
‘Your security posture sucks’: Atomic Wallet slammed after hacker swipes $35m

Atomic Wallet users have been hacked for over $35 million since June 2.
  • A hacker has stolen over $35 million from Atomic Wallet users.
  • While the cause is still unknown, Atomic has received criticism from security experts over its closed-source code.

Atomic Wallet users are grappling with a major security breach after a hacker drained over $35 million in crypto.

The first theft occurred on June 2. Since then, several on-chain analysts have tracked over $35 million stolen through the exploit.

According to pseudonymous crypto sleuth ZachXBT, the hardest-hit victim lost almost $8 million worth of Tether’s dollar-pegged stablecoin, USDT.

Atomic Wallet told DL News that it is still investigating the hack and declined to comment further.


‘The simple advice is, do not use closed-source wallets’

Although open-source code is the standard in crypto, Atomic Wallet has always kept its code secret, which meant that its security could not be independently audited.

“The simple advice is do not use closed-source wallets,” Mikko Ohtamaa, an independent Ethereum security researcher and CEO of trading protocol Trading Strategy, told DL News.

Closed-source code is code that its creators do not make available to the general public. Some crypto projects choose to keep their code private to avoid competitors copying it.

However, because users cannot view the code, they cannot check that it does what it is supposed to do, or whether it contains vulnerabilities. Instead, they must trust the developers who wrote it.


“Using open-source wallets is no guarantee of high quality, but at least there is an independent way to know about the general quality of the project,” Ohtamaa said. “For closed-source wallets there is simply no way to know.”

Atomic Wallet has yet to provide an explanation for the hack. In a June 5 tweet, the wallet’s official Twitter account said that less than 1% of its monthly active users had been affected, and that the hacker hadn’t drained one of its users’ wallets in over 40 hours.


Atomic is a non-custodial crypto wallet. Unlike crypto exchanges, which store their customers’ crypto on their behalf, wallets like Atomic let users store their cryptocurrency independently of any third party.

The market for crypto wallets is sizable. According to a 2023 Zippia Research report, as of August 2022, there were 84.02 million crypto wallets worldwide.

Atomic Wallet, which was originally launched in 2017 as an exchange called Atomic Swap, has been downloaded over 5 million times according to its website.


“Wallets don’t pay enough attention to building a strong architecture with security best practices implemented,” Dyma Budorin, CEO and co-founder of Hacken, told DL News. “Consequently, such weak code can’t be open source.”

Budorin also said that only a small percentage of crypto wallets had undergone professional code audits to check for vulnerabilities, and those that had often chose not to publish the results.

“It is an auditor’s responsibility to disclose every report regardless of its findings, to make people aware of potential risks,” he said.

‘The Atomic Wallet system does not sufficiently demonstrate considerations for security’

Taylor Monahan, a crypto security researcher and founder of the open-source crypto wallet MyEtherWallet, also criticised Atomic Wallet for failing to act on security vulnerabilities identified in an audit over a year prior.


“Your security posture sucks, you refuse to listen to people,” she said in a tweet highlighting a February 2022 post from web3 security firm Least Authority disclosing security vulnerabilities in Atomic Wallet.

Least Authority said it found that the “design and implementation of the Atomic Wallet system does not sufficiently demonstrate considerations for security and places current users of the wallet at significant risk.”

According to Monahan, the security failures highlighted by Least Authority meant that Atomic Wallet likely “inadvertently logged” the password-like private keys which are used to access its users’ crypto wallets.


Atomic Wallet is not the first closed-source wallet to cost its users their crypto. In August, users of the Solana Slope Wallet lost an estimated $4.1 million after a hacker gained access to Slope’s servers.

While such crypto wallets usually don’t store users’ private data on their servers, a bug in Slope’s code caused it to store users’ wallet passwords there. This meant that once the hacker gained entry, they had access to over 9,000 user passwords.

Because the Slope wallet’s code was closed-source, users and security experts could not check for the vulnerability ahead of time.