Private key compromise
https://twitter.com/zachxbt/status/1665080799253733377 https://twitter.com/tayvano_/status/1665069321255788544 https://twitter.com/AtomicWallet/status/1664946301815910400 https://twitter.com/MatchSystems/status/1665116861984305152 https://twitter.com/lndofi/status/1665094377729847303 https://www.coindesk.com/tech/2022/02/10/least-authority-discloses-security-risks-in-atomic-wallet/ https://twitter.com/IM_23pds/status/1668886220435509249 https://twitter.com/0xCuteSocks/status/1668889507754655744
Days in Operation:
100 pts each
Atomic wallet reported some wallets have been compromised. ZachXBT and Tayvano reported an aggregated loss of $35M so far.
The attacker was able to gain access to user private keys and passwords by modifying the source code of the application on the server that the user wallets interact with.
The concerns surrounding Atomic Wallet's vulnerabilities were raised in in Feb 2022. Specifically, vulnerabilities in Atomic Wallet include user fund loss due to cryptography implementation, lack of adherence to design standards, insufficient documentation, and incorrect use of Electron framework. While Atomic has addressed some of the issues, several remain and perhaps this incident may be the result of what were left unaddressed.
Updated on 6/14: May be related to a BGP misconfiguration that redirected the auto-update version to an endpoint controlled by the exploiter with fake update.
Updated 6/26: Patterns indicated that this may be the work of the Lazarus Group - https://twitter.com/PeckShieldAlert/status/1673538357027274753
DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.