Russian investors launch action after being stung in $100mn crypto heist

By Jason Corcoran in Dublin August 21, 2023

A group of about 50 Russian and CIS high-net-worth clients are launching a class action against the crypto platform Atomic Wallet after their money was caught up in a $100mn heist, bne IntelliNews can reveal.

The class action is being co-ordinated by the German lawyer Max Gutbrod and Boris Feldman, a co-founder of Moscow firm Destra Legal.

Gutbrod, a former partner of over two decades at Baker & McKenzie in Moscow, told bne IntelliNews that they are representing about 50 clients who each lost overall $12mn by investing anything from $150,000-$200,000 or $1-$2mn.

“We are working on recovering the assets for our clients and we will be filing a class action against Atomic Wallet,” said Gutbrod. “They didn’t give our clients any information about the hack or go to the police to report it.”

The North Korean criminal gang Lazarus Group was initially blamed for the attack on Atomic Wallet in June that drained millions in cryptocurrency from private accounts.

However, Feldman maintains it is much more likely that a Ukrainian group had orchestrated the heist.

Destra is working on the case with blockchain analysis experts Match Systems, who are conducting their own investigation on behalf of the investors.

“They have found traces of involvement of Ukrainian hacker groups,” added Feldman.

A spokesman for Atomic Wallet did not immediately respond to a request for comment. 

Atomic Wallet is an app for managing cryptocurrency on Windows, macOS and some Linux distributions, as well as Android and iOS devices. On Google Play, Atomic’s wallet had over 1mn downloads.

In early June, an unknown number of the 5mn users of Estonia-headquartered Atomic Wallet found that some or all of the crypto in their wallets had been removed. Some said that they had lost their entire savings.

Atomic Wallet chief executive Konstantin Gladych told CoinDesk that his firm is co-operating with law enforcement agencies in Estonia and Kazakhstan, where they received a request from police.

Clients of the firm lost over $100mn worth of crypto in bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB and polygon (MATIC) over the first weekend of June, according to blockchain intelligence firm Elliptic. Over 5,500 wallets had been compromised in the hack.

The reason for the breach is unclear, as Atomic has not yet disclosed the specifics of its technical investigation. Atomic is a non-custodial mobile wallet: users retain their crypto private keys on their personal devices, so they do not need to rely on a custodian.

Dyma Budorin, the chief executive of blockchain security firm Hacken, told CoinDesk earlier this month that the wallet may have inherent flaws in its design.

Budorin suggested that Atomic’s generation of recovery phrases for its wallet lacked sufficient randomness, potentially enabling hackers to “brute-force” their way into the wallets.

“This hack is very vocal, highlighting the core problems in crypto wallets,” explained Budorin. “The wallets don’t pay enough attention to building a strong architecture with security best practices implemented.”

Budorin also mentioned the possibility of hackers deriving keys from the transaction data of Atomic’s users or exploiting vulnerabilities in the wallet manufacturer’s infrastructure.

In a June 20 blogpost, Atomic Wallet finally provided an update to its clients and reiterated its claim that “less than 0.1%” of app users had been affected by the heist – a claim ridiculed by many clients online.

In the post, the firm didn’t say what had caused the breach but laid out four of the most “probable” causes, including a virus on user devices, an infrastructure breach, a man-in-the-middle attack or malware code injection.

The use by Russians of cryptocurrencies has exploded since the war with Ukraine started.

Crypto is being used by many ordinary Russian citizens who are desperate to hang on to their savings inside a financial sector which is being choked by sanctions and the collapse of the ruble.

Russian financiers and ordinary Muscovites familiar to this journalist have been using cryptocurrency exchanges, such as Binance and Yobit, since the invasion began in order to circumvent sanctions and move their money overseas.

While the $1 trillion cryptocurrency market is simply not big enough to provide relief to the embattled Russian state, it has proven an effective mechanism for pro-Russian groups to raise funds and for individuals to store money.

“There has been a significant increase in crypto usage since the war,” added Feldman. “A lot of people left the country and are using cryptocurrencies to transfer and store funds.”
