Electrum Mass Phishing Attacks

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 15:40, 24 January 2023 by Azoundria


Electrum

Electrum was a highly popular wallet software for bitcoin. Since Electrum operates in a decentralized manner, anyone can set up a server (node). If a user connects to a server and tries to broadcast a transaction, the server may report an error, typically a string passed through from the bitcoind software. To assist with usability, the client was allowed to display this message as formatted (rich) text.

Users of the Electrum wallet came under an elaborate phishing attack. Malicious operators set up a large number of Electrum servers across a diverse range of IP addresses. When users connected to these servers and attempted to send a transaction, they received back an error message informing them of the need to upgrade their Electrum wallet to "v3.4.1", which had an "important security update" that "provides a fix for a transaction deserialization vulnerability". The update was available from the open source "electrum-project" GitHub repository, which bore a striking resemblance to the official Electrum GitHub repository.

The message was grammatically correct and the link went to a legitimate repository on the GitHub website. Users who failed to carefully check the exact URL of the GitHub repository or carefully review the repository ownership would have been convinced they were installing a legitimate update to their Electrum wallet. It appears that the update made the private key of any wallet available to the attackers, who could then spend freely from their new-found coins.

Overall, approximately $800,000 USD worth of bitcoin was successfully taken from wallet users. There is no evidence that any of these funds were ever recovered.

This is a global/international case not involving a specific country.

About Electrum

"Securing Bitcoin payments since 2011, Electrum is one of the most popular Bitcoin wallets. Electrum is fast, secure and easy to use. It suits the needs of a wide spectrum of users." "Electrum verifies that your transactions are in the Bitcoin blockchain. Because Bitcoin is not about trust, It is about freedom and independence." "Sign transactions from a computer that is always offline. Broadcast them from a machine that does not have your keys" "Be safe from malware. Use two-factor authentication by Electrum and Trustedcoin."

"Electrum is free software. Released under the MIT License. Anyone can run an Electrum server. No single entity controls the network." "Electrum has various user interfaces. It can be used on mobile, desktop or with the command line interface." "Electrum supports hardware wallets: Ledger, Trezor, Keepkey" "Split the permission to spend your bitcoins between several wallets."

"Electrum is a light client, which means it must connect to the blockchain through a server, which by default is chosen from a list of public Electrum servers. Anyone can operate such a public server and some users will be randomly connected to it."

"You can specify a specific server to connect to, but by default, it connects to a random peer. There are no "authorized servers". By design, they cannot interfere with bitcoin transactions made by clients except: 1) lie about account balances and 2) not relay a valid transaction to the rest of the network. The problem here is its messaging capability that communicates directly with its connected clients. There is no authenticity of any messages created by any stratum servers - only what the manager of that server wants to say."

"Electrum, a wallet service like Blockchain.com, has been plagued with several phishing attacks. The issues have dated back to 2018, with accounts confirming that hackers had stolen almost $1 million in cryptocurrencies from users."

"The hacker setup a whole bunch of malicious servers. If someone's Electrum Wallet connected to one of those servers, and tried to send a BTC transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL."

The attack was picked up by Reddit user u/normal_rc, who posted that "the hacker setup a whole bunch of malicious servers."

"If someone's Electrum wallet connected to one of those servers, and tried to send a BTC (bitcoin) transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL," u/normal_rc wrote.

"There is an ongoing phishing attack against Electrum users. Our official website is https://electrum.org Do not download Electrum from any other source."

"At the time of reports, the wallet address linked with the scam reportedly held 243 BTC. Since then, over 500 BTC tokens have moved in and out of it. The wallet is also empty."

"Technically speaking, even though the term 'hacked' is broad, what happened was an attacker utilized the server response/messaging capability to phish users (it was more convincing because rich text was allowed to display in the electrum client). The message provided a link to "upgrade electrum", but was actually installing a malicious clone."

"I fell for this... I was in a hurry and half paying attention (I know) but I didn't even think about getting phished at first since it was a pop-up in the real Electrum. I should have known better though." "When you download the fake client they must get your seed/password somehow. I wiped Electrum files then restored the wallet from seed and put a very small amount in there and let it sit. They just emptied the wallet again about 30 [minutes] ago."

"Perhaps. But the fact that the official client sent me to a phishing website is absurd. The client itself told me to go to electrumpal and update. I sent a not insubstantial amount of money to some rando without my knowledge."

"It has just happened to me, and while I understand that any software can have security holes, the Electrum website barely mentions this problem. They could have used the broadcasting message to let all users know about this problem and urge them to update. It might have saved me $270. If the next security issue is also going to be swept under the rug like this, I rather migrate to another client."

"There is no "broadcast message" functionality. The exploit is that when the user broadcasts a transaction to the connected server, the server can send back an error message. And we actually did use this functionality to warn users; but this only works if you happen to connect to an honest server."

Gregory Maxwell said "In Bitcoin Core we have been fairly aggressive about not displaying human readable text sourced from the network (peers, transactions, or blocks) to users specifically because of the potential for this kind of attack. I have previously recommended everyone else do the same, and I would continue to recommend it here."

"The attack on wallet users began on Friday last week, December 21, and appears to have been halted after GitHub admins acted, according to Electrum developers."

"The client (since 3.3.3) only displays error messages from a hardcoded-in-client set. The server still sends arbitrary messages (see referenced links as to why) and then the client matches them with a long list of regexes, to one of the hardcoded error messages (or "unknown error")." "3.3.4 also catches errors for other lower risk methods."
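The two behaviours described on this page, the original pass-through of server error strings into a rich-text display (opening section) and the 3.3.3 fix that only maps the server string onto a hardcoded set of client-owned messages via regexes (quote above), as an added illustration that is not Electrum's own code; the pattern table and the sample server strings are constructed for the example, not Electrum's real list or captured traffic:

```python
import re

# Illustrative allow-list, NOT Electrum's real table. Each pattern matches a
# bitcoind-style reject reason and maps it to a fixed, client-owned message.
# The left-hand strings are real bitcoind reject reasons; the table itself is
# constructed for this example.
SAFE_MESSAGES = [
    (re.compile(r"^dust\b"), "The transaction has an output below the dust limit."),
    (re.compile(r"^min relay fee not met\b"), "The transaction fee is too low to be relayed."),
    (re.compile(r"^bad-txns-inputs-missingorspent\b"), "An input is missing or already spent."),
    (re.compile(r"^txn-mempool-conflict\b"), "This transaction conflicts with one in the mempool."),
]
UNKNOWN_ERROR = "Unknown error: the server rejected the transaction."


def render_untrusted(server_msg: str) -> str:
    """Pre-3.3.3 behaviour as the page describes it: the server string is
    returned unchanged, so a rich-text widget would render whatever markup,
    links or 'upgrade' instructions a malicious server chose to send."""
    return server_msg


def render_allowlisted(server_msg: str) -> str:
    """Post-3.3.3 behaviour as the page describes it: the server string is
    used only as a lookup key. The text that reaches the display always comes
    from SAFE_MESSAGES or UNKNOWN_ERROR, never from the network."""
    for pattern, safe_text in SAFE_MESSAGES:
        if pattern.search(server_msg):
            return safe_text
    return UNKNOWN_ERROR


# Constructed sample inputs (not real captured traffic).
HONEST_SERVER = "min relay fee not met, 100 < 226 (code -26)"
PHISHING_SERVER = ('<b>Security update required.</b> Download v3.4.1 from '
                   '<a href="https://example.invalid/fake-update">here</a>')

if __name__ == "__main__":
    for msg in (HONEST_SERVER, PHISHING_SERVER):
        print("pass-through:", render_untrusted(msg))
        print("allow-listed:", render_allowlisted(msg))
```

The allow-listed path is what makes the server's messaging capability harmless: a server can still choose which known error the user sees, but it cannot put text of its own in front of them.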

"The bitcoin market appears to have been spooked by reports last night the Electrum cryptocurrency wallet has had almost 250 bitcoin, worth almost $1 million, stolen—however, movements on the cryptocurrency market are famously hard to explain. What caused today's sudden rebound was not immediately clear."

"Even after the news broke, Electrum continued to suffer several security issues. There was a distributed denial of service (DDoS) attack that had significant similarities to the 2018 phishing scam as it also misled victims using fake software updates."

"And years later people are still being [a]ffected by this bug to the tune of millions of dollars. This is insane, and you should be liable for the damages here. Rendering arbitrary HTML on an error update page for a financial tool is not ok. I'll be sending this to my local authorities."

"ADVICE: Ignore any "update" notifications in Electrum. I'm not 100% certain, but if you never downloaded the "update", your wallet & funds should be ok."


The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Electrum Mass Phishing Attacks

Date: December 27th, 2018 12:22:28 AM
Event: First Event
Description: This is an expanded description of what happened and the impact. If multiple lines are necessary, add them here.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

It is unknown how much was recovered.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

Always bookmark the official links of every service which you use. Never download an update from any other location, even if prompted within the software. If you suspect that the official website of a service has changed, check with friends or post online to see if the link is moved.

Whenever you complete a wallet upgrade or install a new wallet software, always try the new setup first with a smaller wallet and amount. It is recommended to keep the vast majority of funds fully offline in a cold storage wallet with no keys ever stored online.
