A Non-Custodial wallet, Atomic Wallet, being compromised - page 4.

dkbit98

legendary

Activity: 2212

Merit: 7064

Quote from: DaveF on June 22, 2023, 09:35:45 AM

And since they only talk to their own back end SPV servers they have a good idea of your addresses (and the funds in them) since the wallet is asking for them.
Note, this is not just them it's how any lite wallet works if you connect to their servers. So, they may not know 100% who has what, but they can get a really good idea.

This guys are not skilled enough to track and monitor everything, and even with this it's impossible for people to lose so much money with hacks like this.
I suspected from start that this was insider job, just one worker or ex-worker is enough to silently distribute and release malicious app update.

Quote from: DaveF on June 22, 2023, 09:35:45 AM

And this is a bit of a side rant, but I am going to put it out there anyway. Just because it's open source does not mean it's better or more secure. There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

Well that is obvious, I can in theory create a malware and make it open source code... that doesn't means everyone should install it on their computers Cheesy

Yamane_Keto

hero member

Activity: 406

Merit: 443

Quote from: ABCbits on June 22, 2023, 07:51:05 AM

I'd like to remind that they collect these kinds of personal data which is likely done automatically,

I hope this is the only data collected, although I question the validity of this information.

Quote from: DaveF on June 22, 2023, 09:35:45 AM

There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

In this case using a multi-signature wallet where you can choose the second signature from a hardware wallet/electrum/sparrow will reduce the potential points of vulnerabilities. The problem with closed-source wallets is limited funding, so the wallet developers may make some backdoors or sell some data, or in the best case, the limited number of developers may mean the ease of finding bugs, which is completely different in an open-source wallet that has been reviewed a lot.

BlackHatCoiner

legendary

Activity: 1512

Merit: 7340

Farewell, Leo

Quote from: DaveF on June 22, 2023, 09:35:45 AM

There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

Most of the times that happened, we didn't have a closed-source alternative to compare. But at the times we did, you'll be glad to know that the closed-source alternative was way worse security-wise. A brilliant example is the OS. Take Linux and Windows. Both have exploits, both are decades old, both have hundreds of people working on them 'til this date, but Windows is less secure because it has far more vulnerabilities that allow the execution of code.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: ABCbits on June 22, 2023, 07:51:05 AM

It could be from data they automatically collect, which i mentioned above.

And since they only talk to their own back end SPV servers they have a good idea of your addresses (and the funds in them) since the wallet is asking for them.
Note, this is not just them it's how any lite wallet works if you connect to their servers. So, they may not know 100% who has what, but they can get a really good idea.

And this is a bit of a side rant, but I am going to put it out there anyway. Just because it's open source does not mean it's better or more secure. There have been some GLARING security bugs that have been found in open source software that were there for YEARS and nobody caught it. 1000s of pairs of eyes on it and all of a sudden.....oops.

Yes it's better, but DO NOT let people think it's perfect, make sure when explaining wallets to people. Multiple layers of security are better. There can be a big gaping hole in the open source wallet I use, that nobody fond yet AND there might be a compromise on my system that I don't know about. BUT, since I have my warm funds secured by PSBT to a 100% offline PC it really does not matter.

-Dave

ABCbits

legendary

Activity: 2870

Merit: 7490

Crypto Swap Exchange

Quote from: RickDeckard on June 21, 2023, 05:06:52 PM

Finally we get a statement[1] from Atomic Wallet after 18 days of radio silence regarding what might have caused the draining of the wallets. Here's a few highlights from it:
--snip--

There's one more thing i'd like to highlight

Quote from: joniboini on June 21, 2023, 07:51:25 PM

Quote from: RickDeckard on June 21, 2023, 05:06:52 PM

Quote

To summarize, less than 0.1% of Atomic Wallet app users have been affected. No new cases have been reported since June 3rd. None of the possible issues are confirmed as potentially causing massive breaches, at least in the latest Atomic app versions. Builds are verified by external auditors. Our security infrastructure has been updated, and the investigation is still ongoing.

IIRC, they said it affect less than 1% of their users in the past[1]. How do they even confirm it? Which number are they using to calculate this? The download numbers on Play Store?

--snip--

Quote from: Yamane_Keto on June 22, 2023, 05:27:28 AM

Quote from: RickDeckard on June 21, 2023, 05:06:52 PM

To summarize, less than 0.1% of Atomic Wallet app users have been affected.

That wallet's hack caused to lose value cryptocurrencies worth $35 million, how does this represent less than 0.1% of Atomic Wallet app users?

It could be from data they automatically collect, which i mentioned above.

Yamane_Keto

hero member

Activity: 406

Merit: 443

Quote from: RickDeckard on June 21, 2023, 05:06:52 PM

To summarize, less than 0.1% of Atomic Wallet app users have been affected.

That wallet's hack caused to lose value cryptocurrencies worth $35 million, how does this represent less than 0.1% of Atomic Wallet app users?
After more than 18 days, they did not give a specific answer to what happened, which means that their developer team is not that experienced, or that the vulnerability is deep and they did not find a mechanism to fix it, or that either they left back doors and exploited them to steal them.

Does anyone know the list of external auditors, and if they published it, to gain a little credibility here, they should publish it

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: RickDeckard on June 21, 2023, 05:06:52 PM

As of now I'm still baffled that they have any customers at all still using their service.

Binance have been hacked multiple times and have lost millions in crypto and hundreds of thousands of users' data. Remains one of the biggest exchanges.
Coinbase actively sell user data to third parties and inside trade against their users. Remains one of the biggest exchanges.
Platforms like Voyager, Celsius, FTX, all go bankrupt or outright scam. People continue to lose their coins on many other such platforms going bankrupt or scamming in the months since then.
Shitcoins like Luna collapse to nothing because they were outright scams, and then people continue to buy Luna 2.0.

I agree it is literally insane that anyone is still using Atomic wallet, but I also have no doubt that they will have no problem continuing to exist and not just keep current users but attract new ones too. I also have no doubt that hot wallets will never stop being hacked.

joniboini

legendary

Activity: 2170

Merit: 1789

Quote from: RickDeckard on June 21, 2023, 05:06:52 PM

As of now I'm still baffled that they have any customers at all still using their service. It seems that I'm more worried than them regarding the security of their crypto, and I'm not even a user of Atomic Wallet Cheesy

.

I guess some people rely on their promise that they'll get their money back since the team is working with exchanges to freeze the stolen money. A lot of people still seem reluctant to be completely self-reliant to secure their money.

Quote from: RickDeckard on June 21, 2023, 05:06:52 PM

Quote

To summarize, less than 0.1% of Atomic Wallet app users have been affected. No new cases have been reported since June 3rd. None of the possible issues are confirmed as potentially causing massive breaches, at least in the latest Atomic app versions. Builds are verified by external auditors. Our security infrastructure has been updated, and the investigation is still ongoing.

IIRC, they said it affect less than 1% of their users in the past[1]. How do they even confirm it? Which number are they using to calculate this? The download numbers on Play Store?

Which auditors are they referring to btw? Are they referring to Least Auditors who suggest people stop using them in the past[2]?

[1] https://cointelegraph.com/news/atomic-wallet-hack-affected-1-of-active-users-investors-claim-otherwise
[2] https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/

RickDeckard

legendary

Activity: 1148

Merit: 3117

Finally we get a statement[1] from Atomic Wallet after 18 days of radio silence regarding what might have caused the draining of the wallets. Here's a few highlights from it:

Quote

The team has researched various potential causes, the most probable of which are virus targeting on local users devices, infrastructure breach, malware code injection, or a man-in-the-middle attack. At the moment, none of the possible issues are confirmed as potentially causing massive breaches, as such types of attacks are very hard to recognize.

Quote

Our top priority is to help as many affected users as we can. We are actively working with crypto incidents investigators and authorities. The next step will be working on a legal framework for seizing frozen deposits and distributing them among affected users. We will update the community when there are more details on this front, and we ask for your patience.

Quote

To summarize, less than 0.1% of Atomic Wallet app users have been affected. No new cases have been reported since June 3rd. None of the possible issues are confirmed as potentially causing massive breaches, at least in the latest Atomic app versions. Builds are verified by external auditors. Our security infrastructure has been updated, and the investigation is still ongoing.

It seems like that they still have no clue for what might have caused this hack. This is a bit scary - if they haven't patched anything, what is stopping the hackers from continuing to drain the wallets? Are they purposely holding the draining so that users think that it is safer now only to attack once again in a near future?

As for compensation for their users, it seems like they are aiming to freeze whatever assets they manage and then distribute them accordingly. In what grounds and how remains unclear but one thing is certain - Most of the affected users won't ever see their crypto. As of now I'm still baffled that they have any customers at all still using their service. It seems that I'm more worried than them regarding the security of their crypto, and I'm not even a user of Atomic Wallet Cheesy

.

[1]https://atomicwallet.io/blog/june-3rd-event-statement

Kryptowerk

legendary

Activity: 2114

Merit: 1403

Disobey.

Quote from: Wind_FURY on June 19, 2023, 12:57:39 AM

Quote from: OmegaStarScream on June 18, 2023, 07:23:03 AM

Quote from: RickDeckard on June 18, 2023, 06:43:43 AM

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

Cool

Given what we have witnissed last year alone (FTX, Yogg...) I'd say it's quite likely. If there are several devs, it just needs one rotten apple to put in a backdoor and abuse it at some point when it seems profitable.
Then again, there is also a good chance it was some vulnurability within some dependency/package in their codebase. Maybe one of their own devs found out and decided to take advantage or someone from outside.
I clearly lean towards inside job, though. Chances are just higher.

Nothing too suprising, though.
And another great example why open source MUST be the standard for critical software such as wallets in the Bitcoin space.

Cricktor

hero member

Activity: 714

Merit: 1010

Crypto Swap Exchange

You can flag such update nonsense from Atomic Wallet as radio silence noise. Well, it could also be some sort of strategy. Not impossible that they found out what internal mistakes have led to this desaster and they came to the conclusion that radio silence is the least worse option.
Who knows... hard to believe, they could survice such a mess.

OmegaStarScream

staff

Activity: 3500

Merit: 6152

Quote from: Wind_FURY on June 19, 2023, 12:57:39 AM

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

Cool

It's difficult to say since they haven't shared any information. This is their latest post: https://twitter.com/AtomicWallet/status/1669750121586737152

If there was a backdoor by one of the employees (without the rest of the staff knowledge), they would've fixed it but as we can see, it's been some time since they last updated the software: https://support.atomicwallet.io/article/339-release-history

Also, from my understanding of the tweet above, this "backdoor" has something to do with Ethereum (or maybe EVM chains in general), but if we check the article talking about the hack, we can see that BTC has been stolen as well.

It's actually mind-blowing how silent they are when they have 100M $ of user funds completely gone. I personally still suspect they have the private keys (or at least some of them) stored in their servers.

Wind_FURY

legendary

Activity: 2898

Merit: 1823

Quote from: OmegaStarScream on June 18, 2023, 07:23:03 AM

Quote from: RickDeckard on June 18, 2023, 06:43:43 AM

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

How high is the possbility that the AtomicWallet developers backdoored their own software? Because it's so unexplainable why they still haven't shut their whole infrastructure down, or that they still allow for the wallet to be downloaded?

The Bitcoin community, and all of cryptocurrencies would receive another massive "LOSS" if some nefarious motive was found in the source code.

I would hate to post another tin-foil hat idea, but if there was something in the code, I would say that someone in Atomic's team is a plant.

Cool

Zoomic

sr. member

Activity: 616

Merit: 271

Quote from: o_e_l_e_o on June 10, 2023, 03:45:28 AM

Quote from: Flexystar on June 09, 2023, 01:26:02 PM

But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?

If Sinbad were to release logs or similar, then they are signing their own death warrant.

Sinbad will not attempt that because if they do, the whole purpose of privacy is defeated and it will go a long way to say how fast or slow data is dished out with pressure.
Exchanges are the fastest to release eve with minimal pressure in order to be in the haven book of the government.

Quote from: Wind_FURY on June 14, 2023, 08:57:54 AM

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because the obviously have failed in their social contract as a Wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they make such announcement it will create much more panic than we have. But in the real sense, they failed, that is the only viable option to mitigate losses now.

Cricktor

hero member

Activity: 714

Merit: 1010

Crypto Swap Exchange

Quote from: RickDeckard on June 18, 2023, 06:43:43 AM

... Despite all of this I'm still baffled by the fact that Atomic continues to hold radio silence regarding this hack...

[1]https://nitter.it/Gustavoatca/status/1669835377517969408

Because I have used Atomic Wallet only for a very short time for a specific task that didn't involve any painful amount of worth for me, I don't spend too much time to look for details. It's merely my personal interest in security issues in the crypto space that attracts my attention.
[1] seems to me one of the first concrete details of what might have happened. Not that I can fully grasp it, but it looks to me like an implementation flaw in Atomic Wallet that is beyond stupidity. What did the devs of Atomic Wallet think? If this is true what [1] claims and this message protocol allows without any authentication the extraction of private keys, then Atomic Wallet devs are incompetent beyond imagination.

But there's at least one thing, that I can't wrap my head around: do the attackers need to target the specific wallet users or do they target the Atomic Wallet backend infrastructure? I ask this, because there were reports of Atomic users who lost funds who didn't open Atomic Wallet for a long time. Though such user reports have to be taken with a big pile of grains of salt.

Two weeks and still counting and I find the radio silence and no signs at all on the Atomic Wallet website totally baffling, too. That is definitely not how such a hack should be handled.

RickDeckard

legendary

Activity: 1148

Merit: 3117

Quote from: OmegaStarScream on June 18, 2023, 07:23:03 AM

Quote from: RickDeckard on June 18, 2023, 06:43:43 AM

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

Somehow I've missed that tweet. Thank you for pointing out! Looking forward what the community will find out considering that the source code was only updated 3 days ago which isn't a lot of time for people to be aware of it.

DaveF

legendary

Activity: 3500

Merit: 6320

Crypto Swap Exchange

Quote from: OmegaStarScream on June 18, 2023, 07:23:03 AM

Quote from: RickDeckard on June 18, 2023, 06:43:43 AM

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

There was an update to Atomic the end of May. So the question now becomes what that the version that introduced the vulnerability or was it perhaps the version that fixed it?
If it fixed it, then a lot of people can spend a lot of time looking at the code and find nothing.

Also, on that note does anyone know if you would see it in what was released if it was a 'supply chain' issue and a library that it was using that was the vulnerability?

-Dave

OmegaStarScream

staff

Activity: 3500

Merit: 6152

Quote from: RickDeckard on June 18, 2023, 06:43:43 AM

-snip-

If you check the tweeter's previous post, you can see that he linked this GitHub page: https://github.com/osarjuhcnus/atomicwalletsdesktopource#readme

So apparently, someone who lost money from this hack decompiled Atomicwallet and posted its source code for people to try and find the vulnerability.

RickDeckard

legendary

Activity: 1148

Merit: 3117

This thread[1] is very interesting and may point towards one of the causes that led to this attack. According to him:

Quote

Whisper (SHH) is a protocol and communication layer that provides secure and private messaging functionality on the Ethereum network. It enables users to send encrypted messages directly to specific recipients without the need for intermediaries

Quote

All the hacker needs to do is send the message with the backdoor command to the address they want to hack. It will return an SSH to the hacker's private key (a message that only they can read, containing the victim's wallet information).

My first question would be how the user got a hold of (part?) the code behind Atomic Wallet. I do know they have a GitHub page[2], but I'm not sure if they publish sections of their code in there. Despite all of this I'm still baffled by the fact that Atomic continues to hold radio silence regarding this hack...

[1]https://nitter.it/Gustavoatca/status/1669835377517969408
[2]https://github.com/orgs/Atomicwallet

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Presumably by now we show have at last some kind of news on the cause of the hacks or the vulnerability, or is ZachXBT taking a vacation? Sad

Quote from: o_e_l_e_o on June 15, 2023, 04:11:27 AM

I've obviously never used Atomic wallet, but am I right in saying there is no way to link it to your own node or server? In other words, it operates exclusively via Atomic's own servers? And also, do we know how the attack took place yet? Were the attackers able to remotely sign transactions, or were they able to extract private keys or seed phrases?

I am wondering if Atomic had pulled their central servers offline, whether this would have stopped further funds being stolen?

Atomic Wallet is proprietary software built with (what I assume to be) Electron and thus it can only communicate with company servers, especially since the "Swap" feature is custodial and requires servers. There's no Atomic Wallet Server either.

Quote from: RickDeckard on June 14, 2023, 05:27:47 PM

Seems like that at this time is mostly assumed that Lazarus group definitely is behind this attack. I don't know how Atomic Wallet intends to refund their clients and I also don't know if they are solvent enough to do it. The worse part of this all is that people will keep trusting CEX's Roll Eyes

.

This doesn't really sound like a Lazarus hack, because those guys are presumably competent enough to not go after only a few hundred "active wallets" if they have the god-level access in the wallet system, they'd drain the entire system and leave it to burn. It sounds to me more like a script-kiddie weaseled into the systems - which is bad news for Atomic Wallet's security if that is true.

Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 4. (Read 2558 times)