Attackers behind earlier this month’s $35 million exploit of crypto wallet Atomic Wallet are moving stolen funds via OFAC-sanctioned exchange Garantex, blockchain security firm Elliptic said Tuesday.
Elliptic investigators believe Atomic Wallet was hacked by the infamous North Korean hacking group Lazarus, as previously reported.
Last year, the Office of Foreign Assets Control (OFAC) of the U.S. Treasury sanctioned Garentex, stating the exchange had lax anti-money laundering measures and that it allowed “illicit players” to freely move money using the service. However, Garantex continues to operate.
Elliptic security researchers said in a tweet on Tuesday that several crypto exchanges have already frozen addresses related to the Atomic Wallet hack, but some funds have found their way to Garantex.
After a significant and successful cross-community effort between @elliptic, many of our exchange partners and friends to freeze stolen @AtomicWallet funds, Lazarus have now turned to OFAC-sanctioned Exchange, Garantex, to trade their assets for BTC... pic.twitter.com/5Lk9DeGjr8
— Elliptic Investigations (@Elliptic_Inv) June 12, 2023
These funds were previously exchanged via the on-chain trading tool 1inch, transferred to Garantex, and then traded for bitcoin (BTC). The bitcoin was then laundered through Sinbad, a bitcoin mixer service allegedly used by North Korean hacking groups.
Nearly $35 million worth of various tokens were stolen from Atomic Wallet, a centralized storage and wallet service, on June 3. These tokens include bitcoin (BTC), ether (ETH), tether (USDT), dogecoin (DOGE), litecoin (LTC), BNB coin (BNB) and Polygon's MATIC.
Atomic Wallet said at the time that the impacted users represented “less than 1% of its monthly active users.” Investigations were ongoing as of June 8.