Atomic Wallet Hack — June 3, 2023
Overview
In early June 2023, Atomic Wallet, a multi-chain non-custodial wallet, suffered a mass-compromise event resulting in losses exceeding $100 million in user funds. At least 5,500 user accounts were drained across multiple chains (BTC, ETH, USDT, XRP, ADA, DOGE, LTC, BSC, etc.).
Attribution
• Blockchain analytics firm Elliptic attributed the heist to North Korea's Lazarus Group, based on:
  • Laundering patterns matching prior Lazarus operations
  • Reuse of obfuscation infrastructure / mixers tied to past DPRK-linked thefts (Sinbad mixer, etc.)
  • Behavioral fingerprints in wallet hops and consolidation
• The FBI later corroborated Lazarus attribution as part of broader DPRK cyber-theft tracking.
Technical Root Cause / Attack Vector
The exact root cause was never officially confirmed by Atomic Wallet. The most-discussed candidate vectors include:
1. Compromised key generation / weak entropy — early versions of Atomic Wallet were alleged to have weak randomness in seed-phrase generation, allowing an attacker who could enumerate the keyspace to derive private keys.
2. Trojanized wallet update or supply-chain compromise — possibility that a malicious update or installer was distributed to a subset of users.
3. Infostealer malware / phishing — DPRK actors are known to use targeted infostealer malware that exfiltrates wallet files; some forensic reports suggested this as a contributing vector for individual victims.
4. Server-side / transaction-API compromise at Atomic's infrastructure that exposed user-side secrets.
A class-action complaint alleges Atomic Wallet "knew of existing security vulnerabilities" since at least 2022 and failed to remediate them.
Financial Impact
Total estimated loss: $100M+ (initial estimates ~$35M were revised upward by Elliptic to >$100M)
Number of victims: 5,500+ wallet addresses
Asset mix: BTC, ETH, USDT, XRP, ADA, BNB, DOGE, LTC, TRX and others — i.e. funds were drained across all chains the wallet supported, consistent with private-key compromise rather than a single-chain smart-contract exploit.
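The inference above (drains spanning every supported chain point to key compromise rather than a single-chain exploit) can be applied to drain records in an incident-triage script. This is an added example, not code from Atomic Wallet or Elliptic; the victim ids, chains, amounts and timestamps are constructed sample data, and the 15-minute window and 50% threshold are assumed heuristics.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample drain records: (victim_id, chain, amount_usd, iso_timestamp).
DRAINS = [
    ("victim-A", "BTC", 12000.0, "2023-06-03T01:02:00"),
    ("victim-A", "ETH", 8000.0, "2023-06-03T01:03:00"),
    ("victim-A", "TRX", 300.0, "2023-06-03T01:03:30"),
    ("victim-B", "ETH", 500.0, "2023-06-03T01:10:00"),
    ("victim-B", "BNB", 200.0, "2023-06-03T01:10:40"),
    ("victim-C", "ETH", 15000.0, "2023-06-01T09:00:00"),  # single chain, days earlier
]


def classify_incident(drains, window=timedelta(minutes=15), min_multichain_share=0.5):
    """Group drains per victim. If most victims lose funds on several chains
    within a short window, the pattern indicates private-key/seed compromise
    (one secret unlocks every chain) rather than a single-chain contract bug.
    Window and share threshold are assumed heuristics, not published figures."""
    by_victim = defaultdict(list)
    for victim, chain, amount, ts in drains:
        by_victim[victim].append((chain, amount, datetime.fromisoformat(ts)))

    multichain_victims = 0
    for events in by_victim.values():
        chains = {chain for chain, _, _ in events}
        times = [t for _, _, t in events]
        if len(chains) > 1 and max(times) - min(times) <= window:
            multichain_victims += 1

    share = multichain_victims / len(by_victim)
    verdict = "key-compromise" if share >= min_multichain_share else "single-chain-or-mixed"
    return {
        "victims": len(by_victim),
        "multichain_victims": multichain_victims,
        "chains": sorted({chain for _, chain, _, _ in drains}),
        "total_usd": sum(amount for _, _, amount, _ in drains),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(classify_incident(DRAINS))
```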
Laundering Path
• Stolen funds were funneled through the Sinbad mixer (a Bitcoin mixer previously sanctioned by OFAC and identified by Elliptic as a Lazarus laundering tool).
• After Sinbad was sanctioned/disrupted, the attackers began routing funds through the Russia-based Garantex exchange (itself OFAC-sanctioned in April 2022).
• Cross-chain swaps and bridge hopping were used to fragment the trail.
Response & Remediation
• Atomic Wallet posted statements acknowledging the incident on Twitter/X but did not publish a detailed technical root-cause post-mortem.
• Elliptic worked with exchanges and investigators to trace and freeze stolen assets, succeeding in freezing over $1 million in attacker-controlled funds at various exchanges.
• A class-action lawsuit was filed against Atomic Wallet and its owner Konstantin Gladych, alleging "negligent and unlawful" conduct.
• Most user funds were not recovered; affected users have not been made whole by Atomic Wallet.