Millions of dollars worth of users’ cryptocurrency have reportedly gone missing among users of the self-custodial, decentralized Atomic Wallet. The project on Saturday acknowledged the compromise and said it was doing everything it could to investigate the apparent vulnerability.
A wave of accounts on Twitter said their wallets’ contents had been drained of funds, sparking widespread concern throughout Crypto Twitter.
“This is seriously scary,” DeFi researcher Ignas said on Twitter. “Atomic wallet, despite being around for years, still gets hacked.”
The project’s cryptocurrency wallet has more than 5 million downloads, according to Atomic Wallet’s website. It was originally launched in 2017 as Atomic Swap by CEO Konstantin Gladych, who is also the CEO of Changelly.com.
As of Sunday, Atomic Wallet said it can’t confirm how the attacks took place, but assured users that it is working with “leading security companies” on an investigation and has reached out to organizations that can help trace the stolen funds like analytics firms and exchanges.
Atomic Wallet did not immediately respond to a request for comment from Decrypt.
Some accounts on Twitter said they were left unscathed by the exploit, having been able to move funds to a different wallet in time. Others lamented that they had lost all the cryptocurrency they had.
Atomic Wallet claims its product is secure partly because the firm does not have access to sensitive information like users’ private keys, which are encrypted and stored on people’s devices. But Least Authority, an auditing firm, raised red flags in February 2021, stating Atomic Wallet is “insufficiently secure in protecting user assets and private data.”
Over $35 million worth of stolen funds had been identified as of Sunday, according to investigative work done by the pseudonymous blockchain sleuth ZachXBT. One victim lost nearly $8 million worth of the stablecoin Tether due to the incident, ZachXBT said.
Atomic Wallet’s ERC-20 token AWC, which trades on decentralized exchanges like Uniswap, was down over 13% to $0.22 over the past 24 hours, as of this writing, according to CoinGecko. The price represents a more than 96% decline from its all-time high of $7.26, set in May 2021.
Additionally, the five biggest losses resulting from the compromised account for nearly half of the stolen funds identified so far, ZachXBT said.
The cryptocurrency industry has experienced an uptick in the number of attacks compared to years past, with an estimated $440 stolen in the first fiscal quarter of 2023 across 73 incidents, according to research from Immunefi. The firm found that hacks accounted for 95% of funds lost, outpacing scams and other forms of malicious activity.
It is possible that some funds lost in the Atomic Wallet exploit can be recovered. With the help of Jito Labs’ pseudonymous CEO Buffalo and an employee at the MEV infrastructure company, ZachXBT said he was able to help rescue $1 million worth of funds.
Buffalo told Decrypt via Twitter message that revealing the team’s methodology for recovering funds could be dangerous and lead to more losses for other victims. But Buffalo is hopeful that the solution could help others.
“I’m glad Zach [messaged] me and we could get together a fast solution,” Buffalo said, saying it’s meaningful to “help to at least help one person, maybe more.” He added that the hack is “very terrible for all the victims involved.”
Stay on top of crypto news, get daily updates in your inbox.