This article is more than nine months old

Atomic Wallet faces $100m lawsuit following North Korean hack

Atomic Wallet faces $100m lawsuit following North Korean hack
Blockchain analytics firm Elliptic has attributed the $100 million Atomic Wallet heist to North Korea’s Lazarus Group.
  • Atomic Wallet users lost $100 million in a North Korea-linked hack last month.
  • A class action complaint accuses Atomic Wallet and its owner, Konstantin Gladych, of “negligent and unlawful” conduct.
  • The lawsuit alleges that the company “knew of existing security vulnerabilities” in Atomic Wallet since at least as early as 2022.

A class action complaint has been lodged against crypto wallet provider Atomic Wallet and its owner, Konstantin Gladych, following a $100 million hack by North Korea-linked Lazarus Group last month.

The plaintiffs, representing themselves and other Atomic Wallet users, claim that the platform’s conduct, which they describe as “negligent and unlawful,” led to the compromise of numerous user wallets.

“In many cases, users have lost entire portfolios,” the lawsuit says.

Launched in 2017, Atomic Wallet has been downloaded over 5 million times according to its website. The wallet suffered a massive hack on June 3, leading to what initial reports suggested was a loss of $35 million in various cryptocurrencies.

NOW READ: ‘Your security posture sucks’: Atomic Wallet slammed after hacker swipes $35m

But further investigation by blockchain security firm Elliptic on June 14 put the figure at $100 million. It also found that the Lazarus Group — North Korea-linked hackers — was behind it. The same group also stole $100 million from the Harmony blockchain’s Horizon Bridge last year.

Crypto — which North Korea calls its “treasure sword” — has become a significant source of revenue for the hermit kingdom.

NOW READ: North Korea accelerates nuclear missile programme with ‘treasure sword’ — $1.7bn from crypto heists

Join the community to get our latest stories and updates

“All the money [the North Korean hackers] cash out goes to fund their missile programme,” Erin Plante, vice-president of investigations at Chainalysis, told DL News in April.

Atomic Wallet knew of its ‘security vulnerabilities’

The lawsuit alleges that the company “knew of existing security vulnerabilities” in Atomic Wallet as early as 2022 “but failed to take necessary security measures or precautions to protect user data and funds.”

In early 2022, crypto research and security group Least Authority, hired by Atomic Wallet, alerted the company to a critical vulnerability.

NOW READ: ‘Lots of inaccuracies’: Ledger pushes back on security fears over its crypto wallet update

“We strongly recommend that the Atomic Wallet team immediately notify users of the existing security vulnerabilities,” Least Authority said in a deleted blogpost in February 2022, now accessible via an archived copy.

Least Authority said it found that the “design and implementation of the Atomic Wallet system does not sufficiently demonstrate considerations for security and places current users of the wallet at significant risk.”

Taylor Monahan, a crypto security researcher and founder of the open-source crypto wallet MyEtherWallet, also criticised Atomic Wallet at the time, pointing to Least Authority’s 2022 audit. “Your security posture sucks, you refuse to listen to people,” she said.

Monahan’s analysis puts the figure at “minimum $115 million.”

“This $115m number is only confirmed thefts on a limited number of chains. It’s the minimum amount stolen,” she said on July 11.

The lawsuit, filed in the US District Court of Colorado, asserts that Atomic Wallet and Gladych did not adequately secure the funds in Atomic Wallet wallets. The plaintiffs argue that the defendants did not implement sufficient measures to prevent a hacking attack that could, and did, result in a substantial theft.

The complaint further states that the defendants did not ensure the confidentiality of critical passwords or security details, which could have been exposed to malicious entities. The plaintiffs maintain that this failure was the direct and actual cause of their financial losses.

A closed-source crypto wallet

The lawsuit comes at a time when the crypto industry faces intensified scrutiny from regulators and lawmakers in the US.

Crypto wallets like Atomic Wallet represent a part of the industry that’s supposed to be free from corporate problems since wallets require self-custody, and so the responsibility lies with the holders only.

NOW READ: Euler hacker returns $176m of stolen funds amid ‘ongoing’ negotiations

But there’s one distinctive feature about Atomic Wallet.

Although open-source code is the standard in crypto, Atomic Wallet has always kept its code secret, which meant that its security could not be independently audited.

“Wallets don’t pay enough attention to building a strong architecture with security best practices implemented,” Dyma Budorin, CEO and co-founder of Hacken, told DL News at the time of the hack.

“Consequently, such weak code can’t be open source,” he said.

Update, July 11: The story has been updated with security researcher Taylor Monahan’s analysis that suggests the losses from the hack are at least $115 million, instead of $100 million as reported in the court filing.

Related Topics