Cointime

Cointime

Download App
iOS & Android

SharkTeam: Analysis of the Attack Principles and Money Laundering Patterns in Atomic Wallet

On June 3rd, the cryptocurrency wallet Atomic Wallet was targeted in an attack, resulting in a significant amount of user assets being stolen. Some users suffered losses exceeding millions of dollars, causing widespread impact. SharkTeam conducted an analysis of the attack principles employed in this incident, as well as the hackers' money laundering patterns.

1. Analysis of the Attack Principles:

SharkTeam conducted a closed black-box testing on Atomic Wallet, focusing on the app and server API. The testing process is outlined as follows:

(1) The tested versions were Android's Atomic Wallet 1.13.20 and 1.15.1. We matched the packaging and publishing certificate information of the Android application and found them to be consistent with the official certificates. This ruled out the possibility of "repackaging + phishing websites" attacks aimed at stealing private keys.

(2) We analyzed the local cache files of the app and determined that sensitive data related to account information was obfuscated and encrypted.

(3) We conducted packet capturing during the app's runtime, but no attack behavior involving key upload or leakage was detected. Additionally, the data had undergone reasonable encryption measures.

(4) The Android client lacked dynamic protection and reinforcement measures, making it susceptible to injection attacks. Users could be targeted and their private keys compromised if they installed malicious apps controlled by hackers. These malicious apps could be installed through social engineering techniques or as pre-installed applications in certain malicious Android systems.

(5) By using a traffic monitoring tool to examine network connections and observing the HTTP, DNS, ICMP, SSH, and other traffic patterns after a period of operation, no obvious instances were found of the app sending sensitive data to third parties. Analysis of the interactions between the app and the backend API revealed that all API interfaces required authentication, and no unauthorized or hidden interfaces were discovered.

Based on the testing and analysis, we identified the following as the most likely attack vectors for this incident:

(1) It is possible that a malicious SDK was inadvertently introduced during the development process of Atomic Wallet, creating a backdoor through a "software supply chain attack" by which hackers gained unauthorized access.

(2) Leakage of information related to the data encryption algorithm, leading to the discovery of encryption methods and vulnerabilities, and subsequent brute-forcing of private keys.

(3) The lack of dynamic protection in the Android app client allowed for the implantation of malicious software into users' Android devices, enabling injection attacks to steal user passwords or private keys.

2. Analysis of Money Laundering Patterns:

As a result of the hacker attack on Atomic Wallet, users suffered losses of at least $35 million, with the top five victims accounting for $17 million. One particular user had $7.95 million stolen. Furthermore, according to ChainAegis, SharkTeam's on-chain security analysis platform, the total losses incurred by victims have exceeded $50 million. We conducted a fund flow analysis on the addresses of two victims from the top five in terms of losses. After eliminating the technical interference factors set up by the hackers (including a large number of false token transfers and transactions divided among multiple addresses), we identified the following money transfer patterns employed by the hackers:

Image: Atomic Wallet Victim 1 Fund Transfer View

Victim 1 address 0xb02d...c6072 transferred 304.36 ETH to the hacker's address 0x3916...6340. The funds were then divided eight times through the intermediate address 0x0159...7b70 before being aggregated to address 0x69ca...5324. Subsequently, the aggregated funds were transferred to address 0x514c...58f67, where they currently remain. The address holds a balance of 692.74 ETH (worth $1.27 million) in ETH.

Image: Atomic Wallet Victim 2 Fund Transfer View

Victim 2 address 0x0b45...d662 transferred 1.266 million USDT to the hacker's address 0xf0f7...79b3. The hacker divided it into three transactions, with two transfers going to Uniswap, totaling 1.266 million USDT. The remaining amount was transferred to address 0x49ce...80fb, with a transfer amount of 672.71 ETH. Victim 2 also transferred 22,000 USDT to the hacker's address 0x0d5a...08c2. The hacker utilized intermediate addresses like 0xec13...02d6 for multiple rounds of fund division, eventually consolidating the funds to address 0x3c2e...94a8.

This money laundering pattern closely aligns with the techniques observed in previous attacks by North Korean hackers in the Ronin Network and Harmony incidents. The pattern involves three steps:

(1) Consolidation and conversion of stolen funds: After the attack, the stolen tokens are consolidated and swapped for ETH using decentralized exchanges (DEX) or similar methods. This is a common practice to avoid freezing of funds.

(2) Aggregation of stolen funds: The consolidated ETH is collected in several one-time-use wallet addresses. In the Ronin incident, the hackers used nine such addresses, while in the Harmony incident, they used 14. In the case of the Atomic Wallet incident, nearly 30 addresses were used.

(3) Transfer of stolen funds: The collected funds are laundered using Tornado.Cash, effectively completing the entire money transfer process.

In addition to following the same money laundering pattern, there are significant similarities in the laundering details:

(1) The attackers demonstrate patience, conducting the laundering operations for up to a week. They initiate the subsequent laundering actions a few days after the initial attack. Currently, a portion of the stolen funds in the Atomic Wallet incident has been divided, but the process of mixing them through Tornado.Cash has not yet begun. It is likely that the mixing will commence in a few days.

(2) Automated transactions are utilized throughout the money laundering process. Most of the fund aggregation actions involve multiple transactions with small time intervals, following a consistent pattern.

Figure: View of Ronin Network breathfirst money laundering mode
Figure: View of Harmony breathfirst money laundering mode

Based on the on-chain analysis, we conclude the following:

(1) The money laundering techniques employed in the Atomic Wallet incident exhibit consistency with the laundering methods observed in the Ronin Network and Harmony incidents. These methods involve dividing funds among multiple accounts and conducting small-scale asset trans fers. Therefore, it is possible that The attackers are affiliated with North Korean hacker organizations.

(2) However, in the function transfer proces of the atomic incident, a significant number of false token transactions we identify. Technique to increase the diffical of analysis. fund division, with 23 of them being associated with false token transfers. This interference technique was not observed in the previous two incidents, indicating an upgrade in the hackers' money laundering tactics.

(3) Currently, the stolen funds from the Atomic Wallet incident remain in the divided addresses. If this is indeed an attack by North Korean hackers, the laundering process is not yet complete, and it is possible that the funds will be transferred to Tornado.Cash for mixing, similar to the Harmony incident.

(4) During the analysis of fund flows, addresses 0x3c2eebc and 0x3b4e6e7e were observed to interact with hot wallet addresses labeled as "Binance 18" and "Binance 14," respectively. However, due to the small transfer amounts, it is not ruled out that these interactions may not have undergone Know Your Customer (KYC) verification on the Binance platform.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg

SharkTeam
Comments

All Comments

Recommended for you

  • US Spot Ethereum ETF Sees Net Outflow of $4.93 Million

    On June 13, according to monitoring by Trader T, the US spot Ethereum ETF experienced a net outflow of $4.93 million yesterday.

  • US Spot Bitcoin ETF Sees Net Inflow of $85.82 Million Yesterday

    On June 13, according to monitoring by Trader T, the US spot Bitcoin ETF recorded a net inflow of $85.82 million yesterday.

  • U.S. Bans Foreign Access to Fable 5 and Mythos 5; Anthropic Issues Detailed Rebuttal

    On June 13, Anthropic issued a statement announcing that the U.S. government, citing national security powers, has released an export control directive requiring the suspension of all access to the AI models Fable 5 and Mythos 5 by foreign entities, regardless of whether the individuals are within the U.S., including Anthropic employees who are foreign nationals. The practical effect of this order is that we must immediately disable access to Fable 5 and Mythos 5 for all customers to ensure compliance. Access to all other Anthropic models will not be affected. We received the government's directive at 5:21 PM (Eastern Time) today. The letter did not specify the details of its national security concerns. Our understanding is that the government believes it has become aware of a method to bypass or 'jailbreak' Fable 5. So far, the government has only provided us with verbal evidence suggesting the existence of a potential narrow, non-general jailbreak, essentially by requiring the model to read specific code libraries and fix any software defects. We are complying with the government's legitimate directive and are in the process of removing all users' access to Fable 5 and Mythos 5. However, we disagree with the conclusion that 'a narrow potential jailbreak vulnerability should be the reason to recall commercial models deployed to hundreds of millions of users.' (Jinshi)

  • Iranian Foreign Minister: Iran-U.S. Memorandum of Understanding May Be Signed in Days

    On June 13, Iranian media reported that Iranian Foreign Minister Amir-Abdollahian stated that once the final stage of negotiations between Iran and the U.S. is completed, the memorandum of understanding will be signed and announced immediately. The first phase will be signed electronically from a distance, "which may happen in the coming days." (Xinhua News Agency)

  • U.S. Officials: U.S. and Iran Close to Agreement, Signing Expected in Coming Days

    On June 13, Reuters reported that a senior U.S. official stated on Friday local time that the U.S. and Iran have not yet truly reached the finish line, but are very close to finalizing an agreement to resolve their conflicts. Washington expects to sign the agreement in the coming days. 'The negotiating team has put us in a very favorable position, but we still need to see, we haven't really reached the finish line, but we are very close,' the U.S. official said. The official noted that the agreed terms achieve a core goal of Trump. The memorandum of understanding includes the reopening of the Strait of Hormuz and the lifting of U.S. blockades on Iranian ports. Iran's highly enriched uranium will also be destroyed on-site and subsequently removed from the country. 'Iran will not gain anything from signing the memorandum or from the negotiations themselves,' the official said. 'They will receive economic rewards for fulfilling the obligations set forth in the agreement. Therefore, if they commit to handing over nuclear materials, they will gain something. If they dismantle their nuclear program or facilities, they will receive additional benefits.'

  • Iran's Foreign Ministry: Iran is Reviewing Draft Memorandum of Understanding

    On June 13, local time on the 12th, Iranian Foreign Ministry spokesperson Baghaei stated that Iran and the United States have reached an understanding on most issues, and Iran is currently in the final stages of compiling the text of the memorandum of understanding. Therefore, the previous statement by Iranian Foreign Minister Amir-Abdollahian that 'the two sides are very close to reaching an understanding' is accurate and noteworthy. Meetings of relevant decision-making bodies are ongoing, and this is a process that is being continuously advanced. To achieve a final and decisive outcome, consensus must be formed among decision-making bodies and relevant departments. Baghaei also mentioned that various speculations regarding the content of the agreement text have not been confirmed. Although specific details of the diplomatic process cannot be publicly discussed at this time, this does not mean that the public does not have the right to be informed. (CCTV News)

  • SpaceX Opens at $150 on First Day of Trading, IPO Price Set at $135

    On June 12, SpaceX opened at $150 on its first day of trading, with an IPO price set at $135.

  • Iranian Foreign Minister Claims Iran and US 'Have Never Been Closer' to Memorandum of Understanding

    On June 12, Iranian Foreign Minister Amir-Abdollahian stated on social media that Iran and the US 'have never been closer' to reaching a memorandum of understanding. He urged the media to refrain from speculating on its contents before finalization. The Iranian side will disclose all details in due course. (CCTV News)

  • BTC Surpasses $64,000

    Market data shows that BTC has surpassed $64,000, currently priced at $64,107.99, with a 24-hour increase of 2.18%. The market is experiencing significant volatility, so please ensure proper risk management.

  • ARM Soars Nearly 10%, Bank of America Predicts Server CPU Market to Quadruple by 2030

    On June 12, ARM surged nearly 10%, reaching $376.18. According to a recent forecast by Vivek Arya, an analyst at Bank of America Global Research, the total addressable market (TAM) for server CPUs is expected to skyrocket from $35 billion in 2025 to over $170 billion by 2030. This significantly exceeds the bank's previous prediction of a $125 billion market size for server CPUs by 2030. Arya stated in the report, 'We believe the rise of agent-based AI is a powerful demand accelerator that not only expands the market opportunities for CPUs but also benefits Intel, AMD, and challengers based on Arm architecture.'

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company