Blockchain security and compliance firm Elliptic has provided an update on the $100 million stolen from Atomic Wallet, implicating the Lazarus Group, a North Korean hacking collective, as the likely perpetrators behind the attack. The group allegedly used the Russia-based crypto exchange Garantex, which is under U.S. sanctions, to launder the stolen assets. Lazarus evidently managed to find alternative ways to convert its assets into Bitcoin.
Background: On June 3, a security breach compromised several user accounts on Atomic Wallet, resulting in losses of up to $35 million in digital assets. Atomic Wallet engaged Chainalysis, a blockchain security and analysis firm, to investigate the incident. However, Chainalysis declined to comment on the Atomic Wallet case when approached by Cointelegraph for an update.
Garantex, founded in 2019, used to operate with an Estonian crypto license. The Estonian FIU revoked Garantex’s license in March 2022 for massive money laundering violations. Allegedly, around €5 billion per year was laundered. The crypto exchange shifted most of its operations to Moscow and was sanctioned by the U.S. Office of Foreign Assets Control in April 2022. The Treasury Department revealed that over $100 million in transactions associated with illicit actors and darknet markets were identified in Garantex’s records.
Recent reports indicated that the stolen funds were routed through the Sinbad.io mixer, a service commonly used by the Lazarus Group. Elliptic confirmed that the hackers are still obfuscating the funds withdrawn from Garantex using the Sinbad.io mixer. In May 2022, the U.S. Treasury Department also imposed sanctions on Blender.io, the previous version of Sinbad.io, warning that North Korea was employing the service to support cyber activities and launder stolen virtual currencies.
The Lazarus Group has gained notoriety for its involvement in various major cryptocurrency exploits over the past year, including the Harmony Bridge and the Ronin Bridge hacks. The group’s activities have demonstrated its proficiency in carrying out cyberattacks and targeting the cryptocurrency industry.