Consumer Electronics Daily was a Warren News publication.
Few ‘Safeguards’ Deployed

More Than $100M in Crypto Assets Stolen in Atomic Wallet Hack, Says Class Action

June 23, 2023 by Paul Gluckman|Top News

Countless” user accounts of Atomic Wallet, the cryptocurrency exchange platform, were hacked June 3, resulting in the loss of more than $100 million in global crypto assets, alleged a negligence class action Wednesday (docket 1:23-cv-01582) in U.S. District Court for Colorado in Denver. The company and founder-CEO Konstantin Gladych knew of existing “security vulnerabilities” since at least as early as 2022, “but failed to take necessary security measures or precautions to protect user data and funds,” it said.

Plaintiffs Robert Meany and Graham Dickinson collectively lost more than $75,000 due to Atomic Wallet’s failure to implement reasonable security “safeguards,” including those recommended by its own security consultant, “and other measures that a reasonable company in the same industry should have implemented under the circumstances,” alleged their complaint. The company also failed to deploy in-house training on “best practices” to prevent the introduction of security vulnerabilities, it said.

For cryptocurrency to “reasonably function in a sophisticated marketplace,” users must be able to “transact between currencies,” including lending and borrowing assets, and they must be able “to earn some rate of return on stored assets,” said the complaint. The wallets in which these assets are stored “must have an architecture and design, along with safety measures, which reasonably protect the stored assets from being compromised or hacked,” it said.

Atomic Wallet misrepresents itself as a secure platform, alleged the complaint. Its website says user private keys and “backup phrases” are stored locally on user devices and strongly encrypted, and the wallet and all operations within it are password-protected, it said. Atomic Wallet claims not to store any private data, and that wallets “are safe so long as users do not compromise their own devices,” it said. Despite warning users they should take their passwords seriously, Atomic Wallet “failed to take its own advice,” it said.

Least Authority, the consultancy that Atomic Wallet hired about a year before the hack to assess the platform’s security vulnerabilities, found users were at risk, said the complaint. It said the platform suffered from “a lack of adherence to wallet system best practices and standards, a lack of robust project documentation, and an incorrect use of Electron, a framework for building desktop apps,” it said. It recommended Atomic Wallet immediately notify users of the existing security vulnerabilities, but the platform failed to undertake the recommended “due diligence,” resulting in the June 3 hack, it said.

Atomic Wallet “downplayed the hack” on its blog and official Twitter account, saying fewer than 1% of its monthly active users were exposed, said the complaint. Elliptic Connect, a blockchain analysis company, traced the stolen funds and linked them to the “notorious” Lazarus Group, a state-sponsored entity operating out of North Korea, and believed to be responsible for stealing more than $2 billion in crypto assets through “various schemes,” it said. Elliptic said the stolen funds were linked to a “coin mixing” service called Sinbad, it said. Coin mixers “enable anonymity in cryptocurrency transactions by randomly mixing crypto transfers to obscure the origin and destination of the funds,” it said.

Atomic Wallet has since taken down its download server, likely out of concern that its software “was breached and to prevent the spread of further compromises,” said the complaint. It’s now collecting information from victims, asking what operating system they were using, where they downloaded the software, and what they were doing before their crypto assets were stolen, it said. “Based on the mass losses due to a single event hack,” Atomic Wallet and CEO Gladych “failed in providing sufficient security to prevent the hack,” it said.

Plaintiffs Meany of Connecticut and Dickinson of Colorado seek to represent a global class of Atomic Wallet users whose assets were stolen in the June 3 hack, said their class action. Their complaint seeks actual, direct and compensatory damages, plus “punitive damages as appropriate” and restitution and disgorgement of revenues “if warranted.” Atomic Wallet and its CEO didn’t respond Thursday to requests for comment.