Crypto-hunting hackers have stolen more than $22 million from the users of Electrum, a popular Bitcoin wallet, in the past two years using a “simple technique” involving fake updates, as per a ZDNet report Monday.
Researchers stated the technique was first observed in December 2018 and has since been reused in several attacks to swindle millions of dollars from unsuspecting Electrum users. The most recent of these attacks took place as recently as September, last month.
How an “update” proved expensive
Relevant posts on Bitcoin forums showed that the hackers managed to push “update” notifications for the Electrum app to victims’ devices. When victims installed the supposed update, their funds were immediately stolen and siphoned off to wallets allegedly controlled by the hackers.
The hackers seemed to have a clear idea of how the Electrum wallet operated, the registries it used, and how security was handled. It was with this knowledge that they were able to go undetected and steal from victims.
Here’s how they allegedly did it: All Electrum wallets are designed to connect to the Bitcoin network through ElectrumX, a network of Electrum servers that the wallet app uses to process transactions and store coins.
However, Electrum’s open-source approach meant that anyone, including a malicious operator, could set up their own ElectrumX gateway server. The attackers did exactly that, stood up malicious servers, and waited for wallets to connect to them; that connection is what made the rest of the scheme possible.
With a wallet connected, the attackers could instruct their server to display a (malicious) popup on the user’s screen with instructions for a “Security update,” as the image below shows:
The URL did not even point to Electrum’s official website, but to lookalike domains or GitHub repositories, as shown above. Users who followed it ended up installing a tampered version of the Electrum wallet. Once this was done and the user opened the app, it displayed a one-time password (OTP) prompt of the kind normally used before a fund transfer is requested; upon the user entering the correct OTP, all funds were transferred to the hackers’ wallets.
Stolen Bitcoin leads to a safeguard
As per the report, the hacker wallets hold over 1980 Bitcoin, valued at over $22 million at current prices. However, a large amount of that can be traced back to a single incident in August, when a user reported losing over 1,400 Bitcoin to an Electrum wallet attack.
Meanwhile, the Electrum team has tried to mitigate such occurrences in the future. A server blacklisting system is now live on ElectrumX servers to block malicious additions to the network, along with a wallet update that prevents servers from displaying HTML-formatted popups to end users.
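To make the mitigation concrete, here is an added example (not Electrum’s own code, and not taken from the report) of how a wallet client can treat messages pushed by a server: strip any HTML rather than render it, decode the remaining text, and flag links whose host is not on an allowlist so the UI shows a warning instead of a clickable “update” link. The allowlist host `wallet.example`, the sample payloads and the function names are all constructed for illustration.

```python
import html
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the client will treat as legitimate update
# sources. The real wallet's list (if any) is not part of the article.
TRUSTED_UPDATE_HOSTS = {"wallet.example"}

TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class ServerMessage:
    plain_text: str
    had_markup: bool
    untrusted_urls: list = field(default_factory=list)


def sanitize_server_message(raw: str) -> ServerMessage:
    """Reduce a server-supplied message to plain text the UI may display.

    A server can put anything into an error payload, so the client must never
    hand it to an HTML renderer. Tags are removed, entities are decoded once so
    the text reads normally, and every URL in the raw payload (including ones
    hidden inside href attributes) is checked against the allowlist.
    """
    had_markup = bool(TAG_RE.search(raw))
    # Collect URLs from the raw payload first so link targets inside tags are seen.
    untrusted = []
    for url in URL_RE.findall(raw):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_UPDATE_HOSTS:
            untrusted.append(url)
    text = TAG_RE.sub("", raw)
    text = html.unescape(text)
    text = " ".join(text.split())
    return ServerMessage(text, had_markup, untrusted)


def render_for_user(raw: str) -> str:
    """Return the string the wallet UI shows, prefixed with a warning when needed."""
    msg = sanitize_server_message(raw)
    lines = []
    if msg.had_markup or msg.untrusted_urls:
        lines.append("WARNING: the server sent markup or an unverified link; "
                     "do not follow it. Get updates only from the official site.")
    lines.append(msg.plain_text)
    return "\n".join(lines)


# Constructed samples of the kind of payload the article describes (not real captures).
SAMPLE_MALICIOUS = ('<b>Security update required.</b> Please download from '
                    '<a href="https://electrum-updates.lookalike.test/setup.exe">here</a>')
SAMPLE_BENIGN = "Transaction broadcast failed: insufficient fee"
SAMPLE_TRUSTED_LINK = "Release notes: https://wallet.example/notes"

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN, SAMPLE_TRUSTED_LINK):
        print(render_for_user(sample))
        print("---")
```

The design choice is deliberate: the client does not try to decide which HTML is “safe” to render; it refuses to render any, because the popup in this campaign was convincing precisely because the wallet displayed server text with the same styling and clickable links as its own dialogs.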
(Anti-FUD Note: The Electrum protocol or wallet security has itself not been compromised in any manner and remains completely safe at press time. The hack was made possible using a very specific malicious method that involved Electrum, and is broadly similar to how spoofed sites steal victim funds).