Atomic Wallet Was Breached by North Korean Hackers: Elliptic

Wallets that siphoned Atomic users' funds are connected to the Lazarus group's known addresses, the crypto tracing firm said.

Jun 6, 2023 at 10:48 p.m. UTC
Updated Jun 13, 2023 at 3:12 p.m. UTC

Atomic Wallet users might have fallen victim to Lazarus, the infamous North Korean hacking group, said blockchain intelligence firm Elliptic in a blog post on Tuesday.

Early Saturday morning, the team behind Atomic, a non-custodial crypto wallet, announced that some users were compromised and lost the funds from their wallets. According to the company, the number of incidents did not exceed 1% of "monthly active users." The announcement followed multiple reports on Reddit from users complaining their wallets had been drained.

ZachXBT, a pseudonymous blockchain sleuth, estimated that around $35 million in various cryptocurrencies had been stolen, including bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB coin (BNB), polygon (MATIC) and Tron-based USDT.

The stolen crypto has been funneled to a mixer called Sindbad.io, Elliptic wrote. This mixer, which Elliptic believes is a successor of the previously sanctioned mixer Blender.io, has often been used to launder money from other hacks attributed to Lazarus, and the usage pattern is the same, Elliptic said. The firm also found connections between the wallets holding the loot from Atomic and wallets used in some of the Lazarus hacks, the blog post reads.

What was hacked

Last year, security audit company Least Authority warned in a blog post that Atomic Wallet may have been vulnerable to breaches. According to Least Authority, issues included the way Atomic implemented cryptography, that it did not adhere to the best practices for wallet design, a lack of robust project documentation and incorrect use of Electron, a framework for building desktop applications. The firm has since taken down the post.

According to Dyma Budorin, CEO of blockchain security firm Hacken, there are several possible explanations for how the hack happened. One is that the way Atomic generated recovery phrases (the so-called seed phrases) for wallets did not produce sufficiently random sequences of words, leaving too few possibilities and making it feasible for attackers to brute-force wallets, Budorin told CoinDesk.

Non-custodial wallets like Atomic allow users to keep their crypto autonomously, without trusting a centralized company, which means if users lose a device or password for their wallet they can only recover funds using the seed phrase. However, anyone who has access to the seed phrase can duplicate the wallet and steal the funds.
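The weak-seed hypothesis above comes down to one question: how many distinct seeds could the generator actually produce? The following is an added illustration, not Atomic's code and not anything Hacken published: a seed generator that draws its 128 bits from a general-purpose PRNG seeded with a 32-bit creation timestamp (a constructed example of the flaw) next to one that uses the OS CSPRNG, and a brute-force routine that recovers the weak seed by enumerating timestamps around the wallet's creation time. The `fingerprint` function stands in for whatever public identifier (an address) the attacker can compare candidates against; all timestamps and values are constructed.

```python
"""Weak vs. strong wallet seed entropy, and why a weak seed is brute-forceable.

Added example, not code from Atomic Wallet or from Hacken. The "weak" generator
is a constructed stand-in for a generator whose 128-bit output is fully
determined by a 32-bit value (here a creation timestamp).
"""
import hashlib
import os
import random


def weak_entropy(creation_time: int) -> bytes:
    # BAD: Mersenne Twister seeded from a 32-bit timestamp. The output is 128
    # bits wide, but only 2**32 distinct outputs exist, one per seed value.
    return random.Random(creation_time).getrandbits(128).to_bytes(16, "big")


def strong_entropy() -> bytes:
    # GOOD: 128 bits straight from the OS CSPRNG; there is no small hidden
    # input for an attacker to enumerate.
    return os.urandom(16)


def fingerprint(entropy: bytes) -> str:
    # Stand-in for the public identifier derived from a seed (e.g. an address).
    # One-way, so an attacker can only test candidates against it.
    return hashlib.sha256(entropy).hexdigest()[:16]


def brute_force(target_fp: str, t_start: int, t_end: int):
    """Try every timestamp in [t_start, t_end) as the hidden 32-bit input.

    Returns the timestamp that reproduces the target fingerprint, or None.
    A real attacker needs no date hint at all: 2**32 candidates is hours of
    work on commodity hardware.
    """
    for t in range(t_start, t_end):
        if fingerprint(weak_entropy(t)) == target_fp:
            return t
    return None


def demo() -> bool:
    window_start = 1_685_750_000              # constructed: a second on June 3, 2023
    victim_time = window_start + 4_321        # constructed wallet creation time
    victim_fp = fingerprint(weak_entropy(victim_time))
    # Attacker knows only the fingerprint and a rough creation window.
    recovered = brute_force(victim_fp, window_start, window_start + 10_000)
    return recovered == victim_time


if __name__ == "__main__":
    print("weak seed recovered:", demo())
```

The check a practitioner wants here is the size of the generator's input space, not the width of its output: a 128-bit seed derived from a 32-bit value has 32 bits of security, and a BIP39 phrase built from such a seed is no stronger. Any wallet seed should come from the platform CSPRNG (`os.urandom`, `crypto.getRandomValues`, `SecureRandom`), never from a seeded general-purpose PRNG.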

Another hypothesis is that the attackers could have mathematically derived users' private keys from transaction data visible on the bitcoin blockchain. This kind of attack was described in a recently published paper by researchers at the University of California, San Diego. Hacken also found that the Android version of Atomic "relied on an outdated and vulnerable dependency" when signing transactions, Budorin said.

Other possibilities include a supply chain attack on the wallet vendor, a compromise of Atomic's website, or the intentional or unintentional transmission of users' private keys to Atomic's centralized server, according to Hacken.

According to ZachXBT, over $1 million in funds stolen from a single victim has been recovered by Jito Labs, a Solana blockchain scaling startup.

"This hack is very vocal, highlighting the core problems in crypto wallets. The wallets don't pay enough attention to building a strong architecture with security best practices implemented," Budorin added.

Atomic CEO Konstantin Gladych told CoinDesk he couldn’t comment on the possible reason for the hack.

The team is now collecting data from affected users and passing it to blockchain analysis firms such as Chainalysis, Crystal and Elliptic, he said, adding that part of the funds landed on exchanges and has been frozen there.

“The attack was definitely organized by a team of professional hackers. They’re using scripts, splitting of the funds, mixers, etc.,” Gladych said.

UPDATE (June 6, 2023, 21:30 UTC): Adds comment from Atomic CEO Konstantin Gladych.

UPDATE (June 7, 2023, 16:40 UTC): Corrects the spelling of Dyma Budorin's name.

Edited by Nikhilesh De.


Anna Baydakova

Anna Baydakova was CoinDesk's investigative reporter with a special focus on Eastern Europe and Russia. Anna owns BTC and an NFT.
