A hacker, or a group of them, has been targeting popular Electrum wallets for Bitcoin since December 21st, and has possibly stolen 243.59 BTC (USD 912,000). The attack resulted in Electrum wallet apps showing a message on users’ computers, urging them to download a malicious wallet update from an unauthorized GitHub (a software development platform) repository.
There is an ongoing phishing attack against Electrum users. Our official website is https://t.co/aHiZIZH54e Do not download Electrum from any other source. More on the attack here: https://t.co/x5mPVspKfO
— Electrum (@ElectrumWallet) December 27, 2018
The attack has stopped today, at least temporarily, after GitHub admins took down the hacker’s GitHub repository. However, admins of the Electrum wallet expect a new attack to soon get underway, with either a new GitHub repo or a link to another download location altogether, according to Zdnet.
This attack was made possible by a vulnerability in the wallet itself, which lets Electrum servers trigger popups with custom text inside users’ wallets. This means that the attackers were able to tell users to download their malicious software, which in turn prompted them to enter a two-factor authentication code (2FA) that was later used to steal the funds.
One of the victims of the theft took to Reddit to write about their ordeal:
"I have used electrum a lot, here is how this went down tonight. I log onto my electrum where I have about 1.4xx btc that I was trying to send. When I attempt to send I get a strange message that says "in order to send please update to the latest version here: https://github.com/electrum-project/electrum" now this link was weird for two reasons, first off it is not the official link from the electrum site and second it didn’t allow me to click it like normal links do/would. I had to copy/paste it into my browser window. I did that and proceeded to download the application here, when I logged on it immediately asked me for my 2 factor code which I thought was a little strange as well as Electrum usually only asks for that when you attempt to send. I kept trying to send and kept getting an error code "max fee exceeded no more than 50 sat/B" I then restored my wallet on a separate pc and found that my balance had been transferred out in full to this address: https://www.blockchain.com/btc/address/14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5."
However, from this address, more than 200 BTC have been sent to an address that holds 243.59 BTC as of the time of writing.
After receiving news of attacks, the Electrum team responded by "silently updating" the Electrum wallet app, so these messages – like the one urging the download of the malicious code – don’t render as rich HTML text anymore, according to SomberNight, a developer at the Electrum wallet team. The developer wrote on GitHub that Electrum developers have currently identified at least 33 malicious Electrum servers that have been added to their network, but the number appears to be around 40-50.
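The root cause described above is a client that hands a server-supplied string to a rich-text widget, so a malicious server can inject links and fake "update" prompts. The following Python sketch, added here as an illustration and not taken from Electrum's code base, shows the unsafe rendering path beside the hardened one: the fixed version escapes the server text so it renders literally, and a separate check flags any message that carries a URL pointing outside the wallet's official download host. The `ServerError` shape, the `OFFICIAL_DOWNLOAD_HOSTS` set and the sample messages are all constructed for this example.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class ServerError:
    """Hypothetical shape of an error reply from a wallet server (constructed for this example)."""
    server: str
    message: str


# Assumption for this example: the only host the wallet may ever send users to for downloads.
OFFICIAL_DOWNLOAD_HOSTS = {"electrum.org"}

# Matches the host part of any http(s) URL embedded in free text.
URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)


def render_unsafe(err: ServerError) -> str:
    """Vulnerable pattern: the raw server string is wrapped in HTML and shown by a
    rich-text widget, so any markup the server includes is rendered as markup."""
    return f"<p>{err.message}</p>"


def render_safe(err: ServerError) -> str:
    """Hardened pattern: escape the server string so tags and quotes render as
    literal characters; a server can still show an error, but cannot inject links."""
    return f"<p>{html.escape(err.message, quote=True)}</p>"


def suspicious_hosts(message: str) -> list[str]:
    """Return every URL host in the message that is not an official download host.
    A transaction-relay server has no legitimate reason to tell users where to
    fetch software, so any such host is a phishing indicator worth surfacing."""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(message)}
    return sorted(h for h in hosts if h not in OFFICIAL_DOWNLOAD_HOSTS)


def handle_server_message(err: ServerError) -> dict:
    """Combine both defences: always render escaped text, and attach a warning
    flag (with the offending hosts) when the message tries to redirect the user."""
    flagged = suspicious_hosts(err.message)
    return {
        "rendered": render_safe(err),
        "phishing_suspected": bool(flagged),
        "hosts": flagged,
        "server": err.server,
    }


# Constructed sample replies: a benign fee error and a fake update prompt.
BENIGN = ServerError("relay.example.net", "Transaction rejected: fee below relay minimum")
MALICIOUS = ServerError(
    "bad.example.net",
    'Your version is outdated. Please <a href="https://github.com/EXAMPLE-ATTACKER/electrum">update</a>.',
)

if __name__ == "__main__":
    print("unsafe :", render_unsafe(MALICIOUS))
    print("safe   :", render_safe(MALICIOUS))
    for err in (BENIGN, MALICIOUS):
        print(handle_server_message(err))
```

Escaping alone closes the rendering hole; the host check is the extra layer that lets a client warn the user (or log the server for blocklisting) when a peer tries to steer people toward a download it should never be offering.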
Protecting yourself from such attacks can be difficult, but in this particular case one red flag stands out: the app asked for a 2FA code at wallet startup, whereas 2FA is usually only needed before a transaction. This is similar to a service asking you for your credit card details when you’re doing anything but paying – it has no reason to need that data at the time. Stay vigilant!