Electrum Wallet Phishing Attack Leads to Nearly $1 Million Stolen

Phishers Steal Nearly $1 Million by Attacking Electrum Wallet Infrastructure

An unusual attack on the Electrum wallet infrastructure began on December 21, 2018, and the issue has not been fully resolved to this day. Users have already lost more than 200 bitcoins, which is just under one million US dollars at the current exchange rate. Electrum developers describe the incident as a phishing attack, and they are essentially correct—though it is not a typical phishing scheme.

An unknown hacker or group of hackers found a way to display what appeared to be official messages to legitimate wallet users, instructing them to immediately download and install an Electrum update from a GitHub repository. Of course, the repository mentioned in these messages was controlled by the attackers and distributed malware designed to steal cryptocurrency.

Although GitHub administrators removed one malicious repository, media reports and complaints from victims indicate that the attack quickly resumed with a link to a different repository. The core problem is not the repository itself, but the attackers’ ability to broadcast such phishing messages to users.

How the Attack Works

  1. The attacker added dozens of malicious servers to the Electrum network.
  2. Users of legitimate wallets initiate a Bitcoin transaction.
  3. As soon as the transaction reaches one of the attacker-controlled servers, it responds with an error—a phishing message urging the user to urgently download an “update” from a malicious site (the GitHub repository).
  4. The user clicks the link and downloads the malicious update.
  5. After installation, a compromised version of the wallet opens, immediately requesting the victim’s two-factor authentication code (which is normally only requested when transferring funds).
  6. Once the code is entered, the fake Electrum wallet uses it to steal the user’s funds and transfers them to the attackers’ address.

The main issue is that Electrum servers are allowed to display custom pop-up messages directly inside users’ wallets. The first wave of attacks was especially effective because the attackers’ messages were well-formatted, looked official, and only required the victim to click the provided link.

Current Status and Developer Response

Electrum developers have released update 3.3.2, which prevents attackers from creating such “colorful” fake messages. Now, phishing messages look like this:

Unfortunately, even in this less convincing form, fake error messages are still tricking new, unsuspecting victims. Some users even manually copy the now “unclickable” link, paste it into their browser, and still end up downloading the malicious update.
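To illustrate the client-side mitigation described above, here is an added example (not Electrum's own code) that treats a server's JSON-RPC error as untrusted data: it strips markup, defangs URLs so a GUI cannot render them as clickable links, and reports why a message looked suspicious. The sample responses, the example.invalid URL and the function names are constructed for this example.

```python
import html
import json
import re

# Constructed sample responses to a transaction broadcast request (not real captures).
BENIGN = json.dumps({"jsonrpc": "2.0", "id": 1, "error": {
    "code": 1, "message": "the transaction was rejected by network rules."}})
FIRST_WAVE = json.dumps({"jsonrpc": "2.0", "id": 2, "error": {"code": 1, "message":
    '<b>Your Electrum version is out of date.</b> Please install the update from '
    '<a href="https://example.invalid/electrum-update">GitHub</a> before sending.'}})
SECOND_WAVE = json.dumps({"jsonrpc": "2.0", "id": 3, "error": {"code": 1, "message":
    "Your Electrum version is out of date. Please update: "
    "https://example.invalid/electrum-update"}})

TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def sanitize_server_error(raw_response: str, max_len: int = 200) -> dict:
    """Reduce a server-supplied JSON-RPC error to short plain text.

    Markup is removed, URLs are defanged so they cannot become links, and the
    reasons the message looked suspicious are returned alongside the text.
    """
    obj = json.loads(raw_response)
    err = obj.get("error")
    if err is None:
        return {"text": "", "suspicious": False, "reasons": []}
    msg = err.get("message", "") if isinstance(err, dict) else str(err)
    reasons = []
    if TAG_RE.search(msg):
        reasons.append("html_markup")
    if URL_RE.search(msg):
        reasons.append("contains_url")
    text = html.unescape(TAG_RE.sub(" ", msg))  # drop tags, decode entities
    text = URL_RE.sub(lambda m: m.group(0).replace("://", "[://]").replace(".", "[.]"), text)
    text = " ".join(text.split())  # collapse newlines and runs of whitespace
    if len(text) > max_len:
        reasons.append("too_long")
        text = text[:max_len] + "..."
    return {"text": text, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, raw in [("benign", BENIGN), ("first_wave", FIRST_WAVE), ("second_wave", SECOND_WAVE)]:
        print(name, sanitize_server_error(raw))
```

A wallet that applies this before displaying anything from a server still shows the genuine rejection reason, but a phishing message loses its formatting and its working link and can be marked as suspicious in the UI.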

Developers warn that you should only trust the official website, electrum.org, and never download Electrum from any other sources.
