Crypto Catastrophe Strikes Some Atomic Wallet Users, Over $35 Million Thought Stolen (theregister.com)
The Atomic Wallet app has suffered a large-scale attack resulting in the potential theft of up to $35 million worth of cryptocurrency, with losses possibly exceeding $50 million. The Register reports: The Atomic Wallet app's makers first reported June 3 that some folks were complaining some crypto had been taken from their wallets and deposited in strangers' accounts, with others saying their wallets had been emptied completely. The biz tweeted Monday that less than one percent of their monthly active users had reported they were affected, though that number could grow with more reports coming in.
"Security investigation is ongoing. We report victim addresses to major exchanges and [use] blockchain analytics to trace and block the stolen funds," the company wrote, adding that the "last drained transaction was confirmed over 40h ago." A Twitter user with the handle ZachXBT, who describes themselves as an "on-chain sleuth," suggested over the weekend that the losses traced have added up to more than $35 million, with the largest victim having $7.95 million swiped. The five largest losses seen by ZachXBT added up to $17 million, almost half of the known total. "Think it could surpass $50 million. Keep finding more and more victims sadly," was the message.
Crypto security researcher Tay tweeted that the first report of stolen funds came in late on June 2. Since then reports of the stolen assets began rolling in, with some users reporting that their entire crypto portfolios were hijacked. [...] Atomic Wallet is collecting information from victims to try to get a better gauge on how the cyber-theft happened. In a Google Docs form, the company is asking users for such information as the operating system on their devices, the online app store they used to buy the Atomic Wallet app, the amount of lost funds coins and when the coins were withdrawn, where they stored the backup phrase, and when the last time was that they used their wallet before they saw that the coins were stolen.
It's unclear how the miscreants were able to steal the funds from users' wallets and Atomic Wallet said it is working with third-party security vendors to investigate. If there really is a low number of users affected, it may be some kind of credential stuffing, phishing, or brute-force attack, or a malware infection on the victims' devices. As if the stolen funds weren't enough of a problem, users also have to deal with the scams that typically crop up in the wake of such heists. ZachXBT tweeted that phishing scammers are already spamming fake Atomic Wallet refund efforts on Twitter in hopes of roping in some victims whose money was stolen.
Backdoor? Data collection? Bad key gen? (Score:3)
Either the device has a backdoor, or does data collection with some unintended consequences, or it simply has a bad or predictable key generation.
What else could be the weakness?
Re: (Score:2)
Does your wallet software allow malicious actors to wipe out your wallet? I've never had any problems with mew or the old mist wallet.
Re: Backdoor? Data collection? Bad key gen? (Score:2)
Bad or predictable key generation is likely, but...
There were some issues, maybe related to this, discussed over a year ago:
https://web3isgoinggreat.com/?... [web3isgoinggreat.com]
At this point my guess is, somehow a big enough problem was revealed or hinted at, and instead of being fixed in that year, someone wrote an exploit.
There are so many problems discussed, and it is closed source, and it has been so long, that my guess would be one or two rogue employees decided to race their colleagues in secret, trying to exploit it bef
Scammers gotta scam (Score:1)
no one is surprised.
Marketing op (Score:4, Funny)
the company wrote, adding that the "last drained transaction was confirmed over 40h ago."
They could use that in their ads. No customers lost their deposits for 40 hours! (that we know of). Just need a good jingle to go with it.
$35M? Peanuts! That is business as usual. (Score:3, Informative)
I mean, come on. Some ransom payments laundered via crapcoins are larger.
But I think we should continue to call it "crypto catastrophe", because it is an ongoing catastrophe.
Re:$35M? Peanuts! That is business as usual. (Score:4, Insightful)
How do you even calculate the value of those coins? They are volatile at the best of times.
With real money you can sue and get it back, and it's worth pretty much what it was when they lost it. By the time the court has heard your case, your shitcoin might be worth $0.0000001. That might even be a defence tactic - just delay the case as long as possible, hoping that you can settle at the last minute for $8 because that's all that coin is worth by then.
Re: (Score:2)
Hahahaha, very true!
There is no catastrophe (Score:4, Insightful)
At this point, only crooks and greedy get-rich-quick people invest in cryptocurrencies. Ordinary Joes with a semblance of financial good sense have pulled out a long time ago by now. So those getting scammed or burned on the cryptocurrency market are crooks or greedy people, and I have no sympathy for them: they played a dangerous game, they knew it was dangerous, they lost. Tough cookie.
Re: (Score:2)
Further, they don't get to complain to FBI or police and waste our law enforcement resources. They railed against "fiat" currencies. They railed against "government" "taxes", "central banks" "monetary policies". OK? You made your bed, now sleep in it.
Of course we will come after tax dodgers, criminals laundering their ransomware loot. Get mixed up with them, we will confiscate any cash in any wallet that participated in the money laundering.
Re: (Score:1)
Ordinary Joes with a semblance of financial good sense have pulled out a long time ago by now.
Anyone with a "semblance of financial good sense" never got into cryptocurrencies in the first place.
Yet nothing of value was lost (Score:2)
Maybe those folks should ask the FDIC to make them whole.
Oh wait... lololololol.
There are up sides of regulation too (Score:3)
One of the major premises of cryptocurrency is avoiding regulation by governments. When you operate outside of government regulation, yes, there is some freedom in that. And there is also more opportunity for crime, with potentially no legal recourse.
Tell me again about how secure crypto is... (Score:4, Interesting)
Yes, it wasn't stolen via a crypto hack, but an error in how money is stored in a wallet. But it's all part of the crypto ecosystem.
I'm sure money is occasionally stolen by bank hacks and thefts, but the depositor is almost always made whole by the bank. It's part of what you get by having a regulated "utility". Yes, your money is traceable and you pay something for the convenience.
lmfao (Score:1)
Re: (Score:2)
???
A cryptocurrency wallet is defined by its public key pair, which is immutable. A different key means a different wallet. Those 12 words are used to derive the private key for that wallet -- you can switch to a different set of words whenever you want, but that will give you a new wallet.
What's your concern with this approach? Depending on the number of words in the word list, a 12-word passphrase will normally have 120 to 140 bits of entropy. Atomic Wallet apparently uses BIP39's 2048-word list, gene
Re: (Score:3)
Some random number generators are not very random when the system in question has low entropy (low up-t
Re: (Score:2)
In general, the BIP-39 phrase is the seed value from which the wallet's keys are generated. It isn't a passphrase per se, but what allows one to regenerate their private keys. 12 words is okay, but most hardware wallets have gone to 24-word BIP-39 passphrases, each having 2048 words for each blank, so something like "angry" and "angrier" are not used.
This is the problem with software crypto apps, especially ones like Atomic which interface with buy/selling endpoints. It means that they do a lot of st
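Added example (not part of the thread, and not Atomic Wallet's code): the BIP-39 encoding step the comments above discuss, in Python, showing how many bits a 12- or 24-word phrase from the 2048-word list carries and that a phrase is only as unpredictable as the generator that produced its entropy. The word list is left out, so a phrase is shown as word-list indices; the function names, the deliberately bad generator and the seed value are constructed for illustration.

```python
import hashlib
import random
import secrets

def mnemonic_indices(entropy: bytes) -> list:
    """BIP-39 encoding: entropy plus checksum, split into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP-39 entropy is 128 to 256 bits in 32-bit steps")
    cs_bits = ent_bits // 32  # one checksum bit per 32 entropy bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def phrase_bits(n_words: int) -> tuple:
    """(bits encoded, entropy bits) for an n-word phrase from a 2048-word list."""
    total = 11 * n_words  # 2048 words means 11 bits per word
    return total, total * 32 // 33  # the remainder is checksum

def weak_entropy(seed: int) -> bytes:
    """Constructed bad generator: 128 output bits fully determined by a small seed."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")

def strong_entropy() -> bytes:
    """Entropy from the operating system's CSPRNG."""
    return secrets.token_bytes(16)

def effective_bits(seed_space_bits: int, ent_bits: int = 128) -> int:
    """A phrase cannot be harder to guess than the seed that produced it."""
    return min(seed_space_bits, ent_bits)

if __name__ == "__main__":
    print("12 words:", phrase_bits(12), "24 words:", phrase_bits(24))
    print("all-zero entropy:", mnemonic_indices(bytes(16)))
    seed = 1685750400  # constructed value standing in for a timestamp seed
    a = mnemonic_indices(weak_entropy(seed))
    b = mnemonic_indices(weak_entropy(seed))
    print("same seed, same phrase:", a == b)
    print("bits to guess with a 32-bit seed:", effective_bits(32))
    print("CSPRNG phrases differ:",
          mnemonic_indices(strong_entropy()) != mnemonic_indices(strong_entropy()))
```

The phrase length only sets an upper bound: twelve words still look like 128 bits on paper when the generator behind them had far fewer possible states.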
Oh, no! (Score:2)