Atomic Wallet Investigation
1. Match Systems is currently supporting several cases related to the hacking of Atomic Wallet (the largest of them for 8 million USD).
Criminal cases have already been opened for some of them, including in Kazakhstan and Estonia (case number 23221000007).
Criminal cases are known in at least 5 different jurisdictions. It is also known that Atomic Wallet executives have received a first summons for questioning by the police in Kazakhstan.
2. To launder the stolen funds, services that do not apply KYC and AML procedures to transactions were actively used:
- swap services and cross-chain platforms, both well-known (Uniswap, 1inch and others) and relatively new (SimpleSwap, SunSwap, SwftSwap and others);
- bridges and blockchains (Avalanche-C, Klaytn, Orbit), whose transactions are currently not traceable in the leading blockchain analyzers and require the native blockchain explorers for analysis;
- the Sinbad.io mixer.
Since the Atomic Wallet hack, we have seen a significant increase in the volume of funds passing through these services.
For example, Sinbad mixer volumes (data from Chainalysis) more than tripled in June.
The number of transactions on the SwftSwap service's operational address also grew by an order of magnitude in June.
In their money-laundering schemes the attackers use complex swap procedures and various "wrapped" tokens, which can be analyzed only with specialized tools (e.g., Phalcon).
In total, according to known data alone, cryptocurrency stolen from the victims' Atomic Wallet wallets with a total value of more than 100 million USD was laundered through the above services (in various combinations); the real figures may be much higher.
These services are currently not in active contact and refrain from any comment. In addition, some swap services (in particular, SimpleSwap) operate using the liquidity of top exchanges (primarily Binance and Huobi) and are not marked as separate entities in blockchain analyzers, which also makes it difficult to track the movement of stolen funds. In effect, when such swap services are used, the stolen funds pass through the exchange's "hot wallet" and are fully laundered by the time they leave the exchange.
It should be noted that anonymous swap services are now used more and more often by fraudsters in practice (not only in cases related to the Atomic Wallet hack), as they allow "dirty" funds to be laundered without any AML or KYC checks. Regulation of this segment of the crypto market is still at an embryonic level.
3. The current hack may have been caused by an insufficient level of security in the design of the wallet architecture. From open sources it became known that copies of Atomic Wallet users' private keys could be transferred to the Atomic Wallet company's server. The company's server may also have hosted wallet recovery phrases that were not sufficiently random, which could likewise have led to the theft.
Thus, Atomic Wallet employees and executives could have had access to users' private keys and wallet recovery phrases. Atomic Wallet's administration is not in contact with investigators and is not properly assisting in the investigation of the hack, including with law enforcement. Atomic Wallet representatives refer instead to their cooperation with Chainalysis, which is an official partner in the investigation of the incident.