
Crypto catastrophe strikes some Atomic Wallet users, over $35M thought stolen

As much as $35 million worth of cryptocurrency may have been stolen in a large-scale attack on Atomic Wallet users, with one investigator claiming losses could potentially exceed $50 million.

The Atomic Wallet app’s makers first reported June 3 that some folks were complaining some crypto had been taken from their wallets and deposited in strangers’ accounts, with others saying their wallets had been emptied completely.

The biz tweeted Monday that less than one percent of their monthly active users had reported they were affected, though that number could grow with more reports coming in.

“Security investigation is ongoing. We report victim addresses to major exchanges and [use] blockchain analytics to trace and block the stolen funds,” the company wrote, adding that the “last drained transaction was confirmed over 40h ago.”

A Twitter user with the handle ZachXBT, who describes themselves as an “on-chain sleuth,” suggested over the weekend that the losses traced have added up to more than $35 million, with the largest victim having $7.95 million swiped. The five largest losses seen by ZachXBT added up to $17 million, almost half of the known total.

“Think it could surpass $50 million. Keep finding more and more victims sadly,” was the message.

Atomic Wallet is an app designed to manage cryptocurrencies. It runs on Windows, macOS, and Linux (Ubuntu, Debian, and Fedora) for desktop, and Android and iOS for mobile. It allows users to transfer and stake more than 1,000 different crypto coins, including Bitcoin, Ethereum, USD Coin, and Solana, and claims to have more than 5 million users.

The developer, headquartered in Tallinn, Estonia, says Atomic Wallet is a noncustodial app, meaning that users own the 12-word backup phrase and private keys to their coins, rather than the app maker, and that security is within the users’ control.

“Your funds are not located in the wallet itself, [they] are safely stored on the blockchain,” Atomic Wallet says on its website. “Atomic Wallet connects directly to the blockchain nodes and shows the information about your balances, transaction history and everything you see in the wallet. It also allows you to perform transactions on the blockchain.”

It’s all about the backup phrase

Central to the security is the backup phrase, the company says.

“Your backup is like a key to your wallet, whoever owns it owns the funds. Take your passwords seriously. Make a unique and strong password for Atomic Wallet and store it in a trusted password manager.”

Atomic Wallet also reminds users to keep their systems secure and up to date, adding that because information like the security keys and backup phrase is stored locally on the device, “if your device is compromised, the wallet can be compromised too.”

Crypto security researcher Tay tweeted that the first report of stolen funds came in late on June 2. Since then, reports of stolen assets have been rolling in, with some users reporting that their entire crypto portfolios were hijacked. One of those said on Reddit they noticed over the weekend that most of the assets in their Atomic Wallet were gone.

“Nothing on my system was compromised, I never run any suspicious software, and I have been having Malwarebytes installed for years,” they wrote. “I’ve lost literally all my money and went broke in a split second, as I kept all my money in crypto.”

Another said their wallet had also been cleaned out and Bitcoin assets transferred out of their wallet 20 minutes before they checked. Yet another claimed their assets were stolen and sent to other wallets despite following Atomic Wallet’s advice regarding security.

“My wallet phrase is stored on an encrypted USB drive that is stored securely in my apartment, and I didn’t tell a single soul of its existence, and it was never touched by anyone but me,” they wrote. “Also, I haven’t used it a single time because I never had to reinstall the app.”

The same user added that “we shouldn’t have trusted these multicurrency wallets at all. Our grave mistake. Especially with closed source code.”

Scrambling to find out what happened

Atomic Wallet is collecting information from victims to try to get a better gauge on how the cyber-theft happened. In a Google Docs form, the company is asking users for such information as the operating system on their devices, the online app store they used to buy the Atomic Wallet app, the amount of lost funds and when the coins were withdrawn, where they stored the backup phrase, and when they last used their wallet before they saw that the coins were stolen.

It’s unclear how the miscreants were able to steal the funds from users’ wallets and Atomic Wallet said it is working with third-party security vendors to investigate. If there really is a low number of users affected, it may be some kind of credential stuffing, phishing, or brute-force attack, or a malware infection on the victims’ devices.

As if the stolen funds weren’t enough of a problem, users also have to deal with the scams that typically crop up in the wake of such heists. ZachXBT tweeted that phishing scammers are already spamming fake Atomic Wallet refund efforts on Twitter in hopes of roping in some victims whose money was stolen.

The Register asked Atomic Wallet to comment and will update the story if the company responds. ®