
Atomic Wallet — multi-chain user theft

Lazarus Group operators drained approximately $100M from roughly 5,500 Atomic Wallet users in a single weekend wave spanning at least eight blockchains, one of the largest known thefts from a non-custodial wallet application.

Target: Atomic Wallet — multi-chain user theft
Date public: 3 June 2023
Sector: Crypto
Attack type: Wallet Compromise
Threat actor: Lazarus Group (DPRK, FBI / DOJ attribution)
Severity: High
Region: Global

Atomic Wallet is an app you install on your phone or computer to store and manage cryptocurrency yourself, without giving any exchange custody of your funds. In theory that means no single company can be hacked to steal your money. In June 2023 that assumption was broken at scale. Over a weekend, roughly 5,500 Atomic Wallet users across the world woke up to find their funds missing — Bitcoin, Ethereum, Solana, Tron and more, all drained at once across eight different blockchains. The thefts pointed to something compromised in the app itself or its key-generation process, rather than individual users being tricked separately. Total losses came to around $100 million. The FBI subsequently attributed the attack to North Korea's Lazarus Group, the same state-backed team responsible for the Ronin Network and Harmony Horizon bridge thefts. Atomic Wallet never provided a technical explanation of how the breach occurred. The incident fundamentally challenged the idea that a non-custodial wallet is automatically safer than leaving funds on an exchange.

What happened

Beginning on or around 3 June 2023, a wave of unauthorised drainages swept through Atomic Wallet user wallets. Atomic Wallet is a non-custodial multi-chain desktop and mobile application: the company does not hold users’ private keys, which are generated and stored locally on the user’s own device. By the time the wave was visible on-chain and users began reporting losses on social media, approximately 5,500 wallets had been drained. The blockchain analytics firm Elliptic estimated total losses at approximately $100 million. Losses were spread across at least eight blockchain networks: Bitcoin, Ethereum, Tron, BNB Smart Chain, Solana, Polygon, XRP and Litecoin.

Atomic Wallet acknowledged the incident publicly within days and stated that it had engaged blockchain forensics firms and law-enforcement contacts. The company stated that less than 1% of its monthly active users had been affected. It did not publish a technical post-mortem confirming the root cause, citing the ongoing investigation.

On 22 August 2023 the US FBI publicly attributed the Atomic Wallet theft to North Korea’s Lazarus Group, in the same statement that named the group as responsible for the Stake.com ($41M), CoinsPaid ($37M) and Alphapo thefts; the FBI had earlier attributed the Ronin Network ($625M) and Harmony Horizon ($100M) bridge thefts to the same actor. Naming several operations in a single statement is consistent with the FBI’s practice for DPRK cryptocurrency operations, where laundering patterns shared across incidents allow thefts to be attributed in aggregate.

How it worked

The precise technical entry point for the Atomic Wallet breach was never publicly confirmed by the company. However, the characteristics of the theft — simultaneous drainages across eight separate blockchains, affecting thousands of users who had not interacted with each other or with any common transaction — strongly pointed to a compromise that was in or near the Atomic Wallet application itself, rather than individual-user phishing or credential theft.

Three candidate hypotheses circulated among security researchers in the days following the theft. The first was a supply-chain attack: a malicious update to the Atomic Wallet application, distributed through official channels, injecting code that silently exfiltrated private keys or seed phrases to attacker infrastructure. The second was a weakness in the wallet’s random-number generation: if key generation drew on a weak or compromised entropy source, an attacker who worked out that weakness could enumerate the entropy space and reconstruct private keys for affected wallets without ever touching a user’s device. The third was a server-side compromise: if the application offered any optional backup or sync feature that sent key material, even encrypted, to the company’s infrastructure, a breach of that infrastructure could have exposed it. None of the three was ever confirmed or ruled out publicly.

The multi-chain nature of the theft is consistent with all three hypotheses, since each would give the attacker the seed phrase or master private key from which every chain-specific key and address is derived. The on-chain laundering pattern, moving stolen assets off each chain, consolidating them via Tron-based cross-chain transfers and then pushing them through the Sinbad.io cryptocurrency mixer (sanctioned by the US Treasury in November 2023), was identified by Elliptic and Chainalysis as matching established Lazarus Group laundering tradecraft.
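The two technical points above, that one seed yields the keys for every chain and that a weak entropy source lets an attacker reconstruct keys remotely, can be shown with standard-library Python. The following is an added example written for this page; it is not Atomic Wallet’s code and does not describe any confirmed Atomic Wallet defect. It implements BIP39 seed stretching and hardened-only BIP32 derivation (hardened children need no elliptic-curve point math, so the account-level keys m/44'/coin'/0' come from HMAC-SHA512 and scalar arithmetic mod n), with coin types from the SLIP-0044 registry. The “weak wallet” with a 14-bit entropy space, the PRNG state 0x2A5F and the address stand-in `fingerprint` are all constructed for illustration.

```python
"""Added example (not Atomic Wallet's code): why one leaked or weak seed drains
every chain at once.

Standard-library BIP39 seed stretching plus hardened-only BIP32 derivation.
Hardened children need no elliptic-curve point math, so m/44'/coin'/0' falls
out of HMAC-SHA512 and scalar arithmetic mod n. The weak wallet, its 14-bit
entropy space and the address stand-in are constructed for illustration and
are NOT a description of any real Atomic Wallet defect.
"""
from __future__ import annotations

import hashlib
import hmac
import random

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
COIN_TYPES = {"bitcoin": 0, "ethereum": 60, "tron": 195}  # SLIP-0044 registry


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase."""
    salt = ("mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), salt, 2048, 64)


def bip32_master(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master: I = HMAC-SHA512('Bitcoin seed', seed); key = I[:32], chain code = I[32:]."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """Hardened child: I = HMAC-SHA512(c_par, 0x00 || ser256(k_par) || ser32(index + 2^31)),
    k_child = (IL + k_par) mod n, c_child = IR. Non-hardened derivation, which needs
    the public point, is deliberately not implemented."""
    if not 0 <= index < HARDENED:
        raise ValueError("index must be below 2^31; the hardened bit is added here")
    data = b"\x00" + k_par.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    k_child = (int.from_bytes(i[:32], "big") + k_par) % SECP256K1_N
    return k_child, i[32:]


def account_keys(seed: bytes) -> dict[str, int]:
    """m/44'/coin'/0' private key for every chain in COIN_TYPES, all from ONE seed.
    This is the structural reason a single seed compromise is a multi-chain drain."""
    k, c = bip32_master(seed)
    k, c = ckd_hardened(k, c, 44)  # purpose level
    keys = {}
    for chain, coin in COIN_TYPES.items():
        k_coin, c_coin = ckd_hardened(k, c, coin)  # coin_type level
        keys[chain], _ = ckd_hardened(k_coin, c_coin, 0)  # account level
    return keys


# ---- Weak-entropy failure mode (constructed, hypothetical) ------------------
ENTROPY_BITS = 14  # hypothetical wallet: the 64-byte seed depends on only 14 bits of state


def weak_wallet_seed(prng_state: int) -> bytes:
    """A wallet that fills its seed from a PRNG keyed with a tiny state instead of os.urandom."""
    rng = random.Random(prng_state)
    return rng.getrandbits(512).to_bytes(64, "big")


def fingerprint(k: int) -> str:
    """Stand-in for a public on-chain address. A real address hashes the public key;
    the EC step is omitted here, but the attacker's workflow (match a re-derived key
    against a public identifier) is identical."""
    return hashlib.sha256(k.to_bytes(32, "big")).hexdigest()[:16]


def recover_weak_seed(target_fp: str, chain: str) -> bytes | None:
    """Attacker side: enumerate the whole entropy space, re-derive the victim's key on
    one chain and stop at the first match. No access to the victim's device is needed."""
    for state in range(1 << ENTROPY_BITS):
        seed = weak_wallet_seed(state)
        if fingerprint(account_keys(seed)[chain]) == target_fp:
            return seed
    return None


if __name__ == "__main__":
    # Strong seed: one BIP39 phrase (the standard test phrase) -> keys for three chains.
    strong = bip39_seed("abandon " * 11 + "about")
    for chain, k in account_keys(strong).items():
        print(f"{chain:9s} m/44'/{COIN_TYPES[chain]}'/0' = {k:064x}")

    # Weak seed: recovering it from one Bitcoin identifier hands over every other chain too.
    victim_seed = weak_wallet_seed(0x2A5F)
    victim_keys = account_keys(victim_seed)
    recovered = recover_weak_seed(fingerprint(victim_keys["bitcoin"]), "bitcoin")
    print("weak seed recovered:", recovered == victim_seed,
          "-> all chains drained:", account_keys(recovered) == victim_keys)
```

The brute force matches on a single chain’s identifier but returns the seed, and from the seed `account_keys` reproduces the Bitcoin, Ethereum and Tron keys at once; that is the same shape as the Atomic Wallet drain, where victims lost assets on every chain without any per-chain interaction. The real cost of such an attack is the size of the entropy space, which is why a wallet’s entropy source is as security-critical as its key storage.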

Several user-filed lawsuits in Europe and the US sought damages from Atomic Wallet, arguing that the company had a duty to warn users of known security weaknesses and to investigate the breach more transparently. The cases raised, in multiple jurisdictions, the question of a software provider’s liability for funds lost through its application.

Timeline

  • 3 June 2023 — First unauthorised drainages detected; affected users report losses publicly on social media and Reddit.
  • 4–5 June 2023 — Elliptic estimates $35M lost; figure rises to $100M over subsequent days as more affected wallets are identified. Atomic Wallet acknowledges the incident.
  • June 2023 — Blockchain analysts identify laundering pattern consistent with Lazarus Group; funds routed through TRON-based bridges and Sinbad mixer.
  • November 2023 — US Treasury OFAC sanctions the Sinbad.io cryptocurrency mixer used to launder Atomic Wallet proceeds and those from other Lazarus operations.
  • 22 August 2023 — FBI publicly attributes the Atomic Wallet theft to North Korea’s Lazarus Group in a statement that also covers the Stake.com, CoinsPaid and Alphapo thefts.
  • 2024 — Lawsuits filed by affected users in Estonia and the United States proceed through early case management stages.

What defenders should learn

The Atomic Wallet incident punctured a widely held assumption in the cryptocurrency community: that a non-custodial wallet is categorically safer than a centralised exchange because there is no single honeypot to attack. That logic holds only if the wallet application itself is beyond compromise. In practice, a non-custodial wallet application with millions of installs is exactly a single honeypot — not for stored funds, but for the key-generation and key-storage code that protects those funds. If the application is compromised at the distribution or code level, a non-custodial architecture provides no additional protection compared to an exchange breach; it simply moves the failure point from the exchange’s servers to the user’s device.

The supply-chain attack vector, if that is what occurred, is particularly difficult to defend against from the user’s perspective. A user who downloads a wallet from an official app store or website has no practical way to verify what the distributed binary does. For an open-source wallet, reproducible builds and independent verification that the published binary matches the repository close that gap; Atomic Wallet is closed-source, so even that route is unavailable and the user is left trusting the vendor’s signing key and release pipeline. Code-signing with keys that are kept off the build servers, reproducible builds, and published attestations that independent parties can re-check are the tools that address this, but they require wallet developers to invest in the infrastructure and require users to check the attestation before installing.

The response failure is as important as the technical failure. Atomic Wallet never published a technical post-mortem explaining the entry point, the attacker’s method, or what was changed to prevent recurrence. For the affected users, this silence meant they had no way to assess whether funds in other wallets derived from the same seed phrase were also at risk; the only safe assumption was that the seed was burned and that everything derived from it had to be moved to a fresh seed generated on a different device. For the broader industry, it meant the defensive lessons were not shared. Transparency after a major breach is not solely an obligation to current users; it is a contribution to the security of the entire ecosystem that relies on the same classes of tooling.

The FBI’s attribution, and the growing list of Lazarus Group crypto operations, underlines that DPRK operators are methodically targeting every layer of crypto infrastructure: exchanges, bridges, protocols, custody providers, and now wallet software. The attack surface is not limited to any single category of target. Defenders across every layer need to treat DPRK-grade threat actor capability — patient reconnaissance, supply-chain awareness, and fast multi-chain laundering — as a baseline planning assumption, not an edge case.
