible cause of the hack, Atomic CEO Konstantin Gladych declined to comment.
According to Gladych, the team is currently gathering information from impacted users and sharing it with blockchain analysis companies such as Chainalysis, Crystal, and Elliptic. He also mentioned that a portion of the funds has been intercepted as they reached exchanges.
Gladych confirmed that the attack was carried out by a group of skilled hackers who demonstrated organization and expertise in their approach. They employed various techniques including scripts, fund splitting, and the use of mixers to obfuscate their activities.
