Police in Estonia and Kazakhstan Investigate Atomic Wallet Hack

The team behind Atomic Wallet, the non-custodial mobile crypto wallet that was hacked on June 3, is cooperating with police of Estonia, the country where the company is registered, CEO Konstantin Gladych told CoinDesk. He also confirmed the team received a request from police in Kazakhstan, as the Russian-language news outlet Forklog reported on Tuesday.

“We forwarded the request to the Estonian police and Chainalysis, to whom we provided all the information needed for investigation,” Gladych said. “We’re also providing data from the victims to [the blockchain analytics companies] Crystal Blockchain and Elliptic. Exchanges and OTCs use them to stop suspicious transactions,” he added.

Atomic Wallet users lost over $100 million worth of crypto in bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB and polygon (MATIC) in the first weekend of June, blockchain intelligence firm Elliptic said in a blog post with updated estimate on Tuesday. According to the firm, over 5,500 wallets had been compromised in the hack. Elliptic earlier said that North Korean hacker group Lazarus might have been responsible for the theft.

Atomic’s wallet in the Google Play has had over 1 million downloads, according to the app store’s data.

It’s unclear what made the breach possible, as Atomic hasn’t shared details of technical investigation yet. Atomic is a non-custodial mobile wallet that allows users to keep the private keys for their crypto on their own devices, without trusting a custodian. The wallet might have flaws in its technical design that allowed hackers to access users’ crypto, CEO of a blockchain security firm Hacken Dyma Budorin told CoinDesk earlier this month.

The wallet might have been sending copies of users’ private keys to the company’s server, Budorin said. Another possibility is that Atomic generated recovery (seed) phrases for its wallets that were not random enough, so the hackers could “brute-force” the wallets. There is also a chance the hackers derived private keys from Atomic users’ transaction data or breached the wallet manufacturer’s infrastructure, Budorin said.

Gladych did not comment on the possible cause of the hack.

Last year, the security firm Least Authority warned about security flaws in Atomic’s code in a now deleted blog post (archived copy available here). The firm said it found issues in Atomic’s use of cryptography, a lack of robust project documentation and incorrect use of Electron, a framework for building desktop applications. Atomic also did not adhere to the best practices for wallet design, Least Authority wrote.

UPDATE 6/13/23: The dek has been updated, as Gladych's estimate of the hack size is lower than Elliptic's.