Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 6. (Read 2558 times)

I have used Atomic Wallet for a very short period of time for some shitcoins that needed to be moved around and where I didn't even trust the shitcoin's native wallets. I was concerned that Atomic Wallet is closed-source, did some deep research if this software had some bad history or reputation. At that time, I couldn't find deeply alarming news, so I thought, OK, why not, no large amounts of value at stake and I didn't run that software on the same computer where my trusted wallet(s) where.

As an end user I would be pissed if I had no control over updates or downloading a dead version. Forced updates can be a dangerous thing if external or internal attackers of a wallet's backend gain malicious control. With forced updates you can screw every user of the wallet when the wallet's infrastructure gets compromised. Displaying a big red warning in the user's wallet would be nice if that is done in safe way that can't be exploited by malicious actors. My hopes are not high for Atomic users as the past audits seemed to indicate that software and security quality of Atomic isn't what it should be.

There's still too much speculation of what went wrong or how the attacks were possible. A dead version in the app stores wouldn't help if the seed or private keys got compromised. And you could potentially protect only users with a forced update before attackers could do their stealing.

The communication of the wallet's company is very much sub-par. If they don't know what's going on, then why they don't shut down the backend systems and tell the users to immediately move their funds to a new safe wallet that's not affected. (Well, if you have lots of shitcoins, then good luck with finding suitable safe other wallets to hold your shitcoins.)



Sounds like click-bait of this dude. So, for what reason this "Zach" doesn't reveal his knowings?

Both of them are certainly a possibility. It is hard to figure out what really happened unless Atomic shares what kind of exploits are being used by the attacker. Even if they did that though, the distrust is still there since they can edit some code before making it public to steer the narrative to their preferred direction. Zach also claims to know what happened behind the scene. At the end of the day, someone would be better off using other wallets in the future.

Unless I'm mixing up some news, IIRC, they disable the downloads shortly after the attack was reported. Not sure why they allow users to download it again, especially after some reports suggesting the latest version is one of the ones that got affected.

I'm thankful for bitcointalk and the educative information that's been shared here on dailies. As a newbie that registered on this platform, I used to have some crypto assets that's worth few couple of bucks on my atomic wallet until I stumbled on the some topics here about the dangers of using close source wallets, so I decided to move my assets out of atomic wallet... If not I might have been a victim too. This is an eye-opener and I hope other persons can learn from this and distance themselves from using close source wallets and exchanges in storing their funds.

If they were ' inadvertently logging users' keys to their servers' then the app was totally fucked from the start. The ONLY thing the app should be sending to the servers is the request of the transaction lists for the addresses to figure out how much is in the owned addresses and a signed TX when broadcasting a send. There should be no way in hell that your private keys are EVER sent to them.

However, you can't fix stupid, and since it's closed source you never really know what they are doing [unless you setup a mitm attack on your own network and monitor what comes in and out].

Side thought, when this happens why the hell do these wallet people not push a 'dead' version out to the app stores. Should be sitting there and ready to go. Just one that displays a big warning about what happened. And get do some other things. But no way to interact with the net. Should be sitting there ready to be deployed with a deadman switch when something like this happens.

-Dave

I think he is confusing Atomic with being Binance owned, but Trust Wallet is just as closed source as well, and ironically there is no point in trusting such wallets. You might as well store your coins on Binance. They might have a lesser chance of being hacked. Although looking at the past history of crypto exchanges, they eventually screw up, get hacked or straight up steal your money.

I agree that any wallet which is not 100% open source is a red flag. Otherwise behind the code could be a third party, trying to take your money with a strategically planned hack.  

inb4 North Korea was behind Atomic all along.

Fortunately, a large group, including me, was not affected by what happened to the Atmoic Wallet, as I immediately transferred my funds to another wallet after I found many reports of stolen funds by many users in the tweets of the official account of the Atmoic Wallet, I feel sad because I saw a lot of they lost thousands of dollars due to the Lazarus Group, who are responsible for these hacks.

Do you guys agree with what @tayvano_ mentioned on her Twitter account about some of the possibilities of the root causes of this Atomic Wallet hack:

Source: https://twitter.com/tayvano_/status/1665519797470367744

BTW, I hope that the exchanges will support this case and freeze the stolen funds of these criminal gangs and that the Atomic team will be able to compensate the losses of the affected users.

And another update: According to ZachXBT[1], it seems that the entity responsible for the hack was the Lazarus Group[2]/DPRK (considering the patterns of how the crypto was laundered). It seems that North Korea is having (another) field day with this hack...

---

[1]https://nitter.it/zachxbt/status/1666115739764285445
[2]https://en.wikipedia.org/wiki/Lazarus_Group

Crazy!
Number grows with every new day and who knows how many people don't even know or they didn't report loses.
It's important not to open atomic wallet that is connected to internet, than import seed phrase backup to another wallet and move coins asap.
Few years ago I tested this atomic wallet and I never liked how it works, but closed source and amateur devs was always a red alert for me.

Yes with a but, or no with a however.
Having multiple files now means that humans are going to be human. So if some function calls something that you are not using / not interested in then you (who I assume to be human) may not examine it as well or even at all. Having it all in the 1 monolithic file forces you to read the entire thing.

There is a good and bad side to both ways.

Back to this. Has anyone here actually lost real funds? I keep hearing reports of people loosing money, but so far it's nobody here as far as I can see.

-Dave

Yeah Yamane_Keto, we understood what you meant, but I'm not sure you understood what you're expecting of average users either

I'm the regular user we're all talking about. Understand the most basic of coding languages, far from enough to understand anything harmful or malicious on Github if it screamt out at me.

It's still many time safer, and practical, to simply trust a software you know is actively being reviewed and checked by very good developer communities. To the simple user (yours truly), Electrum and Bitcoin Core prove that, by acting very quickly when changes need to be made or holes plugged.

If you are a newbie who cannot code, then both tasks are equally impossible. And if you are a newbie who cannot code, then you will be exponentially safer using Electrum than you would be using some random paper wallet generator you found via Google.

Paper wallets are an excellent option if you can vet the code you are using, you understand how to set up and use a truly airgapped system, and you understand how to spend from these wallets without ruining your privacy and security or losing any coins. But this is complicated to do. Suggesting them as an alternative for everyone leaving Atomic or other closed source wallets is bad advice.

That's the problem with shipping your codebase as a giga-large single file - particularly as an HTML file - even I don't have the patience to read or understand what all that code is doing. Electrum is easier to navigate because you can trace the control flow through multiple files, and that eliminates a lot of the irrelevant code that is not likely to be of interest to hackers.

This is the same as expecting from a newbie to write the paper wallet software themselves. It's ridiculous to expect from a newbie to know how to read / write code. And no, it's neither practical to read that. If you open up bitaddress.org's source code, you'll notice bitaddress.org.html is more than 10000 lines long. Less than Electrum, but still impractical.

If you're not a competent software engineer, as the folks behind software like Bitcoin Core and Electrum, then you shouldn't trust yourself more than them. The odds of messing up are far greater.

At least you can read the code related to paper wallets and check every line in it, which is impossible for a wallet like Electrum. My talk if you don't want to trust any developer, I know a lot of skeptical people who like to check everything themselves.
Setting up and managing paper wallets is not difficult for someone who can read every line, perhaps it is not the best option in terms of privacy and dynamism, but everything has a cost.



Without making the wallet open source, I don't think anyone would be stupid enough to use them.

Update: So it looks like the stolen funds (~35M $) are on the move:


Also according to Atomic Wallet, no stolen funds have been reported in the last 40 hours: https://news.bitcoin.com/atomic-wallet-hack-team-claims-no-assets-have-been-lost-in-more-than-40-hours/

The slight difference is that on one end it is stored in their logs and any breach on their side can access it or the software themselves can easily steal your private keys and on the other hand it is not stored in their data logs but on the user's wallet file and not directly accessible to them.

There is always a risk when dealing with soft-wares even those that are open source, but is is much safer choosing one which is open source and reputable.

- Jay -

This is poor advice.

There have been a number of paper wallet generators over the years which have also been malicious and have stolen any funds sent to the paper wallets they generate. And even if someone happens to pick legitimate paper wallet software, paper wallets are difficult to set up and use correctly without making a critical mistake, exposing your private keys to the internet, sending your change to an address you cannot access, and so on. They should not be used by newbies as a "best place to start".

The best advice for newbies who cannot review code has always been to choose an open source, reproducible, widely used, widely reviewed, and reputable wallet. This is why Electrum is so popular and so often recommended

As I said earlier, the manipulation of terminology is what gave many users a false sense of security. Custodial walle and Non-Custodial walle have no meaning, but the real difference is whether that software is a wallet or not. In the sense that all closed source wallets are not a wallet because we do not know how the private key is generated and whether the code is safe or not. The fact that a third party may know your private key means that you do not own your money.

If you do not know how to read the code, it is best to start with a paper wallet that generates private keys in a simple way or trusts individuals or a community to review the code.

What is meaning of "kata"? Is japannese language?

That's not a good move. Importing 12 word into the new wallet you want to transfer will be meaningless because the 12 word you import are from the initial wallet you are using.
The good thing is to send coins from the wallet you are using to the new wallet you are going to use.

Unstoppable wallet that I can say is a good wallet for you to transfer existing coins in Trust Wallet and Exodus by sending them to the Unstoppable wallet that you created recently.
What I say is the same as what has been explained by hosseinimr93