Bitcoin Forum

Atomic Wallet has suffered a serious security breach which has allowed hackers to steal user funds[1]. It is not only on Windows, but also MacOS (Linux I'm not sure. You should not assume your funds are safe.)

Huge apologies, I meant to write unsafe but somehow the autocorrect changed it to "safe" which is completely false.

Just read it as "your funds are not safe".

The so-called non-custodial wallet must have been sending your wallet info to their servers, that's the only way the hackers could've got to it.

Steps to perform right now:

- Please note the assets that are in your wallet and their derivation paths[2] (if you must type in your password to do this, do it while you are disconnected from the internet. Do not reconnect until Atomic is completely uninstalled.)
- Uninstall Atomic Wallet immediately.
- Sweep your funds to a Bitcoin wallet, your ETH funds to an Ethereum wallet, your XMR funds to a moneto wallet, etc from inside the wallet software - Do not make any transactions from Atomic Wallet. If you need to transfer obscure tokens, swap them on a centralized exchange for a decentralized asset such as Bitcoin or ETH.

---

[1]: https://www.cryptopolitan.com/atomic-wallet-users-report-losses-as-platform-falls-victim-to-hack/
[2]: https://support.atomicwallet.io/article/146-list-of-derivation-paths

Already existing topic:

A Non-Custodial wallet, Atomic Wallet, being compromised (https://bitcointalk.org/index.php?topic=5454994.msg62349200#msg62349200)

Not in a prominent enough board; most newbies will never find it and will lose their funds as a result.

That is correct. Also that some people on the thread may think that it is as a result of phishing attack but which I do not think. I like your idea of telling people to install Atomic wallet and sweep the coins entirely into another wallet.

Or to just import the seed phrase on another wallet, then create another seed phrase on the wallet which you can send the coins to the address of the seed phrase generated newly on the wallet.

Just like I commented on that thread, I wonder why some people may be using a wallet that its bitcoin address is still a legacy address. If no good updates on bitcoin, how would the the wallet entirely be.

There are better wallets that can be used. Especially bitcoin wallets which are open source like Electrum and Bluewallet.

Also I think unstoppable or metamask wallet will be good for altcoins. I do not know much about altcoins.

I think this is the best time to consider having multiple non-custodial wallets for backup because once this will also happens to your wallet, you just going to quickly send it to another wallet for safety. unlike when it happens and you don't have any backup with you, I'm sure you will get panicked once you see the news about your wallet and sometimes you have a massive amount of bitcoins which will go to cause you major breakdowns or you might going to send your bitcoins to a wrong address, so it's better to relax and get your bitcoins as soon as possible to avoid such scenarios.

I believe this board and the beginner's board are the most frequented by newcomers on the forum, thus his thread will be visible to them.

I was unaware of the other posts because I don't frequent technical conversations. As a result, I believe this thread will be the one to immediately communicate with the information, and it will have more engagements than the other threads.

What is the cause for this hack?
Isn’t we are protected with the private keys already and also the password authentication as an extra security.

What does it mean they send our wallet info to their servers. Isn’t the verification of transaction is done locally when through the application at the time of broadcasting?

So when we verify it with our password then it should not be connected to the internet anymore as the info is anyway sent to the pool and miner does the rest (confirmation etc).

Also thanks for the notification. Gives another reason to hold Bitcoin in my hardware wallet.

I think what he meant is you're the one who know your private key, but the Atomic wallet developer also know your private key and it's stored in their server. So if the hacker can find a loophole of the server, the hacker know the private key of Atomic wallet users.

Password authentication doesn't protect from hack, it just add an extra security to prevent someone can access your wallet if they control your device.

That is a crazy thing, and that is a big risk for those of us who store our funds in their service wallet, I hope this does not cause great losses to other users.

In other words, if the server has been broken, then any security in the user's wallet will be easily supplied by hackers.
Because this hacker can be said to stab from inside, not from the outside of the user's wallet.

By the way, whether they are the developers of the atomic server froze transactions on their services or not, to anticipate theft, when they realize that they are being hack.

It happened just yesterday, and it looks like a phishing attack. For its users, I think they still have a chance to get their assets out of the atomic wallet right away. These hackers are really perverse to non-custodial wallets. When there is a chance, they will really take it.

So the community here in cryptocurrency will not lose to worry about this kind of news of robbery in its wallet accounts. The security of non-custodial wallets still needs to be improved so that trust and peace of mind are not lost.

8 months ago, some guy on YouTube had his atomic wallet hacked and all ($900) worth of Bitcoins were stolen from it. (for some reason the idiot hacker did not steal his other assets.) He had 2FA enabled and changed his password multiple times: https://youtu.be/0QBu4BncFqQ

It is incredibly shocking how lax the security of this wallet is, if a random guy can just break into your secured wallet and steal the coins inside.

The same for Ledger Recovery Service which splits seed words to three shards. Ledger claims that it is safe but who knows. As a Bitcoin users, you put your keys, seed words into hands of Ledger and two more entities. I am sorry but I can not trust anyone to hold my seed, private key. With Ledger Recovery Service, risk will be trippled.

People just get it wrong. Password of a wallet only protect your wallet file, encrypt that file and prevent hackers to access the file too easily. However, if hackers know your wallet seeds, the wallet password is non sense.

Same with 2-factor authentication, if hacks happen at serious scale, it can not save you.

atomic wallet is not just a wallet. its a built-in exchange. and im GUESSING that the exploit is more to do with the mechanisms of exchanging funds rather than just the wallet function.

after all even though the user chooses a altcoin to swap with and presses send. the user is not choosing a destination address or manually choosing where his funds go to.. (he doesnt communicate with the swap recipient to get their address)

behind the scenes alot more has to happen in the actual exchange process like choosing destinations of who gets the btc in that exchange for an altcoin. thus details are transfered/received with a central server....
a phone wallet is not a node that makes connections to 5million other phones. it connects to a central server which hosts all the bids/asks offers and manages the swaps by the server supplying/setting the destinations for the swaps and making the signing process calls.. its not as decentralised as people think.

so a guy at the server or a hacker can simply make the destination addresses of a swap become the "hackers" address. because users doing swaps dont manually type in the address of whom they are swapping with.. the server does all that

I'm sorry, but isn't the Atomic wallet supposed to be non-custodial? If so, how do they have access to private keys? Has this information been confirmed, because in another thread someone mentioned that it could be a phishing attack that targeted Atomic's users, not that private keys were leaked. More and more wallets are being compromised, including a few hardware ones. A year ago, I read an article regarding TrustWallet. I can't recall any details, but it seems to be a rather frequent issue, which makes us wonder: are our funds truly safe? What can we do in order to be 100% certain that we're secured, and worst of all, is it even possible?

People are complaining that their coins got vanished out of the blue. How can someone steal the funds without the seed phrase ?
It's really shocking to see a non-custodial wallet get hacked like this. This shows our coins aren't safe anywhere.
While the investigation is still on, it makes me wonder if all the non-custodial wallets are risky. Any of these wallets can suffer the same fate.

You are not correct, a self custody wallet like Electrum that is open source is safe if the user backs up their seed phrase safely, and in more than one location, as well as practising great operational security too. But when a wallet is closed source, even if it is a self custody wallet, it isn't safe because you don't know how they generate the seed phrase or keys, or if everything they tell their users is true. Needless to say that Atomic wallet is closed source, so there may have been a flaw in how they are generating their users keys and seed phrase and probably an attacker has exploited this to steal funds.

Atomic wallet might be a non-custodian wallet but just like trust wallet, it is a closed-source wallet. Malicious apps can be imputed to the code by criminals or even compromised staff can carry out this attack. One of the benefits of open-sourced wallets is that these attack or bad codes can be identified easily and corrections could be made before it causes any harm. So the not your keys, not your coins message should be added with the need to use only open-sourced wallets. It is sad to see people lose their hard-earned income because they believed that since they own the keys their funds are safe. Victims are waiting for more news from the company's officials.

This is most likely a data breach, but a really nasty reveal of how these "self-custodial wallets" aren't so "self-custodial" at all. utterly disappointing. Someone got a hold of sensitive data from the Atomic Wallet's servers, supposedly from a security flaw within the piles of codes that atomic has made. They abused such flaw and then from there, the hacking of wallets begun. Picture it this way, you're renting an apartment (atomic wallet user) from your kind landlord (Atomic Wallet itself), you have your key and all that to protect you from thieves, but at the same time your landlord requires a copy of every key you would have for your apartment as well, until such a day came around when your landlord's main abode got broken into from a security flaw, and then from there the pandemonium begins as the thieves got a hold of every key in their property, stealing everything they could from every room.

That's basically how it went down.

I saw this thread there too but was not given too much attention because I am not using Atomic Wallet but with this NotATether thread I became conscious about the wallet. And this is not the first time NotATether has warned users of bitcoin and other Cryptocurrencies to move their pins/funds from custodian wallets to non custodian wallets but people give deaf ears. He even made a thread of "Not your coins, not your fund". People should use custodian wallets if they are using the coins instantly and not keeping it there for a long period of time.

This is not good news - of course it is sad news especially as we may soon find out how much user assets were stolen as a result of the hack. This hacking case is currently under investigation, and if indeed some of the members of this community are still store funds there - then immediately make withdrawal to another wallet. This thread should stay on top for some time for good visibility.

Atomic wallet is a self custody wallet, it isn't a custodial wallet. But Atomic wallet is closed source and any wallet that is closed source is not recommended, with open source wallets users can verify the codes, but if the wallet is closed source you have to trust what the developers tell you about how they generate the keys of their users. The best choice of wallet should be one that is open source, self custody and has a good reputation.

For online wallets I would only use Mycelium or Electrum bitcoin wallets. These are open source bitcoin-only wallets that have been around since 2011.

Wallets that store altcoins aka crapcoins aka scam-tokens are much more complex than bitcoin-only wallets making them much easier to hack into.

Altcoins are a total scam and and untold billions have been lost to them. When will idiots ever learn??

Atomic wallet is a   non-custodian  (https://atomicwallet.io/academy/articles/custodial-non-custodial-wallets-comparison) wallet but it is a closed source  (https://support.atomicwallet.io/article/184-why-is-atomic-wallet-not-open-source) wallet.
 

The question is can we call a closed-source wallet as a non-custodial wallet?

If we follow Atomic Wallet's non-custodial wallet definition, which is "Non-custodial wallets give you full control over your funds and in most cases provide serverless solutions. The keys stored in an encrypted manner on the user’s device and never leave it out." Does someone truly have full control over one fund, while acknowledging the system that controls their own funds is unknown or closed?

Specifically for Bitcoin, there are more trusted and especially, an open-sourced, transparent wallet, that is popularly used by many people such as Electrum. On the other hand, in this case, there is a rumour user's seed phrases are sent to the server and the system of the wallet itself is enclosed. I don't think it deserved to be called a non-custody wallet.

I think with all the given preference, I think the appropriate answer would be NO because noncustodial would mean that the users has full control of his keys for example the open source electrum wallet would be a perfect example of the proposed noncustodial wallets this atomic wallet is claiming to be, and don't understand why its presumably call a noncustodial wallet when there is some breach of the user funds in the wallet.

Tsk. I don't know what to expect to other wallet that is claimed "non-custodial" wallet anymore. If this kind of structure are followed by other those "non-custodial" wallets then people should think twice using and installing them. Unless they are open source and can be installed by available binaries released of the software for own build.

There has been a lot of cases where the companies use "buzzwords" to attract customers who would later lose their money. Like Binance calling the centralized alt-platform a DEX, or closed source wallets call themselves safe and throw around terms like "non-custodial".

When it comes to security, when certain things are lacking your security is as good as compromised. So when you see a wallet developing team making a silly reasoning like this trying to justify being closed-source, you should know that something is seriously wrong:

Leave it be, this is a time sensitive warning news that has to be available in every boards on the forum, this is the best way it can get to many people as possible, do you not know that some people only visit few boards on this forum and call it a day?

Some people visits altcoin discussion board for example and once they say one or two things in this board they leave, so OP knows what he is doing.

It is time to start giving up on third party crypto wallet companies, they don't know what they are doing anymore, crypto wallet recovery seed are meant to be offline, they don't have to sync anything like this in the cloud, this is why I always frown on any crypto wallets that are giving their users the option to sync their recovery seed into a cloud storage.

If they are advancing their customers to store their recovery seed in the cloud storage then there are probably doing the data with the wallet's data.

One of the victims said that he's into cybersecurity and he didn't know what happened but AFAIK, the funds were sent back to the victims CMIIW.
Knowing that a guy who's profession is into cybersecurity lost his funds onto this wallet, this losses their credibility and even before this incident has happend this is a common thing for most non custodial wallets. And that is to never leave your huge funds there, I can't imagine having millions worth of crypto and storing it on a wallet like this. Maybe they're just confident because they've been using it for years but for an added security, I think they're aware that they should have used something better and a more secured wallet with a small investment needed for the purchase of it and that's a hardware wallet.

One of the victim to this lost nearly over $2.8m - which is so sad thinking about how this person maybe feeling right now. The overall losses have reached over $35M.

It's true that there are risks in storing crypto, even if you are using hardware wallets. How this is a lot. I just hope Atomic wallet will compensate these victims.

By the looks of how things are going nowadays, cyber security will be the growth story for the next 50 to 100 years!

Mycelium wallet supports erc20 smart contract though, so readjust your point, Mycelium is not a Bitcoin only wallet, and this isn't suppose to make the crypto wallet less secured in anyway, sorry if you think like that.

My advice to all crypto newbies is to start using old crypto wallets, go oldies and know peace, Mycelium and few others are old masters in this crypto space, but many newbies want something new.

I doubt that Atomic wallet team will pay for this loss, because the money is big, it's up to 35million dollars that the hackers have stolen, and their main target are users with higher numbers of asset to USD in their wallet.

We don't have any proof that this is really an outside hack or they are playing a hoax to get investors' money. But if it's a real wallet vulnerability, then either open source wallet or closed wallet will be attacked equally. This is one of the many risks of investing in bitcoin. Don't always say that just choosing an open source and non-custodial wallet is 100% safe. With the recent events of Ledger and the hacks in the crypto industry, we should emphasize the risks of investing in this market so that everyone becomes more careful and vigilant.

alot of people in this topic think:
open-source means serverless control.. its does not mean this. it means you can read the source code. that is it

non custodian means serverless control.. it does not mean this. it means you hold the keys. but the software can still make API/RPC (remote calls) into the software where by a remote user can control what the software on your device does

take for example the exchange feature of this wallet. the user handling their phone device just selects an altcoin to trade with. but does not do anything like choosing a bitcoin address to send funds to..
.. instead its the server that hosts all the bids/asks of the exchange and holds all the recipient addresses of all the coins of a trade. its the server that tells a users device a bitcoin address to send funds to and gets the device to sign the transactions and takes that transaction and sends it onto the peer to peer network to bet into a block

just owning the keys is one security. but if that software has remote access to commands, which tell the software/device how to spend funds.. that is a security vulnerability.

Wallet is a very important thing in people's life, especially online based wallets.  One of the reasons we often hear that online wallets get hacked is because we share wallet access to different places.We use wallet access in multiple places due to which hackers hack wallet with all our information from there.  I have noticed that many people keep all their money in one wallet, but this is our biggest mistake.Everyone should keep money in multiple wallets.Using hardware wallets instead of software wallets. Because software wallets are easily hacked.  And unknown tokens cannot be add wallet without justification.

That's a different story and it can not happen at the same time with being open source. Unless the project is unpopular and nobody cares enough to look through the source code, such an obvious attack vector is found rather quickly.

most people that see the word "open source".. just end up trusting the devs and not actually reading the code themselves.. so even open source can employ exploits and bugs which are not found until the attack happens.. and its only then that people then look for the cause and call it out as a fault

The Wallet software is no longer available for download at atomicwallet.io. Does anyone know where I can download the current or older versions?

Yes, I also read this news today, the amount of losses is impressive. It is sad that this happens in our time when it is possible to conduct audits and other security measures for the application. I expect other wallets to pay more attention to internal security and other users will not experience what users of this application have experienced.

I have several cryptocurrencies that I stake in Atomic Wallet. Unstaking usually takes a few days. Has anyone seen any information on what to do in this situation? Or maybe any suggestions? I'm using the desktop version and haven't opened the wallet in over a week.

Coming from a crypto wallet that'd non-custodial like they claimed, and some people use Atomic wallet to store funds through 2019 bears and 2021 bulls, I don't know what to believe in this crypto space anymore, for my altcoins I will now have to rely on someone that can pay the damages, it's why I still somehow believe that Trust wallet is better than the rest, if anything bad happens from their side they will take responsibility,  I do hope that atomic wallet developers take this responsibility and pay back all those affected, because clearly it's their own freaking fault.

This is what happens when something called open source is not really open source, I just pray they are able to pay their users back, 30 million dollars is not a small loss from investors and many lives depend on their crypto portfolio.

Why people keep saying open source is safer? When was the last time any of you have taken a time and go search for security bugs in any open source project? Nobody pays for such activity. On the other hand, malicious actors have huge monetary incentives to pour over open source code and find ways to steal coins. Quite possibly Atomic theft code is hiding in some open source Javascript library they inadvertently imported into their Electron app.

Don't open the wallet until they unstake and then transfer the coins out to other wallets or exchanges (if you need to convert them into other cryptos first).

Looks like Atomic Wallet had a major oopsie! Time to uninstall faster than a hacker can say gotcha!

ah this is crazy , how bad is the security of this detention wallet , they can enter without a seed , can not believe how smart this person is to infiltrate every wallet , hopefully the investigation can be resolved and there are not many victims here ,

Yeah, about that!
It happens when you let third parties to manage your funds, when will people learn that bitcoin is money and since there is no central safe keeping party to insure the safety of your funds, you should never put your funds in the hands of crypto-bank wannabes.


Everytime you want to move some coins, you should generate change addresses offline, move what you have and send the change to the addresses which you generated offline using an address generator which has no access to the internet.

There is no such a thing as a safe and secure wallet in crypto world.

You are your bank, the safety of your coins depends on mathematics and you alone, don't let others to keep them safe because you'd be disappointed.

---

You are either up for the task, or you should stick with central banks.

Well, after I read it here I checked my wallet and it was untouched.

Had no problem loving some stuff somewhere else, even left some coins there just to see what happens ( of course just some small $ ) .

Guess the hacker has some kind of tool to find the wealthy wallets so he doesn't waste his time.
I mean, even atomic said/claimed only 1% of the wallets they have are affected.

Still, enough damage was done and I'm not sure atomic will come back from this. They also did a lot of empty promises about their own token. Still can't trade or exchange those old AWCp86 token anywhere and only watching the price drop by around 70% over the months.  :'( ::)

It's terrible to lose your money in this way, I've lost it too, but there is still a lot of work to be done on wallet security.

I think that in most cases, these exchanges are stealing people's money while claiming it's the worst of hackers. But what do I know, there's no evidence to back this up because they have been wiping their trails clean so far. But one day, all will be out in the open and everyone will know.

Since Atomic Wallet was not a custodial wallet, users weren't exactly putting their funds in the hands of the company behind the wallet. They had control over their own funds but the problem was that because the wallet is closed source they didn't know who else also has access to their keys and consequently their funds.

Damn, that's why open source is the best option. I don't think Atomic Wallet will recover from that, who would put their coins there after that accident?

After this incident? I don't think people will trust again atomic wallet after claiming their wallet is a "non-custodial" yet there are servers behind saving everyone's private key or seed. They should close or end their wallet's service. But before that they should be responsible their users lost funds.

The worst thing its we have received a few big blows on wallets this year.

Ledger on hardware wallets, and now this from atomic.... that arent good news, the only we can think know its, who are gonna be the next? who its lying and surviving yet?.

This its not good for the crypto community in the eye of the people who its not in crypto, only gives them more shit to talk and with some "reliable" facts.

I feel really sorry for those who lose their funds. And thank you NotATether to spread the new and try to save the funds of the mayority of people.

Is there any evidence for this?

This was told by the representative of a cybersecurity company Match Systems Joseph Anderson. According to him, Atomic Wallet stored all private keys of users on their servers. (https://au.topnews.media/2023/06/13/atomic-wallet-management-summoned-for-questioning/)

Now they say the loss is more than a $100 millions!!

The other day they made a statement (https://atomicwallet.io/blog/june-3rd-event-statement) in which they said that they were cooperating with various investigators, but they did not find the reasons for the hack. And after that, they say that they carefully study everything to make sure that users are safe, and recommend updating the wallet software to the latest versions. It is rather strange to talk about security if the reason for the hack is not determined.

They also stated that they do not store users' private keys. This has been questioned before by various investigators.

In general, nothing becomes clearer from the statement of Atomic Wallet, they are just trying to put a good face on a bad game.

You know what the worst part of this types of wallets is? They demand your trust in their product but they do not accept any kind of liability. A kind of a blind trust if you ask me.

We all know that in the end, some people will not care about their security and still continue using closed source wallets. So maybe at least these users should demand that the developers be liable for any damage. I'd say that's the least they can ask for their trust in a software they can't trust any other way.