Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 5. (Read 2562 times)

legendary
Activity: 2268
Merit: 18771
I've obviously never used Atomic wallet, but am I right in saying there is no way to link it to your own node or server? In other words, it operates exclusively via Atomic's own servers? And also, do we know how the attack took place yet? Were the attackers able to remotely sign transactions, or were they able to extract private keys or seed phrases?

I am wondering if Atomic had pulled their central servers offline, whether this would have stopped further funds being stolen?
legendary
Activity: 1148
Merit: 3117
This tweet[1] is a great overview of how deep this breach was. I'll point out the tweets that stood out the most for me:
Quote
The timeline is also notably diff when comparing a hack like BitKeep.

Usually when draining 1k+ addies, hackers write scripts and just blast it out.

This results in most addies being drained in the same minute or two w a trailing tail for the remainder of the hour:
Quote
But for the Atomic Wallet incident, the initial theft transactions ran for like 20 fucking hours.

😳

~Fri Jun 2 @ 9pm UTC - Sat Jun 3 @ 5pm UTC
aka
~Sat Jun 3 @ 6am KST – Sun Jun 4 @ 2am KST
Quote
And, yeah, I know, that graph only goes until 10:00am UTC.

Thats bc they actually started to launder the largest thefts *while* still draining wallets, swapping tokens, and draining more wallets.
It seems that at this time it is mostly assumed that the Lazarus group is behind this attack. I don't know how Atomic Wallet intends to refund their clients and I also don't know if they are solvent enough to do it. The worst part of all this is that people will keep trusting CEX's.

[1]https://nitter.it/tayvano_/status/1668935273047261185
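The tweets above contrast a scripted "blast" drain (most victims hit in the same minute or two) with the Atomic Wallet thefts that ran for about 20 hours. As an added example, not code from the thread or from tayvano's analysis, the following Python profiles a set of theft transfers and applies that heuristic; the timestamps and victim labels are constructed sample data, and the 80% burst share and 6 hour span thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data (not real Atomic Wallet transactions): each entry is
# (UTC timestamp of the theft transfer, placeholder victim address label).

# Shape tayvano describes for a typical scripted drain: most victims in the
# same minute or two, then a trailing tail within the hour.
SCRIPTED = (
    [(_t("2023-06-02 21:00"), f"victim{i}") for i in range(40)]
    + [(_t("2023-06-02 21:01"), f"victim{i}") for i in range(40, 70)]
    + [(_t("2023-06-02 21:25"), "victim70"), (_t("2023-06-02 21:48"), "victim71")]
)

# Shape described for the Atomic Wallet incident: thefts spread over ~20 hours.
PROLONGED = [
    (_t("2023-06-02 21:00") + timedelta(minutes=17 * i), f"victim{i}")
    for i in range(72)
]


def drain_profile(events, burst_window=timedelta(minutes=2)):
    """Summarise theft transfers: total span in hours, share of distinct
    victims drained within burst_window of the first theft, and the number
    of transfers in the busiest single minute."""
    if not events:
        raise ValueError("no theft events supplied")
    events = sorted(events)
    start, end = events[0][0], events[-1][0]
    victims = {label for _, label in events}
    early = {label for ts, label in events if ts - start <= burst_window}
    per_minute = Counter(ts.replace(second=0, microsecond=0) for ts, _ in events)
    _, peak_count = per_minute.most_common(1)[0]
    return {
        "victims": len(victims),
        "span_hours": (end - start).total_seconds() / 3600,
        "burst_share": len(early) / len(victims),
        "peak_minute_count": peak_count,
    }


def classify(profile, burst_threshold=0.8, long_span_hours=6):
    """Label a drain as a scripted burst, a prolonged campaign, or neither.
    Thresholds are assumed values for this example, not published figures."""
    if profile["burst_share"] >= burst_threshold:
        return "scripted-burst"
    if profile["span_hours"] >= long_span_hours:
        return "prolonged"
    return "indeterminate"


if __name__ == "__main__":
    for name, data in (("scripted", SCRIPTED), ("prolonged", PROLONGED)):
        p = drain_profile(data)
        print(name, classify(p), p)
```

A prolonged profile is the cue that keys were being harvested and cashed out over time rather than dumped in one batch, which is the point the tweet uses to separate this incident from a BitKeep-style drain.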
hero member
Activity: 798
Merit: 896
Leading Crypto Sports Betting & Casino Platform

That I agree with.
At this point there is nothing that can be done. The trust is gone, the lack of communications is ridiculous, and so on.
The fact that you can still download and install the app is just more proof that they don't care / don't have a clue / are in on the theft.

-Dave

Yeah, the communication, even if they are trying, really is kind of bad.
Also, when opening the wallet on phone or computer there should at least be a message or something to warn users about the current situation. But there is nothing.

I used this wallet a lot over the past 2 years. Even when I was dissatisfied with the way they treated their own token.
Still to this day I have AWC-986 in my wallet and there is no way to exchange them for other altcoins. Only the new one is possible to trade. They claimed this will be possible in the first months of this year, now in June and still nothing.

Anyway, I was lucky enough to have no damage from this and moved all my stuff somewhere else. Didn't have a lot in the wallet to begin with but would have been annoying to lose those as well.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen.

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they screwed up enough to have people get access to the users private keys then turning off their servers will make 0 difference.

And people can already get their keys, import them into other wallets and move their funds.

The rest really does not matter at this point.

Like I have always said, I have some coins in another multicoin wallet that is closed source.
The amount of funds I have in it is worth less than the phone it's on, and I use cheap(ish) phones.

-Dave


Sorry, but let me make it clear. I didn't suggest that Atomic Wallet turn off everything to "stop the theft", there's nothing that can be done about that unless the users transfer their assets manually to another wallet. What I was suggesting was to turn off everything, including development, and shut the WHOLE project down. It's stupid for it to continue in my opinion.

That I agree with.
At this point there is nothing that can be done. The trust is gone, the lack of communications is ridiculous, and so on.
The fact that you can still download and install the app is just more proof that they don't care / don't have a clue / are in on the theft.

-Dave
legendary
Activity: 2898
Merit: 1823
There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen.

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they screwed up enough to have people get access to the users private keys then turning off their servers will make 0 difference.

And people can already get their keys, import them into other wallets and move their funds.

The rest really does not matter at this point.

Like I have always said, I have some coins in another multicoin wallet that is closed source.
The amount of funds I have in it is worth less than the phone it's on, and I use cheap(ish) phones.

-Dave


Sorry, but let me make it clear. I didn't suggest that Atomic Wallet turn off everything to "stop the theft", there's nothing that can be done about that unless the users transfer their assets manually to another wallet. What I was suggesting was to turn off everything, including development, and shut the WHOLE project down. It's stupid for it to continue in my opinion.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen.

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?

If they screwed up enough to have people get access to the users private keys then turning off their servers will make 0 difference.
And people can already get their keys, import them into other wallets and move their funds.

The rest really does not matter at this point.

Like I have always said, I have some coins in another multicoin wallet that is closed source.
The amount of funds I have in it is worth less than the phone it's on, and I use cheap(ish) phones.

-Dave
legendary
Activity: 2898
Merit: 1823
There are two people on Twitter who are compiling a list of stolen assets from Atomic Wallet users. ZachXBT has listed over $60 million stolen, and Elliptic has reached $100 million stolen.

I believe Atomic Wallet developers should start telling their own users to transfer their assets somewhere more secure because they obviously have failed in their social contract as a wallet. Turn off their infrastructure, development, everything. How many more users must lose their savings?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Did they promise that they don't collect data from users?
This comes from their FAQ page (2021):
What other service would you trust if they promised that and still collected data?
I wouldn't, it was just that they had gained much trust. And it still might have been a honeypot, but I doubt very much.
legendary
Activity: 2114
Merit: 1403
Disobey.
It couldn't have been a malicious update since many of the victims of the Atomic Wallet hack claim they were using an old version of the wallet when the unauthorized asset draining occurred. It also doesn't look like hackers accessing dozens of computers with wallets installed, extracting secret information, and moving coins to the addresses they control: if that were the case, more users would have been affected. The most plausible explanation of what happened would be that Atomic Wallet is a semi-custodial wallet pretending to be fully non-custodial; it generates and keeps user information server-side for unknown purposes, probably for ensuring the proper functioning of some parts of the software like swaps or in-built exchanges. Users affected by this hack should have something in common: most likely they all were using the same in-built service that somehow leaked private keys when communicating with the server.

I am curious if there could be an alternative explanation for this hack. From what I gather, it seems that users were compromised even when they didn't have Atomic wallet actively running on their computers. Some individuals have reported not using the wallet for several months prior to the incident. In my opinion, this rules out the possibility of malicious code like trojan or spyware residing on their computers. Unless, of course, the attacker had been gathering private keys for an extended period of time leading up to the attack.


Is there any update on this shedding light on what actually happened to the stolen user funds and, more importantly, how the hack was conducted and which types of users were affected?
Is the team responsible for Atomic Wallet publicly known?
Highly unlikely any funds will be retrieved but holding folks accountable would be a first step.
hero member
Activity: 518
Merit: 547
It's also too big to keep such data. Even if they did keep logs, and stored in detail which private key comes from which deposit, 7 terabytes is an unreasonably large size. To put it in some perspective, the entire blockchain is about one tenth of that. And the fact that the feds never disclosed anything about that 7 TB makes me question even more whether it kept logs.
They had four servers. Let's say they were running four full nodes. That may consume around 2.2 TB. But I was surprised when I saw the FBI seize four servers and 7 TB of data. It leads me to wonder what data they kept. User data like IP logs, addresses and other data might be saved as text files, which shouldn't consume that much storage. They might store some additional data or operate a bunch of different services on those four servers. I don't know what they promised while on the market because I did not use their service. Did they promise that they don't collect data from users? What other service would you trust if they promised that and still collected data?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
But, the Storage size (7 TB) that the FBI seized was too big for a mixer service.
It's also too big to keep such data. Even if they did keep logs, and stored in detail which private key comes from which deposit, 7 terabytes is an unreasonably large size. To put it in some perspective, the entire blockchain is about one tenth of that. And the fact that the feds never disclosed anything about that 7 TB makes me question even more whether it kept logs. Arguing it did collect data holds less ground than arguing that the operator was an upstanding member of the piratebay, seeding and leeching movies.
hero member
Activity: 518
Merit: 547
Would you use a VPN which collects logs and hands them over to third parties? Of course not. Why would anyone use a mixing service which collects logs and hands them over to third parties?
The sad thing is we do. Some of us use them without knowing that they collect data, and others, even knowing they collect data, still use them. Did you know whether CM collected user data such as IP and wallet addresses? I am not sure if they did. But the storage size (7 TB) that the FBI seized was too big for a mixer service. I don't understand what kind of data can take that much storage. Let's say mixer services promise they do not collect any data from us, and they do it without letting us know. How can we verify their claims? The only thing we can do is "believe their promise." We often say, don't trust, verify. But sometimes we cannot verify everything.

I know some of my friends use free VPNs. Some of them know that those VPNs collect data from their devices and still don't care about it. We are not all cypherpunks! We cannot expect everyone to care about their privacy. If they are dumb enough, we can let them do it. The whole point of my post is that even though we don't want to use those services that collect data, sometimes we use them, knowingly or not. You never know if those services collected your data or not.
legendary
Activity: 2268
Merit: 18771
But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?
If Sinbad were to release logs or similar, then they are signing their own death warrant.

The whole point of privacy services is to provide privacy, not to hand consent for exposure of your information to a random third party to decide based on their own arbitrary rules. Yes, a minority of users of privacy tools (such as mixers, coinjoins, VPNs, Tor, PGP, end to end encrypted messengers, etc.) are doing illegal things, but the vast majority of users of such services are just average people who do not want random third parties and governments spying on everything that they do. Would you use an encrypted messenger with a government backdoor? Of course not. Would you use a VPN which collects logs and hands them over to third parties? Of course not. Why would anyone use a mixing service which collects logs and hands them over to third parties?

staff
Activity: 3500
Merit: 6152
-snip-

It should also be possible for Elliptic or ChainAlysis (which Atomic wallet is currently seeking help from[1]) but I would imagine it all depends on how the mixer works, and I doubt it would be that easy of a task.

[1] https://twitter.com/AtomicWallet/status/1666591717347262468
legendary
Activity: 2170
Merit: 1789
But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?
Even if they can do it, I doubt any mixer would do that (at least not publicly). It basically tells its users that they can and will expose their logs if they deem it necessary. Why bother using them in the future if privacy is your goal? Besides the fault of this case is more on Atomic Wallet being a terrible wallet, not necessarily a mixer or other privacy tools IMO.

How can a mixer know the seed phrase of an address that they sent coins to after mixing, that is not possible.
I think he's not referring to the seed phrase of the hacker address, but the logs of the mixing process.

Sounds like click-bait of this dude. So, for what reason this "Zach" doesn't reveal his knowings?
He's got a decent following on Twitter at the very least. Can't say for certain how reliable his info is since I'm not that active on social media. You can check out his Twitter if you want to know more, @zachxbt.
legendary
Activity: 994
Merit: 1089
Damn, once it's through the Sinbad mixer it's gonna go away forever. Maybe only the mixer service owner would know which seed was allotted and where the money is, isn't it?
But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?
How can a mixer know the seed phrase of an address that they sent coins to after mixing? That is not possible. Mixers are not investigators; they just receive funds and help their customers conceal the origin of the funds. By the way, Sinbad also does not keep logs after customers use their mixer; they delete the logs one hour after the service is used.
hero member
Activity: 2786
Merit: 657
Want top-notch marketing for your project, Hire me
It's still being investigated, and no one actually knows if their software is really being compromised or not. But better be safe than to lose all of your coins/savings. If you're an Atomic Wallet user, send them out to another wallet ASAP.
What investigation do you expect from a wallet that has had a shady record right from the beginning? I can remember when they had their bounty campaign on this forum years ago, they were tagged as scammers by JollyGood and, for the record, some of their bounty campaign participants complained about not receiving payment.

I wonder why people should still be using a wallet that supports only legacy addresses when there is SegWit today. Any bitcoin wallet, whether it also supports altcoins or not, should not be used anymore if it cannot follow the recent standards.
Same here, but I have come to learn that some cryptocurrency investors will go the extra mile just for dividends and giveaways. You won't believe that the hacking issue happened after the announcement of their 1,000,000,000 $PEPE giveaway to 10 lucky winners.
full member
Activity: 1092
Merit: 227
Update: So it looks like the stolen funds (~35M $) are on the move:

On June 5, blockchain compliance analytics firm Elliptic reported that its Investigations Team has traced funds from the $35 million Atomic Wallet hack to crypto mixer Sinbad.io.

Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/

Damn, once it's through the Sinbad mixer it's gonna go away forever. Maybe only the mixer service owner would know which seed was allotted and where the money is, isn't it?
But I am curious, if they already know that funds are on the move then is it possible for middle services like sinbad mixer to expose them for the sake of goodness and users money?

I am not sure how this transaction went since your post is old and by now there might be hundreds of different addresses on which the distribution might have occurred already.

But there's gotta be a way; there always is?
legendary
Activity: 1526
Merit: 1359
It couldn't have been a malicious update since many of the victims of the Atomic Wallet hack claim they were using an old version of the wallet when the unauthorized asset draining occurred. It also doesn't look like hackers accessing dozens of computers with wallets installed, extracting secret information, and moving coins to the addresses they control: if that were the case, more users would have been affected. The most plausible explanation of what happened would be that Atomic Wallet is a semi-custodial wallet pretending to be fully non-custodial; it generates and keeps user information server-side for unknown purposes, probably for ensuring the proper functioning of some parts of the software like swaps or in-built exchanges. Users affected by this hack should have something in common: most likely they all were using the same in-built service that somehow leaked private keys when communicating with the server.

I am curious if there could be an alternative explanation for this hack. From what I gather, it seems that users were compromised even when they didn't have Atomic wallet actively running on their computers. Some individuals have reported not using the wallet for several months prior to the incident. In my opinion, this rules out the possibility of malicious code like trojan or spyware residing on their computers. Unless, of course, the attacker had been gathering private keys for an extended period of time leading up to the attack.
legendary
Activity: 2464
Merit: 4415
🔐BitcoinMessage.Tools🔑
Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Quote
The application that Atomic Wallet built was not built in a secure manner.

Either someone pushed a malicious version of the application that stole users' keys.

Or they were inadvertently logging users' keys to their servers and those servers were accessed by a malicious actor.
Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.
It couldn't have been a malicious update since many of the victims of the Atomic Wallet hack claim they were using an old version of the wallet when the unauthorized asset draining occurred. It also doesn't look like hackers accessing dozens of computers with wallets installed, extracting secret information, and moving coins to the addresses they control: if that were the case, more users would have been affected. The most plausible explanation of what happened would be that Atomic Wallet is a semi-custodial wallet pretending to be fully non-custodial; it generates and keeps user information server-side for unknown purposes, probably for ensuring the proper functioning of some parts of the software like swaps or in-built exchanges. Users affected by this hack should have something in common: most likely they all were using the same in-built service that somehow leaked private keys when communicating with the server.