Analysis · 2023/06/08 · 7 min read

SharkTeam: Analysis of Atomic Wallet Attack Mechanism and Money Laundering Patterns

By 鸵鸟区块链 (Tuoniao Blockchain)


On June 3rd, the crypto wallet Atomic Wallet was attacked. User assets were stolen on a massive scale, with some individual users losing millions of dollars, and the impact was widespread. SharkTeam analyzes the attack mechanism and the hackers' money laundering patterns in this incident.

## I. Attack Mechanism Analysis

SharkTeam conducted closed black-box testing on Atomic Wallet's app and server APIs. The testing process overview is as follows:

(1) The tested versions were Android Atomic Wallet 1.13.20 and 1.15.1. We checked the Android application's packaging and release-signing certificate against the official certificate; they matched, ruling out a "repackaged app + phishing website" attack as the way private keys were stolen.

(2) We analyzed the app's local cache files and found that sensitive data related to account information was obfuscated and encrypted.

(3) We captured packets while the app was running and found no evidence of private keys being uploaded; the transmitted data had undergone reasonable encryption.

(4) The Android client lacked dynamic protection and hardening measures, leaving the running process open to injection attacks. A user could be compromised by installing a malicious app controlled by the hackers, leading to private key leakage. Such malicious apps could be installed through social engineering or shipped as built-in applications in some malicious Android builds.

(5) Using traffic monitoring tools to examine network connections, after observing HTTP, DNS, ICMP, SSH and other traffic for some time, we found no obvious sign of the app sending sensitive data to any third party. Analysis of the interaction between the app and the server backend API showed that every API endpoint required authorization, with no unauthorized or hidden API endpoints discovered.

Through testing and analysis, we believe the most likely attack vectors for this incident are:

(1) Atomic Wallet may have mistakenly introduced malicious SDKs during development, allowing hackers to leave backdoors through "software supply chain attacks."

(2) Information about the data encryption scheme leaked, allowing the encryption method and its weaknesses to be identified and private keys to be recovered.

(3) The Android app client lacked dynamic protection, and malicious software was implanted in users' Android devices, conducting injection attacks to steal user passwords or private keys.

## II. Money Laundering Pattern Analysis

Atomic Wallet users lost at least $35 million due to hacker attacks, with the top five losses reaching $17 million, including one user who lost $7.95 million. Additionally, according to data from SharkTeam's on-chain security analysis platform ChainAegis, victims' total losses have exceeded $50 million. We analyzed the fund flows of 2 victim addresses among the top 5 losses, and after removing technical interference factors set by hackers (numerous fake token transfer transactions + multi-address distribution), we obtained the hacker's fund transfer pattern:

**Figure: Atomic Wallet Victim 1 Fund Transfer View**

Victim 1 address 0xb02d...c6072 transferred 304.36 ETH to hacker address 0x3916...6340, which was distributed 8 times through intermediate address 0x0159...7b70, then consolidated to address 0x69ca...5324. Subsequently, the consolidated funds were transferred to address 0x514c...58f67, where the funds currently remain, with an ETH balance of 692.74 ETH (worth $1.27 million).

**Figure: Atomic Wallet Victim 2 Fund Transfer View**

Victim 2 address 0x0b45...d662 transferred 1.266 million USDT to hacker address 0xf0f7...79b3. The hacker split this into three transactions, with two transferred to Uniswap totaling 1.266 million USDT, and another transferring 672.71 ETH to address 0x49ce...80fb. Victim 2 transferred 22,000 USDT to hacker address 0x0d5a...08c2, which the hacker distributed multiple times through intermediate addresses like 0xec13...02d6, directly or indirectly consolidating funds to address 0x3c2e...94a8.

This money laundering pattern is highly consistent with those used by North Korean hackers in the earlier Ronin Network and Harmony attacks, each comprising three steps:

(1) **Stolen fund organization and exchange**: After launching the attack, gather the originally stolen tokens and swap the various tokens into ETH through DEXs and other means. This is a common way to avoid funds being frozen.

(2) **Stolen fund consolidation**: Consolidate organized ETH into several disposable wallet addresses. In the Ronin incident, hackers used 9 such addresses, Harmony used 14, and this Atomic Wallet incident used nearly 30 addresses.

(3) **Stolen fund withdrawal**: Use consolidation addresses to launder money through Tornado.Cash. This completes the entire fund transfer process.

Besides having the same money laundering pattern, there's also high consistency in laundering details:

(1) The attackers are very patient: in every case the laundering ran for up to a week, and the follow-up laundering actions only began several days after the incident. Currently, some stolen funds from the Atomic Wallet incident have been distributed but have not yet started mixing through Tornado.Cash; our analysis suggests mixing will likely begin within a few days.

(2) All laundering processes used automated trading, with most fund consolidation actions involving many transactions, small time intervals, and unified patterns.

**Figure: Ronin Network Breadth-First Money Laundering Pattern View**

**Figure: Harmony Breadth-First Money Laundering Pattern View**

Through on-chain analysis, we believe:

(1) Atomic laundering techniques are consistent with Ronin Network and Harmony laundering techniques, all using multi-account distribution and small-amount asset transfer methods. Therefore, attackers may originate from North Korean hacker organizations.

(2) However, during the Atomic incident's fund transfers, numerous fake token transactions appeared, which the hackers used in the hope of making analysis harder. In the fourth-level transaction network, 27 addresses were used for distribution transfers, of which 23 were fake token transfers. The previous two incidents did not use this interference technique, indicating that the hackers' laundering technology is also being upgraded.

(3) Currently, Atomic stolen funds remain in distribution addresses. If this was a North Korean hacker attack, laundering operations are not yet complete, and subsequent transfers to Tornado Cash for mixing may occur similar to the Harmony incident.

(4) In fund flow analysis, addresses 0x3c2eebc and 0x3b4e6e7e respectively interacted with hot wallet addresses tagged as Binance 18 and Binance 14, but due to small transfer amounts, the possibility of not having completed KYC verification on Binance cannot be ruled out.
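The fund-flow reconstruction described in this section (drop the fake-token noise, walk the transfer graph outward from the victim, then label addresses by whether they fan out, fan in, or hold the funds, and check the incoming transfers of a consolidation address for the short, uniform intervals of scripted behaviour) can be reproduced on a small ledger. The following is an added example, not SharkTeam or ChainAegis code; every address, token symbol, amount and timestamp in it is constructed to mirror the shape of the Victim 1 flow rather than taken from the incident, and the fan-in/fan-out threshold and the "real token" allowlist are assumptions an analyst would tune.

```python
"""Trace stolen-fund flows through a transfer graph, ignoring fake-token noise.

Added example (not SharkTeam/ChainAegis code). Addresses, tokens, amounts and
timestamps are constructed for illustration, not taken from the incident.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    token: str     # "ETH", "USDT", or any other ERC-20 symbol
    amount: float
    ts: int        # unix seconds


# Assumption: only these tokens carry real value; anything else is treated as
# the "fake token transfer" clutter the analysis has to strip out first.
REAL_TOKENS = {"ETH", "USDT"}

# Constructed ledger: victim -> hacker -> 8 splits -> consolidation -> final.
VICTIM, HACKER, CONSOL, FINAL = "0xVICTIM", "0xHACKER", "0xCONSOL", "0xFINAL"
SPLITS = [f"0xSPLIT{i}" for i in range(8)]
T0 = 1_685_750_000

LEDGER = [Transfer(VICTIM, HACKER, "ETH", 304.36, T0)]
# fan-out: 8 equal slices, 30 s apart (the uniform cadence of a script)
LEDGER += [Transfer(HACKER, SPLITS[i], "ETH", 38.045, T0 + 600 + 30 * i) for i in range(8)]
# fan-in two days later, again 30 s apart
LEDGER += [Transfer(SPLITS[i], CONSOL, "ETH", 38.045, T0 + 172_800 + 30 * i) for i in range(8)]
LEDGER += [Transfer(CONSOL, FINAL, "ETH", 304.36, T0 + 180_000)]
# noise: worthless tokens sprayed from and into the consolidation address
LEDGER += [Transfer(CONSOL, f"0xNOISE{i}", "FAKE-USDT", 1_000_000.0, T0 + 175_000 + i) for i in range(23)]
LEDGER += [Transfer(f"0xNOISE{i}", CONSOL, "AIRDROP", 5.0, T0 + 176_000 + i) for i in range(23)]


def real_transfers(ledger):
    """Keep only transfers of value-bearing tokens."""
    return [t for t in ledger if t.token in REAL_TOKENS]


def trace(ledger, start, max_depth=6):
    """Breadth-first walk over real transfers; returns {address: hops from start}."""
    out = defaultdict(list)
    for t in real_transfers(ledger):
        out[t.src].append(t)
    depth, queue = {start: 0}, deque([start])
    while queue:
        a = queue.popleft()
        if depth[a] >= max_depth:
            continue
        for t in out[a]:
            if t.dst not in depth:
                depth[t.dst] = depth[a] + 1
                queue.append(t.dst)
    return depth


def roles(ledger, reachable, fan=4):
    """Label traced addresses by the shape of their real transfers.

    `fan` (assumed threshold) is the number of counterparties at which an
    address counts as a distribution (fan-out) or consolidation (fan-in) node.
    Returns (labels, net balance per address over the traced sub-graph).
    """
    indeg, outdeg, balance = Counter(), Counter(), defaultdict(float)
    for t in real_transfers(ledger):
        if t.src in reachable and t.dst in reachable:
            outdeg[t.src] += 1
            indeg[t.dst] += 1
            balance[t.src] -= t.amount
            balance[t.dst] += t.amount
    labels = {}
    for a in reachable:
        if outdeg[a] >= fan:
            labels[a] = "distribution"
        elif indeg[a] >= fan:
            labels[a] = "consolidation"
        elif indeg[a] == 0:
            labels[a] = "origin"
        elif outdeg[a] == 0 and balance[a] > 0:
            labels[a] = "sink"        # funds currently rest here
        else:
            labels[a] = "pass-through"
    return labels, dict(balance)


def burst_signature(ledger, addr):
    """Timing and amount regularity of real transfers INTO addr.

    Scripted consolidation shows many transfers, a short median gap between
    them and near-identical amounts (spread close to 0).
    """
    ins = sorted((t for t in real_transfers(ledger) if t.dst == addr), key=lambda t: t.ts)
    if len(ins) < 2:
        return {"count": len(ins), "median_gap_s": None, "amount_spread": None}
    gaps = [b.ts - a.ts for a, b in zip(ins, ins[1:])]
    amounts = [t.amount for t in ins]
    return {"count": len(ins), "median_gap_s": median(gaps),
            "amount_spread": (max(amounts) - min(amounts)) / max(amounts)}


if __name__ == "__main__":
    depth = trace(LEDGER, VICTIM)
    labels, balance = roles(LEDGER, set(depth))
    for a in sorted(depth, key=depth.get):
        print(f"hop {depth[a]}  {a:10s}  {labels[a]:13s}  balance {balance.get(a, 0.0):10.3f} ETH")
    print("consolidation signature:", burst_signature(LEDGER, CONSOL))
```

Running the script lists the twelve addresses on the real-value path in hop order, labels `0xHACKER` as distribution, `0xCONSOL` as consolidation and `0xFINAL` as the sink holding 304.36 ETH, and reports eight incoming transfers at the consolidation address with a 30 s median gap and zero amount spread; none of the 23 `0xNOISE` addresses enter the trace because their transfers are filtered before the walk. On real data the allowlist would be replaced by a check against known token contracts and the threshold tuned to the depth at which fan-out actually occurred.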

## About Us

SharkTeam's vision is to comprehensively protect the security of the Web3 world. The team consists of experienced security professionals and senior researchers from around the world, proficient in blockchain and smart contract underlying theory, providing services including smart contract auditing, on-chain analysis, and emergency response. We have established long-term partnerships with key participants in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, Polygon, OKC, Huobi Global, imToken, and ChainIDE.

Website: https://www.sharkteam.org

Twitter: https://twitter.com/sharkteamorg

Discord: https://discord.gg/jGH9xXCjDZ

Telegram: https://t.me/sharkteamorg

tuoniaox.com content has been migrated to hashspring.com with editorial authorization. Future publishing will continue on hashspring.com.