Cointime

Cointime

Download App
iOS & Android

SharkTeam: Analysis of the Attack Principles and Money Laundering Patterns in Atomic Wallet

On June 3rd, the cryptocurrency wallet Atomic Wallet was targeted in an attack, resulting in a significant amount of user assets being stolen. Some users suffered losses exceeding millions of dollars, causing widespread impact. SharkTeam conducted an analysis of the attack principles employed in this incident, as well as the hackers' money laundering patterns.

1. Analysis of the Attack Principles:

SharkTeam conducted a closed black-box testing on Atomic Wallet, focusing on the app and server API. The testing process is outlined as follows:

(1) The tested versions were Android's Atomic Wallet 1.13.20 and 1.15.1. We matched the packaging and publishing certificate information of the Android application and found them to be consistent with the official certificates. This ruled out the possibility of "repackaging + phishing websites" attacks aimed at stealing private keys.

(2) We analyzed the local cache files of the app and determined that sensitive data related to account information was obfuscated and encrypted.

(3) We conducted packet capturing during the app's runtime, but no attack behavior involving key upload or leakage was detected. Additionally, the data had undergone reasonable encryption measures.

(4) The Android client lacked dynamic protection and reinforcement measures, making it susceptible to injection attacks. Users could be targeted and their private keys compromised if they installed malicious apps controlled by hackers. These malicious apps could be installed through social engineering techniques or as pre-installed applications in certain malicious Android systems.

(5) By using a traffic monitoring tool to examine network connections and observing the HTTP, DNS, ICMP, SSH, and other traffic patterns after a period of operation, no obvious instances were found of the app sending sensitive data to third parties. Analysis of the interactions between the app and the backend API revealed that all API interfaces required authentication, and no unauthorized or hidden interfaces were discovered.

Based on the testing and analysis, we identified the following as the most likely attack vectors for this incident:

(1) It is possible that a malicious SDK was inadvertently introduced during the development process of Atomic Wallet, creating a backdoor through a "software supply chain attack" by which hackers gained unauthorized access.

(2) Leakage of information related to the data encryption algorithm, leading to the discovery of encryption methods and vulnerabilities, and subsequent brute-forcing of private keys.

(3) The lack of dynamic protection in the Android app client allowed for the implantation of malicious software into users' Android devices, enabling injection attacks to steal user passwords or private keys.

2. Analysis of Money Laundering Patterns:

As a result of the hacker attack on Atomic Wallet, users suffered losses of at least $35 million, with the top five victims accounting for $17 million. One particular user had $7.95 million stolen. Furthermore, according to ChainAegis, SharkTeam's on-chain security analysis platform, the total losses incurred by victims have exceeded $50 million. We conducted a fund flow analysis on the addresses of two victims from the top five in terms of losses. After eliminating the technical interference factors set up by the hackers (including a large number of false token transfers and transactions divided among multiple addresses), we identified the following money transfer patterns employed by the hackers:

Image: Atomic Wallet Victim 1 Fund Transfer View

Victim 1 address 0xb02d...c6072 transferred 304.36 ETH to the hacker's address 0x3916...6340. The funds were then divided eight times through the intermediate address 0x0159...7b70 before being aggregated to address 0x69ca...5324. Subsequently, the aggregated funds were transferred to address 0x514c...58f67, where they currently remain. The address holds a balance of 692.74 ETH (worth $1.27 million) in ETH.

Image: Atomic Wallet Victim 2 Fund Transfer View

Victim 2 address 0x0b45...d662 transferred 1.266 million USDT to the hacker's address 0xf0f7...79b3. The hacker divided it into three transactions, with two transfers going to Uniswap, totaling 1.266 million USDT. The remaining amount was transferred to address 0x49ce...80fb, with a transfer amount of 672.71 ETH. Victim 2 also transferred 22,000 USDT to the hacker's address 0x0d5a...08c2. The hacker utilized intermediate addresses like 0xec13...02d6 for multiple rounds of fund division, eventually consolidating the funds to address 0x3c2e...94a8.

This money laundering pattern closely aligns with the techniques observed in previous attacks by North Korean hackers in the Ronin Network and Harmony incidents. The pattern involves three steps:

(1) Consolidation and conversion of stolen funds: After the attack, the stolen tokens are consolidated and swapped for ETH using decentralized exchanges (DEX) or similar methods. This is a common practice to avoid freezing of funds.

(2) Aggregation of stolen funds: The consolidated ETH is collected in several one-time-use wallet addresses. In the Ronin incident, the hackers used nine such addresses, while in the Harmony incident, they used 14. In the case of the Atomic Wallet incident, nearly 30 addresses were used.

(3) Transfer of stolen funds: The collected funds are laundered using Tornado.Cash, effectively completing the entire money transfer process.

In addition to following the same money laundering pattern, there are significant similarities in the laundering details:

(1) The attackers demonstrate patience, conducting the laundering operations for up to a week. They initiate the subsequent laundering actions a few days after the initial attack. Currently, a portion of the stolen funds in the Atomic Wallet incident has been divided, but the process of mixing them through Tornado.Cash has not yet begun. It is likely that the mixing will commence in a few days.

(2) Automated transactions are utilized throughout the money laundering process. Most of the fund aggregation actions involve multiple transactions with small time intervals, following a consistent pattern.

Figure: View of Ronin Network breathfirst money laundering mode
Figure: View of Harmony breathfirst money laundering mode

Based on the on-chain analysis, we conclude the following:

(1) The money laundering techniques employed in the Atomic Wallet incident exhibit consistency with the laundering methods observed in the Ronin Network and Harmony incidents. These methods involve dividing funds among multiple accounts and conducting small-scale asset trans fers. Therefore, it is possible that The attackers are affiliated with North Korean hacker organizations.

(2) However, in the function transfer proces of the atomic incident, a significant number of false token transactions we identify. Technique to increase the diffical of analysis. fund division, with 23 of them being associated with false token transfers. This interference technique was not observed in the previous two incidents, indicating an upgrade in the hackers' money laundering tactics.

(3) Currently, the stolen funds from the Atomic Wallet incident remain in the divided addresses. If this is indeed an attack by North Korean hackers, the laundering process is not yet complete, and it is possible that the funds will be transferred to Tornado.Cash for mixing, similar to the Harmony incident.

(4) During the analysis of fund flows, addresses 0x3c2eebc and 0x3b4e6e7e were observed to interact with hot wallet addresses labeled as "Binance 18" and "Binance 14," respectively. However, due to the small transfer amounts, it is not ruled out that these interactions may not have undergone Know Your Customer (KYC) verification on the Binance platform.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg

SharkTeam
Comments

All Comments

Recommended for you

  • RWA platform Re completes new round of financing of US$7 million, led by Electric Capital

    Re, a tokenized reinsurance RWA platform, has completed a new round of funding of $7 million, led by Electric Capital. It is reported that the project had completed a seed round of funding of $14 million at the end of 2022. Re's goal is to support $200 million in premiums by the end of this year.

  • Crypto prediction market Polymarket has raised $70 million in two rounds of funding

    Peter Thiel's venture capital firm, Founders Fund, is investing in the cryptocurrency prediction market Polymarket. A spokesperson for Polymarket stated that the company has raised $70 million in two rounds of financing, with the latest round led by Founders Fund. The company's supporters also include Ethereum co-founder Vitalik Buterin, and it has been attracting users to predict the outcomes of various events, with bets on the 2024 US presidential election becoming the most popular contract on its platform.

  • ChainML raises $6.2m in seed extension funding for community-governed AI platform, Theoriq

    ChainML, a Silicon Valley-based AI and ML development and research lab, has raised $6.2m in seed extension funding for its AI platform called Theoriq. The funding round was led by Hack VC and included participation from several other venture capital firms. The company plans to use the funds to expand its development efforts and continue building community-governed AI systems based on principles of social evolution and blockchain technology. CEO Ron Bodkin expressed excitement about the potential for unlocking new potentials for AI integration within the decentralized space.

  • Zeta Markets Raises $5 Million in Token Funding Round

    Solana DEX Zeta Markets raised $5 million in a new round of funding led by Electric Capital. Other investors in this round of funding include Digital Asset Capital management company, Selini Capital, and Airtree Ventures. Angel investors include Solana's Anatoly Yakovenko, Helius' Mert Mumtaz, Tensor's Richard Wu, Pyth's Genia Mikhalchenko, Wintermute's JMR Luna, and Bonk's Nom also participated in this round of funding.

  • Tornado Cash Developer Alexey Pertsev Sentenced to 64 Months in Prison

    On Tuesday, a Dutch judge ruled that Tornado Cash developer Alexey Pertsev was guilty of money laundering. The court sentenced Pertsev to 64 months in prison. In August 2022, Tornado Cash was blacklisted by the US government, and this is the first time the developer has been sentenced to prison in the Netherlands. At the time, the US Treasury Department claimed that Tornado Cash was a key tool for the North Korean hacker group Lazarus. The Lazarus group is linked to the $625 million hack of Axie Infinity's Ronin Network and other major cryptocurrency thefts.

  • Dutch court finds Tornado Cash founder Alexey Pertsev guilty of money laundering

    A Dutch court composed of three judges has ruled that Tornado Cash developer Alexey Pertsev committed the crime of laundering $1.2 billion in illegal assets on a cryptocurrency mixing platform. It is expected that the panel will also sentence 31-year-old Russian resident Alexey Pertsev on Tuesday, and Pertsev's lawyer will have 14 days to appeal the judge's ruling. Experts say that this ruling will reshape the privacy protection process in the decentralized finance field and have a "chilling effect" on the development of open-source software that provides financial privacy protection tools for users.

  • Cross-border money laundering group laundered HK$88 million, 8 people arrested

    The Hong Kong Police Commercial Crime Bureau locked onto a cross-border money laundering group in November 2023. The investigation found that the group recruited mainlanders to open puppet bank accounts in Hong Kong from September 2023 to March 2024. They used various types of fraud, such as telephone scams, nude chat scams, investment scams, and job scams to defraud victims. The victims were instructed by the fraudsters to deposit the stolen money into the puppet accounts controlled by the criminal group. The group would then withdraw the stolen money from the puppet accounts in cash and buy cryptocurrencies on the over-the-counter (OTC) market. They would also open accounts on overseas cryptocurrency platforms with false identities and deposit the cryptocurrencies purchased with the stolen money before transferring them to multiple cryptocurrency wallets to launder the criminal proceeds. The police also pointed out that the group used 72 local puppet bank accounts to launder more than HKD 88 million in criminal proceeds, of which HKD 6.7 million was related to 48 fraud cases. As of yesterday, the police arrested 7 men and 1 woman aged between 26 and 51 for conspiring to launder black money. They claimed to be a lifeguard, photographer, telephone programmer, salesperson, and unemployed. Six of them were core members, and two were puppet account holders.

  • Sharp Alpha Advisors Raises $25M for Second Fund Targeting Early Stage Software Companies in Sports, Gaming, and Entertainment Industries

    New York-based venture capital firm Sharp Alpha Advisors has secured $25 million for its second fund, which will primarily invest in early stage software companies in the sports, gaming, and entertainment sectors. The fund aims to invest between $1 million and $2 million in 15 startups that fall under the category of "competitive entertainment," such as technology firms catering to sports betting, fantasy sports, streaming platforms, and video games. Sharp Alpha has already invested in London-based technology startup C15 Studio, which operates and distributes streaming channels for Formula 1 and One Championship, and plans to make further investments over the next three to five years. Additionally, the firm has a sidecar vehicle for limited partners to invest more money in individual companies within the fund.

  • Russian authorities plan to impose heavy fines on cryptocurrency miners operating in residential apartments

    Russian authorities have proposed imposing huge fines on cryptocurrency miners suspected of operating in residential properties. The authorities may also consider revising the Code of Administrative Offenses to hold those who abuse electricity accountable.

  • TheoriqAI Completes $6.2 Million Super-Seed Round of Financing, Led by Hack VC

    On May 14th, TheoriqAI, a modular AI agent infrastructure, announced on X platform that it has completed a $6.2 million Super-Seed round of financing. Hack VC led the investment, with participation from Foresight Ventures, HTX Ventures, Figment Capital, HASH CIB, Inception Capital, Antalpha Ventures, NewTribe Capital, Stateless Ventures, Bitscale Capital, Construct Ventures, Hypersphere, IOSG Ventures, LongHash Ventures, HashKey Capital, SNZ Holding, Chainlink.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company