Investigators from blockchain analytics firm Elliptic found that some of the stolen funds from this month’s hack of Atomic Wallet have been moved to Garantex, a crypto exchange sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC).
At the time of imposing the sanctions, the Treasury estimated that Garantex had processed $100 million in transactions associated with illicit actors and darknet markets, including nearly $6 million from Russian ransomware-as-a-service (RaaS) gang Conti and $2.6 million from Hydra.
After a significant and successful cross-community effort between @elliptic, many of our exchange partners and friends to freeze stolen @AtomicWallet funds, Lazarus have now turned to OFAC-sanctioned Exchange, Garantex, to trade their assets for BTC…
— Elliptic Investigations (@Elliptic_Inv) June 12, 2023
The Elliptic investigators found that the hackers traded their assets for Bitcoin on the sanctioned crypto exchange, after which they laundered the withdrawn Bitcoin through the coin mixer Sinbad.
Earlier this month, a number of users took to Reddit to complain that they had lost the entirety of their crypto assets held on the non-custodial wallet Atomic. The firm addressed the reports in a tweet shortly after, saying they estimated less than 1% of monthly active users were impacted by the attack.
At the moment less than 1% of our monthly active users have been affected/reported. Last drained transaction was confirmed over 40h ago.
Security investigation is ongoing. We report victim addresses to major exchanges & blockchain analytics to trace and block the stolen funds.
— Atomic – Crypto Wallet (@AtomicWallet) June 5, 2023
Blockchain sleuth ZachXBT estimated that more than $35 million was stolen in the exploit, with multiple users losing six figures across multiple chains. Investigators from Elliptic later attributed the hack to Lazarus, the North Korean state-sponsored cybercrime group responsible for several blockchain exploits that collectively amounted to billions of dollars.
A June 11 report from the Wall Street Journal found that a portion of the $3 billion in crypto stolen by the North Korean hacking unit was used to fund the country’s nuclear programs.