Bitcoin Forum

This announcement/warning made six hours ago through Atomic Wallet's Twitter account.


It's still being investigated, and no one actually knows if their software is really being compromised or not. But better be safe than to lose all of your coins/savings. If you're an Atomic Wallet user, send them out to another wallet ASAP.

I wonder why people should still be using a wallet that support only legacy address when there is Segwit today. Any bitcoin wallet, that also support altcoins or not should not be used anymore if they can not follow the recent standards.

It could be a phishing attack targeting their users. I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.

A news that will make many users disappointed if all the funds stored in the AtomicWallet wallet are lost.
There is a twitter account with the username @Christomos03 replying to a tweet made by AtomicWallet with a reply requesting that the lost funds be returned. Promptly replied by @zachxbt asking to send a DM with the transaction hash of the stolen funds.

It's been 8 hours since the information was made by AtomicWallet that they were compromised, is it still possible for Atomic walet users to transfer funds?

What about other wallets that support multiple coins?

They should be able to but if not, they can always recover their wallet somewhere else and then transfer funds from there.

I couldn't find any specific information on whether incident reports are related to a particular platform, such as desktop or mobile, or if they are related to all wallet versions. It would be helpful to have more clarity on this matter.

By the way, why is this thread in the Web wallets section?

I have seen reports of users losing their funds, and they even have no idea what happened since they never exposed their private keys or seeds.
One more reason never to trust closed source wallets.

Interesting posts of their Subreddit: https://www.reddit.com/r/atomicwallet/

It's sad news, we thought that using a non-custodial wallet is safe, in fact, there's no really safe over the internet.
Just wanted to know now how much worth was being stolen by hackers, I saw comments on Twitter, other wallets are fine and some are drained out I start thinking now of what version of the wallet and what software they use.

I think should also be visible in the Beginners and Help section to warn newbies out there and start importing their wallets to those who are not yet affected.  Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

It's safe to use a trustworthy open-source non-custodial wallet (preferably on an airgapped device) and that has been said many times in many threads on this forum. It's not that any non-custodial wallet is recommended.


You don't make your wallet more secure, just with importing your seed phrase into a secure wallet like electrum. You should create a new wallet and send all the fund to that.

After reading some comments on both the Reddit official thread[1] and their Twitter thread[2], I feel sorry for the people that lost their funds. According to this[3] user from Twitter, he estimates that a minimum of $20m has been stolen (so far at least). Match Systems appears to have some lead[4] regarding what might have caused this hack:
If true, then I'm not sure if they will be able to stop the hacker from keep sucking away their users funds. It's just a matter of time until all wallets are drained (whoever was able to exploit this surely has a way to automate this process).

---

[1]https://safereddit.com/r/atomicwallet/comments/13z9wdw/we_are_investigating/ (https://safereddit.com/r/atomicwallet/comments/13z9wdw/we_are_investigating/)
[2]https://nitter.it/AtomicWallet/status/1664946301815910400 (https://nitter.it/AtomicWallet/status/1664946301815910400)
[3]https://nitter.it/zachxbt/status/1665151915355676674 (https://nitter.it/zachxbt/status/1665151915355676674)
[4]https://nitter.it/MatchSystems/status/1665116869450145792 (https://nitter.it/MatchSystems/status/1665116869450145792)

So many users lost thier altcoins. Even so its not fun losing a huge quantity of those tokens like XRP or ADA. This is the kind of hacks that users will question whether the Wallet developer is liable. Because if they store those tokens on exchange like Binance, users who lost tokens could have refunded.

The wallet is not opensource by the way.

Sad day for Atomic Wallet users, It's (another) stark reminder. Not your keys, not your coins.

Atomic wallet is a non-custodial wallet and gives you the private keys. The problem with Atomic wallet is that it's close source and there is no way to know how the keys have been generated and whether the user is the only who has access to the keys or not.

The only advantage of that wallet is the ability to integrate the wallet with automatic/instant exchange, in other words, easy to exchnage between cryptocurrencies, but I see it as a lazy user, I hope that they have not lost a lot.
Are all users lost their money? Or is there a certain reason to lose their money, I use the phone and I did not find time to track the story.

Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

Just another in the long list of reasons to never use closed source wallets.

Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?

I have been searching around this forum, but I could not find any previous discussions about this specific topic. However, I did come across a few articles from 2018 that shed some light on the partnership between CZ Binance and Konstantin G., who is the CEO and founder of AtomicWallet and the former CEO and co-founder of Changelly.

https://www.unlock-bc.com/news/2018-05-03/changelly-partnered-with-binance-konstantin-met-with-cz-in-malta/

For those of you like me that did not remember if you left any funds in there (I had an entire $2 of tron so no big deal) just put your phone in airplane mode or disconnect your internet from you PC and check. And then if needed get your private keys. Don't start with getting the keys and importing do a time / effort analysis.


Copay was open source.
But as I have said countless times. Open source and build verified still does not prevent bad coding. Or as you mentioned a supply chain attack.
It just allows more people to see the bad code and report it and get it fixed.

And also as I have said countless times. Open source don't mean shit if people don't verify the source vs compiled that you are downloading. And lets not forget the HOW SECURE IS THE PROCESS OF UPLOADING THE APP TO THE VARIOUS APP STORES.
Everything else could be perfect, but if you don't secure that system then you are not secure.

-Dave

Why can't I find one helpful Reddit post, ever? I mean, look at the first reply of We are investigating. (https://www.reddit.com/r/atomicwallet/comments/13z9wdw/we_are_investigating/)


Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

A software wallet is only as safe as the computer and OS used to run it. If the computer is compromised then malware with sufficient elevated rights can compromise the software wallet. If the software wallet itself is badly crafted, which you can't check with closed-source software, then you're screwed anyway.

Importing the BIP-39 compatible recovery words of the Atomic Wallet in another wallet only makes sense if you can exclude the possibility that those recovery words or the underlying seed wasn't already compromised. Sure, if the current attack on Atomic Wallet needs some more ongoing interaction with the Atomic Wallet software, then you may gain some ground by importing it in another verified wallet that supports all your coins and tokens. Sadly, many alternatives are closed-source, too, with very few exceptions (I believe Unstoppable Wallet is multi-coin and open-source).

Even more sadly is that those closed-source wallets mostly don't offer the use of a hardware wallet with them. If implemented properly and without malicious intends that would mostly prevent a compromise of the seed and/or private keys that are secured by the hardware wallet.

This is a rather sad news, I am rather a bit surprised that this has to happen, my astonishment is probably due to the fact that it is a non-custodial wallet that is involved in this hack, we I think we are very used to custodial wallet, and centralized platforms being hacked, a non-custodial wallet hack is rather new and shocking, and some would want to ask questions like, if a non-custodial wallet can be hacked, then which type of wallet is exactly safe?

I think the above question can only be answered after the management of Atomic wallet come out with a comprehensive reason of what lead to the hack, and let's hope they are sincere to their users and the entire crypto community at large.

oops don't know how I confused closed source with not your keys concept  ::)
I got ate up for closed source on 1splitkey, even though it was split keys people didn't trust it.
I now know that lack of understanding means lack of trust.
I closed source code as it was tesla agents that controlled systems and didn't want that repurposed via simple cli tweaks. That was my reasoning. What's theirs? Why where they so successful?
These occurrences prove that they arnt always non-custodial.

Thanks for sharing this!

I am a long time atomic user and never had any problems with it. Reading this makes me overthink using it in the future.
But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

Sorry if my questions are kind of stupid. I have no idea about the technicalities.

I just use the wallet from time to time for smaller transactions.

You should never write any wallet in JavaScript, and in particular NodeJS & Electron (not to be confused with "Electrum" wallet which uses Python), because your project dependencies will pull literally hundreds of other dependencies, some of which are outdated, and there's no way for you to get around that situation. Instead of a bullet, it's like a hundred pieces of shrapnel from a missile and will almost certainly get you killed.


XRP, a shitcoin, does not have any reputable wallet software for it.

It would be foolish to continue using this wallet after reading about multiple reports of lost funds from all over. Even the official website has disabled software downloads, and they have stated that they are currently investigating the issue.


Every wallet stores customer seeds and private keys internally; it cannot function differently. But since this is a closed-source wallet, we cannot know what is happening in the background. Some preliminary reports claim that it was a malicious update originating from a hacked official site, but there is still no official explanation.


No, your questions are not stupid, but it is still too early to say anything because we do not know what actually happened.


If you still have funds in your wallet, it is advisable to transfer them to a safe place as soon as possible.

Well this makes me think about all those claims which stated if you own the keys then you are owner and no one can have access to your wallets/funds within. I’m shocked to see this news about atomic wallet. How does everyone going to trust any other wallet too if wallet services that claim to be non custodial? This is definitely phishing attack, because let us say it was really a compromised wallet and hacked one then either the hacker has just found out the loop hole in the non custodial system or it could be the owner himself who has turned his business into some quick disruption of money. In anyways, user is the one that gets suffered. Hope everyone rest moves their funds as quickly as possible to other wallet.

This should make us all aware that closed source wallets should be avoided at all costs even though they might be promoting themselves as a non-custodial wallet.

I saw posts on Reddit saying this could be an inside job as well.

Atomic wallet devs were warned about security risks in their wallet long ago, check out this coindesk post [1].

[1] https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/

Zach claims to have successfully recovered some of the stolen funds. He said he knows what is wrong but prefers not to share it as of now[1]. Wonder why he decided to do that, maybe the attacker still has the means to exploit more? Kinda surprising the funds are even recoverable.

[1] https://twitter.com/zachxbt/status/1665226056570118146

Part of the problem that I have been saying for years is the fact that people have grown so accustomed to the security that comes with their bank and brokerage applications. Where if you do something stupid more than likely you could get your money back and if you forget your password you have way of recovering it and they have safeguards against you doing things without clicking I am sure a bunch of times.

So, people think that all financial applications including cryptocurrency ones are more or less operating the same way. And then are shocked when they do not.

For all of everybody running around screaming about everything in the financial world even back in 2008 with all the bank failures and all the other banks that imploded so far this year more or less in most occurrences people got all their money back. Now try to convince those people that they are responsible for their own actions.

I'm also going to go out on a limb here and say that it is older people that this happens too. Whether or not everybody wants to run screaming about this group or that group kids today(and I'm gonna say anybody under 30 ) have seen and heard all the disasters that happen online and because they grew up with the tech they understand a lot of its limitations.
Grandma and grandpa who you finally convinced to use online banking now think everything operates the same way, and when they had a problem with their online checking account they could call an 800 number and spend an hour getting help through the situation. Do you think they're going to understand the concept of custodial or non custodial or open source or closed source? Or the fact that if they forget the password there's absolutely nothing anybody can do about it. Yes it's a generalization, but probably fairly accurate.

-Dave

Yes this is pretty bad. So far over $35M has been hacked and they have no idea what the issue is. They should send out a mass email to all the users who use Atomic Wallet and tell them to move to another wallet or even exchange.

Importing the seed into a new wallet won't help since they most likely have the seed. You need to move to a fresh new wallet. Wonder what the cause of this could of been? This is what happens when you use a closed source wallet.

Feels bad reading some of the comments. Some people think they are going to get a refund from the Atomic Wallet company. Feel bad that they don't know its gone forever.

That's just terrible news.
Sure, anyone storing massive amounts of value in a mobile wallet is always taking a high risk and already made the first mistake here.
Still, this usually hits crypto-newbies the hardest. Couldn't find anything, is there an approximate number of how many people are affected?

Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...

Looks like officials from Atomic where aware of existing  security vulnerabilities (https://web.archive.org/web/20220623142131/https://leastauthority.com/blog/disclosure-of-security-vulnerabilities-in-atomic-wallet/) in their product but didn't take any step to eliminate them and/or notify users who  where trusting them. The money has outweighed the wisdom and they have chose  to stay nontransparent with customers.  

I mean, if you are dumping $45,000 in to a centralized, absolute shitcoin like XRP, then you probably aren't doing much in the way of research. :P

We don't know. Such is the nature of closed source software. Nobody knows what it is actually doing. Is it generating seed phrases from a list that the developers are secretly holding? Is it sending seed phrases over the internet to a server somewhere? Has it got a built in function to sweep all funds to a malicious address at a particular date? Who knows? This is the risk you take with closed source software.

This is incorrect, electrum does not store your private keys, it is stored on your wallet file locally (on your device) and encrypted with your password.
Closed source wallets could be doing it differently and keeping logs of private keys, (we would never know) which a hacker can access if they breach their security, which you cannot verify either.

- Jay -

Other wallets might also get compromised if the computer is compromised. Even if someone has access to your wallet, I don't think they can access it unless they can crack your password or have private keys. Since it's only happened with Atomic users (we did not see the same reports from other wallet users yet), I guess OmegaStarScream might be correct. They might be fallen for phishing. But according to Atomic Wallet, 1% of their monthly active users reported that their wallet is drained. So, If their active user is 100K, 1K users' wallets were compromised. I don't think that many users could fall for the phishing trap.

Atomic might be hiding something about how are the private keys generated and them being non-custodial. I was using Atomic Wallet 2.45.1 For a while. Luckily I had nothing in my Atomic wallet, and I just uninstalled their software in case it contained any virus. Many users screamed in their tweets and complained about how much they lost. I am afraid now. I moved from Atomic to Electrum a while ago. I hope Electrum is the most secured and trusted among others!

Don't know, I've never held bitcoin on an Atomic wallet (though I did download it for desktop just to see what the UI looked like) but that's probably not how they got hacked, right?

I don't know why anyone would use Atomic other than to take advantage of their staking function, but even then if you're staking a significant amount of whatever, why would you use a closed-source wallet like that?  It must be popular amongst those who don't know much about crypto security--but then again, a lot of knowledgeable crypto users kept coins on Ledger wallets right up until they announced their back door.  That's humanity for you; it's in our nature to want to trust others....until we learn the hard way not to.

Another reminder to everyone in the crypto space about the dangers of using closed-source software that tries to implement each protocol there is for the sake of profit. Developers, especially those working with financially related products, should always bear in mind that the more complex software you build, the more vulnerabilities and bugs it will have. But given that the circle of developers and auditors is very narrow compared to open-source development, these vulnerabilities are very hard to detect timely. Of course, they actively defend "security through obscurity" and use it as an excuse because it allegedly helps protect customers from hackers, scammers, and other evil actors, but when a hack actually occurs, they start referring to their ToS and that people themselves are responsible for their private keys. It is a very convenient approach to doing business, you just make money off naive users who are unable to read guides on proper self-custody solutions, and when shit happens, you just tell people it is their problem. My prediction is that people suffering from the Atomic Wallet hack won't receive their money back, but they also won't stop using closed-source, poorly implemented software for their life savings. These just can't learn.

And don't forget the why....
If they got the report on Tuesday and were hacked on Friday then you can accept that they did not have time to fix the issues.
But when they have had it for so long it comes down to was the coding that bad? Were the issues buried so deep that they had to rebuild from scratch? Do they only have 1 programmer and they were working as fast as they could?



People invest in a lot of things that may or may not be smart to do. That does not mean they are not paying attention to other things.
If you looked at my shitcoin portfolio you would question my sanity. BUT and this is important Dave's left testicle coin currently trading at $0.02 can probably bounce to $0.10 more easily then BTC going from where it is now at $26800 all the way to $130000. Putting your entire life savings into something like XRP / Dave's testicle coin is just stupid. But if you have $50000 to gamble putting $10000 into 5 coins and hoping for the win is not a totally horrible thing. IF YOU CAN AFFORD TO LOOSE IT ALL I have some penny / dollar stocks I have bought over my 30 years of playing the markets. MOST have died. The few that made it more then 10x covered the losses of the others. So while people looked at me as asked why I invested in X I can then point to Y & Z and say those 2 more then covered it.

-Dave

Atomic wallet haven't provided anything official on what caused this loss of their customers' funds, but i have seen some people post that Atomic wallet may have to offer some compensation to the victims for damages, but from their terms of service [1], it is not going to happen. People should only use self custody wallets that are open source and have a good reputation, because if you make a wrong choice and lose your funds, you can't get it back.
[1] https://atomicwallet.io/terms-of-service

As of yet, not much real information in this topic... all assumptions for the moment...  :'(
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

I'm a long time user of Atomic Wallet and never had any problems. Their multi-coin and built-in exchange was their biggest pro for me. Used it just for playing with alt coins and pocket money.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Beter safe than sorry!

Greets.

Nobody knows the problem. Atomic wallet is close source.

Electrum is good for bitcoin because it is completely open source. Coinomi is close source, I can not recommend it.

Did you import your Atomic wallet seed phrase on Electrum? Create another wallet on Electrum and transfer your coins there so that your coins can be safe.

For high amount of bitcoin, use a cold wallet. Electrum can be used as a cold wallet. Or get a reputed open source hardware wallet.

I mean, we are still at a stage where lots of people still keep their life savings in centralized exchange and DeFi protocols  ;D
People are advised to avoid them year in year out, but they are still dumb and lazy enough to secure their money.

This incident should be one of those real life situations that highlights why a closed source wallet even if noncustodial is very dangerous. Reproducibility should also be emphasized.

---

1 more reason to avoid the shitcoin then  :D

---

So the jerks provided an update on Reddit a few hours ago, but I gotta say it's the most useless update about such a grave situation

Less than 1%!! Really?

How do they determine if the users were less than 1%. Why don't they value what has been drain in monetary terms instead of stupid percentages.

They are probably counting every user who has ever opened the Atomic Wallet app which will also include a significant amount of no-coiners, and also zombies which have never touched their funds for several months. So most likely the actual percentage of hacked active users is probably much higher (like at least 5%).

Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

Yep, I imported the seed and send the funds to an existing wallet of mine. What is sort of the same you said and has the same effect.

Greets.

I don't believe there are any. If you're willing to switch to a mobile wallet, then you have Unstoppable wallet. It has a swap feature but you can't use it with BTC, LTC, etc. It uses Uniswap (ETH), QuickSwap (MATIC), PancakeSwap (BSC), and 1Inch which is an aggregator.

>> Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet). I had quite a bit of USDT-TRX on it, as a hedge against Bitcoin volatility in my retirement years :'(

---

I have several wallets, they took largest amounts first, and still didn't take small change amounts (2000 USDT), guess their bandwidth is limited (doing it manually?).

As already mentioned, this doesn't change anything. You should create a new wallet using a safe tool on an safe device and move all the fund to that.


No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are close-source and there's a possibility that the same thing will happen to them.

It could be all. A malicious update, by a maliciously altered dependency, which was maintained by some ill-intentioned developer from the Atomic Wallet dev team. There's no evidence that supports otherwise, because there is nothing transparent in the first place.

I can't imagine you to be that dumb. Unless it ain't their entire life savings (as some say), I can't justify being so confident with stuff you've no idea about. I just can't picture myself putting all my money (or most of it) in some shitcoin like XRP, which is significantly weaker in both centralization and security. Maybe I could gamble some (much less than half of it), but not all.

I personally would not open Atomic Wallet at this time, seems very risky. So importing the seed into another Wallet is a must to send the coins in a safe way.

Greets.

I don't think users that didn't used Atomic Wallet recently are safe as well. I've seen multiple reports of users on Reddit & Twitter that didn't used the application recently and still got hit by the hack. If it was me the second I heard about this I would instantly create a new wallet on a secure environment and transfer all of my funds to it.

Yes. Internally, locally... What is the difference? The point is that the seed phrase and private keys are created, stored and accessible by your wallet software. And just to clarify, it is not necessary for the file to be encrypted (although it is generally not recommended to store the keys in an unencrypted file).

Also, he can get a reputed open source hardware wallet that support multiple coins.

You can be able to get your private keys directly on Android Electrum versions below 4.4.0, but this has been removed from version 4.4.0 and above.

On desktop Electrum, if you click on wallets -> private keys -> export, you will be able to see your addresses and the corresponding private keys. Or if you click on view -> check addresses, click on addresses on the GUI and right click on any address of your choice, you will see the address private key if you click on 'private key'.

What is most important is the seed phrase, because it can generate all the private keys.

Alas, security is not easy at all, even while doing everything you stated above, you have no way of knowing when a Microsoft employee simply changes the code on Github and gets you to compile their version of the code, you need to read the whole code again and make sure it doesn't send your private keys in plain text over the internet, it's almost impossible to be 100% secured.

Of course, that's just over-exaggerating the matter, but just because it's unlikely -- it doesn't mean it can't happen, I saw a discussion on reddit the other day in regards to this subject, someone said "I'd rather just use an exchange so that if I lose my money I got someone to blame".

This brings an interesting conspiracy theory that, all of these hacks are not done for money, but for a greater goal, they simply shape the path to custodial wallets, at one point, banks will take over and will provide custodial services, where your BTC is insured by large insurance companies or the government itself, those two have deep pockets and will be able to track and potentially catch whoever steals anything from "them", so it becomes a choice of keeping your BTC"safe and insured by the government" or "at high risk" being in your custody, essentially, turning BTC into another government-controlled asset. 

it's non-custodial, open source or closed, and! it literally doesn't work. It's a torn pocket,  after what I read, that was perhaps part of the strategy. I think that sometimes it is not just knowing all the technicalities associated with a wallet, it is a mistake not to understand the products that exist, with this wallet it is demonstrated, they are pocket, $100 wallets.

That's not a good move. Importing 12 word into the new wallet you want to transfer will be meaningless because the 12 word you import are from the initial wallet you are using.
The good thing is to send coins from the wallet you are using to the new wallet you are going to use.

Unstoppable wallet that I can say is a good wallet for you to transfer existing coins in Trust Wallet and Exodus by sending them to the Unstoppable wallet that you created recently.
What I say is the same as what has been explained by hosseinimr93

What is meaning of "kata"? Is japannese language?

As I said earlier, the manipulation of terminology is what gave many users a false sense of security. Custodial walle and Non-Custodial walle have no meaning, but the real difference is whether that software is a wallet or not. In the sense that all closed source wallets are not a wallet because we do not know how the private key is generated and whether the code is safe or not. The fact that a third party may know your private key means that you do not own your money.

If you do not know how to read the code, it is best to start with a paper wallet that generates private keys in a simple way or trusts individuals or a community to review the code.

This is poor advice.

There have been a number of paper wallet generators over the years which have also been malicious and have stolen any funds sent to the paper wallets they generate. And even if someone happens to pick legitimate paper wallet software, paper wallets are difficult to set up and use correctly without making a critical mistake, exposing your private keys to the internet, sending your change to an address you cannot access, and so on. They should not be used by newbies as a "best place to start".

The best advice for newbies who cannot review code has always been to choose an open source, reproducible, widely used, widely reviewed, and reputable wallet. This is why Electrum is so popular and so often recommended

The slight difference is that on one end it is stored in their logs and any breach on their side can access it or the software themselves can easily steal your private keys and on the other hand it is not stored in their data logs but on the user's wallet file and not directly accessible to them.

There is always a risk when dealing with soft-wares even those that are open source, but is is much safer choosing one which is open source and reputable.

- Jay -

Update: So it looks like the stolen funds (~35M $) are on the move:


Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum. My talk if you don't want to trust any developer, I know a lot of skeptical people who like to check everything themselves.
Setting up and managing paper wallets is not difficult for someone who can read every line, perhaps it is not the best option in terms of privacy and dynamism, but everything has a cost.



Without making the wallet open source, I don't think anyone would be stupid enough to use them.

This is the same as expecting from a newbie to write the paper wallet software themselves. It's ridiculous to expect from a newbie to know how to read / write code. And no, it's neither practical to read that. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html (https://github.com/pointbiz/bitaddress.org/blob/master/bitaddress.org.html) is more than 10000 lines long. Less than Electrum, but still impractical.

If you're not a competent software engineer, as the folks behind software like Bitcoin Core and Electrum, then you shouldn't trust yourself more than them. The odds of messing up are far greater.

That's the problem with shipping your codebase as a giga-large single file - particularly as an HTML file - even I don't have the patience to read or understand what all that code is doing. Electrum is easier to navigate because you can trace the control flow through multiple files, and that eliminates a lot of the irrelevant code that is not likely to be of interest to hackers.

If you are a newbie who cannot code, then both tasks are equally impossible. And if you are a newbie who cannot code, then you will be exponentially safer using Electrum than you would be using some random paper wallet generator you found via Google.

Paper wallets are an excellent option if you can vet the code you are using, you understand how to set up and use a truly airgapped system, and you understand how to spend from these wallets without ruining your privacy and security or losing any coins. But this is complicated to do. Suggesting them as an alternative for everyone leaving Atomic or other closed source wallets is bad advice.

Yeah Yamane_Keto, we understood what you meant, but I'm not sure you understood what you're expecting of average users either ;)

I'm the regular user we're all talking about. Understand the most basic of coding languages, far from enough to understand anything harmful or malicious on Github if it screamt out at me.

It's still many time safer, and practical, to simply trust a software you know is actively being reviewed and checked by very good developer communities. To the simple user (yours truly), Electrum and Bitcoin Core prove that, by acting very quickly when changes need to be made or holes plugged.

Yes with a but, or no with a however.
Having multiple files now means that humans are going to be human. So if some function calls something that you are not using / not interested in then you (who I assume to be human) may not examine it as well or even at all. Having it all in the 1 monolithic file forces you to read the entire thing.

There is a good and bad side to both ways.

Back to this. Has anyone here actually lost real funds? I keep hearing reports of people loosing money, but so far it's nobody here as far as I can see.

-Dave

Crazy!
Number grows with every new day and who knows how many people don't even know or they didn't report loses.
It's important not to open atomic wallet that is connected to internet, than import seed phrase backup to another wallet and move coins asap.
Few years ago I tested this atomic wallet and I never liked how it works, but closed source and amateur devs was always a red alert for me.

And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

---

[1]https://nitter.it/zachxbt/status/1666115739764285445 (https://nitter.it/zachxbt/status/1666115739764285445)
[2]https://en.wikipedia.org/wiki/Lazarus_Group (https://en.wikipedia.org/wiki/Lazarus_Group)

Fortunately, a large group, including me, was not affected by what happened to the Atmoic Wallet, as I immediately transferred my funds to another wallet after I found many reports of stolen funds by many users in the tweets of the official account of the Atmoic Wallet, I feel sad because I saw a lot of they lost thousands of dollars due to the Lazarus Group, who are responsible for these hacks.

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.

I think he is confusing Atomic with being Binance owned, but Trust Wallet is just as closed source as well, and ironically there is no point in trusting such wallets. You might as well store your coins on Binance. They might have a lesser chance of being hacked. Although looking at the past history of crypto exchanges, they eventually screw up, get hacked or straight up steal your money. :o ::)

I agree that any wallet which is not 100% open source is a red flag. Otherwise behind the code could be a third party, trying to take your money with a strategically planned hack.  :'(

inb4 North Korea was behind Atomic all along.

If they were ' inadvertently logging users' keys to their servers' then the app was totally fucked from the start. The ONLY thing the app should be sending to the servers is the request of the transaction lists for the addresses to figure out how much is in the owned addresses and a signed TX when broadcasting a send. There should be no way in hell that your private keys are EVER sent to them.

However, you can't fix stupid, and since it's closed source you never really know what they are doing [unless you setup a mitm attack on your own network and monitor what comes in and out].

Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened. And get do some other things. But no way to interact with the net. Should be sitting there ready to be deployed with a deadman switch when something like this happens.

-Dave

I'm thankful for bitcointalk and the educative information that's been shared here on dailies. As a newbie that registered on this platform, I used to have some crypto assets that's worth few couple of bucks on my atomic wallet until I stumbled on the some topics here about the dangers of using close source wallets, so I decided to move my assets out of atomic wallet... If not I might have been a victim too. This is an eye-opener and I hope other persons can learn from this and distance themselves from using close source wallets and exchanges in storing their funds.

Both of them are certainly a possibility. It is hard to figure out what really happened unless Atomic shares what kind of exploits are being used by the attacker. Even if they did that though, the distrust is still there since they can edit some code before making it public to steer the narrative to their preferred direction. Zach also claims to know what happened behind the scene. At the end of the day, someone would be better off using other wallets in the future.

Unless I'm mixing up some news, IIRC, they disable the downloads shortly after the attack was reported. Not sure why they allow users to download it again, especially after some reports suggesting the latest version is one of the ones that got affected.

I have used Atomic Wallet for a very short period of time for some shitcoins that needed to be moved around and where I didn't even trust the shitcoin's native wallets. I was concerned that Atomic Wallet is closed-source, did some deep research if this software had some bad history or reputation. At that time, I couldn't find deeply alarming news, so I thought, OK, why not, no large amounts of value at stake and I didn't run that software on the same computer where my trusted wallet(s) where.

As an end user I would be pissed if I had no control over updates or downloading a dead version. Forced updates can be a dangerous thing if external or internal attackers of a wallet's backend gain malicious control. With forced updates you can screw every user of the wallet when the wallet's infrastructure gets compromised. Displaying a big red warning in the user's wallet would be nice if that is done in safe way that can't be exploited by malicious actors. My hopes are not high for Atomic users as the past audits seemed to indicate that software and security quality of Atomic isn't what it should be.

There's still too much speculation of what went wrong or how the attacks were possible. A dead version in the app stores wouldn't help if the seed or private keys got compromised. And you could potentially protect only users with a forced update before attackers could do their stealing.

The communication of the wallet's company is very much sub-par. If they don't know what's going on, then why they don't shut down the backend systems and tell the users to immediately move their funds to a new safe wallet that's not affected. (Well, if you have lots of shitcoins, then good luck with finding suitable safe other wallets to hold your shitcoins.)



Sounds like click-bait of this dude. So, for what reason this "Zach" doesn't reveal his knowings?

It couldn't have been a malicious update since many of the victims of the Atomic Wallet hack claim they were using an old version of a wallet when unauthorized asset draining occurred. It also doesn't look like hackers accessing dozen of computers with wallets installed, extracting secret information, and moving coins to the addresses they control: if it were the case, more users would have been affected. The most plausible explanation of what happened would be that Atomic Wallet is a semi-custodial wallet pretending to be fully non-custodial; it generates and keeps user information server-side for unknown purposes, probably for ensuring the proper functioning of some parts of the software like swaps or in-built exchanges. Users affected by this hack should have something in common: most likely they all were using the same in-built service that somehow leaked private keys when communicating with the server.

I am curious if there could be an alternative explanation for this hack. From what I gather, it seems that users were compromised even when they didn't have Atomic wallet actively running on their computers. Some individuals have reported not using the wallet for several months prior to the incident. In my opinion, this rules out the possibility of malicious code like trojan or spyware residing on their computers. Unless, of course, the attacker had been gathering private keys for an extended period of time leading up to the attack.

Damn, once it’s through the sinbad mixer its gonna go away forever. May be only the mixer service owner would know which seed was allotted and where the money isn’t it?
But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?

I am not sure how this transaction went since your post is old and by now there might be hundreds of different addresses on which the distribution might have occurred already.

But there gotta be way, there is always?

What investigation do you expect from a wallet that has a shady record right from the beginning? I could remember when they had their bounty campaign (https://bitcointalk.org/index.php?topic=4437634.0) on this forum years ago they were tagged as scammers by JollyGood (https://bitcointalk.org/index.php?action=trust;u=1807053) and for the record, some of their bounty campaign participants complaint about no receiving payment.

Same here but I come to learn that some cryptocurrency investors can go the extra just for dividends and giveaways. You wont believe that the hacking issue happens after the announcement of their 1,000,000,000 $PEPE giveaway to 10 lucky winners. (https://twitter.com/AtomicWallet/status/1663197949520740354?s=20)

How can a mixer know the seed phrase of an address that they sent coins to after mixing, that is not possible. Mixers are not investigators, they just receive funds and help their customers to conceal the origin of the funds. By the way Sinbad do not also keep logs after customers use their mixer, they delete the logs after one hour of using their service.

Even if they can do it, I doubt any mixer would do that (at least not publicly). It basically tells its users that they can and will expose their logs if they deem it necessary. Why bother using them in the future if privacy is your goal? Besides the fault of this case is more on Atomic Wallet being a terrible wallet, not necessarily a mixer or other privacy tools IMO.

I think he's not referring to the seed phrase of the hacker address, but the logs of the mixing process.

He's got a decent following on Twitter at the very least. Can't say for certain how reliable his info is since I'm not that active on social media. You can check out his Twitter if you want to know more, @zachxbt.

It should also be possible for Elliptic or ChainAlysis (which Atomic wallet is currently seeking help from[1]) but I would imagine it all depends on how the mixer works, and I doubt it would be that easy of a task.

[1] https://twitter.com/AtomicWallet/status/1666591717347262468

If Sinbad were to release logs or similar, then they are signing their own death warrant.

The whole point of privacy services is to provide privacy, not to hand consent of exposure of your information to a random third party to decide based on their own arbitrary rules. Yes, a minority of users of privacy tools (such as mixers, coinjoins, VPNs, Tor, PGP, end to end encrypted messengers, etc.) are doing illegal things, but the vast majority of users of such services are just average people who do not want random third parties and governments spying on everything that they do. Would you use a encrypted messaging with a government backdoor? Of course not. Would you use a VPN which collects logs and hands them over to third parties? Of course not. Why would anyone use a mixing service which collects logs and hands them over to third parties?

The sad thing is we do. Some of us use them without knowing that they collect data, and others, even know they collect data, still use them. Did you know whether CM collected user data such as IP and wallet addresses? I am not sure if they did. But, the Storage size (7 TB) that the FBI seized was too big for a mixer service. I don't understand what kind of data can take that much storage. Let's say mixer services promise they do not collect any data from us, and they do it without letting us know. How can we verify their claims? The only thing we can do is "Believe their promise." We often say, Do not trust, verify. But, Sometimes, we cannot verify everything.

I know some of my friends use Free VPNs. Some of them know that those VPNs collecting data from their device still don't care about it. We all are not cypherpunks! We cannot expect everyone to care about their privacy. If they are dumb enough, we can let them do it. The whole point of my post is even though we don't want to use those services that collect data; Sometimes we use them by knowing or not knowing. You never know if those services collected your data or not.

It's also too big to keep such data. Even if they did keep logs, and store in detail which private key comes from what deposit, 7 terabytes is unreasonably large size. To put in some perspective, the entire blockchain is about one tenth of that. And the fact that the feds never disclosed anything about that 7 TB makes me question it did keep logs even more. Arguing it did collect data holds less ground than arguing that the operator was an upstanding member of the piratebay, seeding and leeching movies.

They had four servers. Let's say they were running four full nodes. That may consume around 2.2 TB. But I was surprised when I saw the FBI seize four servers and 7 TB of data. It leads me to wonder what data they kept. Data of users like IP logs, Addresses and other data might be saved as text files, which shouldn't consume that much storage. They might store some additional data or operate a bunch of different services with those four servers. I don't know what they promised while on the market because I did not use their service. Did they promise that they don't collect data from users? What other service would you trust if they promised that and still collected data?

Is there any update on this sheding light on what actually happened to the stolen user funds and, more importantly, how the hack was conducted and which type of user were affected?
Is the team responisble for Atomic Wallet publicly know?
Highly unlikely any funds will be retrieved but holding folks accountable would be a first step.

This comes from their FAQ page (2021):

Someone could argue the feds have had the data which was meant to be deleted within that week, and they'd be correct. However, prior that, according to ChipMixer, every session was deleted a week after its creation.

I wouldn't, it was just that they had gained much trust. And it still might have been a honeypot, but I doubt very much.

There are two people in Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen. :o

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because the obviously have failed in their social contract as a Wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they screwed up enough to have people get access to the users private keys then turning off their servers will make 0 difference.
And people can already get their keys, import them into other wallets and move their funds.

The rest really does not matter at this point.

Like I have always said, I have some coins in another multicoin wallet that is closed source.
The amount of funds I have in it are worth less then the phone it's on, and I use cheap(ish) phones.

-Dave

Sorry, but let me make it clear. I didn't suggest that Atomic Wallet turn off everything to "stop the theft", there's nothing that can be done about that unless the users transfer their assets manually to another wallet. What I was suggesting was to turn off everything, including development, and shut the WHOLE project down. It's stupid for it to continue in my opinion.

That I agree with.
At this point there is nothing that can be done. The trust is gone, the lack of communications is ridiculous, and so on.
The fact that you can still download and install the app is just more proof that they don't care / don't have a clue / are in on the theft.

-Dave

Yeah, the communication, even if they are trying, really is kind of bad .
Also, when opening the wallet on phone or computer there should at least be a message or something to warn users about the current situation. But there is nothing.

I used this wallet a lot over the past 2 years. Even when I was dissatisfied with the way they treated their own token.
Still to this day I have AWC-986 in my wallet and there is no way to exchange them for other altcoins. Only the new one is possible to trade. They claimed this will be possible in the first months of this year, now in June and still nothing.

Anyway, I was lucky enough to have no damage from this and moved all my stuff somewhere else. Didn't have a lot in the wallet to begin with but would have been annoying to lose those as well.

This tweet[1] is a great overview of how deep this breach was. I'll point out the tweets that stood out the most for me:
Seems like that at this time is mostly assumed that Lazarus group definitely is behind this attack. I don't know how Atomic Wallet intends to refund their clients and I also don't know if they are solvent enough to do it. The worse part of this all is that people will keep trusting CEX's  ::).

---

[1]https://nitter.it/tayvano_/status/1668935273047261185 (https://nitter.it/tayvano_/status/1668935273047261185)

I've obviously never used Atomic wallet, but am I right in saying there is no way to link it to your own node or server? In other words, it operates exclusively via Atomic's own servers? And also, do we know how the attack took place yet? Were the attackers able to remotely sign transactions, or were they able to extract private keys or seed phrases?

I am wondering if Atomic had pulled their central servers offline, whether this would have stopped further funds being stolen?

Presumably by now we show have at last some kind of news on the cause of the hacks or the vulnerability, or is ZachXBT taking a vacation? :(


Atomic Wallet is proprietary software built with (what I assume to be) Electron and thus it can only communicate with company servers, especially since the "Swap" feature is custodial and requires servers. There's no Atomic Wallet Server either.


This doesn't really sound like a Lazarus hack, because those guys are presumably competent enough to not go after only a few hundred "active wallets" if they have the god-level access in the wallet system, they'd drain the entire system and leave it to burn. It sounds to me more like a script-kiddie weaseled into the systems - which is bad news for Atomic Wallet's security if that is true.

This thread[1] is very interesting and may point towards one of the causes that led to this attack. According to him:
My first question would be how the user got a hold of (part?) the code behind Atomic Wallet. I do know they have a GitHub page[2], but I'm not sure if they publish sections of their code in there. Despite all of this I'm still baffled by the fact that Atomic continues to hold radio silence regarding this hack...

---

[1]https://nitter.it/Gustavoatca/status/1669835377517969408 (https://nitter.it/Gustavoatca/status/1669835377517969408)
[2]https://github.com/orgs/Atomicwallet (https://github.com/orgs/Atomicwallet)

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

There was an update to Atomic the end of May. So the question now becomes what that the version that introduced the vulnerability or was it perhaps the version that fixed it?
If it fixed it, then a lot of people can spend a lot of time looking at the code and find nothing.

Also, on that note does anyone know if you would see it in what was released if it was a 'supply chain' issue and a library that it was using that was the vulnerability?

-Dave

Somehow I've missed that tweet. Thank you for pointing out! Looking forward what the community will find out considering that the source code was only updated 3 days ago which isn't a lot of time for people to be aware of it.

Because I have used Atomic Wallet only for a very short time for a specific task that didn't involve any painful amount of worth for me, I don't spend too much time to look for details. It's merely my personal interest in security issues in the crypto space that attracts my attention.
[1] seems to me one of the first concrete details of what might have happened. Not that I can fully grasp it, but it looks to me like an implementation flaw in Atomic Wallet that is beyond stupidity. What did the devs of Atomic Wallet think? If this is true what [1] claims and this message protocol allows without any authentication the extraction of private keys, then Atomic Wallet devs are incompetent beyond imagination.

But there's at least one thing, that I can't wrap my head around: do the attackers need to target the specific wallet users or do they target the Atomic Wallet backend infrastructure? I ask this, because there were reports of Atomic users who lost funds who didn't open Atomic Wallet for a long time. Though such user reports have to be taken with a big pile of grains of salt.

Two weeks and still counting and I find the radio silence and no signs at all on the Atomic Wallet website totally baffling, too. That is definitely not how such a hack should be handled.

Sinbad will not attempt that because if they do, the whole purpose of privacy is defeated and it will go a long way to say how fast or slow data is dished out with pressure.
Exchanges are the fastest to release eve with minimal pressure in order to be in the haven book of the government.
If they make such announcement it will create much more panic than we have. But in the real sense, they failed, that is the only viable option to mitigate losses now.

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

 8)

It's difficult to say since they haven't shared any information. This is their latest post: https://twitter.com/AtomicWallet/status/1669750121586737152

If there was a backdoor by one of the employees (without the rest of the staff knowledge), they would've fixed it but as we can see, it's been some time since they last updated the software: https://support.atomicwallet.io/article/339-release-history

Also, from my understanding of the tweet above, this "backdoor" has something to do with Ethereum (or maybe EVM chains in general), but if we check the article talking about the hack, we can see that BTC has been stolen as well.

It's actually mind-blowing how silent they are when they have 100M $ of user funds completely gone. I personally still suspect they have the private keys (or at least some of them) stored in their servers.

You can flag such update nonsense from Atomic Wallet as radio silence noise. Well, it could also be some sort of strategy. Not impossible that they found out what internal mistakes have led to this desaster and they came to the conclusion that radio silence is the least worse option.
Who knows... hard to believe, they could survice such a mess.

Given what we have witnissed last year alone (FTX, Yogg...) I'd say it's quite likely. If there are several devs, it just needs one rotten apple to put in a backdoor and abuse it at some point when it seems profitable.
Then again, there is also a good chance it was some vulnurability within some dependency/package in their codebase. Maybe one of their own devs found out and decided to take advantage or someone from outside.
I clearly lean towards inside job, though. Chances are just higher.

Nothing too suprising, though.
And another great example why open source MUST be the standard for critical software such as wallets in the Bitcoin space.

Finally we get a statement[1] from Atomic Wallet after 18 days of radio silence regarding what might have caused the draining of the wallets. Here's a few highlights from it:
It seems like that they still have no clue for what might have caused this hack. This is a bit scary - if they haven't patched anything, what is stopping the hackers from continuing to drain the wallets? Are they purposely holding the draining so that users think that it is safer now only to attack once again in a near future?

As for compensation for their users, it seems like they are aiming to freeze whatever assets they manage and then distribute them accordingly. In what grounds and how remains unclear but one thing is certain - Most of the affected users won't ever see their crypto. As of now I'm still baffled that they have any customers at all still using their service. It seems that I'm more worried than them regarding the security of their crypto, and I'm not even a user of Atomic Wallet  :D.

---

[1]https://atomicwallet.io/blog/june-3rd-event-statement (https://atomicwallet.io/blog/june-3rd-event-statement)

I guess some people rely on their promise that they'll get their money back since the team is working with exchanges to freeze the stolen money. A lot of people still seem reluctant to be completely self-reliant to secure their money.

IIRC, they said it affect less than 1% of their users in the past[1]. How do they even confirm it? Which number are they using to calculate this? The download numbers on Play Store?

Which auditors are they referring to btw? Are they referring to Least Auditors who suggest people stop using them in the past[2]?

[1] https://cointelegraph.com/news/atomic-wallet-hack-affected-1-of-active-users-investors-claim-otherwise
[2] https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/

Binance have been hacked multiple times and have lost millions in crypto and hundreds of thousands of users' data. Remains one of the biggest exchanges.
Coinbase actively sell user data to third parties and inside trade against their users. Remains one of the biggest exchanges.
Platforms like Voyager, Celsius, FTX, all go bankrupt or outright scam. People continue to lose their coins on many other such platforms going bankrupt or scamming in the months since then.
Shitcoins like Luna collapse to nothing because they were outright scams, and then people continue to buy Luna 2.0.

I agree it is literally insane that anyone is still using Atomic wallet, but I also have no doubt that they will have no problem continuing to exist and not just keep current users but attract new ones too. I also have no doubt that hot wallets will never stop being hacked.

That wallet's hack caused to lose value cryptocurrencies worth $35 million, how does this represent less than 0.1% of Atomic Wallet app users?
After more than 18 days, they did not give a specific answer to what happened, which means that their developer team is not that experienced, or that the vulnerability is deep and they did not find a mechanism to fix it, or that either they left back doors and exploited them to steal them.

Does anyone know the list of external auditors, and if they published it, to gain a little credibility here, they should publish it

There's one more thing i'd like to highlight


I'd like to remind that they collect these kinds of personal data which is likely done automatically,

---

It could be from data they automatically collect, which i mentioned above.

And since they only talk to their own back end SPV servers they have a good idea of your addresses (and the funds in them) since the wallet is asking for them.
Note, this is not just them it's how any lite wallet works if you connect to their servers. So, they may not know 100% who has what, but they can get a really good idea.

---

And this is a bit of a side rant, but I am going to put it out there anyway. Just because it's open source does not mean it's better or more secure. There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

Yes it's better, but DO NOT let people think it's perfect, make sure when explaining wallets to people. Multiple layers of security are better. There can be a big gaping hole in the open source wallet I use, that nobody fond yet AND there might be a compromise on my system that I don't know about. BUT, since I have my warm funds secured by PSBT to a 100% offline PC it really does not matter.

-Dave

Most of the times that happened, we didn't have a closed-source alternative to compare. But at the times we did, you'll be glad to know that the closed-source alternative was way worse security-wise. A brilliant example is the OS. Take Linux and Windows. Both have exploits, both are decades old, both have hundreds of people working on them 'til this date, but Windows is less secure because it has far more vulnerabilities that allow the execution of code.

I hope this is the only data collected, although I question the validity of this information.


In this case using a multi-signature wallet where you can choose the second signature from a hardware wallet/electrum/sparrow will reduce the potential points of vulnerabilities. The problem with closed-source wallets is limited funding, so the wallet developers may make some backdoors or sell some data, or in the best case, the limited number of developers may mean the ease of finding bugs, which is completely different in an open-source wallet that has been reviewed a lot.

This guys are not skilled enough to track and monitor everything, and even with this it's impossible for people to lose so much money with hacks like this.
I suspected from start that this was insider job, just one worker or ex-worker is enough to silently distribute and release malicious app update.

Well that is obvious, I can in theory create a malware and make it open source code... that doesn't means everyone should install it on their computers  :D

Their team released a blog three days ago, saying that there weren't any new breaches since June 3rd, more specifically no new cases reported. They also said that total percentage of users that had their coins stolen were less than 0.1% of Atomic app users.

They post it like it's something good because if there's truly a flaw, an exploit, or a backdoor then "0.1%" is just the start of a potentially massive breach.

What I want to know is, when will it be considered a more serious matter, and at what point should the users start suing the developers for negligence?

IIRC in their earlier blog posts they stated something like only ~1% of users were affected, now in their recent statement a few days ago it's ~0.1% which is a difference and it smells fishy. Does this explain anything? Of course, not! Their statement is more like fog and mirrors and in the bad situation it's embarrassingly empty of investigative findings. The amount of downplay is striking and shocking.

Three weeks have past and Atomic Wallet publishes such shit statement telling barely nothing but we have no clue or between the lines you could read it: we better tell we have no clue 'cause we screwed up really badly.

So it looks like they have pushed a new "mandatory security update". I couldn't find any information about it though, there's no mention of it on their twitter account or or even the release history page: https://support.atomicwallet.io/article/339-release-history

https://i.ibb.co/zNjjBvf/photo-2023-06-28-18-21-06.jpg

One honestly wonders how they came up with the ~1% or ~0.1% of the affected users?
How do they differentiate addresses/seeds created through their wallet from those create through other wallets?

Something is definitely so fishy

---

They should just shut down their lousy app. Much better that pushing updates that no one knows about late alone what exactly happened due to the security breach.

I own 12 coins (BTC - ETH - XRP - ADA - SOL - DOT - LTC - MATIC - BCH - AVAX - XLM - DASH)

in 2 Guarda wallets (one of them is on Win 10 PC and the other is on a Linux Mint PC) and Exodus wallet (on Samsung Android V.13)

After reading this thread I decided to remove all of my coins from Guarda & Exodus

What is the best choice for me? and Why?

+ Thanks in advance and to anyone who contributed in this thread.

Your concern has nothing to do with the Atomic Wallet incident, the reason to remove it sounds absurd, although it is true that the two wallets you used weren't the best advice but it's for other reasons.
I didnt find any better multi-coin wallet recommendations in this forum besides mycelium if you see the innate characteristics. However, the last security protection is in your hands. DWYOR

Because they log everything you do. It's a closed source wallet which communicates exclusively through their servers. They know exactly how many users they have, and exactly which addresses belong to whom.

Sell all the shitcoins for BTC and then store the BTC in either an open source hardware wallet such as Passport or on an airgapped cold storage device using Electrum.

If you want to keep holding shitcoins for some reason, then you are going to be stuck using insecure or closed source wallets. Your best bet will be some multi-coin hardware wallet.

You have limited options for a good, open source multi-currency wallet, and those options may be limited to Unstoppable wallet which may have sync issues or slow sync.

The best thing is to be wise in your investments and try to reduce altcoin investment, because you do not diversify your investments, but rather increase the risk potential while reducing the return on investment. In this case, hardware wallets give a safe and easy-to-manage option instead of software wallets.

Find a suitable option here https://wallets.thebitcoinhole.com/ and ask the community if it is suitable for you.

The only wallet that comes to my mind that ticks the box of being open source and having their code reproducible[1] is Trezor Model T[2]. As it currently stands and considering some recent decisions I can no longer recommend moha sasa to buy it, but I guess that he is also free to read up on the recent changes that Trezor made and decide for himself if he's comfortable with them.

If it was me I would follow the suggestion made by o_e_l_e_o @moha sasa - the coins that you are currently holding basically are the ones that keep appearing on the news over and over again in the past months/years and I understand that you might want to try your luck in securing profits in the long run. However, as I don't fully understand their applicability/usage/"worthiness"(?) in the real world I would also sell them all and buy bitcoin instead.

Note: While searching for an open source wallet for holding your coins you may find Keystone[3]. However be advise that it may not be as open source as it looks considering that you have to sign an NDA[4] in order to view sections of the code that aren't available in their GitHub.

---

[1]https://walletscrutiny.com/hardware/trezorT/ (https://walletscrutiny.com/hardware/trezorT/)
[2]https://trezor.io/trezor-model-t (https://trezor.io/trezor-model-t)
[3]https://github.com/KeystoneHQ (https://github.com/KeystoneHQ)
[4]https://walletscrutiny.com/hardware/cobovaultessential/ (https://walletscrutiny.com/hardware/cobovaultessential/)

Both Guarda and Exodus Wallet are not open source there's a chance that there are some flaws or back doors in the wallet which is yet to be known since no hack or dev exit scam has happened.
The best choice is for you to get a hardware wallet due to ease of use ^{(however you need to learn how to use it safely in other not to expose your crypto to danger)}, secure transactions, security, etc.

Best choice for you is to stop using so much shitcoins and switch to using mostly Bitcoin.
As a gradual transition you can try using Unstoppable wallet, that works on mobile devices and it is open source, but I am not sure if it support all the coins you mentioned.
Best choice is using open source hardware wallets like Trezor, Bitbox or Keystone because they have good support for coins.
Don't use any closed source or custodial wallets.

I remember having read somewhere (sorry, no sources to quote) that Atomic Wallet uses a hash of the recovery words as a wallet identifier and this wallet identifier appears to be communicated to the backend for whatever reasons. So Atomic Wallet knows exactly how many distinct wallets there are and talk back to their infrastructure.

Download numbers are not very accurate and might be counted multiple times for a single individual. The internal wallet identifier of active wallets is much more accurate, but no public data.

Just did a quick look around, has there been ANY update anywhere on this?

At this point they are not ever going to be considered secure again, but they seem to have just stopped mentioning it and as far as I can tell so have a lot of the online places that I read.

Just seems odd that all of a sudden, no more discussion. Although, the other side of it is how much more then 'they suck, don't use them' can be said.

-Dave

None that i have heard or seen of, i think the bigger issue here is that Atomic Wallet doesn't know what caused the mass attack of their customers, so i don't think we are looking forward to any update. It is closed source, they don't know what caused the hack, then it can happen again!
They are closed source, so they were not really "safe" even before the hack, and no matter how many times we can say 'don't use them', so many people are still using Atomic Wallet. If after all the recent events regarding the collapse of centralized exchanges and earning platforms, people still use them to store their funds and to earn APY, surely people are still going to use Atomic Wallet to hold their funds after this hack.

that

We don't know that THEY don't know what happened. All we know is that WE don't know since they have not told us.

But the lack up updates, even to the extent of not posting a 'we don't know what went wrong still looking' is just a total lack of customer service / caring.

Their reputation is so shot at this point it probably does not matter for people here who pay attention, but since they are still out there someone else is still going to loose their funds :(

-Dave

They care more about promoting their service than even customer safety, and I wouldn't be surprised if the recent hack was caused by a former employee or an internal attack. I tried to search for words such as atomic wallet, atomic wallet review using some browsers and different IP addresses and I did not find any details about this hack on the first page. even google keywords like atomic wallet hack will get link like Atomic Wallet Claims 'Less Than 0.1%' of Users Affected by $100M Hack (https://decrypt.co/145765/atomic-wallet-claims-less-than-0-1-of-users-affected-by-100m-hack)


Our role should be to showing how bad this wallet is as a first result in search engines and convincing ChangeNOW's third-party services to stop supporting them (although ChangeNOW has a long history of suspicious activity)

For anyone that wants to keep updated regarding Atomic Wallet hack, this[1] twitter account may be useful to follow. They share relevant updates regarding anything to due with the hack which is still enshrouded in a veil of mystery. I have some reasons to believe that Atomic will eventually cease to exist in the next couple of months.

---

[1]https://nitter.nl/whathappenedwaw (https://nitter.nl/whathappenedwaw)

Because it's closed source doesn't mean that they do not know what caused the hack, they probably do. It should actually be BECAUSE it's closed source that the community should be more suspicious. The Atomic developers can check the code, but the open source community can't. What could go wrong?

¯\_(ツ)_/¯

I was one of those hacked. I always use atomic wallet on a dedicated laptop that is not used for anything else other than a wallet. I couldn't get my EOS to send, so support recommended I download the wallet to another device and I did, to my cell phone on May 31, from the Apple store. I believe that my account was compromised when I entered the seed phrase on  my Iphone. What do you think?

Except your iPhone was compromised there is no way to know if your wallet was breached when you imported it into your mobile device.

The time frame between you importing the seedphrase and the wallet hack announcement is very close and since they probably released an update late it is very plausible that their system malfunction caused you to not be able to send you EOS coins out.

I think Atomic being a closed source wallet should not be used, along with other closed source, custodial wallets.

- Jay -

Did you thoroughly check that you downloaded the correct app from Apple store? While it's rare, sometimes malicious apps can sneak into Apple store, too. Apple store verifications are not without errors and oversights.

How did you enter your wallet recovery words on your iPhone? Carefully typing by hand (assuming the keyboard app is safe) from an analog source or did you use some copy/paste actions from a digital source?

There's a lot that can go wrong if you're not aware of pitfalls and your descriptions lacks quite some details to judge what might have gone wrong. To be clear: I don't want to defend Atomic Wallet in any way. They brushed away valid security concerns of their product from past audit(s) without addressing them properly. I'm not convinced that Atomic Wallet knows what they're doing with their complex product.

Sorry for your loss, but downloading the same Atomic Wallet software into another device couldn't have helped to protect you, that is because with the number of Atomic Wallet users who had their wallets compromised, it surely wasn't a local issue, but one that was wrong with the Atomic wallet software.

You should have used your seed phrase to import your wallet into a recommended software like Electrum, and send your funds immediately into another wallet with an Electrum seed phrase. It is going to be difficult to know exactly why you were hacked because even Atomic Wallet haven't provided an update on what caused the multiple attacks to their customers. Don't use closed source wallets, use open source wallets like Electrum, Sparrow or BlueWallet, or open source hardware wallets like Passport to store your funds.

Very likely, though not conclusive.

This particular issue involved lots of innocent users, and the team behind atomic wallet have not yet given any clear explanation about the exploit.

---

They were never secure in the first place (in regard to not having an open source code)  ;)

Pretty messed up wallet and the team behind it. I would treat it the same as a centralized exchange or a service that has already been completely compromised.

Exactly, I saw a lot of complaints regarding this Atomic wallet the same on this thread (https://bitcointalk.org/index.php?topic=5460583.0) which you also commented on those links of hacked issues.

What do you think?  
The hacked activities were made by their team who is behind on this major issue?  (because I'm thinking this way)
Newbies should stay away from this wallet since there are a lot of issues and it's not completely open source.

We can only speculate, but from what i have read about the hack, many people are suspecting this to be what happened, it was probably an inside job, maybe someone in their team added something malicious to their code, but until Atomic Wallet tells us what happened, we can only speculate, that's why closed source wallets aren't good.
Newbies should not only stay away from Atomic Wallet, but all closed source wallets, like Trust Wallet, the victims this time is users of Atomic Wallet, but who knows the closed source wallet that is next.

I'd actually trust a centralized exchange more than that. At least if you register on some popular, regulated exchange you know that you're sending your coins to some licensed company. Sure, it can go bankrupt or/and hacked, but at least you know it isn't your fault. There is no way to know with certainty you made some mistake here during wallet creation. The software is closed-source; the developers can rip you off, blame it to you, and you could have nothing to say in your defense.

After a small hiatus from my side, I remembered to check back on this event for any updates - It didn't come as a surprise but it has been now 3 months after the drainage of millions of users assets and no kind of update has been given to them (other than the one made 06/20[1]) by Atomic Wallet. Plus, their users are still being silenced by the company[2]. For anyone still thinking in using this service - don't do it if you care for your assets.

---

[1]https://atomicwallet.io/blog/june-3rd-event-statement (https://atomicwallet.io/blog/june-3rd-event-statement)
[2]https://libreddit.pussthecat.org/user/atomicwallet (https://libreddit.pussthecat.org/user/atomicwallet)

It is disgraceful honestly, they say they are removing the posts because of privacy and security reasons, when did people posting about the money they lost in a hacked wallet and also requesting for updates become a security and privacy risk. Disgraceful behaviour from Atomic Wallet, after this i don't think any update should even be expected from them on this case, i hope people who still use this wallet understands that they are closed source and they are now acting shady.

They made an update to June 3rd Event Statement the other say.
Still says  'not our fault, looking in to it'
https://atomicwallet.io/blog/articles/june-3rd-event-statement

I'm guessing that they hope it just quietly fades away and drops from peoples memories.

-Dave

And that's exactly what's going to happen, the people who lost funds aren't getting it back for sure, so the only reason why people probably need answers as to what exactly happened is to mitigate a future occurrence. But again, why would people still be using Atomic wallet or any other closed source wallet after what happened, you'll think that most of them would have moved to well reviewed open source wallets like Electrum, but you'd be surprised at the number of victims there would be if another closed source wallet or centralized exchange is hacked or compromised today.

They should probably start shutting down they're infrastructure, stop downloads of their software, post warnings in their website. A smart hacker could be collecting a list of wallets they can steal coins from and they're probably preparing the logistics of how they can take all of them in one attack.

Shower thought. It's 2025, Bitcoin is in a bull cycle priced at $100,000 per coin, THEN the Atomic Wallet hacker steals more than $1 Billion in Bitoin in one hour.

¯\_(ツ)_/¯

Please find the snip from the same article.


Giving lame excuses and what's more, encouraging the users to keep using the same closed source wallet.
If they cared so much about the people, they would have announced that they would be moving towards open source, but not to be.

Anyone who will still trust them is responsible for their loss if the same hack happens again.

When I read DaveF's update I had such an intense urge to rant on this [censored] wallet provider giving the probably lamest excuse next to being completely silent. But then self-imposed forum behavior protocol rules were auto-triggered and I slept over it (multiple times moving between rant and na, not worth it, you ranted already, nothing new to say).

Nearly four months have passed and this wallet provider has nothing more to post publicly than "not our fault, looking in to it"?? That's not even a bad joke, that's worse than that. My gutt feeling tells me, they know exactly why they are basically not telling anything. But that's just my speculative thoughts.

Users of Atomic Wallet should take appropriate action and consequences. Anyone who loses coins with Atomic Wallet in the future has to blame themselves for being ignorant and reckless.

So it looks like Atomic Wallet has absolutely no interest in revealing what was happening to its infrastructure, and  tried to put profit over its users or is trying its best to avoid absolute collapse. Whatever is happening, it does not look good for Atomic at all.

Do we have the data revealing how many users were using the atomic wallet before the hack and how many people are still using this wallet?

To be frank, even if they tell us, what happened, we shouldn't trust them and should not be using that wallet again.

They claim to have 5 million users[1]. It's difficult to say how many have left though, since there is no trading volume, or live data to look at but I don't think many have left because not that many people have lost their funds (again, according to the team).

No, we cannot get that data, but Atomic wallet claims that the hack only affected less than 0.1% of their userbase, so if that is true, maybe so many people who don't know the right thing to do would still be using Atomic wallet.
Even if they were not hacked, it is still not recommended to use closed source wallets like Atomic wallet or Trust wallet.

Maybe, I say maybe, that little smart hacker is Atomic wallet themselves. Just a wild conspiracy theory there!  :D

Lol. Would you trust data coming from a company that literally has nothing to say about their software ripping off millions of users' coins? I'm quite having the impression Atomic wallet is closed-source for if it wasn't, even an undergraduate student of CS would be capable of correcting their repo.

Hahaha then let's add more to that conspiracy theory. Maybe, just "maybe", Atomic Wallet's developers are state-sponsored developers waiting for the right time to cause a wave of chaos which perhaps could make a bear-market-causing-crash. - They will execute their exploit/back-door during the new ATH of the next bull cycle, most probably it will be on 2025 or 2026.

Plus did anyone notice that the exploits stop when users start to "notice things".

¯\_(ツ)_/¯

Everyone who hears this news should stop using it even if they do not fall in this 0.1% category. Once hacked, it can be exploit again either by the  hackers or by the team themselves.


Trust Wallet is even more widely used than the Atomic wallet. By the way, if all closed source wallets are not recommended, why do we use/promote Ledger Nano (Hardware Wallet) ? It is also a closed source as I know.

It doesn't matter if it's widely used. A closed source wallet should not be recommended to anyone when there are several open source wallets
The problem with a closed source wallet is that you are most of the time in the blind until a hack happens - Trust Wallet Hacked. Understanding How It Happened and What to Do Next  (https://coindoo.com/trust-wallet-hacked/)

Who is we?

AFAIK, I haven't seen members recommend ledger Nano for a while. It's receiving heavy criticism even when they tried to make a comeback by faking their source code status (https://bitcointalk.org/index.php?topic=5467841.0)

It is not recommended to use closed source wallets because you cannot review the code, and not because all closed source wallets are unsafe, but we can agree that it is much better to use a well reviewed open source wallet, than a closed source wallet that the code cannot be reviewed. Too many people wrongly think that open source automatically means safety, it doesn't.

Ledger, just like Trezor is a hardware wallet that has been 'around' for a long time, and even though they were closed source, their devices were still recommended until they launched the ledger recover service, as a company that should help you store your keys offline, they ought to know that it is unsafe sending it to third parties, when they initially said it couldn't leave the secure element chip. This is the main reason why Ledger shouldn't be recommended, and other things, like being closed source and telling lies.

I would be interested to find out what math they used exactly to calculate that only 0.1% atomic users got affected by this issue  ::)
In best case this can only be people who contacted them and reported loss of coins with transactions they didnt make, and nobody knows how many people never contacted atomic amateurs.
New statement can be used for bitcoin wallet: not open source, not your coins.

I just mean that we usually say that hardware wallets are safe and when we talk about hardware wallet, most common ones are Trezor and Ledger, Anyways now with so many issues with closed source wallets, i would avoid the closed source hardware wallets too.


That is what i was thinking too. The centralized wallets do not give you the private keys and the closed source ones, can still know our private keys through the source code, without the need to make the user being aware of it.  :(

Importing the seed phrase of a compromised or closed source wallet into a good and well reviewed software wallet like Electrum is not good practice, your wallet can still be compromised because you are still using a seed phrase that you can't verify how it was generated. What you should do is create a new wallet in Electrum and send out all your funds from the closed source or compromised wallet into the new wallet you have created and verified.

Unless you absolutely have to, you shouldn't be importing your seed or keys into multiple wallets regardless if they are open-source or not. Luckily, it doesn't cost anything to generate a new seed and create a new wallet, and it's safer than using the same one in multiple software.

The person you quoted also doesn't seem to know that importing a seed phrase into a second software isn't equivalent to having sent the coins from software A to software B. The import only duplicates the old wallet, and your seed is now entered into two or more software depending on how many times you imported the seed. The coins haven't "moved" anywhere.

And still no update. Really wonder if they are looking into it or hoping it goes away.
Since people are still using it and talking about using it and so on, I guess people don't care about their crypto.

If you want to use a wallet like this how about I just post a bunch of addresses that belong to me and I'll send you some crypto back later if I feel like it.
If not I'll just keep it. Seems to be the same service as Atomic.

-Dave

I really do not understand the affiliation of the people with atomic wallet who are still using it ? Or maybe they are not aware of this vulnerability in the atomic wallet  ???

We are not short of Non-Custodial wallets in the market that we have no option but to use the Atomic wallet  ???

The one who knows about the history of atomic wallet and still does not quit it, i am sorry that they have no idea how to protect their assets. They will only learn lessons once they themselves lose their money. :(

It still does not tell what happened. That is IMO still the issue.
Even a 'we don't know and are still looking into it' is better then this.
Was it on their end in terms of the servers. Was is on the app end? Was it a malicious library / supply chain attack?

So now according to them some funds are frozen. Great. What is the next step? Do they have a next step?

-Dave

Just as an FYI:

https://www.coindesk.com/policy/2023/11/29/crypto-mixer-sanctioned-by-us-treasury-for-north-korea-allegations-as-fbi-and-finish-police-seize-website/
https://www.elliptic.co/blog/analysis/35-million-atomic-wallet-hacker-funnels-crypto-to-north-korea-s-favored-mixer


But still no real info coming out of atomic about what happened or how it happened.

-Dave

That should already tell something and it's not good news. How many months have already passed? I lost track and kind of don't care anymore, too. I don't expect any honest statement of truth from Atomic, anyway.

Atomic is either itself incapable or incompetent to execute own investigations or too cheap to pay a capable forensic company to do it for them OR they know what happened and have chosen to keep the facts burried under a pile of silence and nonsense bits of "news" about it.

With such a post-mortem handling policy Atomic has forfeited all trustworthiness in my opinion. I wouldn't use this wallet anymore and ever again. I used this wallet only briefly to collect fork coins of older Bitcoin UTXOs a few years ago and I moved my coins out of this wallet quickly and long before the last incident happened.

You're absolutely right, but it's not the idea to say I'm not interested, the collective interest is necessary for the support of the entire crypto ecosystem, a response to what happened has to be demanded, That allows support for the crypto environment, entrepreneurs, and end-users.

I wouldn't get my hopes up that Atomic Wallet will release any comments, especially anything that makes them look bad or guilty. I don't doubt they have money for advertising and they will spend it to keep showing their wallet in good light. Crypto users quickly forget. Blind them with an airdrop or two, a special deal, or perhaps an NFT with promises of huge profits in the future, and many of them will come back to using Atomic Wallet, having forgotten all about this incident a long time ago.

such topics will not appear first when searching, these wallets do not give any warnings, and there is no guarantee that they have fixed everything. Therefore, good marketing in this industry is able to cover up software failures, and unfortunately some will return to using the wallet with the increase in the price of Bitcoin. I only hope that these topics will have more discussion on social media.