Two Electrum software wallet users have recently reported the loss of large sums of Bitcoin (BTC). One victim described the disappearance of 1,400 BTC, totaling $14,595,000 at press time, while another claimed 36.5 BTC, worth $380,512, as stolen. The events appear connected to a long-standing phishing scam affecting Electrum users since 2018.
“Users need to be careful when dealing with their own keys, particularly when they are holding the keys to a wallet with a large amount of cryptocurrency as it makes them attractive to hackers,” Jason Lau, the chief operating officer of crypto exchange OKCoin, in response to the 1,400-BTC hack, adding:
“In this incident, it appears that a phishing attack led to the user installing an update that gave the hacker access to the private keys and the funds. Phishing scams are very common across all types of financial applications, and they continue to evolve in levels of sophistication.”
A search through the past
Initial news of a phishing scam impacting the Electrum wallet first hit headlines on Dec. 27, 2018, with nearly $1 million reported stolen. “The hacker setup a whole bunch of malicious servers,” said a Reddit user publicizing the hack.
Essentially, the hacker led users to a malicious webpage via the servers, prompting them to input private data, which, in turn, submitted control of their assets to the nefarious party behind the scheme. The scam also involved a fake wallet update that downloaded malware onto the victims’ devices, a separate Reddit post detailed.
December 2018, the wallet address associated with the scam held 243 BTC. Viewing the address today reveals that 637.44 BTC visited and exited the now-empty wallet. In the months after the Electrum phishing effort went public, wallet difficulties have continued, including a separate denial-of-service attack that looked very similar to the mentioned 2018 phishing con, also leading victims astray with phony software updates.
Decoding the $14.6-million Bitcoin heist
In recent weeks, two additional Electrum wallet users have reported their Bitcoin holdings as stolen. One of the wallet users reportedly suffered a 1,400 BTC loss. “I had 1,400 BTC in a wallet that I had not accessed since 2017,” the victim said in an Aug. 30, 2020, post on GitHub, adding:
“I foolishly installed the old version of the electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds. I installed the update which immediately triggered the transfer of my entire balance to a scammers address.”
Blockchain tracking staff showed a likely link between the 1,400 BTC thief, or thieves, and a Binance exchange account, according to a specific transaction ID. The transaction ID, however, involved more than 75 different wallet addresses, a Binance representative told.
The representative also stated difficulties and gray areas associated with tracking and pegging transactions to foul play due to the nature of crypto and the many parties transacting on a daily basis. “It should not be assumed that flows into a malicious cluster are from an individual/group associated with the campaign, especially if it is a cluster used for receiving funds directly from victims,” the representative added.
Referring to initial reporting on the stolen 1,400 BTC, the representative said: “The account that is the centerpiece for this article was reviewed and no suspicious indicators were found.” Previous reported also tracked some of the stolen BTC to Russia, although potential VPN usage voided any definitive conclusion.
“Binance address is upstream of scammer, probably just another victim,” Electrum’s Twitter account posted on Sept. 1. The tweet also posited the attack as correlated to the 2018 phishing con, adding: “No need to involve Russian Hackers.”
“The peer-to-peer discovery system adopted by Electrum is a design choice to keep the system decentralized, but in this case, it played a part in enabling the hacker to broadcast a fake ‘update your software’ message,” Lau said of the 1,400-BTC hack, adding: “Users should always double-check the authenticity of any wallet client software and take extra vigilance in verifying the source of all updates.”
Revealing another 36.5-BTC theft
Shortly after the 1,400-BTC robbery went public, another GitHubber responded to the discussion thread with a similar case they suffered two months prior, as a malicious actor reportedly looted 36.5 BTC from the wallet. Known as Cryptbtcaly on GitHub, the victim tracked the stolen funds to five separate addresses after the heist. “Some of the stolen Bitcoin went to Binance, but they ignore my appeals and do not return,” Cryptbtcaly said on GitHub.
One controversial point in the recent Electrum hacks was that victims were storing large amounts of funds on a software wallet. A guide from online educational source BitDegree noted software wallets carry the risk of malware and keylogging attacks: “They aren’t as secure as hardware wallets, but they are more convenient to use. This makes them perfect for day to day spending but not ideal for storing large sums of money for a long period of time.”
General industry best practices often steer users toward hardware wallets, such as those provided by Ledger or Trezor. Both companies recently also faced various challenges, although hardware wallets still seemingly appear as the preferred method of crypto storage, all things considered.