The well-known digital currency wallet, Atomic, has recently become the target of a sophisticated cybercrime operation, with some suspecting the involvement of Lazarus, the notorious hacking collective believed to have North Korean affiliations. This information was made public on Tuesday via a report from Elliptic, a firm specializing in blockchain analysis.
On Saturday, Atomic’s developers released a statement acknowledging that a small percentage of its user base had been affected by a security breach, with funds having been illicitly withdrawn from their wallets. While not more than 1% of the wallet’s active monthly users were impacted, these incidents prompted a wave of reports on social media platform Reddit, with users expressing their concerns about the sudden disappearance of their digital assets.
A blockchain investigator known only by the alias ‘ZachXBT’ has estimated the total value of the stolen digital assets to be around $35 million. These assets span a range of cryptocurrencies, including but not limited to Bitcoin (BTC), Ethereum (ETH), Tether (USDT), Dogecoin (DOGE), Litecoin (LTC), BNB coin (BNB), Polygon (MATIC), and Tron-based USDT.
Elliptic’s report further indicates that the stolen assets were directed towards a digital entity named Sindbad.io, a mixing service believed to be a follow-up operation to the previously identified and sanctioned mixer, Blender.io. Sindbad.io has been previously associated with other hacking incidents tied to the Lazarus group, showcasing a recurring pattern of behavior. Elliptic was also able to identify links between the wallets involved in this recent breach and those used in earlier attacks perpetrated by Lazarus.
During the preceding year, cybersecurity auditing firm Least Authority had indicated that Atomic Wallet could potentially be susceptible to such breaches. Concerns revolved around Atomic’s cryptographic methodology, its departure from established wallet design practices, and questionable use of Electron, a framework for building desktop applications. Furthermore, Least Authority pointed to a lack of comprehensive project documentation as a further weakness. Least Authority’s blog post has since been taken down.
Dyma Budorin, CEO of blockchain security firm Hacken, suggested several potential reasons behind the security breach. One theory involved the algorithm used by Atomic to generate recovery phrases for wallets. If the sequence of words produced was not sufficiently random, it could have been vulnerable to brute-force attacks by hackers. Non-custodial wallets like Atomic give users autonomy over their digital assets, making recovery phrases crucial for fund retrieval in case of device or password loss. However, this very convenience could also allow malicious actors to replicate the wallet and pilfer the funds, given access to the recovery phrase.
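To make the recovery-phrase theory concrete, the following is an added example (not Atomic’s code; the page does not say which scheme Atomic uses, so a BIP39-style derivation is assumed). It derives the 11-bit word indices of a phrase from raw entropy plus a SHA-256 checksum and shows that the checksum adds no secrecy: the phrase is exactly as guessable as the entropy bytes that feed it, so a weak randomness source shrinks the search space no matter how many words are shown to the user.

```python
"""BIP39-style recovery phrase derivation (added example, assumed scheme).

Words are represented by their 11-bit wordlist indices so the example
runs offline without the 2048-word list (index 0 = "abandon", 3 = "about").
"""
import hashlib
import secrets

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)   # 12, 15, 18, 21, 24 words


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the SHA-256 checksum (ENT/32 bits) and split into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def checksum_ok(indices: list[int]) -> bool:
    """Validate a phrase by recomputing the checksum from its entropy part."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    total = len(indices) * 11
    ent_bits = total * 32 // 33
    cs_bits = total - ent_bits
    combined = 0
    for idx in indices:
        combined = (combined << 11) | idx
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    return entropy_to_indices(entropy) == indices


def generate_indices(strength: int = 128) -> list[int]:
    """Draw entropy from the OS CSPRNG.

    The checksum is derived from the entropy, so it contributes nothing to
    secrecy: a 12-word phrase built from, say, a 32-bit time-seeded PRNG has
    only 2^32 possible values, not 2^128. The randomness source, not the word
    count, decides how resistant the phrase is to brute force.
    """
    return entropy_to_indices(secrets.token_bytes(strength // 8))
```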
Budorin also conjectured that hackers may have recovered users’ private keys from transaction data visible on the Bitcoin blockchain, a method detailed in a recent paper by researchers from the University of California, San Diego. Another theory concerned the Android version of Atomic’s application, which Hacken observed relied on an outdated, vulnerable dependency for transaction authentication.
Other plausible scenarios include a supply chain attack on the wallet manufacturer, an intrusion into Atomic’s website, or the accidental or deliberate leaking of users’ private keys to Atomic’s centralized server. The security firm also noted that over $1 million of the funds stolen from a single user has been recovered by Jito Labs, a startup working on scaling the Solana blockchain.
Budorin stressed that this incident underscores significant security issues within digital wallet designs. He emphasized that digital wallet providers should focus on building robust security architecture while adhering to the best industry practices.
In response to the breach, Atomic’s CEO Konstantin Gladych stated that he was not at liberty to speculate about the causes behind the hack, thereby leaving room for further investigation and speculation in the crypto community.