A Non-Custodial wallet, Atomic Wallet, being compromised

[Wind_FURY]

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

 

[1714481487]

1714481487

[1714481487]

1714481487

[1714481487]

1714481487

[1714481487]

1714481487

[OmegaStarScream]

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

 

It's difficult to say since they haven't shared any information. This is their latest post: https://twitter.com/AtomicWallet/status/1669750121586737152

If there was a backdoor by one of the employees (without the rest of the staff knowledge), they would've fixed it but as we can see, it's been some time since they last updated the software: https://support.atomicwallet.io/article/339-release-history

Also, from my understanding of the tweet above, this "backdoor" has something to do with Ethereum (or maybe EVM chains in general), but if we check the article talking about the hack, we can see that BTC has been stolen as well.

It's actually mind-blowing how silent they are when they have 100M $ of user funds completely gone. I personally still suspect they have the private keys (or at least some of them) stored in their servers.

[Cricktor]

You can flag such update nonsense from Atomic Wallet as radio silence noise. Well, it could also be some sort of strategy. Not impossible that they found out what internal mistakes have led to this desaster and they came to the conclusion that radio silence is the least worse option.
Who knows... hard to believe, they could survice such a mess.

[Kryptowerk]

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

 

Given what we have witnissed last year alone (FTX, Yogg...) I'd say it's quite likely. If there are several devs, it just needs one rotten apple to put in a backdoor and abuse it at some point when it seems profitable.
Then again, there is also a good chance it was some vulnurability within some dependency/package in their codebase. Maybe one of their own devs found out and decided to take advantage or someone from outside.
I clearly lean towards inside job, though. Chances are just higher.

Nothing too suprising, though.
And another great example why open source MUST be the standard for critical software such as wallets in the Bitcoin space.

[RickDeckard]

Finally we get a statement[1] from Atomic Wallet after 18 days of radio silence regarding what might have caused the draining of the wallets. Here's a few highlights from it:

The team has researched various potential causes, the most probable of which are virus targeting on local users devices, infrastructure breach, malware code injection, or a man-in-the-middle attack. At the moment, none of the possible issues are confirmed as potentially causing massive breaches, as such types of attacks are very hard to recognize.

Our top priority is to help as many affected users as we can. We are actively working with crypto incidents investigators and authorities. The next step will be working on a legal framework for seizing frozen deposits and distributing them among affected users. We will update the community when there are more details on this front, and we ask for your patience.

To summarize, less than 0.1% of Atomic Wallet app users have been affected. No new cases have been reported since June 3rd. None of the possible issues are confirmed as potentially causing massive breaches, at least in the latest Atomic app versions. Builds are verified by external auditors. Our security infrastructure has been updated, and the investigation is still ongoing.

It seems like that they still have no clue for what might have caused this hack. This is a bit scary - if they haven't patched anything, what is stopping the hackers from continuing to drain the wallets? Are they purposely holding the draining so that users think that it is safer now only to attack once again in a near future?

As for compensation for their users, it seems like they are aiming to freeze whatever assets they manage and then distribute them accordingly. In what grounds and how remains unclear but one thing is certain - Most of the affected users won't ever see their crypto. As of now I'm still baffled that they have any customers at all still using their service. It seems that I'm more worried than them regarding the security of their crypto, and I'm not even a user of Atomic Wallet  .
[1]https://atomicwallet.io/blog/june-3rd-event-statement

[joniboini]

As of now I'm still baffled that they have any customers at all still using their service. It seems that I'm more worried than them regarding the security of their crypto, and I'm not even a user of Atomic Wallet  .

I guess some people rely on their promise that they'll get their money back since the team is working with exchanges to freeze the stolen money. A lot of people still seem reluctant to be completely self-reliant to secure their money.

To summarize, less than 0.1% of Atomic Wallet app users have been affected. No new cases have been reported since June 3rd. None of the possible issues are confirmed as potentially causing massive breaches, at least in the latest Atomic app versions. Builds are verified by external auditors. Our security infrastructure has been updated, and the investigation is still ongoing.

IIRC, they said it affect less than 1% of their users in the past[1]. How do they even confirm it? Which number are they using to calculate this? The download numbers on Play Store?

Which auditors are they referring to btw? Are they referring to Least Auditors who suggest people stop using them in the past[2]?

[1] https://cointelegraph.com/news/atomic-wallet-hack-affected-1-of-active-users-investors-claim-otherwise
[2] https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/

[o_e_l_e_o]

As of now I'm still baffled that they have any customers at all still using their service.

Binance have been hacked multiple times and have lost millions in crypto and hundreds of thousands of users' data. Remains one of the biggest exchanges.
Coinbase actively sell user data to third parties and inside trade against their users. Remains one of the biggest exchanges.
Platforms like Voyager, Celsius, FTX, all go bankrupt or outright scam. People continue to lose their coins on many other such platforms going bankrupt or scamming in the months since then.
Shitcoins like Luna collapse to nothing because they were outright scams, and then people continue to buy Luna 2.0.

I agree it is literally insane that anyone is still using Atomic wallet, but I also have no doubt that they will have no problem continuing to exist and not just keep current users but attract new ones too. I also have no doubt that hot wallets will never stop being hacked.

[Yamane_Keto]

To summarize, less than 0.1% of Atomic Wallet app users have been affected.

That wallet's hack caused to lose value cryptocurrencies worth $35 million, how does this represent less than 0.1% of Atomic Wallet app users?
After more than 18 days, they did not give a specific answer to what happened, which means that their developer team is not that experienced, or that the vulnerability is deep and they did not find a mechanism to fix it, or that either they left back doors and exploited them to steal them.

Does anyone know the list of external auditors, and if they published it, to gain a little credibility here, they should publish it

[ABCbits]

Finally we get a statement[1] from Atomic Wallet after 18 days of radio silence regarding what might have caused the draining of the wallets. Here's a few highlights from it:
--snip--

There's one more thing i'd like to highlight

Atomic is essentially a software application to manage users' crypto on local devices. We don't ask for any personal information, nor do we store user accounts, etc. Atomic, as a company, has no custody; developers have never had access to users' funds.

I'd like to remind that they collect these kinds of personal data which is likely done automatically,

4. Categories of Collected Personal Data

We collect the following categories of your Personal Data:

--snip--

– Device Information. We may collect information about the device you use to access our Application, including the hardware model, operating system and version, unique device identifiers, and mobile network information. This information will never be communicated to third parties unless you provide prior specific consent.

– Analytical Information that includes information about how you use the Application.

--snip--

To summarize, less than 0.1% of Atomic Wallet app users have been affected. No new cases have been reported since June 3rd. None of the possible issues are confirmed as potentially causing massive breaches, at least in the latest Atomic app versions. Builds are verified by external auditors. Our security infrastructure has been updated, and the investigation is still ongoing.

IIRC, they said it affect less than 1% of their users in the past[1]. How do they even confirm it? Which number are they using to calculate this? The download numbers on Play Store?

--snip--

To summarize, less than 0.1% of Atomic Wallet app users have been affected.

That wallet's hack caused to lose value cryptocurrencies worth $35 million, how does this represent less than 0.1% of Atomic Wallet app users?

It could be from data they automatically collect, which i mentioned above.

[DaveF]

It could be from data they automatically collect, which i mentioned above.

And since they only talk to their own back end SPV servers they have a good idea of your addresses (and the funds in them) since the wallet is asking for them.
Note, this is not just them it's how any lite wallet works if you connect to their servers. So, they may not know 100% who has what, but they can get a really good idea.


And this is a bit of a side rant, but I am going to put it out there anyway. Just because it's open source does not mean it's better or more secure. There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

Yes it's better, but DO NOT let people think it's perfect, make sure when explaining wallets to people. Multiple layers of security are better. There can be a big gaping hole in the open source wallet I use, that nobody fond yet AND there might be a compromise on my system that I don't know about. BUT, since I have my warm funds secured by PSBT to a 100% offline PC it really does not matter.

-Dave

[BlackHatCoiner]

There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

Most of the times that happened, we didn't have a closed-source alternative to compare. But at the times we did, you'll be glad to know that the closed-source alternative was way worse security-wise. A brilliant example is the OS. Take Linux and Windows. Both have exploits, both are decades old, both have hundreds of people working on them 'til this date, but Windows is less secure because it has far more vulnerabilities that allow the execution of code.

[Yamane_Keto]

I'd like to remind that they collect these kinds of personal data which is likely done automatically,

I hope this is the only data collected, although I question the validity of this information.

There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

In this case using a multi-signature wallet where you can choose the second signature from a hardware wallet/electrum/sparrow will reduce the potential points of vulnerabilities. The problem with closed-source wallets is limited funding, so the wallet developers may make some backdoors or sell some data, or in the best case, the limited number of developers may mean the ease of finding bugs, which is completely different in an open-source wallet that has been reviewed a lot.

[dkbit98]

And since they only talk to their own back end SPV servers they have a good idea of your addresses (and the funds in them) since the wallet is asking for them.
Note, this is not just them it's how any lite wallet works if you connect to their servers. So, they may not know 100% who has what, but they can get a really good idea.

This guys are not skilled enough to track and monitor everything, and even with this it's impossible for people to lose so much money with hacks like this.
I suspected from start that this was insider job, just one worker or ex-worker is enough to silently distribute and release malicious app update.

And this is a bit of a side rant, but I am going to put it out there anyway. Just because it's open source does not mean it's better or more secure. There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

Well that is obvious, I can in theory create a malware and make it open source code... that doesn't means everyone should install it on their computers 

[Wind_FURY]

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

 

It's difficult to say since they haven't shared any information. This is their latest post: https://twitter.com/AtomicWallet/status/1669750121586737152

If there was a backdoor by one of the employees (without the rest of the staff knowledge), they would've fixed it but as we can see, it's been some time since they last updated the software: https://support.atomicwallet.io/article/339-release-history

Also, from my understanding of the tweet above, this "backdoor" has something to do with Ethereum (or maybe EVM chains in general), but if we check the article talking about the hack, we can see that BTC has been stolen as well.

It's actually mind-blowing how silent they are when they have 100M $ of user funds completely gone. I personally still suspect they have the private keys (or at least some of them) stored in their servers.

Their team released a blog three days ago, saying that there weren't any new breaches since June 3rd, more specifically no new cases reported. They also said that total percentage of users that had their coins stolen were less than 0.1% of Atomic app users.

They post it like it's something good because if there's truly a flaw, an exploit, or a backdoor then "0.1%" is just the start of a potentially massive breach.

What I want to know is, when will it be considered a more serious matter, and at what point should the users start suing the developers for negligence?

[Cricktor]

IIRC in their earlier blog posts they stated something like only ~1% of users were affected, now in their recent statement a few days ago it's ~0.1% which is a difference and it smells fishy. Does this explain anything? Of course, not! Their statement is more like fog and mirrors and in the bad situation it's embarrassingly empty of investigative findings. The amount of downplay is striking and shocking.

Three weeks have past and Atomic Wallet publishes such shit statement telling barely nothing but we have no clue or between the lines you could read it: we better tell we have no clue 'cause we screwed up really badly.

[OmegaStarScream]

So it looks like they have pushed a new "mandatory security update". I couldn't find any information about it though, there's no mention of it on their twitter account or or even the release history page: https://support.atomicwallet.io/article/339-release-history

[logfiles]

IIRC in their earlier blog posts they stated something like only ~1% of users were affected, now in their recent statement a few days ago it's ~0.1% which is a difference and it smells fishy. Does this explain anything? Of course, not! Their statement is more like fog and mirrors and in the bad situation it's embarrassingly empty of investigative findings. The amount of downplay is striking and shocking.

One honestly wonders how they came up with the ~1% or ~0.1% of the affected users?
How do they differentiate addresses/seeds created through their wallet from those create through other wallets?

Something is definitely so fishy

So it looks like they have pushed a new "mandatory security update". I couldn't find any information about it though, there's no mention of it on their twitter account or or even the release history page: https://support.atomicwallet.io/article/339-release-history
https://i.ibb.co/zNjjBvf/photo-2023-06-28-18-21-06.jpg

They should just shut down their lousy app. Much better that pushing updates that no one knows about late alone what exactly happened due to the security breach.

[moha sasa]

I own 12 coins (BTC - ETH - XRP - ADA - SOL - DOT - LTC - MATIC - BCH - AVAX - XLM - DASH)

in 2 Guarda wallets (one of them is on Win 10 PC and the other is on a Linux Mint PC) and Exodus wallet (on Samsung Android V.13)

After reading this thread I decided to remove all of my coins from Guarda & Exodus

What is the best choice for me? and Why?

+ Thanks in advance and to anyone who contributed in this thread.

[rat03gopoh]

After reading this thread I decided to remove all of my coins from Guarda & Exodus

What is the best choice for me? and Why?

Your concern has nothing to do with the Atomic Wallet incident, the reason to remove it sounds absurd, although it is true that the two wallets you used weren't the best advice but it's for other reasons.
I didnt find any better multi-coin wallet recommendations in this forum besides mycelium if you see the innate characteristics. However, the last security protection is in your hands. DWYOR

[o_e_l_e_o]

One honestly wonders how they came up with the ~1% or ~0.1% of the affected users?
How do they differentiate addresses/seeds created through their wallet from those create through other wallets?

Because they log everything you do. It's a closed source wallet which communicates exclusively through their servers. They know exactly how many users they have, and exactly which addresses belong to whom.

What is the best choice for me? and Why?

Sell all the shitcoins for BTC and then store the BTC in either an open source hardware wallet such as Passport or on an airgapped cold storage device using Electrum.

If you want to keep holding shitcoins for some reason, then you are going to be stuck using insecure or closed source wallets. Your best bet will be some multi-coin hardware wallet.