In a recent incident, the popular universal wallet, Atomic Wallet, appears to have been hacked, resulting in significant losses for many users. The total amount lost currently stands at over $35 million, and the exact cause of the hack remains unknown.
Unfortunately, the occurrence of hacks has become all too common in the cryptocurrency world. Exchanges, online wallets, and even smart contracts have fallen victim to such attacks repeatedly.
In the past, users were often advised to keep their keys secure and not entrust their coins to exchanges in order to avoid the consequences of hacks. However, this wisdom proved inadequate last weekend when Atomic Wallet experienced a systematic hack, an unprecedented event.
Reports of coin losses within the Atomic Wallet started surfacing on Friday, June 2nd, with the wallet’s team confirming the incidents a day later. On Monday night, it was revealed that less than one percent of the wallet’s monthly active users were affected. The case is currently under investigation, and the affected addresses have been reported to stock exchanges and analysts.
The exact number of active users per month for Atomic Wallet is unknown. The website claims that five million people “trust” the software, which likely refers to the number of downloads. Analysts looking into the hack estimate losses exceeding $35 million across various cryptocurrencies, including Bitcoin, Ether, Tron, BSC, Cardano, Ripple, Polkadot, Cosmos, Algo, Avax, Lumen, Litecoin, and stablecoins like USDT. Some users have reported losses worth millions of dollars.
While speculation regarding the cause of the hack abounds, no reliable information is currently available. One rumor suggests that a malicious update was automatically installed when the wallet was opened. In response to concerns about tampering, the Atomic Wallet team has suspended downloads. To gather more details about the incident, they have requested those affected to complete a Google document containing 20 questions.
This incident is not without its history. Security analyst Least Authority had previously issued a warning about Atomic Wallet on February 10, 2022. After conducting an audit of the wallet in spring 2021, Least Authority identified significant deficiencies, including poorly implemented cryptographic protocols, lax standards and documentation, and outdated third-party packages. Despite the warning, these issues were not addressed within a 10-month period, ultimately leading to the current situation.
Given this unfortunate turn of events, it becomes evident that not only exchanges and smart contracts are vulnerable to hacks, but wallets as well. Whether you entrust your coins to a third party or keep them yourself, there are inherent risks involved.
However, Atomic Wallet stands out as a special case for two reasons. Firstly, it supports over 300 coins and tokens and allows users to buy, exchange, and stake them. Because of this multifunctionality it is often referred to as a “Thermomix among wallets”. Unfortunately, such complexity increases the likelihood of vulnerabilities.
Secondly, Atomic Wallet’s code is not fully open source. While some parts, such as libraries and software packages, are open source, much of the implementation remains closed. This lack of transparency can allow errors to go undetected for extended periods.
To mitigate risk, it is advisable not to entrust significant amounts of money to a universal wallet, especially when the code is not fully open source. Numerous reliable alternatives exist for long-term use.
If you are an Atomic Wallet user, it is important not to panic. Avoid downloading any updates and refrain from opening the Atomic Wallet. Instead, import the seed into another trusted wallet and transfer the coins to a different address. It is recommended to create this destination address using a third-party wallet, so that the coins stay safe even if the original seed has been compromised.
Under no circumstances should you believe individuals claiming to be able to recover lost coins