A popular provider of cryptocurrency wallets has revealed that some of its customers have been compromised, in a campaign that has already cost them an estimated tens of millions of dollars.
Atomic Wallet, which offers a decentralized wallet that supports over 500 coins and tokens, says its mission is to “provide a convenient way of managing cryptocurrencies.”
However, it tweeted on Saturday that reports had started coming in of customer wallets being compromised.
“At the moment less than 1% of our monthly active users have been affected/reported. Last drained transaction was confirmed over 40h ago,” it claimed in a tweet on Monday morning.
“Security investigation is ongoing. We report victim addresses to major exchanges and blockchain analytics to trace and block the stolen funds.”
One blockchain investigator going by the Twitter handle “@zackxbt” claimed as of Sunday that at least $35m had been stolen, with the biggest victim losing nearly $8m and the five biggest losses amounting to nearly half of the total ($17m).
More than 100 customer wallets have been listed as impacted by the attacks, and any additional users who have been compromised are urged to share their addresses and transaction hashes to help determine the scope and scale of the incident.
“The application that Atomic Wallet built was not built in a secure manner,” claimed another researcher, “@tayvano_,” on Twitter.
“Either someone pushed a malicious version of the application that stole users’ keys. Or they were inadvertently logging users’ keys to their servers and those servers were accessed by a malicious actor.”
They claimed the earliest detected raid on user wallets thus far dates back to Friday, June 2.
Opportunistic scammers appearing online are adding to the risk for those affected.
Some are taking to Twitter, impersonating Atomic Wallet through fake accounts that post links promising to return funds to compromised users. One of the scam accounts is even ‘authenticated’ by a Twitter gold checkmark, which should indicate a legitimate business.