- Blockchain intelligence firm Elliptic has said that North Korean hacking group Lazarus was likely behind the recent attack on Atomic Wallet
- Elliptic noted several similarities between this hack and previous Lazarus breaches
- Some $35 million worth of cryptocurrencies were stolen from Atomic Wallets users recently
Blockchain intelligence firm Elliptic revealed yesterday that North Korean hacking group Lazarus was likely behind the recent attack on Atomic Wallet, which saw approximately $35 million worth of various cryptocurrencies stolen. Elliptic’s investigation revealed that the stolen crypto had been transferred to a mixer called Sindbad.io, which is believed to be a successor to the previously sanctioned mixer Blender.io and has been frequently used for money laundering in other Lazarus-connected hacks. Elliptic also noted that the usage patterns observed in this incident closely resemble those seen in previous Lazarus operations, with connections also found between the wallets containing the stolen funds and some of the hacks previously attributed to the group.
Elliptic Says Hack Mirrors Previous Lazarus Breaches
Concerns over the security of Atomic Wallet began over the weekend when users reported that their wallets were being emptied, although this was initially played down, with the company stating that the incidents affected less than 1% of their monthly active users. The incident was picked up by noted crypto sleuth ZachXBT who dedicated days to tracking down the truth behind the claims, helping Atomic Wallet to work out what had happened and even recover funds for some users.
Elliptic said that it had traced the stolen funds through its software, noting that exchanges and other crypto-handling businesses could use the same software to detect any deposits originating from the stolen funds, before firmly stating its belief of the source of the hack, saying that it could be sure “with a high level of confidence” that North Korea’s Lazarus Group was behind the breach.
Elliptic attributed this to “multiple factors”, including:
- The process of laundering the stolen cryptoassets mirrors the exact steps previously utilized by the Lazarus Group to launder proceeds from past hacks.
- Specific services, such as the Sinbad mixer, are being employed to launder the stolen assets, just as they have been used in the past to launder proceeds from Lazarus Group’s previous hacks.
- There is a potential overlap between the stolen cryptoassets and wallets that contain proceeds from Lazarus Group’s prior hacking activities, indicating a co-mingling of funds.
Lazarus has been connected to many crypto hacks in recent years on behalf of the North Korean government, with this hack representing its first major breach since the $100 million exploit of Harmony’s Horizon Bridge in June 2022.