After a phishing attack on Electrum wallet, hackers made almost a million dollars in Bitcoin in less than a week
Since December 21st, a hacker, or a group of hackers, has stolen over 250 Bitcoin, which at the time of writing is worth about $937,000. The attack targeted users of the Electrum bitcoin wallet. How did the attackers get hold of such a large sum? They made the Electrum application itself show users a warning message urging them to download a malicious "update".
The update was presented as an improvement to the application, but the unauthorized GitHub link shown in the notification was not an active hyperlink. To get the alleged update, users were asked to copy and paste the link into their browser. GitHub admins have already been warned about the repository, which appears to belong to the attackers.
According to the main Reddit thread, filled with users' complaints and comments from several researchers, the attack is expected to resume soon with a new GitHub repository or a different download location. The Electrum developers have already taken steps to keep the attacker's servers away from their users, but the underlying weakness has not yet been fully patched.
The attack relied on malicious servers and a fake version of the wallet
The core problem is that Electrum servers were allowed to trigger pop-ups with arbitrary text inside users' wallets, so the misleading announcement looked authentic and legitimate. The attacker added a large number of malicious servers to the Electrum network, and the victims triggered the attack themselves simply by initiating Bitcoin transactions.
When a wallet happened to broadcast a transaction through one of the malicious servers, the server answered with an error message. The notification encouraged the user to download an update of the wallet application from the provided link "to prevent potential dangers". The link pointed to a GitHub repository and could not be opened by clicking on it, so the user was encouraged to copy and paste the address into their browser.
Users who followed the link ended up with a fake Electrum wallet. The fake app asks for the user's two-factor authentication code as soon as it starts, whereas the genuine Electrum only requests a 2FA code when sending funds. Despite this difference, a significant number of people fell for the scam. Once the attacker had the 2FA code, they were able to drain the victim's funds and transfer them to a predetermined Bitcoin address.
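The mechanism above, as an added illustration that is not Electrum's own code: a JSON-RPC error object of the kind an Electrum server returns after a failed broadcast is parsed, and its `message` field is shown to the user in two ways, once interpreted as rich text (the behaviour the attack abused, and what the later plain-text fix removed) and once treated as opaque, untrusted data. The server responses, the placeholder GitHub URL and the function names are constructed for this example and are not the attacker's actual repository or Electrum's API.

```python
"""Added example (not Electrum's code): why a server-supplied error string must be
treated as untrusted data rather than rendered as rich text in the wallet UI."""
import json
import re
from html.parser import HTMLParser

# Constructed sample: a hostile server's reply to a transaction broadcast.
# The URL is a placeholder, not the repository used in the real attack.
HOSTILE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 7,
    "error": {"code": 1, "message": (
        "<b>Your Electrum is out of date!</b><br>"
        "Download the update from "
        "<a href='https://github.com/attacker-placeholder/electrum'>"
        "https://github.com/attacker-placeholder/electrum</a>")},
})
# Constructed sample: an honest server rejecting a transaction.
BENIGN_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 8,
    "error": {"code": 1, "message": "transaction rejected: min relay fee not met"},
})
SUCCESS_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 9, "result": "deadbeef"})


class _RichTextSink(HTMLParser):
    """Models a rich-text widget: collects the visible text and every clickable href."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def server_error_message(raw):
    """Return error.message from a JSON-RPC reply, or None when the call succeeded."""
    err = json.loads(raw).get("error")
    if not isinstance(err, dict):
        return None
    return str(err.get("message", ""))


def render_rich(message):
    """Vulnerable: the server string is interpreted as markup.
    Returns (visible_text, clickable_links); the attacker controls both."""
    sink = _RichTextSink()
    sink.feed(message)
    sink.close()
    return "".join(sink.text), sink.links


# Anything that looks like a download instruction has no business in a server error.
_LINK_RE = re.compile(r"https?://|www\.|github\.com|\.onion\b", re.IGNORECASE)
MAX_SHOWN = 200  # cap so a server cannot pad the dialog into a convincing fake page


def is_suspicious(message):
    """Heuristic from this example (hypothetical): flag server text carrying links."""
    return bool(_LINK_RE.search(message))


def render_plain(message):
    """Hardened: markup is never interpreted (tags show up literally), link-bearing
    messages are replaced by a fixed warning, and the length is capped.
    Returns (visible_text, clickable_links); links is always empty."""
    if is_suspicious(message):
        return ("The server returned an error that is not safe to display. "
                "Updates are never announced through server messages."), []
    return message[:MAX_SHOWN], []


if __name__ == "__main__":
    for raw in (HOSTILE_RESPONSE, BENIGN_RESPONSE, SUCCESS_RESPONSE):
        msg = server_error_message(raw)
        if msg is None:
            print("broadcast succeeded, nothing to show")
            continue
        print("rich :", render_rich(msg))
        print("plain:", render_plain(msg))
```

The point of the two renderers is the trust boundary, not the regex: a wallet has no way to tell a malicious server from an honest one, so every byte a server sends back must be displayed as data, never as markup, and the client should refuse to relay anything that reads like a call to action.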
Users who haven't installed the fake update should be safe
At the moment, there is no information on whether the attack will be repeated. Until the investigation is complete, Electrum users should be cautious about using the wallet at all. Installing the fake update empties the wallet immediately, so anyone who has not yet done so should ignore any such "update" prompt.
As stated on the project's Twitter account, only users who connected to one of the malicious servers have been affected. Unfortunately, the full scale of this so-called hack is still unknown, and it is unclear how many further attacks await Electrum users. According to the Electrum developers, the phishing attack against wallet users is still ongoing.
The developers are updating the application, since the root cause is that server-supplied error messages were rendered as rich HTML text and displayed to every affected user. Once the necessary changes are made and the genuine update is released, users should be able to use the wallet without this risk. However, as SomberNight, one of the Electrum developers, has said, attacks on the platform may well continue:
We did not publicly disclose this [attack] until now, as around the time of the 3.3.2 release, the attacker stopped. However they now started the attack again.