Web3 is Going Just Great

The attacker was successfully able to transfer around 13.8 million STX (~$2 million) on the Stack BTC layer-2 chain. However, their attempts to steal assets notionally worth around $4.3 million from the project's BNB Chain implementation failed when they upgraded the project contract to a malicious version, but failed to prevent other people from calling the withdraw function. The attacker's first transactions to withdraw the funds themself failed, and an apparent whitehat hacker was able to step in and complete the withdrawal ahead of the exploiter. They later negotiated a deal for the funds' return, after offering a 10% "bounty".

The exploiter had also tried, and failed, to steal assets notionally worth around $5 million on the Ethereum blockchain, but failed to do so. ALEX Lab later announced they were able to recover or secure around $4.5 million of those assets. ALEX also later announced that they believed the attackers were part of the North Korean Lazarus Group.

Stake acknowledged the attack on their Twitter account, writing that "We are investigating and will get the wallets up as soon as they're completely re-secured."

Stake is an Australia-based cryptocurrency casino and sports betting platform that has enjoyed endorsements from various celebrities, and which shelled out $100 million in 2022 for an endorsement deal with Drake.

On September 6, the FBI announced that they believed the Lazarus Group was behind the theft. Lazarus is a group of North Korean state-sponsored hackers allegedly responsible for crypto hacks totaling hundreds of millions of dollars.

Following the thefts, Atomic Wallet tweeted that they were aware of the reports of wallet compromises, and that they were attempting to learn more about the attacks, but had not yet confirmed any method of attack. They've since taken down the wallet software download page, likely out of concern that the software itself has been compromised.

Crypto sleuth zachxbt compiled a list of reported compromised Atomic Wallets, finding that multiple individuals lost multiple millions in the attack. The largest known individual theft so far involved almost $8 million in USDT (Tether); other individuals lost $2.8 million in USDT and 1,897 ETH (~$3.5 million).

Users of Atomic Wallet have been advised to transfer their assets to other wallets.

On June 6, both zachxbt and blockchain research group Elliptic speculated that the laundering strategy by the thieves resembled that of the North Korea-linked Lazarus Group, which has been responsible for other major crypto thefts.

Tornado Cash is the most prominent cryptocurrency tumbler (or "mixer") and has been used in a multitude of instances to launder proceeds from cryptocurrency hacks and scams. In a press release, the Treasury Department named the North Korea-sponsored Lazarus Group's $625 million hack of Axie Infinity in March, the $100 million theft from Horizon Bridge in June, and the $190 million hack of the Nomad bridge in August as contributing to the decision.

Although Tornado Cash had claimed to be complying with sanctions in the wake of the Axie hack, the Treasury Department wrote in their press release that, "Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks".

Tornado Cash is also widely used to maintain privacy in a world where transactions are publicly visible, and it remains to be seen how the cryptocurrency ecosystem will react to this major development. Tornado Cash is also relatively decentralized in its operations, meaning it may be difficult for the sanctions list to be kept up to date and for the sanctions to be enforced.

The fallout from the sanction was swift: in the days following the action, Tornado's source code repository was removed from Github and the accounts of some of its developers were suspended; the project's Gitcoin funding page was taken down; and the project's own website, governance pages, and Discord server went offline.

The U.S. began sanctioning various wallet addresses belonging to the hackers in mid-April, though have faced obstacles given that it is trivial for the hackers to create new wallets. The use of cryptocurrency tumblers (also called "mixers") has also stymied the government's attempts to limit the DPRK's access to the ill-gotten funds. Blender is not the primary tumbler that Lazarus has been using — that would be Tornado Cash, which they have used to tumble more than $213 million from the hack. Tornado has taken perfunctory steps to comply with sanctions, but nothing that would meaningfully impact Lazarus' ability to use the service.