
Atomic Wallet was hacked and lost $35 million. Is it accidental or self-inflicted?

秦晓峰
Odaily senior author
@QinXiaofeng888
2023-06-05 10:53
A security vulnerability was discovered two years ago but was not fixed in time.

Last weekend, the crypto wallet Atomic Wallet was hacked.

According to statistics from on-chain detective ZachXBT, the total amount stolen in this attack has exceeded 35 million US dollars, involving assets including BTC, ETH, USDT, Tron, BSC, ADA, Ripple, Polkadot, Cosmos, Algo, Avax, XLM, LTC and Doge; the largest personal loss was 7.95 million USDT (TRC version), and the top five victims had a cumulative loss of about 17 million US dollars, accounting for nearly half.

On June 3, a number of Atomic Wallet users posted on social media that their wallet assets had been stolen. Atomic Wallet then posted: "We have received reports of wallet theft and are doing everything we can to investigate and analyze the cause. If there is more relevant news, it will be released as soon as possible."

After nearly two days, Atomic Wallet released a vague official tweet this morning: "Currently less than 1% of monthly active users have been affected/reported, and the security investigation is ongoing; Atomic Wallet has reported the victims' addresses to major exchanges and blockchain analysis firms to trace and stop the transfer of stolen funds." Atomic Wallet did not address user concerns such as the attack vector used by the hacker, how to avoid risk, or subsequent compensation.

Crypto KOL「Tay」collected and analyzed victims' addresses and found that the earliest attack occurred at 5:45 on June 3 (UTC+8), and the latest theft transaction occurred at 23:30 UTC on June 3 (UTC+8). The stolen assets were collected at a new address; then, through Uniswap, mm swap, SunSwap and other DEXs, each token was exchanged for the native token of its chain and transferred again to a new address (awaiting subsequent operations).

After the attack, buffalu, CEO of crypto infrastructure company Jito Labs, and Brian, its head of business, helped a victim recover $1 million in losses.

How did the hacker achieve the attack? Founder of Btc 21.de「Joko」

(Image: Victim Forum)

Some victims also reported that the private key of their Atomic Wallet account had never been backed up or authorized on other platforms, that they did not use a SIM card and rarely connected to their home WiFi, yet all of their ADA assets were still stolen by hackers. One detail is worth noting, however: the user was running Atomic Wallet Android version 1.13.20, while the latest version is 1.15.1 (updated on May 23, 2023), so it cannot be ruled out that the old version of the wallet contains security vulnerabilities.

「Tay」's analysis holds that Atomic Wallet's application is not built in a secure manner: either someone pushed a malicious version of the application that stole users' keys, or they (Atomic Wallet) inadvertently recorded users' private keys on their own servers, which were then accessed by malicious actors.

(Image: Least Authority Announcement)

In February 2022, Least Authority published a report stating that it had first been hired in early 2021 to examine Atomic's system design and the corresponding core, desktop and mobile code implementations, and had concluded that there were vulnerabilities and deficiencies that put users at "significant risk"; the report was submitted to Atomic in April 2021. Atomic responded to the findings in November 2021, indicating that updates and improvements had been made. However, on reviewing the modified version provided by Atomic Wallet, Least Authority found that a large number of issues remained unresolved and posed a security risk to users. Least Authority then formally issued a risk warning to users, in accordance with auditing standards and disclosure policies. This warning still did not attract Atomic Wallet's attention, and to some extent it laid a hidden mine for today's attack.

In response to the Atomic Wallet theft, cosine, founder of the security company SlowMist, commented: "It is ironic that such sensitive information as the mnemonic/private key is handed over to a wallet that is not responsible for security or whose security level is not high enough. The information asymmetry here is too serious; even I can't answer which wallets are continuously secure... Mnemonics/private keys should be hidden in encryption chips, offline environments or trusted environments, and multi-signature/MPC can be used to eliminate single points of failure."

It is understood that Atomic Wallet positions itself as a decentralized, non-custodial application that does not hold the user's private key. It claims to currently support more than 1,000 cryptocurrencies and to have more than 5 million users worldwide. "Atomic Wallet acts as an interface that enables users to access their blockchain funds. The wallet and its operations are protected by encryption, and key data such as private keys and backup phrases are safely stored on the user's local device through a reliable encryption algorithm."

The Terms of Service clearly state that the developer shall not bear any responsibility for damage suffered by users on the chain. "Under no circumstances will Atomic Wallet be liable for damages for services exceeding $50."

Finally, we need to remind all victims that fake accounts pretending to be Atomic Wallet have posted refund tweets on Twitter, and users who click them are redirected to phishing websites, so extra vigilance is needed. When searching for the official account on Twitter, look for the blue V certification; the fake account uses the gold V certification to confuse the public. The official account is: @AtomicWallet

 

 

