Atomic Wallet hackers launder millions of stolen XRP tokens through centralized exchanges
- On-chain data has shown millions of XRP stolen in an Atomic Wallet hack leaking to exchanges.
- Binance received at least 280,000 XRP, and over 200,000 tokens went to KuCoin, WhiteBit, OKX, and Huobi Global. Some moved through MEXC.
- Forensics experts and CEXes are working together to freeze as many assets connected to the exploit as possible.
Atomic Wallet hackers have been spotted laundering huge sums of Ripple (XRP) tokens through centralized exchanges (CEXes). The news follows a report by XRP Forensics. Meanwhile, the remittance token is among the altcoins enjoying the Bitcoin optimism after BTC breached $30,000 on June 21.
Atomic Wallet hackers discovered shipping millions of XRP
Atomic Wallet exploiters have been discovered moving huge loads of illegally acquired XRP tokens through exchanges. According to recent insights by XRP Forensics, Binance, KuCoin, WhiteBit, OKEx, Huobi Global, and MEXC are some of the CEXes that have provided getaway avenues for the looters.
XRP Forensics is a team of dedicated forensics experts serving to prevent and counter financial crime on the XRP Ledger (XRPL). According to the team, the exploiters started moving the funds on Monday, generating new blockchain addresses in a strategy meant to circumvent blocklists established by crypto exchanges.
Cycling through exchanges to find new possible places to get rid of stolen XRP. Been through KuCoin, Huobi, WhiteBIT, SWFT, HitBTC and others, and now have had luck at what we believe is MEXC . Notice the small bites most recently on the chart. They still have ~18M left https://t.co/U5OsUMrAaW pic.twitter.com/0f0gsuzdKx
— XRP Forensics (xrplorer.com) (@xrpforensics) June 21, 2023
Based on the report, more than 280,000 XRP tokens were sent to Binance Exchange. Furthermore, upwards of 200,000 Ripple tokens were sent to several other exchanges, including KuCoin, WhiteBit, OKX, and Huobi Global, whose founder has recently sued the exchange he founded. The forensics team also suspects that some funds are moving through MEXC.
The XRP Forensics team also committed to recovering the stolen tokens, revealing a collaboration with the concerned platforms. In their words:
We are monitoring and working closely with exchanges to try and seize as much as possible.
True to their words, more revelations have come to light, with Wednesday reports showing the “leaking” of funds through the decentralized bridge, Orbit, where an additional three million XRP tokens were quickly laundered.
3+ million through this bridge. pic.twitter.com/OMR1FNRhfr
— XRP Forensics (xrplorer.com) (@xrpforensics) June 21, 2023
WhiteBit, one of the exchanges affected by the cyberattack, said in a statement on June 30 that it has blocked 700 addresses which may be linked to malicious transactions and that it was able to freeze part of the stolen funds, without specifying the amount.
Atomic Wallet hackers' alleged connection to North Korean Lazarus group
Atomic Wallet hackers have been linked to the infamous North Korean Lazarus group, with blockchain forensics experts at Elliptic tracing up to $35 million to a coin mixer that the Lazarus Group often uses to launder crypto assets. Notably, the stolen funds were being swapped for Bitcoin (BTC) before being laundered through ‘Sinbad.io.’
The Lazarus Group is notorious for leveraging blockchain bridges to move stolen funds. In a recent finding, MistTrack discovered this group of exploiters laundering 503.08 Ethereum (ETH), also stolen, via THORChain, a cross-chain liquidity protocol. As in the Elliptic case, the hackers are still converting their loot to BTC.
For example:
According to @MistTrack_io monitoring, the hacker address (0xad3c...1e44) transferred 503.08 $ETH to @THORChain in the last two days and swap for $BTC, then bridged to the BTC address (bc1q...k2xm). pic.twitter.com/Y0N7uptxg7
— MistTrack (@MistTrack_io) June 20, 2023
The group also used SwftCoin to bridge Ether to multiple Bitcoin addresses. The Russian crypto exchange Garantex has also been cited among the avenues used to liquidate the Lazarus Group’s assets, despite the platform being sanctioned by the Office of Foreign Assets Control (OFAC), which operates under the US Treasury Department.
After a significant and successful cross-community effort between @elliptic, many of our exchange partners and friends to freeze stolen @AtomicWallet funds, Lazarus have now turned to OFAC-sanctioned Exchange, Garantex, to trade their assets for BTC... pic.twitter.com/5Lk9DeGjr8
— Elliptic Investigations (@Elliptic_Inv) June 12, 2023