Bitcoin Forum
Author Topic: A Non-Custodial wallet, Atomic Wallet, being compromised  (Read 2332 times)
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18507
June 10, 2023, 08:45:28 AM
Merited by John Abraham (1)
 #81

But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?
If Sinbad were to release logs or similar, then they are signing their own death warrant.

The whole point of privacy services is to provide privacy, not to hand consent of exposure of your information to a random third party to decide based on their own arbitrary rules. Yes, a minority of users of privacy tools (such as mixers, coinjoins, VPNs, Tor, PGP, end to end encrypted messengers, etc.) are doing illegal things, but the vast majority of users of such services are just average people who do not want random third parties and governments spying on everything that they do. Would you use an encrypted messenger with a government backdoor? Of course not. Would you use a VPN which collects logs and hands them over to third parties? Of course not. Why would anyone use a mixing service which collects logs and hands them over to third parties?

John Abraham
Hero Member
Activity: 518
Merit: 547
June 10, 2023, 09:03:41 AM
 #82

Would you use a VPN which collects logs and hands them over to third parties? Of course not. Why would anyone use a mixing service which collects logs and hands them over to third parties?
The sad thing is we do. Some of us use them without knowing that they collect data, and others, even knowing they collect data, still use them. Did you know whether CM collected user data such as IP and wallet addresses? I am not sure if they did. But the storage size (7 TB) that the FBI seized was too big for a mixer service. I don't understand what kind of data can take that much storage. Let's say mixer services promise they do not collect any data from us, and they do it without letting us know. How can we verify their claims? The only thing we can do is "Believe their promise." We often say, "Do not trust, verify." But sometimes we cannot verify everything.

I know some of my friends use free VPNs. Some of them know that those VPNs collect data from their devices and still don't care about it. We all are not cypherpunks! We cannot expect everyone to care about their privacy. If they are dumb enough, we can let them do it. The whole point of my post is that even though we don't want to use those services that collect data, sometimes we use them, knowingly or unknowingly. You never know if those services collected your data or not.

BlackHatCoiner
Legendary
Activity: 1498
Merit: 7292
June 10, 2023, 09:24:22 PM
 #83

But the storage size (7 TB) that the FBI seized was too big for a mixer service.
It's also too big to keep such data. Even if they did keep logs, and store in detail which private key comes from what deposit, 7 terabytes is an unreasonably large size. To put it in some perspective, the entire blockchain is about one tenth of that. And the fact that the feds never disclosed anything about that 7 TB makes me question even more whether it kept logs. Arguing it did collect data holds less ground than arguing that the operator was an upstanding member of the piratebay, seeding and leeching movies.

John Abraham
Hero Member
Activity: 518
Merit: 547
June 11, 2023, 09:19:28 AM
Merited by vapourminer (1)
 #84

It's also too big to keep such data. Even if they did keep logs, and store in detail which private key comes from what deposit, 7 terabytes is an unreasonably large size. To put it in some perspective, the entire blockchain is about one tenth of that. And the fact that the feds never disclosed anything about that 7 TB makes me question even more whether it kept logs.
They had four servers. Let's say they were running four full nodes. That may consume around 2.2 TB. But I was surprised when I saw the FBI seize four servers and 7 TB of data. It leads me to wonder what data they kept. Data of users like IP logs, addresses and other data might be saved as text files, which shouldn't consume that much storage. They might store some additional data or operate a bunch of different services with those four servers. I don't know what they promised while on the market because I did not use their service. Did they promise that they don't collect data from users? What other service would you trust if they promised that and still collected data?

Kryptowerk
Legendary
Activity: 2030
Merit: 1401
June 12, 2023, 05:31:36 PM
 #85

It couldn't have been a malicious update since many of the victims of the Atomic Wallet hack claim they were using an old version of a wallet when unauthorized asset draining occurred. It also doesn't look like hackers accessing dozens of computers with wallets installed, extracting secret information, and moving coins to the addresses they control: if it were the case, more users would have been affected. The most plausible explanation of what happened would be that Atomic Wallet is a semi-custodial wallet pretending to be fully non-custodial; it generates and keeps user information server-side for unknown purposes, probably for ensuring the proper functioning of some parts of the software like swaps or in-built exchanges. Users affected by this hack should have something in common: most likely they all were using the same in-built service that somehow leaked private keys when communicating with the server.

I am curious if there could be an alternative explanation for this hack. From what I gather, it seems that users were compromised even when they didn't have Atomic wallet actively running on their computers. Some individuals have reported not using the wallet for several months prior to the incident. In my opinion, this rules out the possibility of malicious code like trojan or spyware residing on their computers. Unless, of course, the attacker had been gathering private keys for an extended period of time leading up to the attack.


Is there any update on this shedding light on what actually happened to the stolen user funds and, more importantly, how the hack was conducted and which type of user were affected?
Is the team responsible for Atomic Wallet publicly known?
Highly unlikely any funds will be retrieved but holding folks accountable would be a first step.

BlackHatCoiner
Legendary
Activity: 1498
Merit: 7292
June 12, 2023, 06:46:39 PM
 #86

Did they promise that they don't collect data from users?
This comes from their FAQ page (2021):
Your session lasts for 7 days. After that, your session and all its data will be removed. You can also destroy your session before time is up. We keep statistical data ie. how much was donated.

Someone could argue the feds have had the data which was meant to be deleted within that week, and they'd be correct. However, prior to that, according to ChipMixer, every session was deleted a week after its creation.

What other service would you trust if they promised that and still collected data?
I wouldn't, it was just that they had gained much trust. And it still might have been a honeypot, but I doubt very much.

Wind_FURY (OP)
Legendary
Activity: 2898
Merit: 1823
June 14, 2023, 01:57:54 PM
 #87

There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen. Shocked

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a Wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

DaveF
Legendary
Activity: 3458
Merit: 6235
June 14, 2023, 02:16:54 PM
 #88

There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen. Shocked

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a Wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they screwed up enough to have people get access to the users' private keys then turning off their servers will make 0 difference.
And people can already get their keys, import them into other wallets and move their funds.

The rest really does not matter at this point.

Like I have always said, I have some coins in another multicoin wallet that is closed source.
The amount of funds I have in it are worth less than the phone it's on, and I use cheap(ish) phones.

-Dave

Wind_FURY (OP)
Legendary
Activity: 2898
Merit: 1823
June 14, 2023, 02:29:30 PM
Merited by DaveF (3)
 #89

There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen. Shocked

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a Wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they screwed up enough to have people get access to the users' private keys then turning off their servers will make 0 difference.

And people can already get their keys, import them into other wallets and move their funds.

The rest really does not matter at this point.

Like I have always said, I have some coins in another multicoin wallet that is closed source.
The amount of funds I have in it are worth less than the phone it's on, and I use cheap(ish) phones.

-Dave


Sorry, but let me make it clear. I didn't suggest that Atomic Wallet turn off everything to "stop the theft", there's nothing that can be done about that unless the users transfer their assets manually to another wallet. What I was suggesting was to turn off everything, including development, and shut the WHOLE project down. It's stupid for it to continue in my opinion.

DaveF
Legendary
Activity: 3458
Merit: 6235
June 14, 2023, 02:59:39 PM
 #90

There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen. Shocked

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a Wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they screwed up enough to have people get access to the users' private keys then turning off their servers will make 0 difference.

And people can already get their keys, import them into other wallets and move their funds.

The rest really does not matter at this point.

Like I have always said, I have some coins in another multicoin wallet that is closed source.
The amount of funds I have in it are worth less than the phone it's on, and I use cheap(ish) phones.

-Dave


Sorry, but let me make it clear. I didn't suggest that Atomic Wallet turn off everything to "stop the theft", there's nothing that can be done about that unless the users transfer their assets manually to another wallet. What I was suggesting was to turn off everything, including development, and shut the WHOLE project down. It's stupid for it to continue in my opinion.

That I agree with.
At this point there is nothing that can be done. The trust is gone, the lack of communications is ridiculous, and so on.
The fact that you can still download and install the app is just more proof that they don't care / don't have a clue / are in on the theft.

-Dave

AHOYBRAUSE
Hero Member
Activity: 574
Merit: 662
June 14, 2023, 06:05:39 PM
 #91


That I agree with.
At this point there is nothing that can be done. The trust is gone, the lack of communications is ridiculous, and so on.
The fact that you can still download and install the app is just more proof that they don't care / don't have a clue / are in on the theft.

-Dave

Yeah, the communication, even if they are trying, really is kind of bad.
Also, when opening the wallet on phone or computer there should at least be a message or something to warn users about the current situation. But there is nothing.

I used this wallet a lot over the past 2 years. Even when I was dissatisfied with the way they treated their own token.
Still to this day I have AWC-986 in my wallet and there is no way to exchange them for other altcoins. Only the new one is possible to trade. They claimed this will be possible in the first months of this year, now in June and still nothing.

Anyway, I was lucky enough to have no damage from this and moved all my stuff somewhere else. Didn't have a lot in the wallet to begin with but would have been annoying to lose those as well.

RickDeckard
Legendary
Activity: 1008
Merit: 3005
June 14, 2023, 10:27:47 PM
 #92

This tweet[1] is a great overview of how deep this breach was. I'll point out the tweets that stood out the most for me:
Quote
The timeline is also notably diff when comparing a hack like BitKeep.

Usually when draining 1k+ addies, hackers write scripts and just blast it out.

This results in most addies being drained in the same minute or two w a trailing tail for the remainder of the hour:
Quote
But for the Atomic Wallet incident, the initial theft transactions ran for like 20 fucking hours.

😳

~Fri Jun 2 @ 9pm UTC - Sat Jun 3 @ 5pm UTC
aka
~Sat Jun 3 @ 6am KST – Sun Jun 4 @ 2am KST
Quote
And, yeah, I know, that graph only goes until 10:00am UTC.

Thats bc they actually started to launder the largest thefts *while* still draining wallets, swapping tokens, and draining more wallets.
It seems that at this time it is mostly assumed that Lazarus group is definitely behind this attack. I don't know how Atomic Wallet intends to refund their clients and I also don't know if they are solvent enough to do it. The worst part of all this is that people will keep trusting CEXs  Roll Eyes.

[1]https://nitter.it/tayvano_/status/1668935273047261185

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18507
June 15, 2023, 09:11:27 AM
 #93

I've obviously never used Atomic wallet, but am I right in saying there is no way to link it to your own node or server? In other words, it operates exclusively via Atomic's own servers? And also, do we know how the attack took place yet? Were the attackers able to remotely sign transactions, or were they able to extract private keys or seed phrases?

I am wondering if Atomic had pulled their central servers offline, whether this would have stopped further funds being stolen?
NotATether
Legendary
Activity: 1582
Merit: 6688
June 15, 2023, 09:18:40 AM
Merited by vapourminer (1), RickDeckard (1)
 #94

Presumably by now we should have at least some kind of news on the cause of the hacks or the vulnerability, or is ZachXBT taking a vacation? Sad

I've obviously never used Atomic wallet, but am I right in saying there is no way to link it to your own node or server? In other words, it operates exclusively via Atomic's own servers? And also, do we know how the attack took place yet? Were the attackers able to remotely sign transactions, or were they able to extract private keys or seed phrases?

I am wondering if Atomic had pulled their central servers offline, whether this would have stopped further funds being stolen?

Atomic Wallet is proprietary software built with (what I assume to be) Electron and thus it can only communicate with company servers, especially since the "Swap" feature is custodial and requires servers. There's no Atomic Wallet Server either.

It seems that at this time it is mostly assumed that Lazarus group is definitely behind this attack. I don't know how Atomic Wallet intends to refund their clients and I also don't know if they are solvent enough to do it. The worst part of all this is that people will keep trusting CEXs  Roll Eyes.

This doesn't really sound like a Lazarus hack, because those guys are presumably competent enough to not go after only a few hundred "active wallets" if they have the god-level access in the wallet system, they'd drain the entire system and leave it to burn. It sounds to me more like a script-kiddie weaseled into the systems - which is bad news for Atomic Wallet's security if that is true.

RickDeckard
Legendary
Activity: 1008
Merit: 3005
June 18, 2023, 11:43:43 AM
 #95

This thread[1] is very interesting and may point towards one of the causes that led to this attack. According to him:
Quote
Whisper (SHH) is a protocol and communication layer that provides secure and private messaging functionality on the Ethereum network. It enables users to send encrypted messages directly to specific recipients without the need for intermediaries
Quote
All the hacker needs to do is send the message with the backdoor command to the address they want to hack. It will return an SSH to the hacker's private key (a message that only they can read, containing the victim's wallet information).
My first question would be how the user got a hold of (part of?) the code behind Atomic Wallet. I do know they have a GitHub page[2], but I'm not sure if they publish sections of their code in there. Despite all of this I'm still baffled by the fact that Atomic continues to hold radio silence regarding this hack...

[1]https://nitter.it/Gustavoatca/status/1669835377517969408
[2]https://github.com/orgs/Atomicwallet

OmegaStarScream
Staff
Legendary
Activity: 3458
Merit: 6099
June 18, 2023, 12:23:03 PM
Merited by DaveF (2)
 #96

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

DaveF
Legendary
Activity: 3458
Merit: 6235
June 18, 2023, 01:07:10 PM
Merited by vapourminer (1)
 #97

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

There was an update to Atomic at the end of May. So the question now becomes: was that the version that introduced the vulnerability, or was it perhaps the version that fixed it?
If it fixed it, then a lot of people can spend a lot of time looking at the code and find nothing.

Also, on that note does anyone know if you would see it in what was released if it was a 'supply chain' issue and a library that it was using that was the vulnerability?

-Dave

RickDeckard
Legendary
Activity: 1008
Merit: 3005
June 18, 2023, 01:58:48 PM
 #98

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.
Somehow I've missed that tweet. Thank you for pointing it out! Looking forward to what the community will find out, considering that the source code was only updated 3 days ago, which isn't a lot of time for people to be aware of it.

Cricktor
Hero Member
Activity: 742
Merit: 1073
June 18, 2023, 04:26:55 PM
 #99

... Despite all of this I'm still baffled by the fact that Atomic continues to hold radio silence regarding this hack...

[1]https://nitter.it/Gustavoatca/status/1669835377517969408

Because I have used Atomic Wallet only for a very short time for a specific task that didn't involve any painful amount of worth for me, I don't spend too much time to look for details. It's merely my personal interest in security issues in the crypto space that attracts my attention.
[1] seems to me one of the first concrete details of what might have happened. Not that I can fully grasp it, but it looks to me like an implementation flaw in Atomic Wallet that is beyond stupidity. What did the devs of Atomic Wallet think? If this is true what [1] claims and this message protocol allows without any authentication the extraction of private keys, then Atomic Wallet devs are incompetent beyond imagination.

But there's at least one thing, that I can't wrap my head around: do the attackers need to target the specific wallet users or do they target the Atomic Wallet backend infrastructure? I ask this, because there were reports of Atomic users who lost funds who didn't open Atomic Wallet for a long time. Though such user reports have to be taken with a big pile of grains of salt.

Two weeks and still counting and I find the radio silence and no signs at all on the Atomic Wallet website totally baffling, too. That is definitely not how such a hack should be handled.

Zoomic
Sr. Member
Activity: 420
Merit: 252
June 18, 2023, 11:15:00 PM
Merited by Dunamisx (5)
 #100

But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?
If Sinbad were to release logs or similar, then they are signing their own death warrant.

Sinbad will not attempt that because if they do, the whole purpose of privacy is defeated and it will go a long way to say how fast or slow data is dished out with pressure.
Exchanges are the fastest to release even with minimal pressure in order to be in the haven book of the government.
I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a Wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?
If they make such an announcement it will create much more panic than we have. But in the real sense, they failed, that is the only viable option to mitigate losses now.
