
North Korea's Lazarus Group linked to Atomic Wallet heist

Users' cryptocurrency wallets look unlikely to be refilled

The North Korean criminal gang Lazarus Group has been blamed for last weekend's attack on Atomic Wallet that drained at least $35 million in cryptocurrency from private accounts.

Similarities between the Atomic Wallet attack and previous digital heists gave blockchain analysis firm Elliptic a "high level of confidence" in naming the notorious group, the outfit said in a report.

"We have identified a large number of victim wallets, allowing the stolen funds to be traced in our software," the Elliptic sleuths wrote. "Exchanges and other crypto businesses using Elliptic's tools can identify any deposits originating from the hack. Our Investigations Team is also following the transaction trail."

Atomic Wallet is an app for managing cryptocurrency on Windows, macOS, and some Linux distributions, as well as Android and iOS devices. Last weekend, an unknown number of the Estonia-headquartered company's five million users found that some or all of the crypto in their wallets had been removed. Some said they lost their entire savings.

Atomic Wallet has said little about the attack's details but self-described on-chain sleuth ZachXBT suggested that losses could add up to more than $35 million. The app maker has also publicly offered the attackers 10 percent of the funds in exchange for 90 percent of the crypto-cash being returned.

Connecting Lazarus Group to Atomic Wallet

Elliptic researchers said that by tracking some of the stolen crypto, they were able to collect information about how it was handled and laundered, with the audit trail pointing in the direction of Lazarus Group.

"The laundering of the stolen cryptoassets follows a series of steps that exactly match those employed to launder the proceeds of past hacks perpetrated by Lazarus Group," the researchers wrote.

The researchers added that the "stolen assets are being laundered using specific services, including the Sinbad mixer, which have also been used to launder the proceeds of past hacks perpetrated by the Lazarus Group." In addition, the stolen assets were mingled in wallets that also hold cryptocurrency stolen in previous attacks by the Lazarus Group.

Elliptic, and others, have previously tied the criminal gang to the theft of $620 million in crypto-assets from a decentralized finance (DeFi) platform used by the video game Axie Infinity and its developer, Sky Mavis. Lazarus is also thought to be responsible for the $100 million heist at Horizon Bridge, a cross-chain service used to transfer assets between Horizon developer Harmony's blockchain and other blockchains.

If the Atomic Wallet attack was launched by the North Koreans – and remember, Elliptic has a "high level of confidence" it was – it will be the first major crypto theft attributed to the group since the Harmony heist. It would also mean the funds are not coming back, since Pyongyang scoffs at attempts to arrest its operatives.

The Sinbad mixer

Elliptic tying the Sinbad mixer to the Atomic Wallet attack is a telling sign of Lazarus Group's involvement. Such blenders – or crypto tumblers – are key tools used to launder ill-gotten gains from thefts or ransom payments. The services let users deposit digital assets that go into a pool. Users can then withdraw assets of the same value they deposited, with the digi-cash sent to new addresses that are difficult to track or associate with the depositor.

Crypto blenders are legitimate tools that can be used for illegitimate means. Chainalysis, a blockchain company hired by Atomic Wallet to trace the stolen funds and to work with law enforcement and crypto exchanges, found that almost 10 percent of crypto held by miscreants was passed through a mixer in 2022.

In the wake of the US government's sanctions against Blender and Tornado Cash – two of the top mixers known for helping attackers launder stolen funds – a new mixer named Sinbad emerged, with Elliptic earlier this year suggesting it likely was a reboot of Blender.

Blender, accused by the US of helping Lazarus Group launder hundreds of millions of dollars in stolen digital assets, shut down in April 2022. Sinbad came onto the scene around six months later.

Mixers make tracking stolen crypto difficult, but government agencies and blockchain analysis firms are getting better at navigating the shadowy world of cybercriminals and crypto blenders. In September 2022, US investigators recovered $30 million stolen in the Axie Infinity attack.

Investigating money grabs like Atomic Wallet and clawing back as much of the stolen crypto as possible is important not only to return it to victims but also to keep it out of the hands of North Korea's leaders, who use much of the money stolen by Lazarus Group and others to fund the country's military and nuclear weapons programs. ®
