Analysis of the theft of 1,400 bitcoins from Github users

Imagine that one day, while transferring money through Alipay, a pop-up window appears telling you that the transfer failed because your app version is too old.

If the pop-up not only reports the failure but also offers an Alipay update link, most people will click the link to update.

If that link is a phishing link that hands over permission to make transfers, the money in your account can be drained just as easily.

This time, a user ran into exactly such a situation.

On August 31 (Beijing time), CertiK Skynet detected that the 1,400 bitcoins stolen from GitHub user "1400BitcoinStolen" had begun moving to multiple different addresses.

The victim described the loss of 1,400 bitcoins in an issue on the Electrum GitHub repository and posted his bitcoin wallet address.

In the block explorer (reference link 3) it can be seen that on August 30 a total of 1,404 BTC (worth about $16.7 million at the time) left his wallet and landed in the attacker's wallet.

Event restoration and analysis

The user had been using the Electrum Bitcoin wallet, which he had last used in 2017. Electrum has released security updates since then, but the user had not installed them.

When a user sends a transaction with Electrum, the wallet broadcasts it to an Electrum server. If the server rejects the transaction, it returns an error message, which the wallet displays to the user in a pop-up window.

Electrum wallets prior to version 3.3.2 did not validate the error message returned by the server, and even rendered it as HTML (reference link 4).

It is worth noting that anyone can run an Electrum server. If a user's wallet connects to an attacker's server and broadcasts a transaction, that server can return any error message the attacker designs, for example one telling the user to update the Electrum wallet, as shown in the figure below.

The link in that message, however, points to malware written by the attacker. Once the user downloads and installs it and imports his wallet into it, the attacker transfers every bitcoin in the wallet away.

This is essentially a phishing attack, but because the phishing message is displayed by the official Electrum wallet itself, many users believe it.
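The exchange described above, as an added example that is not Electrum's own code: a simulated Electrum-protocol broadcast request answered by an attacker's server, with the pre-3.3 handling (server text handed straight to a rich-text dialog) beside a hardened handling that never displays server-controlled text and also checks the returned txid on success. The server functions, messages, phishing URL and raw transaction bytes are constructed; the bitcoind rejection strings are an illustrative subset, and the hardened handler is my own rendering of the approach, not Electrum's implementation.

```python
# Added example (not Electrum's code): Electrum-protocol broadcast against an attacker's server,
# old client behaviour beside a hardened one. Names, messages and URLs are constructed.
import hashlib
import html
import json
import re

# --- client -> server: JSON-RPC 2.0, one message per line, as in the Electrum protocol ---
def broadcast_request(rawtx_hex: str, req_id: int = 1) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": req_id,
                       "method": "blockchain.transaction.broadcast",
                       "params": [rawtx_hex]}) + "\n"

def txid(rawtx_hex: str) -> str:
    """Bitcoin txid: double-SHA256 of the raw transaction, displayed byte-reversed."""
    raw = bytes.fromhex(rawtx_hex)
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()

# --- attacker's server: rejects everything with a crafted, HTML-bearing "error" message ---
PHISH_HTML = ('<b>Transaction failed.</b> Your Electrum version is outdated. '
              '<a href="https://github.example/attacker/electrum/releases">Update now</a>')

def malicious_server(request_line: str) -> str:
    req = json.loads(request_line)
    return json.dumps({"jsonrpc": "2.0", "id": req["id"],
                       "error": {"code": 1, "message": PHISH_HTML}}) + "\n"

# --- honest server, used for the hardened client's success path ---
def honest_server(request_line: str) -> str:
    req = json.loads(request_line)
    return json.dumps({"jsonrpc": "2.0", "id": req["id"], "result": txid(req["params"][0])}) + "\n"

# --- vulnerable client (pre-3.3.x behaviour): server text goes straight into a rich-text dialog ---
def vulnerable_client_dialog(response_line: str) -> dict:
    resp = json.loads(response_line)
    if "error" in resp:
        body = resp["error"]["message"]            # attacker-controlled, unescaped
        # A rich-text widget renders the <a href>; these are the links the user can click.
        return {"title": "Error", "body": body, "links": re.findall(r'href="([^"]+)"', body)}
    return {"title": "Sent", "body": resp["result"], "links": []}

# --- hardened client: never display server text; map known rejections to client-owned wording ---
KNOWN_REJECTIONS = {   # substrings of bitcoind rejection reasons (illustrative subset) -> own text
    "dust": "An output is below the dust limit.",
    "min relay fee not met": "The fee is too low to be relayed.",
    "bad-txns-inputs-missingorspent": "An input is missing or already spent.",
    "non-final": "The transaction is not yet final (locktime/sequence).",
    "txn-mempool-conflict": "It conflicts with a transaction already in the mempool.",
}
GENERIC_REJECTION = "The server rejected the transaction. Check your connection or try another server."

def hardened_client_dialog(response_line: str, sent_rawtx_hex: str) -> dict:
    resp = json.loads(response_line)
    if "error" in resp:
        server_msg = str(resp["error"].get("message", ""))
        for needle, own_text in KNOWN_REJECTIONS.items():
            if needle in server_msg:            # whichever branch matches, only our own text is shown
                return {"title": "Transaction rejected", "body": own_text, "links": []}
        # Unknown reason: fixed client message; an escaped, truncated copy goes to the log only.
        return {"title": "Transaction rejected", "body": GENERIC_REJECTION, "links": [],
                "log": html.escape(server_msg[:200])}
    # Success path: the result must be the txid of what we sent; a server cannot substitute another.
    if resp.get("result") != txid(sent_rawtx_hex):
        return {"title": "Transaction rejected", "body": GENERIC_REJECTION, "links": [],
                "log": "txid mismatch: " + html.escape(str(resp.get("result"))[:80])}
    return {"title": "Sent", "body": resp["result"], "links": []}

# Constructed raw transaction bytes (not a valid Bitcoin transaction; only its hash matters here).
SAMPLE_RAWTX = "0200000001" + "ab" * 36 + "00ffffffff0100e1f50500000000" + "00" + "00000000"

if __name__ == "__main__":
    req = broadcast_request(SAMPLE_RAWTX)
    print("vulnerable :", vulnerable_client_dialog(malicious_server(req)))
    print("hardened   :", hardened_client_dialog(malicious_server(req), SAMPLE_RAWTX))
    print("honest srv :", hardened_client_dialog(honest_server(req), SAMPLE_RAWTX))
```

Running it prints three dialogs: the vulnerable one carries the attacker's clickable link, the hardened one shows only its own fixed text (the escaped server string is kept for the log), and the honest server's reply passes the txid check. Even if an attacker's message happens to contain one of the known substrings, the user still sees only the client's own wording; the server never chooses what is displayed.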

In this incident, the victim's wallet connected to a server controlled by the attacker, received the phishing message from that server, and the attacker then transferred all of his bitcoins away.

This problem with the Electrum wallet was already widely discussed at the end of 2018 (reference link 4).

Electrum fixed the issue in wallet version 3.3.4 in 2019. Since that version, the wallet no longer shows content returned by the server directly to the user, nor renders it as HTML.

In addition, because old versions of the wallet still have this problem, legitimate servers now deliberately deny service (a DoS) to wallets older than version 3.3 in order to force users to update (reference link 5).

CertiK Security Team Recommendations

Users should make sure the wallet they transact with is the latest version, since old versions may contain vulnerabilities that attackers can exploit.

When downloading a wallet update, users should check that the download URL matches the official one, and verify the release signature after the download completes.
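Two scripted versions of those checks, as an added example that is not part of the article or of Electrum's own tooling. The host allowlist and the all-zero fingerprint are placeholders: substitute the download host and the release-signing key fingerprint that the wallet project publishes on its official site. The GnuPG status lines are constructed to follow GnuPG's documented `--status-fd` format so that the decision logic can be exercised offline; `verify_download` runs the real `gpg` binary.

```python
# Added example (my own, not Electrum's tooling): download-URL and signature checks to run
# before installing a wallet build. OFFICIAL_HOSTS and EXPECTED_FINGERPRINT are placeholders.
import subprocess
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"electrum.org", "download.electrum.org"}        # assumed; confirm on the official site
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"  # placeholder, 40 hex digits

def download_url_is_official(url: str) -> bool:
    """Exact host match over HTTPS only. Lookalikes such as electrum.org.example.net,
    electrum-wallet.org or a fork under another GitHub account all fail this check."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in OFFICIAL_HOSTS

REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signature_matches_release_key(status_lines, expected_fpr: str = EXPECTED_FINGERPRINT) -> bool:
    """Decide from GnuPG machine-readable status output (gpg --status-fd 1 --verify sig file).
    GOODSIG alone is not enough: any key in the local keyring produces GOODSIG. We require a
    VALIDSIG line whose first field (the signing key's full fingerprint) equals the expected one,
    and refuse on any bad, expired, revoked or missing-key status, whatever order the lines come in."""
    seen = []
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                      # human-readable text is not a status line
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            seen.append(fields[2].upper())
    return expected_fpr.upper() in seen

def verify_download(url: str, file_path: str, sig_path: str) -> bool:
    """Full check: official URL first, then a detached-signature verification via gpg."""
    if not download_url_is_official(url):
        return False
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return signature_matches_release_key(proc.stdout.splitlines())

# Constructed status lines for offline use (field layout follows GnuPG's status-fd documentation).
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0000000000000000 Release Signer <release@example.org>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-08-30 1598745600 0 4 0 1 10 00 "
    "0000000000000000000000000000000000000000",
]
WRONG_KEY_STATUS = [   # valid signature, but from some other key that happens to be in the keyring
    "[GNUPG:] GOODSIG 1111111111111111 Somebody Else <other@example.org>",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2020-08-30 1598745600 0 4 0 1 10 00",
]
EXPIRED_KEY_STATUS = [  # right key, but expired: gpg still emits VALIDSIG alongside EXPKEYSIG
    "[GNUPG:] EXPKEYSIG 0000000000000000 Release Signer <release@example.org>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-08-30 1598745600 0 4 0 1 10 00",
]

if __name__ == "__main__":
    print(download_url_is_official("https://download.electrum.org/x.y.z/electrum-x.y.z.tar.gz"))
    print(signature_matches_release_key(GOOD_STATUS), signature_matches_release_key(WRONG_KEY_STATUS),
          signature_matches_release_key(EXPIRED_KEY_STATUS))
```

The point of the second check is the one people most often get wrong: "Good signature" in gpg's output only means some key you have imported made the signature, so an attacker who persuades you to import their key gets a "good" signature too. Pinning the full fingerprint of the project's release key closes that gap.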

Wallet development teams should engage a professional security team for testing, so that flaws in the project do not end up costing users their funds. (CertiK Chinese)
