Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 141 · Private Key Compromise

Atomic Wallet Mass Compromise

A Lazarus operation targeted Atomic Wallet's software, not individual seeds, draining $100M+ from roughly 5,500 users and bypassing self-custody guarantees.

Date: June 3, 2023
Funds Stolen: $100M+
Attribution: Lazarus Group (DPRK)

On June 3, 2023, users of the Estonian self-custodial wallet Atomic Wallet began reporting that their balances had been drained without their consent. Within days, blockchain analytics firm Elliptic confirmed losses exceeded $100 million across more than 5,500 user wallets. It was the largest mass-compromise of a self-custodial wallet to date.

What happened

Atomic Wallet is a non-custodial multi-chain wallet. Each user's seed phrase is generated and stored locally on their device, never sent to Atomic's servers — at least in principle.

The exact technical vector was never publicly disclosed by Atomic Wallet itself, but the on-chain pattern was unambiguous: simultaneous outflows from thousands of independent user wallets, on multiple chains, all routed through the same set of attacker-controlled addresses. The pattern is consistent with one of two possibilities:

  1. A compromised software-update mechanism that pushed a malicious build to user devices, exfiltrating seed phrases.
  2. A vulnerability in Atomic's key-generation, key-storage, or backup-encryption code that let an attacker derive seeds en masse.

Either way, the trust model of "self-custodial" wallets was broken at the application layer — every key derivation depended on Atomic's code being safe and unmodified.

Elliptic and other firms attributed the operation to Lazarus Group based on laundering patterns and the use of cross-chain bridges followed by mixer deposits matching prior North Korean operations.

Aftermath

  • Atomic Wallet acknowledged the incident but initially claimed "less than 0.1% of users" were affected — a figure that did not survive contact with the on-chain data.
  • A class-action lawsuit was filed against Atomic Wallet and its proprietor in 2023; affected users argued the company had misrepresented its security posture.
  • The stolen funds were laundered through Sinbad, Tornado Cash and various cross-chain routes.
  • No public recoveries.

Why it matters

Atomic Wallet broke the assumption that "self-custodial" automatically means safe from mass compromise. If thousands of users run the same wallet software, that software is a centralised target — and a compromise of the software supply chain (build pipeline, update server, signing key) can equal a compromise of every user it serves. The lesson recurs in the Bybit supply-chain attack two years later, at much higher scale.
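The update-channel half of that supply chain is the part a wallet client can defend itself against. The following is an added illustration, not Atomic Wallet's code and not a description of how its updater actually worked: a hypothetical updater that pins the release public key into the installed binary and refuses any build whose signed manifest does not verify, or whose downloaded bytes do not hash to the value the manifest commits to. The manifest format, function names and sample artifacts are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the hypothetical signed release descriptor: the version string and
// the SHA-256 of the build artifact it authorises. (Constructed for this example.)
type Manifest struct {
	Version     string
	ArtifactSHA string // lowercase hex SHA-256 of the artifact
}

// Bytes is the canonical encoding that gets signed; both sides must agree on it.
func (m Manifest) Bytes() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.ArtifactSHA + "\n")
}

// NewManifest hashes an artifact and wraps the result in a Manifest.
func NewManifest(version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	return Manifest{Version: version, ArtifactSHA: hex.EncodeToString(sum[:])}
}

// SignManifest is the release-side step: the build pipeline signs the manifest
// with the Ed25519 release key (ideally held offline or in an HSM).
func SignManifest(releasePriv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(releasePriv, m.Bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned release key")
	ErrHashMismatch = errors.New("artifact hash does not match the signed manifest")
)

// VerifyUpdate is the client-side gate a wallet updater would run before
// installing anything: the manifest must verify under the public key pinned in
// the already-installed binary, and the downloaded artifact must hash to the
// value the manifest commits to. Bytes from the update server are never trusted
// on their own.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, artifact []byte) error {
	if len(pinnedPub) != ed25519.PublicKeySize || !ed25519.Verify(pinnedPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.ArtifactSHA {
		return ErrHashMismatch
	}
	return nil
}

// RunScenarios exercises three deliveries against one pinned key and returns the
// outcome of each: a genuine release, a release whose artifact was swapped on the
// update server after signing, and a build signed with a key the client never pinned.
func RunScenarios() (genuine, swapped, foreignKey error) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a wallet build.
	artifact := []byte("constructed wallet build 1.2.3")
	m := NewManifest("1.2.3", artifact)
	sig := SignManifest(releasePriv, m)

	// 1. Untouched release: signature and hash both check out.
	genuine = VerifyUpdate(releasePub, m, sig, artifact)

	// 2. Same signed manifest, but the artifact on the update server was replaced.
	swapped = VerifyUpdate(releasePub, m, sig, []byte("constructed tampered build 1.2.3"))

	// 3. A manifest for a different build, signed with some other key. The client
	//    trusts only the pinned release key, so the signature check fails first.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	other := []byte("constructed unauthorised build 1.2.4")
	om := NewManifest("1.2.4", other)
	foreignKey = VerifyUpdate(releasePub, om, SignManifest(otherPriv, om), other)
	return
}

func main() {
	genuine, swapped, foreignKey := RunScenarios()
	fmt.Println("genuine release:    ", genuine)
	fmt.Println("swapped artifact:   ", swapped)
	fmt.Println("foreign signing key:", foreignKey)
}
```

Two caveats follow directly from the page's own list of supply-chain components. The gate above only defends against a compromised update server: if the release signing key itself leaks, an attacker's manifest verifies exactly like a genuine one, which is why key custody, reproducible builds and a key-rotation path matter as much as the check. And it says nothing about the second hypothesis on this page, a flaw in key generation or backup encryption, which a correctly signed build would carry to every user just the same.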

Sources & on-chain evidence

  1. Elliptic: https://www.elliptic.co/blog/analysis/north-korea-linked-atomic-wallet-heist-tops-100-million
  2. Decrypt: https://decrypt.co/144444/north-korean-hackers-pocket-over-100-m-in-atomic-wallet-heist
  3. ClassAction.org: https://www.classaction.org/news/class-action-filed-over-2023-atomic-wallet-data-breach-in-which-100m-in-crypto-assets-was-stolen
