Hackers steal over $22 million via Electrum wallet

According to an investigation by ZDNet, hackers stole over $22 million (1,980 BTC) via the Electrum wallet from 2019-2020. The attackers did this by sending Electrum wallet users a fake message telling them to update their wallet; however, if they followed through with the fake update, malware was installed on the wallet user’s computer that stole their funds the next time they logged into Electrum.

“They [the wallet user] eventually end up installing a malicious version of the Electrum wallet, which the next time the user tries to use will ask for a one-time passcode (OTP),” says the ZDNet report.

“Normally, these codes are only requested before sending funds, and not at the Electrum wallet’s startup. If users enter the requested code —and most do, thinking they are using the official wallet— they effectively give official approval for the malicious wallet to transfer all of their funds to an attacker’s account.”

This isn’t the first time hackers have exploited Electrum…

Attackers first began exploiting Electrum wallet users with this malware method in 2018. A ZDNet investigation discovered that over 200 BTC was stolen from Electrum wallet users in 2018 via the malware method where:

• The attacker added tens of malicious servers to the Electrum wallet network.
• Users of legitimate Electrum wallets initiate a Bitcoin transaction.
• If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
• User clicks the link and downloads the malicious update.
• When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
• The malicious Electrum wallet uses the 2FA code to steal the user’s funds and transfer them to the attacker’s Bitcoin addresses.

Better safe than sorry

Whenever an exploit or security breach occurs, it is never a bad time to give the friendly reminder that when money is at stake, you should always do your own research, double-check to make sure the digital currency wallet or exchange URL is genuine, and to ask any questions to the company’s administrators if you are unsure of a message you see on the site or an unusual request to update your software.