On June 3, 2023, hackers stole over $35 million worth of cryptocurrencies from Atomic Wallet, a popular non-custodial cryptocurrency wallet. The hack was made possible by a vulnerability in Atomic Wallet’s code that allowed hackers to steal private keys from users’ devices.
Table of Contents
- 1 Introduction
- 2 About the hack
- 2.1 1st Possibility: Compromised Private Keys Due to Code Vulnerabilities
- 2.2 2nd Possibility: Inclusion of Harmful SDK And Software Supply Chain Attack
- 2.3 3rd Possibility: Data Encryption Algorithm Information Leakage and Brute-Forcing Of Private Keys
- 2.4 4th Possibility: Lack Of Dynamic Protection In The Android App Client Allows Injection Attacks
- 3 Money Laundering Pattern Analysis
- 4 What happened to the lost money?
- 5 Insight Into Previous Hacks
- 6 Final Thoughts
Atomic Wallet is a non-custodial cryptocurrency wallet allowing users to store, send, and receive over 500 different cryptocurrencies and tokens.
The wallet is available for desktop, mobile, and web browsers. Atomic Wallet is a popular choice for cryptocurrency users due to its broad support for cryptocurrencies, user-friendly interface, and security features.
About the hack
The hackers stole approximately $35 million in various crypto assets, which include Bitcoin, Ethereum, Litecoin, Tether’s USDT, Ripple (XRP), Cardano (ADA), Dogecoin (DOGE), and Tezos.
The hack investigation is still ongoing, but various prominent analysts have given different theories behind the hack.
1st Possibility: Compromised Private Keys Due to Code Vulnerabilities
There are assumptions that Atomic Wallet’s hack was made possible via a flaw in the wallet’s coding, which allowed hackers to grab private keys from users’ devices.
Private keys are required to get access to cryptocurrency wallets, and once obtained, hackers can steal the crypto assets held in the wallet.
Some analysts are of the opinion that the hackers took advantage of this flaw by sending phishing emails to Atomic Wallet customers. When users clicked on the malicious links in the emails, the malware was installed on their devices. The malware then grabbed the private keys from the infected devices.
2nd Possibility: Inclusion of Harmful SDK And Software Supply Chain Attack
Some analysts confirm that it is probable that a harmful SDK was included inadvertently during the Atomic Wallet development process, resulting in the creation of a backdoor via a “software supply chain attack,” which was utilized by the hackers for unauthorized access.
3rd Possibility: Data Encryption Algorithm Information Leakage and Brute-Forcing Of Private Keys
It is possible that a data encryption algorithm could be vulnerable to information leakage, leading to the disclosure of encryption methods and potential flaws. This could potentially enable attackers to employ brute-force techniques to determine private keys.
4th Possibility: Lack Of Dynamic Protection In The Android App Client Allows Injection Attacks
Some security firms have also offered the theory that the lack of dynamic protection in the Android app client allowed malicious software to be installed on users’ Android devices, allowing injection attacks to steal user passwords or private keys.
No official statement has been made by Atomic Wallet’s team regarding the root cause of the hack, but these theories have given us a clear idea of the various vulnerabilities in Atomic Wallet’s code that make crypto assets vulnerable to hackers and attackers.
Money Laundering Pattern Analysis
Out of the $35 million lost, it is claimed that the top five victims account for $18 million. It is also stated $8 million was stolen from one user.
Furthermore, according to some major security firms, victims’ overall damages have approached $40 million.
On running a fund flow study on the addresses of the top five victims in terms of losses, the following money-transfer patterns were detected, which hackers used after deleting the technological interference elements brought up by the hackers.
Image: Atomic Wallet Victim 1 Fund Transfer View
The victim’s address sent 304.36 ETH to the hacker’s address. Following that, the funds were divided eight times through the intermediate address before being aggregated to a random address.
Following that, the funds were transferred to an address where they remain to this day. The address has an ETH balance of 692.74 ETH (worth $1.27 million).
This stated money laundering pattern closely resembles the techniques used by North Korean hackers in previous attacks, such as the Ronin Network and Harmony incidents.
The pattern consists of three steps:
- Consolidation and conversion of stolen funds: Following the attack, stolen tokens are consolidated and exchanged for ETH via decentralized exchanges (DEX) or other similar methods. This is a common practice to avoid having funds frozen.
- Stolen funds aggregation: The consolidated ETH is collected in several one-time-use wallet addresses. The hackers used nine such addresses in the Ronin incident, while they used 14 in the Harmony incident. Nearly 30 addresses were used in the Atomic Wallet incident.
- Transfer of stolen funds: The funds are laundered using Tornado Cash, completing the entire money transfer process.
There are significant similarities in the laundering details, in addition to following the same money laundering pattern:
- The attackers show patience by carrying out the laundering operations for up to a week. A few days after the initial attack, they began the subsequent laundering operations. A portion of the stolen funds in the Atomic Wallet incident have been divided, but the process of combining them through Tornado Cash has yet to begin.
- (2) Automated transactions are used throughout the money laundering process. The majority of fund aggregation actions involve multiple transactions at short intervals that follow a consistent pattern.
Figure: View of Ronin Network breath first money laundering mode
Figure: View of Harmony Breathfirst money laundering mode
Based on the on-chain analysis, the following can be concluded:
- The money laundering techniques used in the Atomic Wallet incident are consistent with those used in the Ronin Network and Harmony incidents. These methods entail dividing funds among multiple accounts and transferring assets on a small scale. As a result, the attackers may be linked to North Korean hacker groups.
- However, there are findings of a significant number of false token transactions during the atomic incident’s function transfer process. Technique for increasing the difficulty of analysis, fund division, with 23 of them linked to fraudulent token transfers. This interference technique was not seen in the previous two incidents, indicating that the hackers’ money laundering tactics have improved.
- The stolen funds from the Atomic Wallet incident are still being held at various addresses.
In the last year, the notorious North Korean hacking collective has been linked to several major crypto exploits, including the Harmony Bridge hack and the Ronin Bridge hack.
What happened to the lost money?
Illicit funds obtained from the $35 million Atomic Wallet hack are reportedly on the move once more, with sanctioned Russian-based crypto exchange Garantex becoming the latest to come into contact with the hacked crypto.
Elliptic, a blockchain security firm, provided an update on the situation with the stolen Atomic Wallet funds on June 13. It claims that the Lazarus Group, a North Korean hacking collective believed to be behind the attack, used the sanctioned Russian-based crypto exchange Garantex to launder the loot.
Elliptic and many exchange partners collaborated on a significant and successful cross-community effort to freeze the stolen cryptocurrency, according to a tweet from the company. Lazarus, on the other hand, has discovered new ways to exchange their assets for Bitcoin.
Insight Into Previous Hacks
Atomic Wallet has been hacked before. In 2019, hackers stole $1 million worth of cryptocurrencies from the wallet. However, Atomic Wallet was able to recover the stolen funds.
Precautions and actions that the Atomic Wallet team took after this hack
After the recent hack, Atomic Wallet has taken several steps to improve its wallet security. These steps include:
- Hiring security firms to audit the wallet’s code.
- Implementing new security features, such as two-factor authentication.
- Educating users about security best practices.
The recent hack on Atomic Wallet is a reminder that no cryptocurrency wallet is completely immune to attack. Users should always take steps to protect their cryptocurrency assets, such as using strong passwords, enabling two-factor authentication, and being careful about clicking on links in emails.
You can consult blockchain security firms like ImmuneBytes to make your security robust and impregnable.