Atomic Wallet suffers a hack with a loss of 35 million dollars, was it an unintentional mistake or self-inflicted?

OdailyNews
2023-06-06 08:51:42
Security vulnerabilities were disclosed two years ago, but they were not patched or addressed in a timely manner.

Written by: Qin Xiaofeng, Odaily Planet Daily

Last weekend, the crypto wallet Atomic Wallet suffered a hacking attack.

According to on-chain detective ZachXBT, the total amount stolen in this attack has exceeded $35 million, involving multiple assets including BTC, ETH, USDT, Tron, BSC, ADA, Ripple, Polkadot, Cosmos, Algo, Avax, XLM, LTC, and Doge; the largest individual loss was 7.95 million USDT (TRC version), with the top five victims collectively losing about $17 million, accounting for nearly half.

On June 3, multiple Atomic Wallet users reported on social media that their wallet assets had been stolen. Atomic Wallet subsequently stated, "We have received reports of wallets being stolen and are doing everything we can to investigate and analyze the reasons. We will release more relevant information as soon as possible."

After waiting nearly two days, this morning Atomic Wallet officially released a vague tweet stating, "Currently, less than 1% of monthly active users are affected/reported, and a security investigation is ongoing; Atomic Wallet has informed major exchanges and blockchain analysis companies of the victim addresses to track and prevent the transfer of stolen funds." Atomic Wallet did not respond to user concerns about the attack vector, how to mitigate the risk, or subsequent compensation.

Crypto KOL "Tay" analyzed the victims' addresses and found that the earliest attack occurred on June 3 at 5:45 AM (UTC+8) and the latest theft transaction on June 3 at 11:30 PM (UTC+8). The hacker first aggregated the stolen assets into a new address, then exchanged the various tokens for each chain's native token through DEXs such as uniswap, mm swap, and sunswap, before transferring them to another new address (pending further movement).

After the attack, Jito Labs' CEO Buffalu and business leader Brian stepped in to help one victim successfully recover $1 million in losses.

How did the hacker execute the attack? Joko, the founder of btc21.de, suspects that Atomic Wallet has a "malicious patch" that sends the private key to the attacker once the user opens the application. This inference comes from community discussions, with one victim stating that their assets were stolen within a minute of logging into Atomic Wallet.

(Victim Forum)

Some victims also reported that their Atomic Wallet private keys had never been backed up to or authorized on any other platform, that they did not use a SIM card and rarely connected to home WiFi, yet all of their ADA was still stolen. One detail worth noting, however, is that this user was running Atomic Wallet Android version 1.13.20, while the latest version is 1.15.1 (updated on May 23, 2023), so it cannot be ruled out that the older version contained security vulnerabilities.

"Tay" analyzed that the Atomic Wallet application was not built in a secure manner; either someone pushed a malicious version of the application that stole users' keys, or they (Atomic Wallet) inadvertently recorded users' private keys on their own servers, which were accessed by malicious actors.

It is worth noting that as early as a year ago, the security company Least Authority disclosed security vulnerabilities in Atomic Wallet and warned users to be aware of the risks.

(Least Authority Announcement)

In February 2022, Least Authority released a report stating that the company was first hired to examine Atomic's system design and its corresponding core, desktop, and mobile coding implementations in early 2021, concluding that there were vulnerabilities and deficiencies that posed "significant risks" to users. This report was submitted to Atomic in April 2021. Atomic responded to the findings in November 2021, indicating that updates and improvements had been made. However, Least Authority found that many issues remained unresolved in the modified version of Atomic Wallet provided during the review, posing security risks to users. According to auditing standards and disclosure policies, Least Authority formally issued a warning to users to alert them to the risks. However, this warning still did not attract the attention of Atomic Wallet, which in some ways laid the groundwork for today's attack.

Regarding the Atomic Wallet theft incident, the founder of the security company SlowMist, Yu Xian, commented, "It is ironic to entrust such sensitive information as mnemonic phrases/private keys to wallets that are not sufficiently responsible for security or have inadequate security levels. The information asymmetry here is too severe; even I find it difficult to answer which wallets are continuously secure… Mnemonic phrases/private keys should be hidden in a secure chip, offline environment, or trusted environment, and can also use multi-signature/MPC to avoid single points of failure."

It is understood that Atomic Wallet positions itself as a decentralized, non-custodial application that does not hold user private keys, claiming to support over 1,000 cryptocurrencies and having over 5 million users worldwide. "Atomic Wallet serves as an interface that allows users to access their blockchain funds. The wallet and its operations are encrypted, and critical data such as private keys and backup phrases are securely stored on the user's local device using reliable encryption algorithms."

Due to its non-custodial nature, Atomic Wallet also clearly states in its terms of service that developers are not responsible for any on-chain damages suffered by users. "In no event shall Atomic Wallet be liable for damages exceeding $50 caused by the service."

Finally, it is important to remind all victims that there are already fake accounts on Twitter impersonating Atomic Wallet to post refund tweets. Clicking on these will redirect users to phishing websites, so vigilance is required. When searching for the official account on Twitter, look for the blue V verification—fake accounts use gold V verification to confuse users. The official account is: @AtomicWallet.
