
Topic: A Non-Custodial wallet, Atomic Wallet, being compromised - page 8. (Read 2334 times)

legendary
Activity: 2170
Merit: 1789
Zach claims to have successfully recovered some of the stolen funds. He said he knows what is wrong but prefers not to share it as of now[1]. Wonder why he decided to do that, maybe the attacker still has the means to exploit more? Kinda surprising the funds are even recoverable.

[1] https://twitter.com/zachxbt/status/1665226056570118146
hero member
Activity: 2464
Merit: 934
This should make us all aware that closed source wallets should be avoided at all costs even though they might be promoting themselves as a non-custodial wallet.

I saw posts on Reddit saying this could be an inside job as well.

Atomic wallet devs were warned about security risks in their wallet long ago, check out this CoinDesk post [1].

[1] https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/
full member
Activity: 1092
Merit: 227
Well, this makes me think about all those claims which stated that if you own the keys then you are the owner and no one can have access to your wallets/funds within. I’m shocked to see this news about Atomic wallet. How is everyone going to trust any other wallet too, if wallet services that claim to be non custodial? This is definitely a phishing attack, because let us say it was really a compromised wallet and a hacked one, then either the hacker has just found out the loophole in the non custodial system or it could be the owner himself who has turned his business into some quick disruption of money. In any case, the user is the one that suffers. Hope everyone else moves their funds as quickly as possible to another wallet.
legendary
Activity: 1484
Merit: 1355
Thanks for sharing this!

I am a long time atomic user and never had any problems with it. Reading this makes me overthink using it in the future.

It would be foolish to continue using this wallet after reading about multiple reports of lost funds from all over. Even the official website has disabled software downloads, and they have stated that they are currently investigating the issue.

But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

Every wallet stores customer seeds and private keys internally; it cannot function differently. But since this is a closed-source wallet, we cannot know what is happening in the background. Some preliminary reports claim that it was a malicious update originating from a hacked official site, but there is still no official explanation.

Sorry if my questions are kind of stupid. I have no idea about the technicalities.

No, your questions are not stupid, but it is still too early to say anything because we do not know what actually happened.

I just use the wallet from time to time for smaller transactions.

If you still have funds in your wallet, it is advisable to transfer them to a safe place as soon as possible.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

You should never write any wallet in JavaScript, and in particular NodeJS & Electron (not to be confused with "Electrum" wallet which uses Python), because your project dependencies will pull literally hundreds of other dependencies, some of which are outdated, and there's no way for you to get around that situation. Instead of a bullet, it's like a hundred pieces of shrapnel from a missile and will almost certainly get you killed.

Interesting posts of their Subreddit: https://www.reddit.com/r/atomicwallet/
Why can't I find one helpful Reddit post, ever? I mean, look at the first reply of We are investigating.

Quote
~snip

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?

XRP, a shitcoin, does not have any reputable wallet software for it.
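
The dependency sprawl described in the post above can be measured from a project's lockfile. This is an added example, not code from the thread or from any wallet project: it audits an npm lockfile (field names follow npm's lockfileVersion 2/3 layout) and reports transitive packages, entries without an integrity hash, off-registry sources, and install scripts. The lockfile contents and package names are constructed.

```javascript
// Constructed sample lockfile; package names, URLs and hashes are illustrative only.
const SAMPLE_LOCK = {
  name: "demo-wallet",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-wallet", version: "1.0.0",
          dependencies: { "ui-kit": "^2.0.0", "stream-utils": "^3.3.0" } },
    "node_modules/ui-kit": { version: "2.1.0",
      resolved: "https://registry.npmjs.org/ui-kit/-/ui-kit-2.1.0.tgz", integrity: "sha512-AAAA" },
    "node_modules/stream-utils": { version: "3.3.6",
      resolved: "https://registry.npmjs.org/stream-utils/-/stream-utils-3.3.6.tgz", integrity: "sha512-BBBB" },
    // Pulled in by stream-utils, never chosen by the wallet developer.
    "node_modules/flat-helper": { version: "0.1.1",
      resolved: "https://registry.npmjs.org/flat-helper/-/flat-helper-0.1.1.tgz",
      integrity: "sha512-CCCC", hasInstallScript: true },
    // Nested copy fetched from a mirror, with no integrity hash recorded.
    "node_modules/ui-kit/node_modules/left-trim": { version: "1.0.0",
      resolved: "https://mirror.example.invalid/left-trim-1.0.0.tgz" },
  },
};

const TRUSTED_REGISTRY = "https://registry.npmjs.org/";
const MARKER = "node_modules/";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(path) {
  return path.slice(path.lastIndexOf(MARKER) + MARKER.length);
}

function auditLockfile(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const report = { total: 0, direct: 0, transitive: [],
                   missingIntegrity: [], offRegistry: [], installScripts: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || meta.link) continue; // skip the root project and workspace links
    const name = packageName(path);
    report.total += 1;
    // Only a top-level entry named in the root manifest counts as a direct dependency.
    if (path === MARKER + name && direct.has(name)) report.direct += 1;
    else report.transitive.push(name);
    // Without an integrity hash, npm cannot detect a swapped tarball.
    if (!meta.integrity) report.missingIntegrity.push(name);
    if (!String(meta.resolved || "").startsWith(TRUSTED_REGISTRY)) report.offRegistry.push(name);
    // Install scripts run arbitrary code on the build machine at install time.
    if (meta.hasInstallScript) report.installScripts.push(name);
  }
  return report;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Every name under `transitive` is code that ships in the application without appearing in its own manifest, which is the path the Copay incident took.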
hero member
Activity: 574
Merit: 663
Thanks for sharing this!

I am a long time atomic user and never had any problems with it. Reading this makes me overthink using it in the future.
But I wonder, how can wallets be compromised? How will hackers gain access?
Does Atomic store customers seeds or how is it even possible?

Sorry if my questions are kind of stupid. I have no idea about the technicalities.

I just use the wallet from time to time for smaller transactions.
hero member
Activity: 1423
Merit: 504
Sad day for Atomic Wallet users. It's (another) stark reminder. Not your keys, not your coins.
Atomic wallet is a non-custodial wallet and gives you the private keys. The problem with Atomic wallet is that it's closed source and there is no way to know how the keys have been generated and whether the user is the only one who has access to the keys or not.
Oops, don't know how I confused closed source with the not-your-keys concept.
I got ate up for closed source on 1splitkey, even though it was split keys people didn't trust it.
I now know that lack of understanding means lack of trust.
I closed source code as it was tesla agents that controlled systems and didn't want that repurposed via simple cli tweaks. That was my reasoning. What's theirs? Why were they so successful?
These occurrences prove that they aren't always non-custodial.

legendary
Activity: 2226
Merit: 1049
This is rather sad news. I am a bit surprised that this has to happen; my astonishment is probably due to the fact that it is a non-custodial wallet that is involved in this hack. I think we are very used to custodial wallets and centralized platforms being hacked; a non-custodial wallet hack is rather new and shocking, and some would want to ask questions like, if a non-custodial wallet can be hacked, then which type of wallet is exactly safe?

I think the above question can only be answered after the management of Atomic wallet comes out with a comprehensive reason for what led to the hack, and let's hope they are sincere to their users and the entire crypto community at large.
hero member
Activity: 714
Merit: 1010
It's sad news, we thought that using a non-custodial wallet is safe, in fact, there's no really safe over the internet.
Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.

So IMO it would be better if Atomic wallet move their coins/token by importing recovery words to other wallet rather than opening their Atomic wallet application.


A software wallet is only as safe as the computer and OS used to run it. If the computer is compromised then malware with sufficient elevated rights can compromise the software wallet. If the software wallet itself is badly crafted, which you can't check with closed-source software, then you're screwed anyway.

Importing the BIP-39 compatible recovery words of the Atomic Wallet in another wallet only makes sense if you can exclude the possibility that those recovery words or the underlying seed wasn't already compromised. Sure, if the current attack on Atomic Wallet needs some more ongoing interaction with the Atomic Wallet software, then you may gain some ground by importing it in another verified wallet that supports all your coins and tokens. Sadly, many alternatives are closed-source, too, with very few exceptions (I believe Unstoppable Wallet is multi-coin and open-source).

Even more sad is that those closed-source wallets mostly don't offer the use of a hardware wallet with them. If implemented properly and without malicious intent, that would mostly prevent a compromise of the seed and/or private keys that are secured by the hardware wallet.
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
Interesting posts of their Subreddit: https://www.reddit.com/r/atomicwallet/
Why can't I find one helpful Reddit post, ever? I mean, look at the first reply of We are investigating.

Quote
My wife and I just noticed we lost all of our XRP! Over 90,000 tokens fucking gone what the hell is going on?!

Edit: All our Bitcoin is gone as well we were just so surprised about the XRP we didn't realize. We keep hugging each other we thought this was supposed to be cold storage.

I love how the reply email tells us not to share our keys "we don't" and to contact exchanges so they can block addresses like this was somehow our fault.

FUCK YOU Atomic Wallet

Why do people choose to not use reputable, open-source software when it comes to their life savings? I mean, you seriously don't think it's a good idea to spend an hour or two extra, to ensure you won't just let a stranger ruin your life?
legendary
Activity: 3458
Merit: 6231
I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

Just another in the long list of reasons to never use closed source wallets.

On top of that, Atomic wallet is owned by Binance, which historically has a few questionable behaviors.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?


For those of you like me that did not remember if you left any funds in there (I had an entire $2 of tron so no big deal), just put your phone in airplane mode or disconnect your internet from your PC and check. And then if needed get your private keys. Don't start with getting the keys and importing; do a time / effort analysis.


Copay was open source.
But as I have said countless times. Open source and build verified still does not prevent bad coding. Or as you mentioned a supply chain attack.
It just allows more people to see the bad code and report it and get it fixed.

And also as I have said countless times. Open source don't mean shit if people don't verify the source vs compiled that you are downloading. And let's not forget the HOW SECURE IS THE PROCESS OF UPLOADING THE APP TO THE VARIOUS APP STORES.
Everything else could be perfect, but if you don't secure that system then you are not secure.

-Dave
legendary
Activity: 1484
Merit: 1355
On top of that, Atomic wallet is owned by Binance, which historically has a few questionable behaviors.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?

Yeah, I was confused between Atomic and Trust wallet. Their homepage, which shows a review from "CZ Binance" on Trustpilot[1], also adds confusion since I remember CZ Binance also promoted Trust wallet on Twitter some time ago[2].

I have been searching around this forum, but I could not find any previous discussions about this specific topic. However, I did come across a few articles from 2018 that shed some light on the partnership between CZ Binance and Konstantin G., who is the CEO and founder of AtomicWallet and the former CEO and co-founder of Changelly.

https://www.unlock-bc.com/news/2018-05-03/changelly-partnered-with-binance-konstantin-met-with-cz-in-malta/


legendary
Activity: 2268
Merit: 18509
I don't see how their software can be compromised unless they were lying about how are the private keys generated and them being non custodial.
Atomic wallet is closed source. Anything could be hiding in the code, not just from them being actively malicious but also from a rogue employee sneaking something in, a malicious third party sneaking something in, someone compromising their app store account to upload a malicious app, or even just plain incompetence.

I am also reminded of the Copay wallet hack several years ago. Copay had a dependency on a specific JavaScript library which was no longer maintained. A malicious third party obtained control of this library, merged a malicious update, and it was pulled in to Copay updates without anyone realizing.

Just another in the long list of reasons to never use closed source wallets.

On top of that, Atomic wallet is owned by Binance, which historically has a few questionable behaviors.
Are you confusing them with Trust wallet? I didn't think Atomic was also owned by Binance?
legendary
Activity: 2492
Merit: 3612
The only advantage of that wallet is the ability to integrate the wallet with automatic/instant exchange, in other words, easy to exchange between cryptocurrencies, but I see it as a lazy user, I hope that they have not lost a lot.
Have all users lost their money? Or is there a certain reason to lose their money? I use the phone and I did not find time to track the story.
legendary
Activity: 2380
Merit: 5213
Sad day for Atomic Wallet users. It's (another) stark reminder. Not your keys, not your coins.
Atomic wallet is a non-custodial wallet and gives you the private keys. The problem with Atomic wallet is that it's closed source and there is no way to know how the keys have been generated and whether the user is the only one who has access to the keys or not.
hero member
Activity: 1423
Merit: 504
Sad day for Atomic Wallet users. It's (another) stark reminder. Not your keys, not your coins.
hero member
Activity: 2870
Merit: 612

So many users lost their altcoins. Even so, it's not fun losing a huge quantity of those tokens like XRP or ADA. This is the kind of hack where users will question whether the Wallet developer is liable. Because if they store those tokens on an exchange like Binance, users who lost tokens could have been refunded.

The wallet is not opensource by the way.
legendary
Activity: 1008
Merit: 3001
After reading some comments on both the Reddit official thread[1] and their Twitter thread[2], I feel sorry for the people that lost their funds. According to this[3] user from Twitter, he estimates that a minimum of $20m has been stolen (so far at least). Match Systems appears to have some lead[4] regarding what might have caused this hack:
Quote
The breach was instigated by a recent update to the Atomic Wallet's official website. It appears the attackers gained access to user private keys and passwords by modifying the source code of the application on the server.
If true, then I'm not sure if they will be able to stop the hacker from continuing to suck away their users' funds. It's just a matter of time until all wallets are drained (whoever was able to exploit this surely has a way to automate this process).

[1]https://safereddit.com/r/atomicwallet/comments/13z9wdw/we_are_investigating/
[2]https://nitter.it/AtomicWallet/status/1664946301815910400
[3]https://nitter.it/zachxbt/status/1665151915355676674
[4]https://nitter.it/MatchSystems/status/1665116869450145792
legendary
Activity: 2380
Merit: 5213
It's sad news, we thought that using a non-custodial wallet is safe, in fact, there's no really safe over the internet.
It's safe to use a trustworthy open-source non-custodial wallet (preferably on an airgapped device) and that has been said many times in many threads on this forum. It's not that any non-custodial wallet is recommended.


Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.
You don't make your wallet more secure just by importing your seed phrase into a secure wallet like Electrum. You should create a new wallet and send all the funds to that.
legendary
Activity: 2366
Merit: 1206
It's sad news, we thought that using a non-custodial wallet is safe, in fact, there's no really safe over the internet.
Just wanted to know now how much worth was being stolen by hackers. I saw comments on Twitter, other wallets are fine and some are drained out. I start thinking now of what version of the wallet and what software they use.

I think this should also be visible in the Beginners and Help section to warn newbies out there and start importing their wallets to those who are not yet affected. Transferring their fund by importing the 12 words into other wallets like Electrum might be a good step or any wallets that support importing BIP39 seed phrases.