A simple technique has helped cybercrime gangs steal more than $22 million in funds from users of the Electrum wallet app, a ZDNet investigation has discovered.
This particular technique was first seen in December 2018. Since then, the attack pattern has been reused in multiple campaigns over the past two years.
ZDNet has tracked down multiple Bitcoin accounts where criminals have gathered stolen funds from attacks they carried out over the course of 2019 and 2020, with some attacks taking place as recently as last month, in September 2020.
Reports from victims submitted to Bitcoin abuse portals reveal the same story.
Users of the Electrum Bitcoin wallet app received an unexpected update request via a popup message; after they updated their wallet, their funds were immediately stolen and sent to an attacker's Bitcoin account.
The technique works because of the inner workings of the Electrum wallet app and its backend infrastructure.
To process any transactions, Electrum wallets are designed to connect to the Bitcoin blockchain through a network of Electrum servers — known as ElectrumX.
However, while some wallet applications control who can manage these servers, things are different in Electrum’s open ecosystem, where everyone can set up an ElectrumX gateway server.
Since 2018, cybercrime gangs have been abusing this loophole to spin up malicious servers and wait for users to randomly connect to their systems.
When this happens, the attackers instruct the server to show a popup on the user's screen, telling the user to visit a URL and download and install an Electrum wallet app update.
Usually, this update download link does not point to the official Electrum website, located at electrum.org, but to lookalike domains or GitHub repositories.
If users don't pay attention to the URL, they end up installing a malicious version of the Electrum wallet, which, the next time the user tries to use it, will ask for a one-time passcode (OTP).
Normally, these codes are only requested before sending funds, not at the Electrum wallet's startup. If users enter the requested code — and most do, thinking they are using the official wallet — they effectively authorize the malicious wallet to transfer all of their funds to an attacker's account.
Since December 2018, users have reported around ten Bitcoin accounts being used in what’s currently known as the “fake Electrum update scam.”
These wallets currently hold 1,980 bitcoin, which is just over $22 million at current exchange rates. Taking into account the 202 bitcoin stolen in our original December 2018 report, this brings the total to more than $24.6 million stolen with one simple technique.
However, it must be said that a large chunk of these funds appears to have been stolen in a single incident in August, when a user reported losing 1,400 bitcoin (~$15.8 million) after updating an Electrum wallet.
Since this technique was first seen in late 2018, the Electrum team has taken several steps to mitigate this attack.
They first implemented a server blacklisting system on ElectrumX servers to block malicious servers from joining the network, and they also shipped an update that prevents servers from showing HTML-formatted popups to end users.
Nevertheless, a malicious server still slips through the cracks now and then, and the attack continues to work well against Bitcoin users who still manage their funds with older versions of the Electrum wallet app.
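To make the attack path and the mitigation concrete, here is an added example (not Electrum's own code) of the kind of client-side check the second mitigation describes: before a server-supplied message is displayed, it is stripped of HTML, and any embedded link that does not point at the official electrum.org host, or any "update" prompt carrying a link, is flagged. The official host list and the two sample messages are assumptions constructed for this illustration.

```python
import html
import re
from urllib.parse import urlparse

# Assumption: the only legitimate download host is electrum.org (per the article).
OFFICIAL_HOSTS = {"electrum.org", "www.electrum.org"}
HTML_TAG = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_official_host(url: str) -> bool:
    """True only when the URL's host is exactly an official host.
    Lookalikes such as electrum.org.example or a GitHub repo fail this check."""
    try:
        host = urlparse(url).hostname or ""
    except ValueError:
        return False
    return host.lower() in OFFICIAL_HOSTS


def vet_server_message(message: str) -> dict:
    """Sanitize a message sent by an ElectrumX server for display and flag
    the markers of the fake-update popup described in the article."""
    findings = []
    unescaped = html.unescape(message)
    if HTML_TAG.search(unescaped):
        findings.append("html_markup")          # servers should not send markup
    urls = URL_RE.findall(unescaped)
    for url in urls:
        if not is_official_host(url):
            findings.append(f"unofficial_url:{urlparse(url).hostname}")
    plain = HTML_TAG.sub("", unescaped)          # what the user would actually see
    if urls and re.search(r"\bupdate\b", plain, re.IGNORECASE):
        findings.append("update_prompt_with_link")
    return {"display_text": plain.strip(), "suspicious": bool(findings), "findings": findings}


# Constructed sample messages (not real captures).
FAKE_UPDATE_POPUP = ("Your Electrum version is obsolete. Please update at "
                     "<a href='https://electrum-update.example/download'>this link</a>")
BENIGN_ERROR = "Server busy, please try again later"

if __name__ == "__main__":
    for msg in (FAKE_UPDATE_POPUP, BENIGN_ERROR):
        print(vet_server_message(msg))
```

A wallet that refuses to render a message when `suspicious` is true, and shows only `display_text` otherwise, removes the popup the scam depends on even when a malicious server slips past the blacklist.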