A Non-Custodial wallet, Atomic Wallet, being compromised

[logfiles]

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

I mean, we are still at a stage where lots of people still keep their life savings in centralized exchange and DeFi protocols  
People are advised to avoid them year in year out, but they are still dumb and lazy enough to secure their money.

This incident should be one of those real life situations that highlights why a closed source wallet even if noncustodial is very dangerous. Reproducibility should also be emphasized.

XRP, a shitcoin, does not have any reputable wallet software for it.

1 more reason to avoid the shitcoin then  


So the jerks provided an update on Reddit a few hours ago, but I gotta say it's the most useless update about such a grave situation

update...

At the moment less than 1% of our monthly active users have been affected/reported. Last drained transaction was confirmed over 40h ago. Security investigation is ongoing. We report victim addresses to major exchanges & blockchain analytics to trace and block the stolen funds.

Less than 1%!! Really?

How do they determine if the users were less than 1%. Why don't they value what has been drain in monetary terms instead of stupid percentages.

[1714592849]

1714592849

[NotATether]

Less than 1%!! Really?

How do they determine if the users were less than 1%. Why don't they value what has been drain in monetary terms instead of stupid percentages.

They are probably counting every user who has ever opened the Atomic Wallet app which will also include a significant amount of no-coiners, and also zombies which have never touched their funds for several months. So most likely the actual percentage of hacked active users is probably much higher (like at least 5%).

[thefirstnamelessdude]

Coinomi is close source, I can not recommend it.

Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

Did you import your Atomic wallet seed phrase on Electrum? Create another wallet on Electrum and transfer your coins there so that your coins can be safe.

Yep, I imported the seed and send the funds to an existing wallet of mine. What is sort of the same you said and has the same effect.

Greets.

[OmegaStarScream]

-snip-
Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

I don't believe there are any. If you're willing to switch to a mobile wallet, then you have Unstoppable wallet. It has a swap feature but you can't use it with BTC, LTC, etc. It uses Uniswap (ETH), QuickSwap (MATIC), PancakeSwap (BSC), and 1Inch which is an aggregator.

[enquirer]

>> Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet). I had quite a bit of USDT-TRX on it, as a hedge against Bitcoin volatility in my retirement years

Less than 1%!! Really?

How do they determine if the users were less than 1%. Why don't they value what has been drain in monetary terms instead of stupid percentages.

They are probably counting every user who has ever opened the Atomic Wallet app which will also include a significant amount of no-coiners, and also zombies which have never touched their funds for several months. So most likely the actual percentage of hacked active users is probably much higher (like at least 5%).

I have several wallets, they took largest amounts first, and still didn't take small change amounts (2000 USDT), guess their bandwidth is limited (doing it manually?).

[hosseinimr93]

>> Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

As already mentioned, this doesn't change anything. You should create a new wallet using a safe tool on an safe device and move all the fund to that.

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet).

No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are close-source and there's a possibility that the same thing will happen to them.

[BlackHatCoiner]

Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

It could be all. A malicious update, by a maliciously altered dependency, which was maintained by some ill-intentioned developer from the Atomic Wallet dev team. There's no evidence that supports otherwise, because there is nothing transparent in the first place.

People are advised to avoid them year in year out, but they are still dumb and lazy enough to secure their money.

I can't imagine you to be that dumb. Unless it ain't their entire life savings (as some say), I can't justify being so confident with stuff you've no idea about. I just can't picture myself putting all my money (or most of it) in some shitcoin like XRP, which is significantly weaker in both centralization and security. Maybe I could gamble some (much less than half of it), but not all.

[thefirstnamelessdude]

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet).

No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are close-source and there's a possibility that the same thing will happen to them.

I personally would not open Atomic Wallet at this time, seems very risky. So importing the seed into another Wallet is a must to send the coins in a safe way.

Greets.

[RickDeckard]

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet).

No need to import your seed phrase into other wallets. Create a new wallet and send all your coins to that.
Note that both Exodus and trustwallet are close-source and there's a possibility that the same thing will happen to them.

I personally would not open Atomic Wallet at this time, seems very risky. So importing the seed into another Wallet is a must to send the coins in a safe way.

Greets.

I don't think users that didn't used Atomic Wallet recently are safe as well. I've seen multiple reports of users on Reddit & Twitter that didn't used the application recently and still got hit by the hack. If it was me the second I heard about this I would instantly create a new wallet on a secure environment and transfer all of my funds to it.

[Stalker22]

Every wallet stores customer seeds and private keys internally; it cannot function differently.

This is incorrect, electrum does not store your private keys, it is stored on your wallet file locally (on your device) and encrypted with your password.

Yes. Internally, locally... What is the difference? The point is that the seed phrase and private keys are created, stored and accessible by your wallet software. And just to clarify, it is not necessary for the file to be encrypted (although it is generally not recommended to store the keys in an unencrypted file).

[Charles-Tim]

-snip-
Yeah, I know. They have a shady past and development is near zero. It was the first thing on hand and it did the job.
Feel free to suggest other multi-coin desktop wallets with a built-in exchange. I think none are open source and really trustworthy?

I don't believe there are any. If you're willing to switch to a mobile wallet, then you have Unstoppable wallet. It has a swap feature but you can't use it with BTC, LTC, etc. It uses Uniswap (ETH), QuickSwap (MATIC), PancakeSwap (BSC), and 1Inch which is an aggregator.

Also, he can get a reputed open source hardware wallet that support multiple coins.

This is incorrect, electrum does not store your private keys, it is stored on your wallet file locally (on your device) and encrypted with your password.

You can be able to get your private keys directly on Android Electrum versions below 4.4.0, but this has been removed from version 4.4.0 and above.

On desktop Electrum, if you click on wallets -> private keys -> export, you will be able to see your addresses and the corresponding private keys. Or if you click on view -> check addresses, click on addresses on the GUI and right click on any address of your choice, you will see the address private key if you click on 'private key'.

What is most important is the seed phrase, because it can generate all the private keys.

[mikeywith]

Copay was open source.
But as I have said countless times. Open source and build verified still does not prevent bad coding. Or as you mentioned a supply chain attack.
It just allows more people to see the bad code and report it and get it fixed.

And also as I have said countless times. Open source don't mean shit if people don't verify the source vs compiled that you are downloading. And lets not forget the HOW SECURE IS THE PROCESS OF UPLOADING THE APP TO THE VARIOUS APP STORES.
Everything else could be perfect, but if you don't secure that system then you are not secure.

Alas, security is not easy at all, even while doing everything you stated above, you have no way of knowing when a Microsoft employee simply changes the code on Github and gets you to compile their version of the code, you need to read the whole code again and make sure it doesn't send your private keys in plain text over the internet, it's almost impossible to be 100% secured.

Of course, that's just over-exaggerating the matter, but just because it's unlikely -- it doesn't mean it can't happen, I saw a discussion on reddit the other day in regards to this subject, someone said "I'd rather just use an exchange so that if I lose my money I got someone to blame".

This brings an interesting conspiracy theory that, all of these hacks are not done for money, but for a greater goal, they simply shape the path to custodial wallets, at one point, banks will take over and will provide custodial services, where your BTC is insured by large insurance companies or the government itself, those two have deep pockets and will be able to track and potentially catch whoever steals anything from "them", so it becomes a choice of keeping your BTC"safe and insured by the government" or "at high risk" being in your custody, essentially, turning BTC into another government-controlled asset. 

[airbin]

As of yet, not much real information in this topic... all assumptions for the moment... 
Will be interesting to know what the real cause is! Malicious update, malicious dependency or a (long hidden) exploit or even an inside job?

I'm a long time user of Atomic Wallet and never had any problems. Their multi-coin and built-in exchange was their biggest pro for me. Used it just for playing with alt coins and pocket money.

I use the Windows desktop version (2.65.0) and haven't updated recently. I also didn't open the wallet recently, not sure exactly when I did last but surely it was more than 14 days ago. Checked my addresses via an online explorer and all funds were still there. Moved my BTC out with Electrum and moved my DOGE out with Coinomi. Beter safe than sorry!

Greets.

it's non-custodial, open source or closed, and! it literally doesn't work. It's a torn pocket,  after what I read, that was perhaps part of the strategy. I think that sometimes it is not just knowing all the technicalities associated with a wallet, it is a mistake not to understand the products that exist, with this wallet it is demonstrated, they are pocket, $100 wallets.

[yudi09]

>> Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

That's not a good move. Importing 12 word into the new wallet you want to transfer will be meaningless because the 12 word you import are from the initial wallet you are using.
The good thing is to send coins from the wallet you are using to the new wallet you are going to use.

But they use something "nonstandard derivation" for non-BTC coins and I haven't been able to import the seed into other wallets (Exodus, Trust wallet). I had quite a bit of USDT-TRX on it, as a hedge against Bitcoin volatility in my retirement years

Unstoppable wallet that I can say is a good wallet for you to transfer existing coins in Trust Wallet and Exodus by sending them to the Unstoppable wallet that you created recently.
What I say is the same as what has been explained by hosseinimr93

[Not your key not your BTC]

That's not a good move. Importing 12 kata into the new wallet you want to transfer will be meaningless because the 12 kata you import are from the initial wallet you are using.
The good thing is to send coins from the wallet you are using to the new wallet you are going to use.

What is meaning of "kata"? Is japannese language?

[Yamane_Keto]

As I said earlier, the manipulation of terminology is what gave many users a false sense of security. Custodial walle and Non-Custodial walle have no meaning, but the real difference is whether that software is a wallet or not. In the sense that all closed source wallets are not a wallet because we do not know how the private key is generated and whether the code is safe or not. The fact that a third party may know your private key means that you do not own your money.

If you do not know how to read the code, it is best to start with a paper wallet that generates private keys in a simple way or trusts individuals or a community to review the code.

[o_e_l_e_o]

If you do not know how to read the code, it is best to start with a paper wallet that generates private keys in a simple way or trusts individuals or a community to review the code.

This is poor advice.

There have been a number of paper wallet generators over the years which have also been malicious and have stolen any funds sent to the paper wallets they generate. And even if someone happens to pick legitimate paper wallet software, paper wallets are difficult to set up and use correctly without making a critical mistake, exposing your private keys to the internet, sending your change to an address you cannot access, and so on. They should not be used by newbies as a "best place to start".

The best advice for newbies who cannot review code has always been to choose an open source, reproducible, widely used, widely reviewed, and reputable wallet. This is why Electrum is so popular and so often recommended

[un_rank]

Yes. Internally, locally... What is the difference? The point is that the seed phrase and private keys are created, stored and accessible by your wallet software.

The slight difference is that on one end it is stored in their logs and any breach on their side can access it or the software themselves can easily steal your private keys and on the other hand it is not stored in their data logs but on the user's wallet file and not directly accessible to them.

There is always a risk when dealing with soft-wares even those that are open source, but is is much safer choosing one which is open source and reputable.

- Jay -

[OmegaStarScream]

Update: So it looks like the stolen funds (~35M $) are on the move:

On June 5, blockchain compliance analytics firm Elliptic reported that its Investigations Team has traced funds from the $35 million Atomic Wallet hack to crypto mixer Sinbad.io.

Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/

[Yamane_Keto]

This is poor advice.

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum. My talk if you don't want to trust any developer, I know a lot of skeptical people who like to check everything themselves.
Setting up and managing paper wallets is not difficult for someone who can read every line, perhaps it is not the best option in terms of privacy and dynamism, but everything has a cost.

Update: So it looks like the stolen funds (~35M $) are on the move:

Without making the wallet open source, I don't think anyone would be stupid enough to use them.