
Atomic Wallet

Atomic Wallet wins dismissal of class suit over $100M hack

A US judge found a Colorado court lacked jurisdiction over the Estonian-based Atomic Wallet, its CEO and a sister software development firm.

A United States federal judge has tossed a class-action lawsuit against Atomic Wallet after it failed to show the court it had jurisdiction over the Estonian crypto firm.

In a Sept. 10 order, Colorado district court judge Philip Brimmer dismissed claims against Atomic Wallet, its CEO Konstantin Gladyshev, shareholder Pavel Sokolov and Evercode Infinite — the software development firm behind Atomic Wallet. 

A group of users who had custodied cryptocurrencies through Atomic Wallet filed the lawsuit in August 2023 after the wallet provider fell victim to a $100 million hack two months earlier. 


Bitwise files Form S-1 for spot Solana ETF with SEC

Atomic Wallet Launches $1,000,000 Bug Bounty Program Months After Suffering Multi-Million Dollar Hack


Atomic Wallet is beefing up the security of its platform through a new initiative that will give monetary awards to those who discover potential vulnerabilities in its app. In a new statement, the decentralized wallet company says it is launching a bug bounty program with a cumulative prize pool of $1 million months after suffering […]

The post Atomic Wallet Launches $1,000,000 Bug Bounty Program Months After Suffering Multi-Million Dollar Hack appeared first on The Daily Hodl.


Atomic Wallet asks to toss suit over $100M hack saying it has ‘no US ties’

The Estonia-based firm noted that only one plaintiff in the class action lawsuit is actually based in Colorado where the suit was filed.

The company behind Atomic Wallet has asked a United States court to dismiss a class action suit seeking damages from a $100 million hack, arguing the claims should’ve been filed in Estonia, where it's based.

In a Nov. 16 dismissal motion in a Colorado District Court, the Estonian firm argued it has “no U.S. ties” and its end-user license agreement required all litigation against it be filed in its home country of Estonia.

Atomic also argued that only one user in Colorado was allegedly affected — which wasn

The firm also claimed the 5,500 allegedly affected Atomic users agreed to its terms of service, which expressly disclaims liability for losses due to theft and limits damages to $50 per user.

Atomic’s motion to dismiss the class action laid against them. Source: PACER

Atomic said the plaintiff’s negligence claims also lack legal merit because a legal duty was never created in which they were to maintain Atomic Wallet’s security and to protect against hacking.

“This Court has repeatedly rejected similar claims because Colorado recognizes no such duty,” it wrote.

Allegations of fraudulent misrepresentation were also struck down by the Estonian-based wallet provider.

The plaintiffs launched the class action in August, two months after a $100 million exploit on Atomic Wallet took place with up to 5,500 users affected — with both North Korean and Ukrainian groups blamed for the attack.


Lazarus used ‘Kandykorn’ malware in attempt to compromise exchange — Elastic

Lazarus members posed as engineers and fooled exchange employees into downloading difficult-to-detect malware.

Lazarus Group used a new form of malware in an attempt to compromise a crypto exchange, according to an Oct. 31 report from Elastic Security Labs.

Elastic has named the new malware “Kandykorn” and the loader program that loads it into memory “Sugarloader,” as the loader file has a novel “.sld” extension in its name. Elastic did not name the exchange that was targeted.

Crypto exchanges have suffered a rash of private-key hacks in 2023, most of which have been traced to the North Korean cybercrime enterprise Lazarus Group.

Kandykorn infection process. Source: Elastic Security Labs

According to Elastic, the attack began when Lazarus members posed as blockchain engineers and targeted engineers from the unnamed crypto exchange. The attackers made contact on Discord, claiming they had designed a profitable arbitrage bot that could profit from discrepancies between the prices of cryptocurrencies on different exchanges.

The attackers convinced the engineers to download this “bot.” The files in the program’s ZIP folder had disguised names like “config.py” and “pricetable.py” that made it appear to be an arbitrage bot.

Once the engineers ran the program, it executed a “Main.py” file that ran some ordinary programs as well as a malicious file called “Watcher.py.” Watcher.py established a connection to a remote Google Drive account and began downloading content from it to another file named testSpeed.py. The malicious program then ran testSpeed.py a single time before deleting it in order to cover its tracks.

During the single-time execution of testSpeed.py, the program downloaded more content and eventually executed a file that Elastic calls “Sugarloader.” This file was obfuscated using a “binary packer,” Elastic stated, allowing it to bypass most malware detection programs. However, they were able to discover it by forcing the program to stop after its initialization functions had been called, then snapshotting the process’ virtual memory.

According to Elastic, it ran VirusTotal malware detection on Sugarloader, and the detector declared that the file was not malicious.


Once Sugarloader was downloaded onto the computer, it connected to a remote server and downloaded Kandykorn directly into the device’s memory. Kandykorn contains numerous functions that can be used by the remote server to perform various malicious activities. For example, the command “0xD3” can be used to list the contents of a directory on the victim’s computer, and “resp_file_down” can be used to transfer any of the victim’s files to the attacker’s computer.
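An added example, not from Elastic's report or the original article: one way a defender could flag the write-run-delete pattern described above for testSpeed.py in endpoint telemetry. The event tuple format, the paths, the interpreter list and the 60-second window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed endpoint telemetry: (epoch_seconds, action, path, actor_process)
SAMPLE_EVENTS = [
    (1000, "create", "/Users/dev/bot/config.py", "unzip"),
    (1010, "exec",   "/Users/dev/bot/Main.py", "python3"),
    (1011, "exec",   "/Users/dev/bot/Watcher.py", "python3"),
    (1015, "create", "/Users/dev/bot/testSpeed.py", "python3"),
    (1016, "exec",   "/Users/dev/bot/testSpeed.py", "python3"),
    (1019, "delete", "/Users/dev/bot/testSpeed.py", "python3"),
    (1030, "create", "/Users/dev/proj/build_tmp.py", "python3"),
    (1031, "exec",   "/Users/dev/proj/build_tmp.py", "python3"),  # never deleted
    (2000, "create", "/Users/dev/proj/old.py", "vim"),
    (9000, "delete", "/Users/dev/proj/old.py", "rm"),             # never executed
]

INTERPRETERS = {"python", "python3"}  # assumed process names


def find_ephemeral_scripts(events, window=60):
    """Flag .py files that an interpreter process created, that were then
    executed, and that were deleted, in that order, within `window` seconds."""
    by_path = defaultdict(list)
    for ts, action, path, actor in sorted(events):
        if path.endswith(".py"):
            by_path[path].append((ts, action, actor))

    findings = []
    for path, evs in by_path.items():
        created, runs = None, 0
        for ts, action, actor in evs:
            if action == "create":
                # Only scripts dropped by an interpreter are of interest here.
                created = ts if actor in INTERPRETERS else None
                runs = 0
            elif action == "exec" and created is not None:
                runs += 1
            elif action == "delete":
                if created is not None and runs and ts - created <= window:
                    findings.append(
                        {"path": path, "lifetime_s": ts - created, "runs": runs}
                    )
                created, runs = None, 0
    return findings


if __name__ == "__main__":
    for finding in find_ephemeral_scripts(SAMPLE_EVENTS):
        print(finding)
```
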

Elastic believes that the attack occurred in April 2023. It claims that the program is probably still being used to perform attacks today, stating:

“This threat is still active and the tools and techniques are being continuously developed.”

Centralized crypto exchanges and apps suffered a rash of attacks in 2023. Alphapo, CoinsPaid, Atomic Wallet, Coinex, Stake and others have been victims of these attacks, most of which seem to have involved the attacker stealing a private key from the victim’s device and using it to transfer customers’ cryptocurrency to the attacker’s address. 

The United States Federal Bureau of Investigation has accused the Lazarus Group of being behind the Coinex hack, as well as performing the Stake attack and others.


Atomic Wallet Freezes $2,000,000 on Crypto Exchanges After Hackers Steal $100,000,000 in June


Atomic Wallet says it has frozen $2 million worth of crypto on centralized exchanges after hackers plundered more than $100 million from the company’s users in June. The non-custodial decentralized wallet company has faced pushback online in the months following the hack for remaining vague on the details of the attack, which various crypto researchers […]

The post Atomic Wallet Freezes $2,000,000 on Crypto Exchanges After Hackers Steal $100,000,000 in June appeared first on The Daily Hodl.


Stake hack of $41M was performed by North Korean group: FBI

After investigating, the FBI concluded that the hack of crypto gambling site Stake was carried out by North Korean hackers Lazarus Group.

The $41 million hack of crypto gambling site Stake was carried out by the North Korean Lazarus Group, the Federal Bureau of Investigation (FBI) stated in an announcement on Sept. 7. This group has stolen more than $200 million of crypto in 2023, the announcement stated.

Stake is a crypto gambling platform that offers casino games and sports betting. It was the victim of a cyberattack on Sept. 4 that drained over $41 million worth of cryptocurrency from its hot wallets. The Stake team stated that the hacker only obtained a small percentage of funds and that users would not be affected.

According to the FBI statement on Sept. 7, the agency has carried out an investigation and has concluded that the attack was performed by the Lazarus Group, a notorious cybercrime organization believed to be associated with the Democratic People’s Republic of Korea (DPRK). DPRK is also known as “North Korea.”

The FBI listed the addresses where the stolen funds are now held, which exist on the Bitcoin, Ethereum, BNB Smart Chain and Polygon networks. It recommended that all crypto protocols and businesses review the addresses used in the hack and avoid transacting with them, stating:

“Private sector entities are encouraged to review the previously released Cyber Security Advisory on TraderTraitor and examine the blockchain data associated with the above-referenced virtual currency addresses and be vigilant in guarding against transactions directly with, or derived from, those addresses.”


The agency also blamed Lazarus for the Alphapo, CoinsPaid and Atomic Wallet hacks, stating that losses from all of these hacks add up to over $200 million the group has stolen in 2023. Alphapo is a payment processor that suffered over $65 million in suspicious withdrawals on July 23. CoinsPaid, another payments firm, lost over $37 million through social engineering sometime in late July. And Atomic Wallet users lost a whopping $100 million in June through an unknown exploit.


Atomic Wallet Faces Backlash After ‘Updating Security Infrastructure’ Without Revealing Cause of $100,000,000 Hack


Atomic Wallet is facing pushback online after releasing a statement this week that avoided specifics regarding the massive theft of its users’ funds earlier this month. The non-custodial decentralized wallet company claims “less than 0.1% of Atomic app users have been affected” by the June 3rd hack. However, Atomic’s statement doesn’t provide an estimate for […]

The post Atomic Wallet Faces Backlash After ‘Updating Security Infrastructure’ Without Revealing Cause of $100,000,000 Hack appeared first on The Daily Hodl.


Atomic Wallet gives major update on hack but questions remain unanswered

The statement is the first major update from the wallet provider since the exploit in early June, but users are still in the dark about the actual cause.

Atomic Wallet users have been left wanting more answers, despite the decentralized wallet provider finally releasing a full "event statement" about the June exploit — which some estimate has run up to $100 million in losses.

In a June 20 blog post — the first major update from the firm since the June 3 exploit — Atomic Wallet claimed there have been no new confirmed cases after initial reports of the hack.

It has reiterated that “less than 0.1%” of app users were affected. Atomic Wallet has made the claim at least once before in a now-deleted June 5 tweet. The figure is still rebuffed by many online.

Atomic Wallet didn’t point to what exactly led to the exploit, only laying out the four most “probable” causes, including a virus on user devices, an infrastructure breach, a man-in-the-middle attack or malware code injection.

However, none of these scenarios “are confirmed as potentially causing massive breaches,” said Atomic Wallet, while adding its “security infrastructure has been updated.”

Additionally, Atomic Wallet said an app update to boost security is being worked on, which is verified “by external auditors.”

However, questions have been swirling around certain aspects of the June 20 statement.

Former smart contract audit head at cybersecurity firm Hacken, Yevhenii Bezuhlyi, asked who the mentioned “external auditors” are and where users can find their statements.


Ouriel Ohayon, the CEO of rival wallet provider ZenGo asked why Atomic Wallet needed to update its security infrastructure and what happened for it to undertake such a measure.

Others highlighted the wide array of probabilities posed by the firm as evidence it was no closer to understanding how the exploit took place.

Atomic Wallet said it can see the laundering and mixing of user funds, most of which remain traceable. It's engaged the help of blockchain analytics firms Chainalysis and Crystal Blockchain. It said that the investigation is still ongoing.

Chainalysis told Cointelegraph it can't comment on its work or findings relating to Atomic Wallet.

Cointelegraph contacted Atomic Wallet for clarity on aspects of its statement. Crystal Blockchain was also contacted for comment on its findings related to Atomic Wallet.


Atomic Wallet hackers turn to OFAC-sanctioned Garantex: Elliptic

Stolen crypto from Atomic wallets has started passing through sanctioned Russian-based exchange Garantex, according to Elliptic.

Illicit funds gained from the $35 million Atomic Wallet hack are on the move again, with sanctioned Russian-based crypto exchange Garantex reportedly becoming the latest to come in contact with the hacked crypto. 

On June 13, blockchain security and compliance firm Elliptic updated the situation regarding the stolen Atomic Wallet funds. It alleges that the North Korean hacking collective, the Lazarus Group — which it believes is behind the attack — has used sanctioned Russian-based crypto exchange Garantex to launder the loot.

In a Twitter post, the firm said there had been a significant and successful cross-community effort between Elliptic and many exchange partners to freeze the stolen crypto. However, Lazarus has now found other means to trade their assets for Bitcoin (BTC).

The U.S. Office of Foreign Assets Control (OFAC) sanctioned Garantex and the Russian Hydra dark web marketplace in April 2022.

Garantex was founded in late 2019 and originally registered in Estonia before moving the majority of its operations to Moscow, the Treasury Department noted at the time.

“Analysis of known Garantex transactions shows that over $100 million in transactions are associated with illicit actors and darknet markets,” it added.

Earlier this month, Cointelegraph reported that the ill-gotten gains were being channeled through the Sinbad.io mixer, a service frequently used by the Lazarus Group.

Elliptic added that the funds withdrawn from Garantex by the hackers continue to be obfuscated through the Sinbad.io mixer.

The Treasury Department also sanctioned Blender.io (the former iteration of Sinbad.io) in May 2022, warning that the service was being used by North Korea to “support its malicious cyber activities and money-laundering of stolen virtual currency.”


On June 3, a number of Atomic Wallet user accounts were compromised, resulting in losses of up to $35 million in digital assets.

Five days later, Atomic stated that it had engaged blockchain security and analyst company Chainalysis as the leading incident investigator. Cointelegraph reached out to Chainalysis for an update on the investigation but a spokesperson said they couldn’t comment on the Atomic Wallet case.

The notorious North Korean hacking collective has been linked to several major crypto exploits in the past year, including the Harmony Bridge hack and the Ronin Bridge hack.


Atomic Wallet Investigating Exploit As Wave of Crypto Users Report Stolen Funds


The team behind Atomic Wallet is investigating reports from an onslaught of users who say their crypto has abruptly been stolen. So far, the company has released one official statement and is asking users to contact them via email. “We have received reports of wallets being compromised. We are doing all we can to investigate […]

The post Atomic Wallet Investigating Exploit As Wave of Crypto Users Report Stolen Funds appeared first on The Daily Hodl.
