The crypto assets stolen during the Atomic Wallet hack have found their way to the sanctioned Russia-based cryptocurrency exchange Garantex, with the attackers trading the tokens for Bitcoin (BTC).
According to a tweet from blockchain analytics provider Elliptic, the hackers, believed to be part of the North Korean notorious Lazarus Group, have turned to Garantex as several crypto exchanges are working together to freeze funds related to the hack.
The Office of Foreign Assets Control (OFAC) sanctioned Garantex last year, a couple of months after Russian President Vladimir Putin attacked Ukraine. The U.S. Treasury stated that the platform had lax anti-money laundering measures and accommodated illicit players. However, the exchange continued its operations and played a significant role in facilitating illegal crypto transactions.
The non-custodial decentralized Atomic Wallet was compromised earlier this month, with multiple users reporting that their accounts were drained. While losses for the single largest victim ran into six figures, more than $35 million in crypto assets were siphoned through the attack. The stolen assets include BTC, Ether (ETH), Tether (USDT), Dogecoin (DOGE), Litecoin (LTC), BNB Coin (BNB), and Polygon (MATIC).
A few days after the exploit, the hackers funneled the stolen crypto to Sinbad.io, a crypto mixer used by the Lazarus Group to launder crypto assets. Funds from Garantex are still being moved to Sinbad.io.
Before moving the stolen assets to Garantex, the hackers used the on-chain trading platform 1inch to exchange them for USDT. From Garantex, they were swapped for BTC and moved to Sinbad.io.
The Atomic Wallet team claims that the attack affected less than 1% of its monthly active users. The team said they had engaged the services of blockchain security firm Chainalysis as the lead investigator and joined forces with several exchanges and analytics companies to track and freeze the stolen funds.
It remains unclear if Atomic Wallet has involved law enforcement authorities in the matter. Furthermore, the platform has not yet determined the attack vector or indicated whether compensation plans are underway.
