In a new twist to the $100 million Atomic Wallet security breach saga, the victims appear to have now turned their focus onto the Estonian government.
The group of victims, referring to themselves as "Atomic Wallet Victims," have banded together to initiate coordinated legal actions across multiple jurisdictions against Atomic Wallet, the Estonia-based cryptocurrency firm that suffered a major hack in early June, allegedly carried out by a group linked to North Korea.
"We feel unheard, ignored, and dismissed. There has been no support, nor any assurance or apology from Atomic Wallet", says the group in the statement.
The group challenges Atomic Wallet's "self-proclaimed non-custodial status", arguing that the security breach exposed it as a de facto custodian, revealing its ability to remotely transfer funds without user action or knowledge.
The victims also raise suspicions of "possible insider involvement," linking the complexity and scale of the attack to what would seemingly require intimate knowledge of the system's infrastructure.
Further accusations suggest "a potential connection between the internationally sanctioned Russian-based exchange, Garantex, and Atomic Wallet." While not explicitly detailed in the statement, this assertion is likely influenced by media reports identifying Garantex (formerly also based in Estonia) as one of the destinations of the funds siphoned by the North Korea-linked Lazarus Group.
Garantex, a crypto service provider rumoured to have close ties to the Kremlin, migrated its operations from Estonia to Russia. Last year it was slapped with sanctions by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for aiding Russia in circumventing U.S. and international sanctions.
The interesting development is the victims implicate the Estonian government for "its lax regulations and lack of sufficient financial oversight, including in relation to anti-money laundering enforcement".
"Given the potential insider involvement, the scale of the breach, and the impact on Estonia’s international reputation, we urge the Estonian government to take immediate action".
The group says Atomic Wallet and its CEO, Konstantin Gladych (Konstantin Gladyshev), bear ultimate responsibility for the loss of funds, calling its investigation "suspicious" and "a cover up".
"We reject the findings of any investigation conducted by Atomic Wallet or their investigators due to the glaring conflict of interest."
The victims also appear to be rejecting Atomic Wallet's June 20 "unilaterally decided" plan to “seize and distribute frozen deposits among affected users”, demanding full reimbursement of the stolen funds, inclusive of interest charges.
"This breach has not only inflicted significant financial damage but also caused immense distress every single day; therefore, nothing short of comprehensive reparation including interest charges will suffice."
According to the statement, the group is working to engage "a global law firm to pursue legal actions against Atomic Wallet and Konstantin Gladych across multiple jurisdictions, including the EU, Estonia, Australia, Canada, the U.S., and Kazakhstan".
"These actions will be pursued at Atomic Wallet’s expense".
This development follows a lawsuit lodged last month by another group against Atomic Wallet in the U.S. District Court of Colorado, alleging that the company was cognizant of the security vulnerabilities but failed to implement preventative measures against potential cyber attacks.
Both victim groups seem to be employing "No Win No Fee" strategies for their legal representation. In this arrangement, lawyers or firms take on a class action case without any upfront fees or immediate out-of-pocket expenses. If the case is successful, all costs are deducted from the compensation payout awarded by the court. Additionally, the court may mandate that the losing party cover these legal costs on top of the compensation.
Atomic Wallet was contacted for comment, but did not respond by close of business.