Atomic Wallet hack losses more than double

North Korea

Published: 14 Jun. 2023, 17:18 Updated: 14 Jun. 2023, 17:54

Atomic Wallet hack losses more than double

Blockchain analysis company Elliptic said Tuesday that the North Korea-linked Lazarus hacking group appeared to be using a sanctioned Russian crypto exchange to trade funds stolen through the Atomic Wallet heist for bitcoin. [SCREEN CAPTURE]

North Korean hackers made off with more than $100 million from users of a decentralized cryptocurrency wallet system, which is more than double the initially estimated losses, according to a blockchain analysis company on Tuesday.

Funds stolen through the attack on Atomic Wallet, which was first reported on June 3, are being laundered through the Russian-based crypto exchange Garantex, according to an analysis conducted by Elliptic.

The heist, which Elliptic linked to Lazarus, a North Korean hacking group controlled by Pyongyang’s Reconnaissance General Bureau, compromised approximately 5,500 individual crypto wallets, with some users reporting complete losses of their crypto portfolios, the analysis further said.

Atomic Wallet confirmed that at least $35 million worth of cryptocurrency assets were stolen.

Atomic Wallet, often described as a noncustodial decentralized wallet, is used by approximately 5 million users, some of whom took to Twitter to vent their rage at the service’s sparse communication and lack of clear follow-up measures following the hack.

Elliptic issued a report on June 6 that pointed to Lazarus as the likely culprit behind the Atomic Wallet heist based on tell-tale signs.

“The laundering of the stolen crypto assets follows a series of steps that exactly match those employed to launder the proceeds of past hacks perpetrated by Lazarus Group,” the report said, adding that “the stolen assets are being laundered using specific services, including the Sinbad mixer, which have also been used to launder the proceeds of past hacks perpetrated by the Lazarus Group.”

Cryptocurrency mixers are software tools that pool and scramble cryptocurrencies from many different addresses to obfuscate and conceal transactions.

Elliptic said that it had frozen around $1 million of the stolen funds through collaboration with international investigators and exchanges, but that “in response to the freezing of these funds, the thieves have begun to change their behavior” and “turned to the Russia-based Garantex exchange to launder the stolen assets.”

Elliptic also said that the Lazarus hackers were trading the stolen assets for bitcoin through Garantex.

Garantex was founded and registered in Estonia in late 2019 before moving most of its operations to Moscow, according to the Treasury Department.

The U.S. Office of Foreign Assets Control sanctioned Garantex and the Russian Hydra dark web marketplace in April 2022, citing analysis showing that over $100 million in transactions are associated with illicit actors and darknet markets.

Lazarus is estimated to have stolen $1.7 billion in multiple cyber attacks last year, according to a report by blockchain analysis company Chainalysis in February.

The company also estimates that North Korea-linked hackers have stolen over $3 billion over the past five years.

The growth in Pyongyang’s haul from cyber crime has corresponded with a sharp rise in missile tests by the regime, which launched over 90 cruise and ballistic missiles last year and conducted its first successful test of a solid-fuel intercontinental ballistic missile in April.

About half of North Korea’s missile program has been funded by cyberattacks and cryptocurrency theft, according to Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technology, in May.

BY MICHAEL LEE [lee.junhyuk@joongang.co.kr]