A recent attack on Atomic Wallet that resulted in significant losses is believed to be the work of North Korean state-sponsored hackers, according to crypto researchers.
According to the crypto-tracking compliance platform MistTrack, about 8 hours earlier the hackers deployed two smart contracts: through one they converted ETH into 1,132.28 WETH, and through the other they converted 1,132.28 WETH into 1,120.84 ETH.
The ETH was then distributed to multiple addresses in six transactions, and the hackers eventually swapped WETH for BTC. This pattern closely resembles the attack on Harmony.
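As an added example (not code from the article or from any firm it cites), the following Python heuristic, of the kind a compliance monitor might run, scans transfer records for the pattern described above: an address that wraps ETH into WETH, unwraps it, and then fans the ETH out to many recipients within a short block window. The transfer records, addresses, amounts and the WETH contract address are all constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Placeholder for the WETH contract; a real monitor would use the canonical address.
WETH_CONTRACT = "0xWETH_PLACEHOLDER"


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    receiver: str
    asset: str      # "ETH" or "WETH"
    amount: float


# Constructed sample: one address wraps, unwraps, then fans out to six recipients;
# a second address shows ordinary, benign activity.
SAMPLE = [
    Transfer(100, "0xhack1", WETH_CONTRACT, "ETH", 1132.28),   # wrap ETH -> WETH
    Transfer(101, WETH_CONTRACT, "0xhack1", "WETH", 1132.28),
    Transfer(102, "0xhack1", WETH_CONTRACT, "WETH", 1132.28),  # unwrap WETH -> ETH
    Transfer(103, WETH_CONTRACT, "0xhack1", "ETH", 1120.84),
    *(Transfer(104 + i, "0xhack1", f"0xout{i}", "ETH", 186.8) for i in range(6)),
    Transfer(100, "0xuser", "0xshop", "ETH", 0.5),
    Transfer(120, "0xuser", "0xfriend", "ETH", 0.1),
]


def flag_wrap_churn_fanout(transfers, max_span=50, min_fanout=5):
    """Return {address: recipients} for senders that wrap ETH into WETH, unwrap
    it again, and then send to at least `min_fanout` distinct recipients, all
    within `max_span` blocks of the initial wrap."""
    by_sender = defaultdict(list)
    for t in sorted(transfers, key=lambda t: t.block):
        by_sender[t.sender].append(t)

    flagged = {}
    for addr, txs in by_sender.items():
        wrap = next((t.block for t in txs
                     if t.receiver == WETH_CONTRACT and t.asset == "ETH"), None)
        if wrap is None:
            continue
        unwrap = next((t.block for t in txs
                       if t.receiver == WETH_CONTRACT and t.asset == "WETH"
                       and t.block > wrap), None)
        if unwrap is None:
            continue
        # Distinct non-contract recipients after the unwrap, inside the window.
        outs = {t.receiver for t in txs
                if t.block > unwrap and t.block - wrap <= max_span
                and t.receiver != WETH_CONTRACT}
        if len(outs) >= min_fanout:
            flagged[addr] = sorted(outs)
    return flagged
```

Thresholds are illustrative; in practice the window and fan-out count would be tuned against the chain's normal wrap/unwrap traffic to keep false positives down.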
Atomic Wallet, an Estonia-based non-custodial decentralized wallet, supports over 500 coins and tokens and has over five million users worldwide.
The company confirmed on June 3 that it had begun investigating reports of compromised wallets. By June 5, it was estimated that less than 1% of its monthly users, or around 50,000 individuals, had been affected by the hack. On-chain investigator @ZachXBT estimates that the hackers stole approximately $35 million in various cryptocurrencies.
While Atomic did not disclose the number of affected users or the amount stolen at the time, blockchain analysis firm Elliptic stated that it is highly confident that the Lazarus Group, a North Korean-backed group of hackers, is behind the Atomic Wallet breaches. Elliptic’s analysis revealed that the laundering of the stolen crypto assets followed a pattern identical to that used in past hacks attributed to the Lazarus Group.
Elliptic also found that the hackers are laundering the stolen assets through Sinbad, a crypto mixer that allows owners to hide the origin of their crypto funds. Sinbad, believed to be a rebrand of the sanctioned Blender.io mixer, was previously used by the Lazarus Group to launder the proceeds of past hacks.
The method of compromise for Atomic remains unknown, and it is unclear whether affected users will receive compensation. Atomic has stated that it is “committed to helping as many victims of the recent exploit as possible” and has engaged third parties to help “trace stolen funds and liaise with exchanges and authorities.”
In May, U.S. officials announced new sanctions against North Korea related to its army of illicit IT workers who have fraudulently gained employment to finance the regime’s weapons of mass destruction programs. Officials warned that these “highly skilled” workers secretly worked in various positions and industries, mainly on cryptocurrency projects, to launder illicitly obtained funds back to the North Korean government.
Attackers behind this month’s earlier $35 million exploit of the crypto wallet Atomic Wallet are moving stolen funds via the OFAC-sanctioned exchange Garantex, blockchain security firm Elliptic noted.
Elliptic investigators believe Atomic Wallet was hacked by the infamous North Korean hacking group Lazarus, as previously reported.
Last year, the Office of Foreign Assets Control (OFAC) of the U.S. Treasury sanctioned Garantex, stating that the exchange had lax anti-money laundering measures and that it allowed “illicit players” to freely move money using the service. However, Garantex continues to operate.
Elliptic security researchers said in a tweet at that time that several crypto exchanges have already frozen addresses related to the Atomic Wallet hack, but some funds have found their way to Garantex.
These funds were previously exchanged via the on-chain trading tool 1inch, transferred to Garantex, and then traded for bitcoin (BTC). The bitcoin was then laundered through Sinbad, a bitcoin mixer service allegedly used by North Korean hacking groups.
Nearly $35 million worth of various tokens were stolen from Atomic Wallet, a centralized storage and wallet service, on June 3. These tokens include bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB coin (BNB) and Polygon’s MATIC.