Users report losing Bitcoin in clever hack of Electrum wallets

Hacker has stolen over $750,000 worth of Bitcoin over the past seven days.

A hacker (or hacker group) has made over 200 Bitcoin (circa $750,000 at today's exchange) using a clever attack on the infrastructure of the Electrum Bitcoin wallet.

The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository.

The attack began last week on Friday, December 21, and appears to have been temporarily stopped earlier today after GitHub admins took down the hacker's GitHub repository.

Also: Hacker steals 10 years worth of data from San Diego school district

Admins of the Electrum wallet expect a new attack to soon get underway, with either a new GitHub repo or a link to another download location altogether.

This is because the vulnerability at the heart of this attack has remained unpatched, albeit Electrum wallet admins taking steps to mitigate its usability for the attacker.

How the attack works:

  • Attacker added tens of malicious servers to the Electrum wallet network.
  • Users of legitimate Electrum wallets initiate a Bitcoin transaction.
  • If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
  • User clicks the link and downloads the malicious update.
  • When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
  • The malicious Electrum wallet uses the 2FA code to steal the user's funds and transfer them to the attacker's Bitcoin addresses.

The problem here is that Electrum servers are allowed to trigger popups with custom text inside users' wallets.

Initial attacks were more effective and seemed to have tricked more users because than latter attacks. This is because the Electrum wallet rendered these server messages as rich-formatted texts, making the popups look more authentic and providing a ready and clickable link to users.

electrum-error-message.png

Image: SoberNight

After receiving news of attacks, the Electrum team responded by silently updating the Electrum wallet app, so these messages don't render as rich HTML text anymore.

electrum-error-message-no-html.png

Image: SoberNight

"We did not publicly disclose this [attack] until now, as around the time of the 3.3.2 release, the attacker stopped," said SomberNight, a developer part of the Electrum wallet team. "However they now started the attack again."

Not all users who received these new errors didn't find the mysterious popup with mangled text fishy. Some users were more inconvenienced than alerted. These users manually copy-pasted the text link shown inside the popup into their browser, and then downloaded and installed the tainted Electrum wallet update.

The attack came to a halt a few hours ago when GitHub admins removed the repository containing the malicious wallet version.

As stated before, new attacks are expected to get underway, with possibly a new download link. But the issue here remains the attacker's malicious servers.


Must read


Devs are currently looking into replacing the ability to send customized error messages with error codes, which the Electrum wallet would then decode on the client-side and show a preset message instead.

SomberNight says Electrum devs have currently identified at least 33 malicious Electrum servers that have been added to their network, but the number appears to be around 40-50. It is unclear what devs intend to do in regards to these servers at the time being.

electrum-sybill-servers.png

Image:SoberNight

Related stories: