Simple Trick Lets Cybercriminals Steal $22 Million from Electrum Wallets
The first reports of issues with Electrum cryptocurrency wallets began appearing back in December 2018, when criminals attacked the project’s infrastructure and stole about one million dollars in cryptocurrency. At the time, Electrum developers described the incident as a phishing attack, and they were essentially correct—though it wasn’t a typical phishing scheme.
The attack was extremely simple: scammers found a way to display what looked like official messages to users of legitimate wallets, telling them they needed to immediately download and install an Electrum update from a GitHub repository. Of course, the repository mentioned in the messages was controlled by the attackers themselves and distributed malware designed to steal cryptocurrency.
How Electrum Works
Electrum wallets process transactions by connecting to the Bitcoin blockchain through a network of Electrum servers, known as ElectrumX. Typically, wallet applications control who can run such servers, but the Electrum ecosystem works differently: anyone can set up an ElectrumX gateway server.
This unique feature of the project is exactly what criminals exploit. They deploy malicious nodes and send users fake messages urging them to urgently update their wallet. The download link in these messages usually leads not to the official Electrum website (electrum.org), but to a similar-looking domain or directly to a GitHub repository.
If the victim doesn’t pay attention to the URL, they end up installing a malicious version of Electrum on their device. The next time the user tries to use their wallet, the malware asks for a one-time password. These passwords are only supposed to be requested to confirm a transfer, not when launching the wallet, but users often fall for the scam and enter the requested code—giving the malware official permission to transfer all their funds to the attacker’s account.
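The update lure described above can be screened for on the client side. The following Python function is an added example, not Electrum's own code: it flags a server-pushed message that contains HTML markup, that links to any host other than electrum.org (lookalike domains and GitHub included), or that combines such a link with update wording. The sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# The legitimate download site named in the article; everything else is off-site.
OFFICIAL_HOST = "electrum.org"
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")          # any HTML tag
URL_RE = re.compile(r"https?://[^\s\"'<>]+")             # bare http(s) URLs
UPDATE_WORDS = ("update", "upgrade", "new version")      # wording used by the lure


def host_is_official(url: str) -> bool:
    """True only for electrum.org itself or a subdomain of it.

    Lookalikes such as electrum-update.org or electrum.org.example.net fail,
    because neither equals the official host nor ends with '.electrum.org'.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)


def inspect_server_message(msg: str) -> list[str]:
    """Return the reasons a server-pushed message looks like the update scam.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    if TAG_RE.search(msg):
        reasons.append("html-markup")           # servers should not push HTML pop-ups
    for url in URL_RE.findall(msg):
        if not host_is_official(url):
            reasons.append(f"off-site-url:{urlparse(url).hostname}")
    urges_update = any(word in msg.lower() for word in UPDATE_WORDS)
    if urges_update and any(r.startswith("off-site-url") for r in reasons):
        reasons.append("update-lure")           # update wording plus a non-official link
    return reasons


# Constructed sample messages (not real captures).
SAMPLES = {
    "lure_github": "Your version is outdated. "
                   "<a href='https://github.com/placeholder-attacker/electrum'>Update now</a>",
    "lure_lookalike": "Please update: https://electrum-update.org/download",
    "benign_official": "Update to the latest release at https://electrum.org/#download",
    "benign_notice": "Server maintenance tonight; no action required.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, inspect_server_message(text) or "ok")
```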
Escalating Attacks and Developer Response
Unfortunately, by mid-2019 the situation had only gotten worse, even though the developers released patches and tried to fight these attacks. The developers even used a previously undisclosed DoS vulnerability in older Electrum clients to force them to stop connecting to attacker nodes and update. They also implemented a blacklist system for ElectrumX servers and banned servers from showing HTML pop-up windows to end users. Sadly, these measures didn't help much. As of April 2019, scammers had managed to steal about $4.6 million, and the Electrum infrastructure was under attack from a botnet that at its peak included over 152,000 hosts.
Now, according to a report from ZDNet, hackers have continued to use this attack method over the years, with some incidents occurring as recently as September 2020. Electrum users are still receiving fake pop-up messages urging them to update, and after doing so, their funds are immediately stolen by criminals.
Victim Complaints and Stolen Funds
According to journalists, wallets controlled by scammers using these attacks currently hold about 1,980 BTC, or roughly $22,000,000. If you add the 202 BTC stolen back in December 2018, the total amount stolen exceeds $24,600,000.
Notably, most of these funds appear to have been stolen in a single incident: in August 2020, a user reported the theft of 1,400 bitcoins (about $15,800,000) after updating their Electrum wallet.