In August and September, a number of thefts surfaced, indicating that users of the Electrum Bitcoin software wallet had been hacked through vulnerabilities in older versions of the wallet. A new investigation details the process behind this exploit and the damage it has caused to users so far.

According to an investigation by ZDNet, hackers stole more than $25 million worth of Bitcoin through the vulnerability, of which 1,980 Bitcoins ($22.9 million) were stored in wallets associated with the attackers. According to reports in December 2018, 202 BTC ($2.3 million) had been stolen in an earlier attack. The largest hack occurred in late August, when a Bitcoin holder claimed on GitHub that he had lost 1,400 BTC to an attack exploiting the vulnerability. The next day, another user claimed to have lost 36.5 BTC due to using Electrum. Attackers have reportedly been using the same vulnerability to steal user funds since 2018.

According to the investigation, users of older versions of Electrum may be prompted to update the application, but this "security update" comes from external attackers rather than Electrum developers. Electrum uses ElectrumX servers to communicate with the Bitcoin blockchain, but the wallet app's open ecosystem means bad actors can spin up their own gateway servers and wait for users to connect. From there, an attacker could set up a startup prompt that tells the user that the app must be updated in order to send transactions, but that points the user to malware instead of a legitimate update. Once the malicious update was installed, the compromised Electrum wallet asked the user for a one-time password; if the password was provided, the funds would be stolen and sent to the attacker's address.
Newer versions of Electrum have implemented fixes to address this vulnerability, including blocking certain servers from popping up prompts and blacklisting servers, but these latest reports prove that older versions of the wallet are more vulnerable to attackers.

Electrum developer Thomas Voegtlin told Decrypt in August that the team had been aware of the phishing attack for some time and had been warning users through its website. Voegtlin said: “The warning had been displayed on our website for 18 months. The user was deceived because he was using old software that was vulnerable to phishing attacks.”

Voegtlin also commented on GitHub last month and advised any affected users to report the attack to the police. “Police investigations are ongoing in Germany and the UK. We (Electrum developers) reported the phishing attack to the police a year ago,” he said, adding: “I can't make any comments on the progress of the investigation, but it would help if the victim reported it to the police independently.”