Author Topic: A Non-Custodial wallet, Atomic Wallet, being compromised  (Read 2332 times)
BlackHatCoiner
Legendary
June 06, 2023, 09:47:44 AM
Merited by o_e_l_e_o (4)
 #61

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
This is the same as expecting a newbie to write the paper wallet software themselves. It's ridiculous to expect a newbie to know how to read / write code. And no, it's not practical to read that either. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html is more than 10000 lines long. Less than Electrum, but still impractical.

My talk if you don't want to trust any developer, I know a lot of skeptical people who like to check everything themselves.
If you're not a competent software engineer, as the folks behind software like Bitcoin Core and Electrum, then you shouldn't trust yourself more than them. The odds of messing up are far greater.

NotATether
Legendary
June 06, 2023, 10:02:34 AM
Merited by BlackHatCoiner (4), DaveF (3)
 #62

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
This is the same as expecting a newbie to write the paper wallet software themselves. It's ridiculous to expect a newbie to know how to read / write code. And no, it's not practical to read that either. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html is more than 10000 lines long. Less than Electrum, but still impractical.

That's the problem with shipping your codebase as a giga-large single file - particularly as an HTML file - even I don't have the patience to read or understand what all that code is doing. Electrum is easier to navigate because you can trace the control flow through multiple files, and that eliminates a lot of the irrelevant code that is not likely to be of interest to hackers.

o_e_l_e_o
In memoriam
Legendary
June 06, 2023, 12:17:34 PM
 #63

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
If you are a newbie who cannot code, then both tasks are equally impossible. And if you are a newbie who cannot code, then you will be exponentially safer using Electrum than you would be using some random paper wallet generator you found via Google.

Setting up and managing paper wallets is not difficult for someone who can read every line, perhaps it is not the best option in terms of privacy and dynamism, but everything has a cost.
Paper wallets are an excellent option if you can vet the code you are using, you understand how to set up and use a truly airgapped system, and you understand how to spend from these wallets without ruining your privacy and security or losing any coins. But this is complicated to do. Suggesting them as an alternative for everyone leaving Atomic or other closed source wallets is bad advice.
buwaytress
Legendary
June 06, 2023, 01:10:30 PM
 #64

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.

Yeah Yamane_Keto, we understood what you meant, but I'm not sure you understood what you're expecting of average users either Wink

I'm the regular user we're all talking about. Understand the most basic of coding languages, far from enough to understand anything harmful or malicious on Github if it screamed out at me.

It's still many times safer, and practical, to simply trust a software you know is actively being reviewed and checked by very good developer communities. To the simple user (yours truly), Electrum and Bitcoin Core prove that, by acting very quickly when changes need to be made or holes plugged.

DaveF
Legendary
June 06, 2023, 02:46:28 PM
 #65

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum.
This is the same as expecting a newbie to write the paper wallet software themselves. It's ridiculous to expect a newbie to know how to read / write code. And no, it's not practical to read that either. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html is more than 10000 lines long. Less than Electrum, but still impractical.

That's the problem with shipping your codebase as a giga-large single file - particularly as an HTML file - even I don't have the patience to read or understand what all that code is doing. Electrum is easier to navigate because you can trace the control flow through multiple files, and that eliminates a lot of the irrelevant code that is not likely to be of interest to hackers.

Yes with a but, or no with a however.
Having multiple files now means that humans are going to be human. So if some function calls something that you are not using / not interested in then you (who I assume to be human) may not examine it as well or even at all. Having it all in the 1 monolithic file forces you to read the entire thing.

There is a good and bad side to both ways.

Back to this. Has anyone here actually lost real funds? I keep hearing reports of people losing money, but so far it's nobody here as far as I can see.

-Dave

dkbit98
Legendary
June 06, 2023, 07:34:53 PM
 #66

Update: So it looks like the stolen funds (~35M $) are on the move:
Crazy!
The number grows with every new day and who knows how many people don't even know or didn't report losses.
It's important not to open an Atomic wallet that is connected to the internet, then import the seed phrase backup to another wallet and move coins asap.
A few years ago I tested this Atomic wallet and I never liked how it works, but closed source and amateur devs was always a red alert for me.

RickDeckard
Legendary
June 06, 2023, 10:15:51 PM
 #67

Update: So it looks like the stolen funds (~35M $) are on the move:

On June 5, blockchain compliance analytics firm Elliptic reported that its Investigations Team has traced funds from the $35 million Atomic Wallet hack to crypto mixer Sinbad.io.

Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/
And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

[1]https://nitter.it/zachxbt/status/1666115739764285445
[2]https://en.wikipedia.org/wiki/Lazarus_Group

albon
Legendary
June 06, 2023, 11:42:28 PM
 #68

And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

[1]https://nitter.it/zachxbt/status/1666115739764285445
[2]https://en.wikipedia.org/wiki/Lazarus_Group
Fortunately, a large group, including me, was not affected by what happened to the Atomic Wallet, as I immediately transferred my funds to another wallet after I found many reports of stolen funds by many users in the tweets of the official account of the Atomic Wallet, I feel sad because I saw a lot of them lost thousands of dollars due to the Lazarus Group, who are responsible for these hacks.

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Quote
The application that Atomic Wallet built was not built in a secure manner.

Either someone pushed a malicious version of the application that stole users' keys.

Or they were inadvertently logging users' keys to their servers and those servers were accessed by a malicious actor.
Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.

goldkingcoiner
Legendary
June 07, 2023, 12:24:10 AM
 #69

Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?

I think he is confusing Atomic with being Binance owned, but Trust Wallet is just as closed source as well, and ironically there is no point in trusting such wallets. You might as well store your coins on Binance. They might have a lesser chance of being hacked. Although looking at the past history of crypto exchanges, they eventually screw up, get hacked or straight up steal your money. Shocked Roll Eyes

I agree that any wallet which is not 100% open source is a red flag. Otherwise behind the code could be a third party, trying to take your money with a strategically planned hack.  Cry

inb4 North Korea was behind Atomic all along.

DaveF
Legendary
June 07, 2023, 11:24:03 AM
 #70

And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

[1]https://nitter.it/zachxbt/status/1666115739764285445
[2]https://en.wikipedia.org/wiki/Lazarus_Group
Fortunately, a large group, including me, was not affected by what happened to the Atomic Wallet, as I immediately transferred my funds to another wallet after I found many reports of stolen funds by many users in the tweets of the official account of the Atomic Wallet, I feel sad because I saw a lot of them lost thousands of dollars due to the Lazarus Group, who are responsible for these hacks.

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Quote
The application that Atomic Wallet built was not built in a secure manner.

Either someone pushed a malicious version of the application that stole users' keys.

Or they were inadvertently logging users' keys to their servers and those servers were accessed by a malicious actor.
Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.

If they were ' inadvertently logging users' keys to their servers' then the app was totally fucked from the start. The ONLY thing the app should be sending to the servers is the request of the transaction lists for the addresses to figure out how much is in the owned addresses and a signed TX when broadcasting a send. There should be no way in hell that your private keys are EVER sent to them.

However, you can't fix stupid, and since it's closed source you never really know what they are doing [unless you set up a mitm attack on your own network and monitor what comes in and out].

Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened. And get do some other things. But no way to interact with the net. Should be sitting there ready to be deployed with a deadman switch when something like this happens.

-Dave
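
The rule in the post above (the backend should only ever see address lookups and signed transactions, never private keys) written as a check over traffic captured from your own wallet through your own intercepting proxy. This is an added example, not part of the original post and not any wallet's code; the request records, host names and key below are constructed, and it only recognises Base58Check secrets (WIF and BIP32 extended private keys) sent in plain text.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Any Base58 run long enough to be an address, a WIF key or an extended key.
B58_RUN = re.compile(r"[1-9A-HJ-NP-Za-km-z]{26,112}")


def checksum(data: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA-256(SHA-256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    raw = payload + checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * zeros + out


def b58check_decode(text: str):
    """Return the payload if the checksum verifies, else None."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]


def classify(payload: bytes):
    """Name the secret a decoded payload represents, or None for public data."""
    if payload[:1] in (b"\x80", b"\xef"):  # mainnet / testnet WIF version byte
        if len(payload) == 33:
            return "WIF private key (uncompressed)"
        if len(payload) == 34 and payload[-1] == 0x01:
            return "WIF private key (compressed)"
    if len(payload) == 78 and payload[:4].hex() in ("0488ade4", "04358394"):
        return "BIP32 extended private key"
    return None  # addresses, xpubs and everything else may leave the device


def scan_body(body: str):
    """List the kinds of private key material found in one piece of text."""
    kinds = []
    for run in B58_RUN.findall(body):
        payload = b58check_decode(run)
        kind = classify(payload) if payload else None
        if kind:
            kinds.append(kind)
    return kinds


def audit(requests):
    """Return (method, url, kind) for every outbound request carrying a key."""
    return [(r["method"], r["url"], kind)
            for r in requests
            for kind in scan_body(r["url"] + " " + r["body"])]


# Constructed test data: not a real wallet key, address or backend.
TEST_KEY = bytes(range(1, 33))
TEST_WIF = b58check_encode(b"\x80" + TEST_KEY + b"\x01")
TEST_ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
SAMPLE_REQUESTS = [
    # Expected: history lookup for an owned address.
    {"method": "GET", "body": "",
     "url": "https://backend.example.invalid/address/" + TEST_ADDR + "/txs"},
    # Expected: broadcast of an already signed transaction (constructed hex).
    {"method": "POST", "url": "https://backend.example.invalid/broadcast",
     "body": '{"rawtx":"0200000001' + "a0b1c2d3" * 8 + '00000000"}'},
    # Not expected: a debug/telemetry call that includes the key itself.
    {"method": "POST", "url": "https://telemetry.example.invalid/log",
     "body": '{"event":"wallet_open","debug":{"state":"' + TEST_WIF + '"}}'},
]

if __name__ == "__main__":
    for method, url, kind in audit(SAMPLE_REQUESTS):
        print(f"KEY MATERIAL LEAVING DEVICE: {kind} in {method} {url}")
```

Verifying the checksum is what keeps this from flagging addresses, transaction ids and other long strings; a key that is encrypted, encoded or split before sending will not be caught by it.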

sokani
Sr. Member
June 07, 2023, 05:29:00 PM
 #71

I'm thankful for bitcointalk and the educative information that's been shared here on dailies. As a newbie that registered on this platform, I used to have some crypto assets worth a couple of bucks in my Atomic wallet until I stumbled on some topics here about the dangers of using closed source wallets, so I decided to move my assets out of Atomic wallet... If not I might have been a victim too. This is an eye-opener and I hope other persons can learn from this and distance themselves from using closed source wallets and exchanges in storing their funds.

joniboini
Legendary
June 08, 2023, 02:10:05 AM
 #72

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack
Both of them are certainly a possibility. It is hard to figure out what really happened unless Atomic shares what kind of exploits are being used by the attacker. Even if they did that though, the distrust is still there since they can edit some code before making it public to steer the narrative to their preferred direction. Zach also claims to know what happened behind the scene. At the end of the day, someone would be better off using other wallets in the future.

Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened.
Unless I'm mixing up some news, IIRC, they disable the downloads shortly after the attack was reported. Not sure why they allow users to download it again, especially after some reports suggesting the latest version is one of the ones that got affected.

Cricktor
Hero Member
June 08, 2023, 04:46:04 AM
Last edit: June 08, 2023, 07:40:07 PM by Cricktor
 #73

Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened. And get do some other things. But no way to interact with the net. Should be sitting there ready to be deployed with a deadman switch when something like this happens.

I have used Atomic Wallet for a very short period of time for some shitcoins that needed to be moved around and where I didn't even trust the shitcoin's native wallets. I was concerned that Atomic Wallet is closed-source, did some deep research if this software had some bad history or reputation. At that time, I couldn't find deeply alarming news, so I thought, OK, why not, no large amounts of value at stake and I didn't run that software on the same computer where my trusted wallet(s) were.

As an end user I would be pissed if I had no control over updates or downloading a dead version. Forced updates can be a dangerous thing if external or internal attackers of a wallet's backend gain malicious control. With forced updates you can screw every user of the wallet when the wallet's infrastructure gets compromised. Displaying a big red warning in the user's wallet would be nice if that is done in safe way that can't be exploited by malicious actors. My hopes are not high for Atomic users as the past audits seemed to indicate that software and security quality of Atomic isn't what it should be.

There's still too much speculation of what went wrong or how the attacks were possible. A dead version in the app stores wouldn't help if the seed or private keys got compromised. And you could potentially protect only users with a forced update before attackers could do their stealing.

The communication of the wallet's company is very much sub-par. If they don't know what's going on, then why don't they shut down the backend systems and tell the users to immediately move their funds to a new safe wallet that's not affected. (Well, if you have lots of shitcoins, then good luck with finding suitable safe other wallets to hold your shitcoins.)


Zach also claims to know what happened behind the scene.

Sounds like click-bait of this dude. So, for what reason doesn't this "Zach" reveal what he knows?

witcher_sense
Legendary
June 08, 2023, 07:57:47 AM
Merited by hugeblack (4)
 #74

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Quote
The application that Atomic Wallet built was not built in a secure manner.

Either someone pushed a malicious version of the application that stole users' keys.

Or they were inadvertently logging users' keys to their servers and those servers were accessed by a malicious actor.
Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.
It couldn't have been a malicious update since many of the victims of the Atomic Wallet hack claim they were using an old version of a wallet when unauthorized asset draining occurred. It also doesn't look like hackers accessing dozens of computers with wallets installed, extracting secret information, and moving coins to the addresses they control: if it were the case, more users would have been affected. The most plausible explanation of what happened would be that Atomic Wallet is a semi-custodial wallet pretending to be fully non-custodial; it generates and keeps user information server-side for unknown purposes, probably for ensuring the proper functioning of some parts of the software like swaps or in-built exchanges. Users affected by this hack should have something in common: most likely they all were using the same in-built service that somehow leaked private keys when communicating with the server.

Stalker22
Legendary
June 08, 2023, 08:50:00 PM
 #75

It couldn't have been a malicious update since many of the victims of the Atomic Wallet hack claim they were using an old version of a wallet when unauthorized asset draining occurred. It also doesn't look like hackers accessing dozens of computers with wallets installed, extracting secret information, and moving coins to the addresses they control: if it were the case, more users would have been affected. The most plausible explanation of what happened would be that Atomic Wallet is a semi-custodial wallet pretending to be fully non-custodial; it generates and keeps user information server-side for unknown purposes, probably for ensuring the proper functioning of some parts of the software like swaps or in-built exchanges. Users affected by this hack should have something in common: most likely they all were using the same in-built service that somehow leaked private keys when communicating with the server.

I am curious if there could be an alternative explanation for this hack. From what I gather, it seems that users were compromised even when they didn't have Atomic wallet actively running on their computers. Some individuals have reported not using the wallet for several months prior to the incident. In my opinion, this rules out the possibility of malicious code like trojan or spyware residing on their computers. Unless, of course, the attacker had been gathering private keys for an extended period of time leading up to the attack.

Flexystar
Full Member
June 09, 2023, 06:26:02 PM
 #76

Update: So it looks like the stolen funds (~35M $) are on the move:

On June 5, blockchain compliance analytics firm Elliptic reported that its Investigations Team has traced funds from the $35 million Atomic Wallet hack to crypto mixer Sinbad.io.

Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/

Damn, once it's through the sinbad mixer it's gonna go away forever. Maybe only the mixer service owner would know which seed was allotted and where the money is, isn't it?
But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users' money?

I am not sure how this transaction went since your post is old and by now there might be hundreds of different addresses on which the distribution might have occurred already.

But there's gotta be a way, there always is?
suzanne5223
Hero Member
June 09, 2023, 06:57:25 PM
 #77

It's still being investigated, and no one actually knows if their software is really being compromised or not. But better be safe than to lose all of your coins/savings. If you're an Atomic Wallet user, send them out to another wallet ASAP.
What investigation do you expect from a wallet that has a shady record right from the beginning? I can remember when they had their bounty campaign on this forum years ago they were tagged as scammers by JollyGood and for the record, some of their bounty campaign participants complained about not receiving payment.

I wonder why people should still be using a wallet that support only legacy address when there is Segwit today. Any bitcoin wallet, that also support altcoins or not should not be used anymore if they can not follow the recent standards.
Same here but I come to learn that some cryptocurrency investors can go the extra just for dividends and giveaways. You wont believe that the hacking issue happens after the announcement of their 1,000,000,000 $PEPE giveaway to 10 lucky winners.

Z-tight
Hero Member
*****
Offline Offline

Activity: 840
Merit: 1026


Only BTC


View Profile
June 09, 2023, 08:19:17 PM
 #78

Damn, once it's through the Sinbad mixer it's gonna go away forever. Maybe only the mixer service owner would know which seed was allotted and where the money is, isn't it?
But I am curious, if they already know that funds are on the move then is it possible for middle services like Sinbad mixer to expose them for the sake of goodness and users' money?
How can a mixer know the seed phrase of an address that they sent coins to after mixing? That is not possible. Mixers are not investigators, they just receive funds and help their customers to conceal the origin of the funds. By the way, Sinbad also does not keep logs after customers use their mixer; they delete the logs after one hour of using their service.

joniboini
Legendary
*
Offline Offline

Activity: 2170
Merit: 1789



View Profile WWW
June 10, 2023, 12:31:31 AM
 #79

But I am curious, if they already know that funds are on the move then is it possible for middle services like Sinbad mixer to expose them for the sake of goodness and users' money?
Even if they can do it, I doubt any mixer would do that (at least not publicly). It basically tells its users that they can and will expose their logs if they deem it necessary. Why bother using them in the future if privacy is your goal? Besides, the fault in this case is more on Atomic Wallet being a terrible wallet, not necessarily a mixer or other privacy tools IMO.

How can a mixer know the seed phrase of an address that they sent coins to after mixing? That is not possible.
I think he's not referring to the seed phrase of the hacker address, but the logs of the mixing process.

Sounds like click-bait from this dude. So, for what reason doesn't this "Zach" reveal what he knows?
He's got a decent following on Twitter at the very least. Can't say for certain how reliable his info is since I'm not that active on social media. You can check out his Twitter if you want to know more, @zachxbt.

OmegaStarScream
Staff
Legendary
*
Offline Offline

Activity: 3458
Merit: 6099



View Profile
June 10, 2023, 07:52:24 AM
 #80

-snip-

It should also be possible for Elliptic or Chainalysis (which Atomic Wallet is currently seeking help from[1]), but I would imagine it all depends on how the mixer works, and I doubt it would be that easy of a task.

[1] https://twitter.com/AtomicWallet/status/1666591717347262468
