A Non-Custodial wallet, Atomic Wallet, being compromised

[WhyFhy]

Sad day for Atomic Wallet users, It's (another) stark reminder. Not your keys, not your coins.

Atomic wallet is a non-custodial wallet and gives you the private keys. The problem with Atomic wallet is that it's close source and there is no way to know how the keys have been generated and whether the user is the only who has access to the keys or not.

oops don't know how I confused closed source with not your keys concept 
I got ate up for closed source on 1splitkey, even though it was split keys people didn't trust it.
I now know that lack of understanding means lack of trust.
I closed source code as it was tesla agents that controlled systems and didn't want that repurposed via simple cli tweaks. That was my reasoning. What's theirs? Why where they so successful?
These occurrences prove that they arnt always non-custodial.

[AHOYBRAUSE]

Thanks for sharing this!

I am a long time atomic user and never had any problems with it. Reading this makes me overthink using it in the future.
But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

Sorry if my questions are kind of stupid. I have no idea about the technicalities.

I just use the wallet from time to time for smaller transactions.

[NotATether]

I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.

Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

You should never write any wallet in JavaScript, and in particular NodeJS & Electron (not to be confused with "Electrum" wallet which uses Python), because your project dependencies will pull literally hundreds of other dependencies, some of which are outdated, and there's no way for you to get around that situation. Instead of a bullet, it's like a hundred pieces of shrapnel from a missile and will almost certainly get you killed.

Interesting posts of their Subreddit: https://www.reddit.com/r/atomicwallet/

Why can't I find one helpful Reddit post, ever? I mean, look at the first reply of We are investigating.

~snip

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

XRP, a shitcoin, does not have any reputable wallet software for it.

[Stalker22]

Thanks for sharing this!

I am a long time atomic user and never had any problems with it. Reading this makes me overthink using it in the future.

It would be foolish to continue using this wallet after reading about multiple reports of lost funds from all over. Even the official website has disabled software downloads, and they have stated that they are currently investigating the issue.

But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

Every wallet stores customer seeds and private keys internally; it cannot function differently. But since this is a closed-source wallet, we cannot know what is happening in the background. Some preliminary reports claim that it was a malicious update originating from a hacked official site, but there is still no official explanation.

Sorry if my questions are kind of stupid. I have no idea about the technicalities.

No, your questions are not stupid, but it is still too early to say anything because we do not know what actually happened.

I just use the wallet from time to time for smaller transactions.

If you still have funds in your wallet, it is advisable to transfer them to a safe place as soon as possible.

[Flexystar]

Well this makes me think about all those claims which stated if you own the keys then you are owner and no one can have access to your wallets/funds within. I’m shocked to see this news about atomic wallet. How does everyone going to trust any other wallet too if wallet services that claim to be non custodial? This is definitely phishing attack, because let us say it was really a compromised wallet and hacked one then either the hacker has just found out the loop hole in the non custodial system or it could be the owner himself who has turned his business into some quick disruption of money. In anyways, user is the one that gets suffered. Hope everyone rest moves their funds as quickly as possible to other wallet.

[libert19]

This should make us all aware that closed source wallets should be avoided at all costs even though they might be promoting themselves as a non-custodial wallet.

I saw posts on Reddit saying this could be an inside job as well.

Atomic wallet devs were warned about security risks in their wallet long ago, check out this coindesk post [1].

[1] https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/

[joniboini]

Zach claims to have successfully recovered some of the stolen funds. He said he knows what is wrong but prefers not to share it as of now[1]. Wonder why he decided to do that, maybe the attacker still has the means to exploit more? Kinda surprising the funds are even recoverable.

[1] https://twitter.com/zachxbt/status/1665226056570118146

[DaveF]

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

Part of the problem that I have been saying for years is the fact that people have grown so accustomed to the security that comes with their bank and brokerage applications. Where if you do something stupid more than likely you could get your money back and if you forget your password you have way of recovering it and they have safeguards against you doing things without clicking I am sure a bunch of times.

So, people think that all financial applications including cryptocurrency ones are more or less operating the same way. And then are shocked when they do not.

For all of everybody running around screaming about everything in the financial world even back in 2008 with all the bank failures and all the other banks that imploded so far this year more or less in most occurrences people got all their money back. Now try to convince those people that they are responsible for their own actions.

I'm also going to go out on a limb here and say that it is older people that this happens too. Whether or not everybody wants to run screaming about this group or that group kids today(and I'm gonna say anybody under 30 ) have seen and heard all the disasters that happen online and because they grew up with the tech they understand a lot of its limitations.
Grandma and grandpa who you finally convinced to use online banking now think everything operates the same way, and when they had a problem with their online checking account they could call an 800 number and spend an hour getting help through the situation. Do you think they're going to understand the concept of custodial or non custodial or open source or closed source? Or the fact that if they forget the password there's absolutely nothing anybody can do about it. Yes it's a generalization, but probably fairly accurate.

-Dave

[adaseb]

Yes this is pretty bad. So far over $35M has been hacked and they have no idea what the issue is. They should send out a mass email to all the users who use Atomic Wallet and tell them to move to another wallet or even exchange.

Importing the seed into a new wallet won't help since they most likely have the seed. You need to move to a fresh new wallet. Wonder what the cause of this could of been? This is what happens when you use a closed source wallet.

Feels bad reading some of the comments. Some people think they are going to get a refund from the Atomic Wallet company. Feel bad that they don't know its gone forever.

[Kryptowerk]

That's just terrible news.
Sure, anyone storing massive amounts of value in a mobile wallet is always taking a high risk and already made the first mistake here.
Still, this usually hits crypto-newbies the hardest. Couldn't find anything, is there an approximate number of how many people are affected?

Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...

[satscraper]

Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...

Looks like officials from Atomic where aware of existing  security vulnerabilities in their product but didn't take any step to eliminate them and/or notify users who  where trusting them. The money has outweighed the wisdom and they have chose  to stay nontransparent with customers.  

[o_e_l_e_o]

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

I mean, if you are dumping $45,000 in to a centralized, absolute shitcoin like XRP, then you probably aren't doing much in the way of research.

But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

We don't know. Such is the nature of closed source software. Nobody knows what it is actually doing. Is it generating seed phrases from a list that the developers are secretly holding? Is it sending seed phrases over the internet to a server somewhere? Has it got a built in function to sweep all funds to a malicious address at a particular date? Who knows? This is the risk you take with closed source software.

[un_rank]

Every wallet stores customer seeds and private keys internally; it cannot function differently.

This is incorrect, electrum does not store your private keys, it is stored on your wallet file locally (on your device) and encrypted with your password.
Closed source wallets could be doing it differently and keeping logs of private keys, (we would never know) which a hacker can access if they breach their security, which you cannot verify either.

- Jay -

[John Abraham]

If the computer is compromised then malware with sufficient elevated rights can compromise the software wallet. If the software wallet itself is badly crafted, which you can't check with closed-source software, then you're screwed anyway.

Other wallets might also get compromised if the computer is compromised. Even if someone has access to your wallet, I don't think they can access it unless they can crack your password or have private keys. Since it's only happened with Atomic users (we did not see the same reports from other wallet users yet), I guess OmegaStarScream might be correct. They might be fallen for phishing. But according to Atomic Wallet, 1% of their monthly active users reported that their wallet is drained. So, If their active user is 100K, 1K users' wallets were compromised. I don't think that many users could fall for the phishing trap.

Atomic might be hiding something about how are the private keys generated and them being non-custodial. I was using Atomic Wallet 2.45.1 For a while. Luckily I had nothing in my Atomic wallet, and I just uninstalled their software in case it contained any virus. Many users screamed in their tweets and complained about how much they lost. I am afraid now. I moved from Atomic to Electrum a while ago. I hope Electrum is the most secured and trusted among others!

[The Sceptical Chymist]

I wonder why people should still be using a wallet that support only legacy address when there is Segwit today. Any bitcoin wallet, that also support altcoins or not should not be used anymore if they can not follow the recent standards.

Don't know, I've never held bitcoin on an Atomic wallet (though I did download it for desktop just to see what the UI looked like) but that's probably not how they got hacked, right?

I don't know why anyone would use Atomic other than to take advantage of their staking function, but even then if you're staking a significant amount of whatever, why would you use a closed-source wallet like that?  It must be popular amongst those who don't know much about crypto security--but then again, a lot of knowledgeable crypto users kept coins on Ledger wallets right up until they announced their back door.  That's humanity for you; it's in our nature to want to trust others....until we learn the hard way not to.

[witcher_sense]

Another reminder to everyone in the crypto space about the dangers of using closed-source software that tries to implement each protocol there is for the sake of profit. Developers, especially those working with financially related products, should always bear in mind that the more complex software you build, the more vulnerabilities and bugs it will have. But given that the circle of developers and auditors is very narrow compared to open-source development, these vulnerabilities are very hard to detect timely. Of course, they actively defend "security through obscurity" and use it as an excuse because it allegedly helps protect customers from hackers, scammers, and other evil actors, but when a hack actually occurs, they start referring to their ToS and that people themselves are responsible for their private keys. It is a very convenient approach to doing business, you just make money off naive users who are unable to read guides on proper self-custody solutions, and when shit happens, you just tell people it is their problem. My prediction is that people suffering from the Atomic Wallet hack won't receive their money back, but they also won't stop using closed-source, poorly implemented software for their life savings. These just can't learn.

[DaveF]

That's just terrible news.
Sure, anyone storing massive amounts of value in a mobile wallet is always taking a high risk and already made the first mistake here.
Still, this usually hits crypto-newbies the hardest. Couldn't find anything, is there an approximate number of how many people are affected?

Will be interesting to see if this turns out to be an inside job or if it was "just" a bug exploited by someone. Many questions here, how and who...

And don't forget the why....
If they got the report on Tuesday and were hacked on Friday then you can accept that they did not have time to fix the issues.
But when they have had it for so long it comes down to was the coding that bad? Were the issues buried so deep that they had to rebuild from scratch? Do they only have 1 programmer and they were working as fast as they could?

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

I mean, if you are dumping $45,000 in to a centralized, absolute shitcoin like XRP, then you probably aren't doing much in the way of research.
...

People invest in a lot of things that may or may not be smart to do. That does not mean they are not paying attention to other things.
If you looked at my shitcoin portfolio you would question my sanity. BUT and this is important Dave's left testicle coin currently trading at $0.02 can probably bounce to $0.10 more easily then BTC going from where it is now at $26800 all the way to $130000. Putting your entire life savings into something like XRP / Dave's testicle coin is just stupid. But if you have $50000 to gamble putting $10000 into 5 coins and hoping for the win is not a totally horrible thing. IF YOU CAN AFFORD TO LOOSE IT ALL I have some penny / dollar stocks I have bought over my 30 years of playing the markets. MOST have died. The few that made it more then 10x covered the losses of the others. So while people looked at me as asked why I invested in X I can then point to Y & Z and say those 2 more then covered it.

-Dave

[Z-tight]

Atomic wallet haven't provided anything official on what caused this loss of their customers' funds, but i have seen some people post that Atomic wallet may have to offer some compensation to the victims for damages, but from their terms of service [1], it is not going to happen. People should only use self custody wallets that are open source and have a good reputation, because if you make a wrong choice and lose your funds, you can't get it back.

UNDER NO CIRCUMSTANCES WILL ATOMIC WALLET BE LIABLE TO YOU FOR DAMAGES ARISING OUT OF THE SERVICES EXCEEDING $50.

[1] https://atomicwallet.io/terms-of-service

[thefirstnamelessdude]

As of yet, not much real information in this topic... all assumptions for the moment... 
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

I'm a long time user of Atomic Wallet and never had any problems. Their multi-coin and built-in exchange was their biggest pro for me. Used it just for playing with alt coins and pocket money.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Beter safe than sorry!

Greets.

[Charles-Tim]

As of yet, not much real information in this topic... all assumptions for the moment... 
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

Nobody knows the problem. Atomic wallet is close source.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Beter safe than sorry!

Electrum is good for bitcoin because it is completely open source. Coinomi is close source, I can not recommend it.

Did you import your Atomic wallet seed phrase on Electrum? Create another wallet on Electrum and transfer your coins there so that your coins can be safe.

For high amount of bitcoin, use a cold wallet. Electrum can be used as a cold wallet. Or get a reputed open source hardware wallet.