QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$937 000 USD
DECEMBER 2018
GLOBAL
ELECTRUM
DESCRIPTION OF EVENTS
"Securing Bitcoin payments since 2011, Electrum is one of the most popular Bitcoin wallets. Electrum is fast, secure and easy to use. It suits the needs of a wide spectrum of users." "Electrum verifies that your transactions are in the Bitcoin blockchain. Because Bitcoin is not about trust, It is about freedom and independence." "Sign transactions from a computer that is always offline. Broadcast them from a machine that does not have your keys" "Be safe from malware. Use two-factor authentication by Electrum and Trustedcoin."
"Electrum is free software. Released under the MIT License. Anyone can run an Electrum server. No single entity controls the network." "Electrum has various user interfaces. It can be used on mobile, desktop or with the command line interface." "Electrum supports hardware wallets: Ledger, Trezor, Keepkey" "Split the permission to spend your bitcoins between several wallets."
"Electrum is a light client, which means it must connect to the blockchain through a server, which by default is chosen from a list of public Electrum servers. Anyone can operate such a public server and some users will be randomly connected to it."
"You can specify a specific server to connect to, but by default, it connects to a random peer. There are no "authorized servers". By design, they cannot interfere with bitcoin transactions made by clients except: 1) lie about account balances and 2) not relay a valid transaction to the rest of the network. The problem here is its messaging capability that communicates directly with its connected clients. There is no authenticity of any messages created by any stratum servers - only what the manager of that server wants to say."
"Electrum, a wallet service like Blockchain.com, has been plagued with several phishing attacks. The issues have dated back to 2018, with accounts confirming that hackers had stolen almost $1 million in cryptocurrencies from users."
"The hacker setup a whole bunch of malicious servers. If someone's Electrum Wallet connected to one of those servers, and tried to send a BTC transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL."
The attack was picked up by Reddit user u/normal_rc, who posted that "the hacker setup a whole bunch of malicious servers."
"If someone's Electrum wallet connected to one of those servers, and tried to send a BTC (bitcoin) transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL," u/normal_rc wrote.
"There is an ongoing phishing attack against Electrum users. Our official website is https://electrum.org Do not download Electrum from any other source."
"At the time of reports, the wallet address linked with the scam reportedly held 243 BTC. Since then, over 500 BTC tokens have moved in and out of it. The wallet is also empty."
"Technically speaking, even though the term 'hacked' is broad, what happened was an attacker utilized the server response/messaging capability to phish users (it was more convincing because rich text was allowed to display in the electrum client). The message provided a link to "upgrade electrum", but was actually installing a malicious clone."
"I fell for this.. I was in a hurry and half paying attention (I know) but I didn't even think about getting phished at first since it was a pop up in the real Electrum. I should have known better though." "When you download the fake client they must get your seed/password somehow. I wiped Electrum files then restored the wallet from seed and put a very small amount in there and let it sit. They just emptied the wallet again about 30 [minutes] ago."
"Perhaps. But the fact that the official client sent me to a phishing website is absurd. The client itself told me to go to electrumpal and update. I sent a not insubstantial amount of money to some rando without my knowledge."
"It has just happened to me, and while I understand that any software can have security holes, the Electrum website barely mentions this problem. They could have used the broadcasting message to let all users know about this problem and urge them to update. It might have saved me $270. If the next security issue is also going to be swept under the rug like this, I'd rather migrate to another client."
"There is no "broadcast message" functionality. The exploit is that when the user broadcasts a transaction to the connected server, the server can send back an error message. And we actually did use this functionality to warn users; but this only works if you happen to connect to an honest server."
Gregory Maxwell said "In Bitcoin Core we have been fairly aggressive about not displaying human readable text sourced from the network (peers, transactions, or blocks) to users specifically because of the potential for this kind of attack. I have previously recommended everyone else do the same, and I would continue to recommend it here."
"The attack on wallet users began on Friday last week, December 21, and appears to have been halted after GitHub admins acted, according to Electrum developers."
"The client (since 3.3.3) only displays error messages from a hardcoded-in-client set. The server still sends arbitrary messages (see referenced links as to why) and then the client matches them with a long list of regexes, to one of the hardcoded error messages (or "unknown error")." "3.3.4 also catches errors for other lower risk methods."
"The bitcoin market appears to have been spooked by reports last night the Electrum cryptocurrency wallet has had almost 250 bitcoin, worth almost $1 million, stolen—however, movements on the cryptocurrency market are famously hard to explain. What caused today's sudden rebound was not immediately clear."
"Even after the news broke, Electrum continued to suffer several security issues. There was a distributed denial of service (DDoS) attack that had significant similarities to the 2018 phishing scam as it also misled victims using fake software updates."
"And years later people are still being [a]ffected by this bug to the tune of millions of dollars. This is insane, and you should be liable for the damages here. Rendering arbitrary html on an error update page for a financial tool is not ok. I'll be sending this to my local authorities."
"ADVICE: Ignore any "update" notifications in Electrum. I'm not 100% certain, but if you never downloaded the "update", your wallet & funds should be ok."
Electrum was a highly popular wallet software for bitcoin. Since Electrum operates in a decentralized manner, anyone can set up a node. If a user connects to a node and tries to make a transaction, the node may report an error, typically a string passed through unchanged from the bitcoind software. To assist with usability, the client rendered this error text as formatted (rich) text.
Users of the Electrum wallet came under an elaborate phishing attack. Malicious operators set up a large number of Electrum nodes across a diverse range of IP addresses. When users connected to these nodes and attempted to send a transaction, they received back an error message informing them of the need to upgrade their Electrum wallet to "v3.4.1", which had an "important security update" that "provides a fix for a transaction deserialization vulnerability". The update was available from the open source "electrum-project" GitHub repository, which bore a striking resemblance to the official Electrum GitHub repository.
The message was grammatically correct and the link went to a legitimate GitHub repository on the GitHub website. Users who failed to carefully check the exact URL of the GitHub repository or carefully review the repository ownership would have been convinced they were installing a legitimate update to their Electrum wallet. It appears that the update made the private keys of any wallet available to the attackers, who could then spend freely from their new-found coins.
Overall, approximately $800,000 USD worth of bitcoin was successfully taken from wallet users. There is no evidence that any of these funds were ever recovered.
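The error-message handling described above, shown as an added Python example that is not Electrum's own code: legacy_display is the pre-3.3.3 pass-through the page describes (the server string reaches the rich-text widget untouched), and classify_server_error is the hardened pattern the developers describe in the quote about 3.3.3, matching the untrusted string against a client-owned table of regexes and returning only a hardcoded message or a generic fallback. The regex table, the wording of the messages, the log helper and both sample server replies are this example's own constructions (the malicious sample is a paraphrase with a placeholder URL, not the real attacker text), not Electrum's actual table.

```python
import html
import re

# Constructed sample of the kind of reply a malicious server could return:
# markup plus a call to action. The URL is a placeholder, not the real one.
MALICIOUS_SERVER_REPLY = (
    '<b>Important security update</b>: please upgrade to v3.4.1, which fixes a '
    'transaction deserialization vulnerability. Download from '
    '<a href="https://example.invalid/electrum-update">here</a>.'
)

# Constructed sample of an honest rejection string passed through from bitcoind.
HONEST_SERVER_REPLY = (
    "the transaction was rejected by network rules.\n\n66: insufficient priority"
)

# Client-owned set of user-facing messages. Only these strings and the generic
# fallback are ever rendered, so a server cannot author what the user sees.
# Patterns and wording are this example's own, not Electrum's real table.
UNKNOWN_ERROR = "Unknown error"

ERROR_PATTERNS = [
    (re.compile(r"min relay fee not met|insufficient fee|insufficient priority", re.I),
     "The transaction fee is too low for the network to relay it."),
    (re.compile(r"\bdust\b", re.I),
     "One of the outputs is below the dust threshold."),
    (re.compile(r"missing(or)?spent|bad-txns-inputs", re.I),
     "An input of this transaction has already been spent or does not exist."),
    (re.compile(r"mempool-conflict|txn-already-in-mempool|already known", re.I),
     "A conflicting or identical transaction is already in the mempool."),
    (re.compile(r"mandatory-script-verify-flag", re.I),
     "The transaction failed script verification."),
]


def legacy_display(server_reply: str) -> str:
    """Pre-3.3.3 behaviour as the page describes it: the server string is handed
    to the rich-text widget unchanged, so any markup and links survive."""
    return server_reply


def classify_server_error(server_reply: str) -> str:
    """Hardened behaviour: map the untrusted string onto a hardcoded message, or
    fall back to a generic one. No server-controlled text is echoed to the UI."""
    for pattern, message in ERROR_PATTERNS:
        if pattern.search(server_reply):
            return message
    return UNKNOWN_ERROR


def log_line_for_server_error(server_reply: str, limit: int = 200) -> str:
    """Where the raw text is still wanted for debugging, keep it out of the UI
    and neutralise it: flatten control characters, cap length, escape markup."""
    flattened = re.sub(r"[\x00-\x1f\x7f]+", " ", server_reply)
    return html.escape(flattened[:limit], quote=True)


if __name__ == "__main__":
    for reply in (HONEST_SERVER_REPLY, MALICIOUS_SERVER_REPLY):
        print("legacy UI  :", legacy_display(reply))
        print("hardened UI:", classify_server_error(reply))
        print("debug log  :", log_line_for_server_error(reply))
        print()
```

The honest reply still produces a useful, specific message, while the malicious reply collapses to the generic fallback and its link never reaches the screen; the raw text survives only as an escaped log line for the operator, which is the direction of the Bitcoin Core practice quoted earlier of not showing network-sourced text to users.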
HOW COULD THIS HAVE BEEN PREVENTED?
Always bookmark the official links of every service which you use. Never download an update from any other location, even if prompted within the software. If you suspect that the official website of a service has changed, check with friends or post online to see if the link has moved.
Whenever you complete a wallet upgrade or install a new wallet software, always try the new setup first with a smaller wallet and amount. It is recommended to keep the vast majority of funds fully offline in a cold storage wallet with no keys ever stored online.
British Financial Watchdog Sounds Warning on Phony Blockchain.com Website - InsideBitcoins.com (Dec 11)
Electrum Bitcoin Wallet (Jun 7)
Flathub—An app store and build service for Linux (Jul 7)
Electrum Reviews and Pricing 2022 (Jul 7)
Electrum - Free download and software reviews - CNET Download (Jul 7)
Bitcoin User Losses $16.2 Million in BTC After Using an Old Electrum Wallet - TheCoinsPost (Jul 7)
Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside... : CryptoCurrency (Jul 7)
Address: 14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5 | Blockchain Explorer (Jul 7)
Address: 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj | Blockchain Explorer (Jul 7)
UPDATE: Bitcoin, Ripple (XRP), And Ethereum Rebound In Fast-Moving Market (Jul 7)
@ElectrumWallet Twitter (Jul 7)
when broadcasting transaction, error message from server is displayed as is · Issue #4968 · spesmilo/electrum · GitHub (Jul 7)
Electrum Wallet Hacked, 200 BTC Stolen over Christmas (Jul 7)
stolen bitcoin from Electrum · Issue #5452 · spesmilo/electrum · GitHub (Jul 7)
network: catch untrusted exceptions from server in public methods · spesmilo/electrum@38ab7ee · GitHub (Jul 7)
@RichardHeartWin Twitter (Jul 7)
Phishing Attack on Electrum Wallet Nets Hacker Almost $1 Million in Hours: Report (Jul 7)
Hackers Steal 250 BTC from Electrum Bitcoin Wallets | Finance Magnates (Jul 7)
https://user-images.githubusercontent.com/29142493/50359293-8780b500-055c-11e9-8cfd-83b342edeffb.png (Jul 7)
MY ELECTRUM JUST GOT HACKED : Electrum (Jul 7)
Reddit - Dive into anything (Oct 17)
normal_rc comments on Am I being scammed/hacked? Please help me. (Oct 17)
Am I being scammed/hacked? Please help me. : CryptoCurrency (Aug 23)
Electrum Wallet (Bitcoin BTC) still under attack by malicious nodes & fake update messages. $4.6 million stolen so far. : btc (Oct 17)
normal_rc comments on Bitcoin wallet Electrum gets hacked and users lose their magic beans. Moderator of r/Electrum shows up to sperg out about how it's all a conspiracy by evil (((fiat))). (Oct 17)
normal_rc comments on Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside... (Oct 17)