Atomic Wallet Hack: What Sprawling Hacks Look Like On-Chain
A thread of interesting things related to the Atomic Wallet hack, Lazarus, and what sprawling hacks look like on-chain. Learn about the theft of thousands of Atomic Wallet users and the on-chain alerts that were put in place.
Tay (@tayvano_)
A thread of misc. interesting things related to the Atomic Wallet hack, Lazarus, and especially what sprawling hacks look like on-chain.
(this thread is gunna get into the weeds. i suggest the other thread if you want something shallow and easy-to-digest) https://t.co/eBN8IycaHJ
— Tay (@tayvano_) June 14, 2023
On Fri June 2nd, thousands of Atomic Wallet users had their wallets drained across basically every chain.
Each theft involved 1-3 new addies. Initially we were only able to link thefts on-chain if they sent gas to multiple addresses.
(green guys are what we put alerts on first) pic.twitter.com/lyQRgKI3wz
— Tay (@tayvano_) June 14, 2023
The lack of consolidation means the majority of addresses collected so far came direct from users sharing their info w/ folks like @zachxbt or w/ Atomic, @Elliptic, @Slowmist, etc.
We have no idea how complete our lists are currently, or how long the long tail will be.
— Tay (@tayvano_) June 14, 2023
This distinct lack of consolidation also makes tracking a real bitch. Each address was drained to a new address, whether it was $7m or $7. We *still* have alerts on piles of addies.
On-chain it looks crazy different than, say, the Dec 25 BitKeep hack that consolidated instantly: pic.twitter.com/VUsx5JiDar
— Tay (@tayvano_) June 14, 2023
The timeline is also notably diff when comparing a hack like BitKeep.
Usually when draining 1k+ addies, hackers write scripts and just blast it out.
This results in most addies being drained in the same minute or two w/ a trailing tail for the remainder of the hour: pic.twitter.com/oSnrXXlo7N
— Tay (@tayvano_) June 14, 2023
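An added illustration of the two on-chain heuristics described in the tweets above (linking thief addresses that were gas-funded from the same source, and comparing a scripted "blast" drain timeline against a sprawling one). This is not code from the thread or from any of the tracing tools mentioned; the transactions, addresses and the 2-minute window are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions: (timestamp UTC, from, to, kind).
# "gas" = native-coin top-up so a fresh address can pay fees;
# "drain" = victim wallet -> attacker-controlled address.
TXS = [
    ("2023-06-02T21:00:00", "0xfunderA", "0xthief1", "gas"),
    ("2023-06-02T21:00:30", "0xfunderA", "0xthief2", "gas"),
    ("2023-06-02T21:01:00", "0xvictim1", "0xthief1", "drain"),
    ("2023-06-02T21:02:00", "0xvictim2", "0xthief2", "drain"),
    ("2023-06-02T23:30:00", "0xfunderB", "0xthief3", "gas"),
    ("2023-06-02T23:31:00", "0xvictim3", "0xthief3", "drain"),
    ("2023-06-03T17:00:00", "0xvictim4", "0xthief4", "drain"),
]

def cluster_by_gas_funder(txs):
    """Group receiving addresses that got fee gas from the same sender.
    A funder that tops up only one address yields no link, which is why
    unconsolidated thefts mostly had to be reported by victims instead."""
    funded = defaultdict(set)
    for _, src, dst, kind in txs:
        if kind == "gas":
            funded[src].add(dst)
    return {f: sorted(a) for f, a in funded.items() if len(a) > 1}

def drain_profile(txs, window_minutes=2):
    """Return (total span in hours, share of drains in the busiest window).
    A scripted blast puts most drains inside one short window; a sprawling
    hack spreads them over many hours with a low peak share."""
    times = sorted(datetime.fromisoformat(t) for t, _, _, k in txs if k == "drain")
    span_hours = (times[-1] - times[0]).total_seconds() / 3600
    window = timedelta(minutes=window_minutes)
    peak = max(sum(1 for u in times if t <= u < t + window) for t in times)
    return round(span_hours, 2), round(peak / len(times), 2)

if __name__ == "__main__":
    print(cluster_by_gas_funder(TXS))  # {'0xfunderA': ['0xthief1', '0xthief2']}
    print(drain_profile(TXS))          # (19.98, 0.5): ~20h span, half in one window
```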
But for the Atomic Wallet incident, the initial theft transactions ran for like 20 fucking hours.
~Fri Jun 2 @ 9pm UTC - Sat Jun 3 @ 5pm UTC
aka
~Sat Jun 3 @ 6am KST - Sun Jun 4 @ 2am KST pic.twitter.com/XYRCYpAo6k
— Tay (@tayvano_) June 14, 2023
And, yeah, I know, that graph only goes until 10:00am UTC.
That's bc they actually started to launder the largest thefts *while* still draining wallets, swapping tokens, and draining more wallets.
Also note how disparate the clusters w/ this hack are vs BitKeep: pic.twitter.com/KZ3RRfrb2j
— Tay (@tayvano_) June 14, 2023
After that the hackers got in a quick nap (lol) before doing some more clean up and beginning to systematically launder the largest thefts.
Laundering then continued for the next ~19hrs:
~Sun Jun 4 @ 5am UTC - Sun Jun 4 @ 11pm UTC
aka
~Sun Jun 4 @ 2pm KST - Mon Jun 5 @ 8am KST pic.twitter.com/MnLBKWtLmm
— Tay (@tayvano_) June 14, 2023
Lazarus typically starts their day a bit later (0 UTC) but I suspect the timing for this was chosen carefully to minimize detection by users, the Atomic Wallet team, investigators, and CEXs.
This is also likely why they went longer & harder all weekend. https://t.co/fsu9bYBu8X pic.twitter.com/SslWaVJehv
— Tay (@tayvano_) June 14, 2023
Specifically, the thefts started late Fri for Europe, where Atomic Wallet is presumably based.
The laundering ended just before Monday morning in Asia, where most of the CEXs they were using are generally based.
The first real sleep / break they got began Mon @ 8am KST. pic.twitter.com/nKC1MQpIsv
— Tay (@tayvano_) June 14, 2023
This isn't the first time we've seen Lazarus do these crazy weekend runs.
On Fri Jan 13 @ 8pm - Sat Jan 14 @ 5am UTC,
Lazarus moved a massive chunk of funds stolen from Harmony Bridge -> Railgun -> thru a crazy network of addies -> CEXs -> 1700+ BTC. https://t.co/EDJqNsER9n pic.twitter.com/6FvQqJFi0U
— Tay (@tayvano_) June 14, 2023
They quickly followed that session up on
Sat Jan 28 @ 3pm UTC - Sat Jan 28 @ 10pm UTC.
This laundry run was longer, even more sprawling, involved waaaaaay more addresses, and was more automated than the previous run. https://t.co/3ZTAuPGpcJ pic.twitter.com/5wvSc65Uyo
— Tay (@tayvano_) June 14, 2023
But he was right, ofc. Literally no one launders like Lazarus.
Their trails are just...weird. They do things that no one else does.
Plus they know more about the diff chains and bridges and contracts than anyone, even investigators.
And they evolve fast af. It's absurd tbh. pic.twitter.com/oavtq2D6qk
— Tay (@tayvano_) June 14, 2023
Like back in Jan they literally threw $50m from the Harmony hack into an unused protocol in a single night. Completely flooded the thing.
And even though folks were watching, millions still made it out the other side, some to cash, some still being re-laundered to this day. pic.twitter.com/Ds9Tr8y440
— Tay (@tayvano_) June 14, 2023
After that aforementioned Railgun run, I guess they didn't want to risk using a thing that's maybe decentralized or maybe decentralization-theatre? Esp. if it wasn't making them anon?
So, naturally, they just wrote their own contracts.
e.g. on Jan 28... https://t.co/3rkpG5xJ7P pic.twitter.com/FXU8QR6Ekt
— Tay (@tayvano_) June 14, 2023
And then on Feb 2... https://t.co/CYXnGhQg5T pic.twitter.com/KaaxyKQE01
— Tay (@tayvano_) June 14, 2023
And then about...well........3 hours and 39 minutes ago...... https://t.co/Ffo5VLWuCE pic.twitter.com/KQgBzoymGk
— Tay (@tayvano_) June 14, 2023
And that's the thing about Lazarus. They know more, do more. They're creative + resourceful + stubborn + don't care if you know it's them.
Their goal is to steal crypto so they can buy Maybachs & build nukes. They do just about anything to accomplish that. https://t.co/pPWWtSzbWb pic.twitter.com/KBA87ljaoN
— Tay (@tayvano_) June 14, 2023
They have literally thousands of people working around the clock to infiltrate, escalate, hack, steal, and launder.
The CEXs this latest round were amazing for freezing a lot of stolen funds before they got away, even in the middle of the night on a weekend. It was soooo good.
— Tay (@tayvano_) June 14, 2023
But all DPRK did was go to sleep early, wake up the next morning, grab another pile, push it into sinbad -> over literally every bridge that exists -> across a few chains -> wait until no one's watching or cares enough to yell.
Eventually, bit by bit, they get it out unnoticed. pic.twitter.com/IGyCPJFYr8
— Tay (@tayvano_) June 14, 2023
And it sucks too bc the guys actually doing the work don't ever see any of the $.
Nights, weekends, 3am, 3pm, 20hr shifts..clicking, scripting, checking txns...they don't do that tedious, miserable shit for a raise or hoping they'll be boss one day.
There's no being boss one day.
— Tay (@tayvano_) June 14, 2023
They do it bc they don't have a choice. They were born in North Korea instead of anywhere else and were trained up from a super young age.
You can hate them, ofc. But everyone's being exploited all the way down the stack. It's fucked. pic.twitter.com/hughjenk0i
— Tay (@tayvano_) June 14, 2023
How Lazarus laundered 800 Atomic Wallet victims on June 19th/20th: hop -> hop -> hop -> hop -> bridge eth -> avax -> bridge -> btc -> sinbad
(if you want to follow the money, just catch the sinbad outs. i'm doing this to figure out how much was stolen from how many people.) pic.twitter.com/WdTTxbEj5C
— Tay (@tayvano_) June 25, 2023