According to a ZDNet report, more than $22 million worth of Bitcoin has been stolen from users of the popular Electrum Bitcoin wallet over the last few years using a “simple technique”: fake application update prompts.
Attacks of this kind grow more sophisticated and harder to spot over time, and billions of dollars worth of crypto-assets are lost every year as a result. The Electrum campaign is a case in point: its operators appear to have tricked thousands of users.
Researchers have noted that this type of attack first surfaced in 2018 and has been used ever since to swindle millions of dollars from unsuspecting Electrum users. The most recent attack dates to September, the month before the report was published.
As per the report, the attackers pushed an “update” notification to the wallet application on victims' devices. Once victims installed the “update”, which was in fact a malicious build of the wallet, their funds ended up in wallets the attackers controlled.
The attackers clearly had a detailed understanding of how the Electrum client works: how it finds and talks to its servers, how it presents server messages to the user, and where its security checks were and were not. That understanding is what let them drain funds without triggering any alarm in the client.
How the attacks happened
Every Electrum wallet talks to the Bitcoin network through Electrum servers (ElectrumX is the most common server implementation). The client keeps the private keys and signs transactions locally; the servers only supply blockchain data such as address histories and relay signed transactions, so they never hold funds. Because the server software is open source and anyone may run a server, the attackers needed no insider: they simply set up ElectrumX servers of their own and joined the public network.
Clients that happened to pick one of those servers (Electrum selects servers automatically unless the user pins one) were then answered with a message purporting to be a “Security update” notice. In the campaign's original form the message arrived as the server's error response when the client tried to broadcast a transaction, so it appeared at exactly the moment the user was sending funds.
The message carried a link to domains and GitHub repositories that looked legitimate enough to fool an average user, and victims who followed it installed a malicious build of the Electrum wallet. The real project distributes releases only through electrum.org and signs each release with the developers' PGP keys; a build from any other source, or one whose signature does not verify, should be treated as malware.
When the malicious build was launched, it asked for the one-time password (OTP) that Electrum's two-factor wallets require before a transaction can be sent. Once the victim typed in a valid code, the malware used it to authorise a transaction sending the wallet's entire balance to the attackers.
The report states that more than 1,980 Bitcoin, worth approximately $22 million, is held in wallets controlled by the attackers. In a single incident in August, one user reported losing over 1,400 Bitcoin.
To address this, the Electrum team added a client-side blacklist of known malicious servers, so the wallet refuses to connect to them, and released an update that stops the client from rendering HTML in server-supplied messages and from letting a server trigger popups at all. The fix lives in the client, not on the servers, so users running older versions that still display raw server messages remain exposed to the same trick until they upgrade.
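To make the weak spot behind the attack and the shape of the fix concrete, here is an added example (not Electrum's code, nor the attackers'): it models how a hardened client should treat the reply it gets from an untrusted server when it broadcasts a transaction, covering both the phishing message described above and the blacklist and no-popup mitigations. The two server replies and the blacklist are constructed for this example; the function names and the hostname-glob blacklist format are assumptions of this example, not Electrum's API.

```python
"""Hardened handling of Electrum-style server replies (added example)."""
import fnmatch
import html
import json
import re

# Constructed: a benign reply to blockchain.transaction.broadcast, the
# Electrum protocol method a client calls to relay a signed transaction.
BENIGN_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 7,
    "result": "ab" * 32,                     # placeholder 64-hex-char txid
})

# Constructed: the shape of a phishing reply. Instead of a txid the server
# answers with an "error" whose message carries HTML and a download link.
MALICIOUS_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 7,
    "error": {"code": 1, "message": (
        "<b>Security update required.</b> Download the fixed client from "
        '<a href="https://github.com/attacker-example/electrum/releases">'
        "https://github.com/attacker-example/electrum/releases</a> "
        "before sending again.")},
})

# Constructed blacklist of hostname globs (assumed format, not Electrum's).
BLACKLIST = ["*.attacker-example.test", "evilserver.example"]

_TAG_RE = re.compile(r"<[^>]+>")
_URL_RE = re.compile(r"\b(?:https?|ftp)://\S+|\bwww\.\S+", re.IGNORECASE)
_HREF_RE = re.compile(r"href\s*=", re.IGNORECASE)
_TXID_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_blacklisted(host: str, blacklist=BLACKLIST) -> bool:
    """Case-insensitive glob match of a server hostname against the blacklist."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in blacklist)


def message_is_suspicious(message: str) -> bool:
    """A server error should be a short plain sentence; markup or links in it
    are a strong sign the server is trying to phish the user."""
    return bool(_TAG_RE.search(message) or _URL_RE.search(message)
                or _HREF_RE.search(message))


def sanitize_server_message(message: str, max_len: int = 200) -> str:
    """Reduce an untrusted server string to inert text for a log or plain label.

    Tags are stripped, URLs replaced, whitespace collapsed, the length capped
    so a server cannot flood the UI, and the remainder HTML-escaped so that a
    widget which does interpret markup still shows it literally.
    """
    text = _TAG_RE.sub("", message)
    text = _URL_RE.sub("[link removed]", text)
    text = " ".join(text.split())
    if len(text) > max_len:
        text = text[:max_len] + "..."
    return html.escape(text, quote=True)


def handle_broadcast_reply(raw: str, host: str) -> dict:
    """Process a broadcast reply the way a hardened client should.

    The server's words never become a popup with live markup: they are
    reduced to inert text, attributed to the server they came from, and
    handed back for the caller to log or show in a plain status line.
    """
    if is_blacklisted(host):
        return {"ok": False, "suspicious": True,
                "error_text": f"refused to use blacklisted server {host}"}
    try:
        reply = json.loads(raw)
    except ValueError:
        return {"ok": False, "suspicious": True,
                "error_text": f"malformed reply from {host}"}
    if "error" in reply:
        err = reply["error"]
        msg = err.get("message", "") if isinstance(err, dict) else str(err)
        return {"ok": False, "suspicious": message_is_suspicious(msg),
                "error_text": f"server {host} rejected tx: "
                              f"{sanitize_server_message(msg)}"}
    txid = reply.get("result")
    if not (isinstance(txid, str) and _TXID_RE.fullmatch(txid)):
        return {"ok": False, "suspicious": True,
                "error_text": f"server {host} returned a non-txid result"}
    return {"ok": True, "suspicious": False, "txid": txid.lower()}


if __name__ == "__main__":
    print(handle_broadcast_reply(BENIGN_REPLY, "electrum.example.net"))
    print(handle_broadcast_reply(MALICIOUS_REPLY, "electrumx.some-host.test"))
    print(handle_broadcast_reply(MALICIOUS_REPLY, "electrumx.attacker-example.test"))
```

The design choice worth noting is that the server never gets to decide how its text is shown: the client treats the error string as data, decides the display channel itself (a log line or plain status text, never a modal), and flags any message carrying markup or links so that a suspicious server can be dropped from the rotation before it is ever trusted with a user's attention.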