- Atomic Wallet users lost $100 million in a North Korea-linked hack last month.
- A class action complaint accuses Atomic Wallet and its owner, Konstantin Gladych, of “negligent and unlawful” conduct.
- The lawsuit alleges that the company “knew of existing security vulnerabilities” in Atomic Wallet since at least as early as 2022.
A class action complaint has been lodged against crypto wallet provider Atomic Wallet and its owner, Konstantin Gladych, following a $100 million hack by North Korea-linked Lazarus Group last month.
The plaintiffs, representing themselves and other Atomic Wallet users, claim that the platform’s conduct, which they describe as “negligent and unlawful,” led to the compromise of numerous user wallets.
“In many cases, users have lost entire portfolios,” the lawsuit says.
Launched in 2017, Atomic Wallet has been downloaded over 5 million times according to its website. The wallet suffered a massive hack on June 3, leading to what initial reports suggested was a loss of $35 million in various cryptocurrencies.
But further investigation by blockchain security firm Elliptic on June 14 put the figure at $100 million. It also found that the Lazarus Group — North Korea-linked hackers — was behind it. The same group also stole $100 million from the Harmony blockchain’s Horizon Bridge last year.
After a significant and successful cross-community effort between @elliptic, many of our exchange partners and friends to freeze stolen @AtomicWallet funds, Lazarus have now turned to OFAC-sanctioned Exchange, Garantex, to trade their assets for BTC... pic.twitter.com/5Lk9DeGjr8— Elliptic Investigations (@Elliptic_Inv) June 12, 2023
Crypto — which North Korea calls its “treasure sword” — has become a significant source of revenue for the hermit kingdom.
“All the money [the North Korean hackers] cash out goes to fund their missile programme,” Erin Plante, vice-president of investigations at Chainalysis, told DL News in April.
Atomic Wallet knew of its ‘security vulnerabilities’
The lawsuit alleges that the company “knew of existing security vulnerabilities” in Atomic Wallet as early as 2022 “but failed to take necessary security measures or precautions to protect user data and funds.”
In early 2022, crypto research and security group Least Authority, hired by Atomic Wallet, alerted the company to a critical vulnerability.
“We strongly recommend that the Atomic Wallet team immediately notify users of the existing security vulnerabilities,” Least Authority said in a deleted blogpost in February 2022, now accessible via an archived copy.
Least Authority said it found that the “design and implementation of the Atomic Wallet system does not sufficiently demonstrate considerations for security and places current users of the wallet at significant risk.”
Taylor Monahan, a crypto security researcher and founder of the open-source crypto wallet MyEtherWallet, also criticised Atomic Wallet at the time, pointing to Least Authority’s 2022 audit. “Your security posture sucks, you refuse to listen to people,” she said.
Monahan’s analysis puts the figure at “minimum $115 million.”
“This $115m number is only confirmed thefts on a limited number of chains. It’s the minimum amount stolen,” she said on July 11.
The lawsuit, filed in the US District Court of Colorado, asserts that Atomic Wallet and Gladych did not adequately secure the funds in Atomic Wallet wallets. The plaintiffs argue that the defendants did not implement sufficient measures to prevent a hacking attack that could, and did, result in a substantial theft.
The complaint further states that the defendants did not ensure the confidentiality of critical passwords or security details, which could have been exposed to malicious entities. The plaintiffs maintain that this failure was the direct and actual cause of their financial losses.
A closed-source crypto wallet
The lawsuit comes at a time when the crypto industry faces intensified scrutiny from regulators and lawmakers in the US.
Crypto wallets like Atomic Wallet represent a part of the industry that’s supposed to be free from corporate problems since wallets require self-custody, and so the responsibility lies with the holders only.
But there’s one distinctive feature about Atomic Wallet.
Although open-source code is the standard in crypto, Atomic Wallet has always kept its code secret, which meant that its security could not be independently audited.
“Wallets don’t pay enough attention to building a strong architecture with security best practices implemented,” Dyma Budorin, CEO and co-founder of Hacken, told DL News at the time of the hack.
“Consequently, such weak code can’t be open source,” he said.
Update, July 11: The story has been updated with security researcher Taylor Monahan’s analysis that suggests the losses from the hack are at least $115 million, instead of $100 million as reported in the court filing.