On June 3, 2023, one of the most devastating wallet-level attacks of the year unfolded as users of Atomic Wallet, a widely used non-custodial cryptocurrency wallet, reported massive unauthorized outflows from their accounts. By the time the dust settled, an estimated $100 million in digital assets had been siphoned from over 4,100 individual wallet addresses across multiple blockchains, including Ethereum, Tron, Bitcoin, XRP, Dogecoin, Stellar, and Litecoin. Blockchain analytics firm Elliptic quickly linked the attack to North Korea’s Lazarus Group, a conclusion later confirmed by the United States Federal Bureau of Investigation.
The Exploit Mechanics
The attack vector is consistent with what security researchers describe as a supply chain compromise or a highly targeted phishing campaign. Rather than exploiting a vulnerability in the blockchain protocols themselves, the attackers appear to have compromised the Atomic Wallet software distribution mechanism or injected malicious code that allowed them to access users’ private keys and seed phrases. Once the attackers obtained these credentials, they systematically drained victims’ wallets across seven different blockchain networks simultaneously, demonstrating a level of coordination and infrastructure preparation that is a hallmark of state-sponsored cyber operations.
Upon gaining access to victim wallets, the Lazarus operators moved swiftly to consolidate stolen assets. ERC-20 and TRC-20 tokens were immediately swapped for native assets—Ether and Tron—through decentralized exchanges, reducing the complexity of subsequent laundering steps. The stolen funds were then routed through a sophisticated multi-stage laundering pipeline that included automated software programs, cryptocurrency mixers such as Tornado Cash, and cross-chain bridges designed to obscure the transaction trail.
Affected Systems
The breadth of the attack was staggering. Atomic Wallet supported dozens of blockchain networks and thousands of tokens, making it a one-stop solution for users who preferred not to manage multiple wallet applications. The compromised assets spanned across Ethereum and its entire ERC-20 token ecosystem, the Tron network and TRC-20 tokens, Bitcoin, XRP Ledger, Dogecoin, Stellar, and Litecoin. With Bitcoin trading at approximately $27,075 and Ethereum at $1,892 at the time of the attack, the $100 million figure represented a substantial accumulation of high-value digital assets concentrated in the wallets of what Atomic Wallet described as its most active users.
On-chain analysis revealed that the attackers specifically targeted wallets with higher balances first, draining high-value accounts rapidly before the broader community became aware of the breach. This triage approach—going after the largest caches first and rushing funds to centralized exchanges for off-ramping—is a well-documented Lazarus tactic that maximizes the amount of funds successfully converted to fiat before blockchain monitoring tools flag the stolen addresses.
The Mitigation Strategy
Following the attack, Atomic Wallet urged all users to immediately stop using the application and transfer any remaining funds to new wallets generated on trusted, uncompromised platforms. The company collaborated with blockchain analytics firms including Elliptic and Chainalysis to trace the stolen funds and identify the laundering pathways. Major centralized exchanges were provided with lists of flagged wallet addresses to freeze any incoming deposits that could be traced back to the hack.
Law enforcement agencies across multiple jurisdictions coordinated their response, with the FBI issuing an official attribution statement linking the attack to Lazarus Group. The Office of Foreign Assets Control (OFAC) intensified its monitoring of addresses associated with North Korean cyber operations. However, the effectiveness of these measures was limited by the speed and sophistication of the laundering operation, which utilized cross-chain bridges to move funds from Ethereum to Avalanche, where they were swapped for Wrapped Bitcoin and then bridged to the Bitcoin blockchain—a pathway specifically designed to exploit the Bitcoin network’s relatively limited tracing capabilities compared to Ethereum.
Lessons Learned
The Atomic Wallet hack serves as a stark reminder that non-custodial wallet security extends far beyond the strength of a user’s seed phrase. The supply chain attack vector—where the software itself is compromised before it reaches the end user—represents one of the most difficult threats to defend against, as users have no way to independently verify the integrity of compiled binary distributions. The incident underscores the critical importance of hardware wallets for storing significant amounts of cryptocurrency, as devices like Ledger and Trezor keep private keys in isolated secure elements that are immune to software-level compromise.
For the broader ecosystem, the attack highlights the evolving sophistication of state-sponsored threat actors. Lazarus Group’s ability to simultaneously exploit users across seven different blockchain networks and then launder funds through a complex, multi-chain pipeline demonstrates a level of operational capability that far exceeds that of typical cybercriminal groups. The $100 million stolen from Atomic Wallet brought North Korea’s total crypto theft in 2023 alone to over $200 million, accounting for more than 20 percent of all cryptocurrency stolen that year.
User Action Required
Anyone who has ever used Atomic Wallet should take immediate steps to secure their assets. Generate fresh wallet addresses on a different, reputable wallet application—preferably a hardware wallet for any holdings exceeding a few hundred dollars. Never reuse seed phrases across multiple wallet platforms. Enable all available security features including two-factor authentication on exchange accounts and consider using multi-signature wallet solutions for large holdings. Monitor your wallet addresses using blockchain explorers and set up alerts for any unauthorized transactions. The Atomic Wallet breach is not an isolated incident—it is part of an ongoing campaign by state-sponsored actors, and vigilance remains the single most effective defense.
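The alerting step above, as an added example that is not code from Atomic Wallet or from this article: it flags outgoing transfers to destinations the owner has not allowlisted, and reports when they hit several chains within a short window, which is the pattern one leaked seed phrase produces. The `Transfer` record, `find_alerts`, and every address are hypothetical and constructed; a real deployment would feed the records from a blockchain explorer or node.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    chain: str
    sender: str
    recipient: str
    amount: float
    timestamp: int  # Unix seconds

def find_alerts(transfers, watched, allowlist, window=3600, min_chains=2):
    """Return (unauthorized, sweep_chains).

    unauthorized: transfers sent from a watched (chain, address) to a
    recipient that is not on the owner's allowlist, oldest first.
    sweep_chains: chains hit by such transfers inside one `window`-second
    span, if at least `min_chains` chains are involved; otherwise [].
    """
    unauthorized = sorted(
        (t for t in transfers
         if (t.chain, t.sender) in watched
         and (t.chain, t.recipient) not in allowlist),
        key=lambda t: t.timestamp,
    )
    best, start = set(), 0
    for end, t in enumerate(unauthorized):
        # Slide the window start forward until it spans <= `window` seconds.
        while t.timestamp - unauthorized[start].timestamp > window:
            start += 1
        chains = {u.chain for u in unauthorized[start:end + 1]}
        if len(chains) > len(best):
            best = chains
    sweep = sorted(best) if len(best) >= min_chains else []
    return unauthorized, sweep

# Constructed sample data: placeholder addresses, not real ones.
WATCHED = {("ethereum", "0xMINE"), ("tron", "T_MINE"), ("bitcoin", "bc1_mine")}
ALLOWLIST = {("ethereum", "0xMY_EXCHANGE_DEPOSIT")}
SAMPLE = [
    Transfer("ethereum", "0xMINE", "0xMY_EXCHANGE_DEPOSIT", 0.5, 1_000),
    Transfer("ethereum", "0xMINE", "0xUNKNOWN", 12.0, 50_000),
    Transfer("tron", "T_MINE", "T_UNKNOWN", 9000.0, 50_240),
    Transfer("bitcoin", "bc1_mine", "bc1_unknown", 0.8, 50_900),
    Transfer("ethereum", "0xOTHER", "0xMINE", 1.0, 51_000),  # incoming, ignored
]

if __name__ == "__main__":
    flagged, sweep = find_alerts(SAMPLE, WATCHED, ALLOWLIST)
    print(f"{len(flagged)} unauthorized transfers; multi-chain sweep: {sweep}")
```

A non-empty sweep result means every address derived from that seed should be treated as exposed, not only the ones that have already moved funds.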

4100 wallets drained and atomic still hasn't given a straight answer about how the supply chain got compromised. that's the wildest part to me
exactly. we are investigating for 3 years now. meanwhile lazarus is sitting on 100m and nobody can do anything about it
3 years of investigating and zero user compensation. at least ledger and trezor publish post-mortems
The amount of DeFi exploits is still way too high
Social engineering attacks are becoming more sophisticated
moved everything to hardware wallet after this. never trusting a desktop wallet with significant funds again
the fact that it hit 7 different chains shows how badly seed phrase security matters. one leak and everything goes
cross-chain seed reuse is the silent killer. one seed phrase securing assets across 7 chains means one compromise drains everything
4100 individual wallets drained across seven chains. the operational complexity of moving that much stolen funds is a reminder that Lazarus is state-sponsored infrastructure, not some lone hacker
and they will launder it through mixers and cross-chain bridges like they always do. by the time anyone traces it the funds are already in fiat