
Popular Bitcoin wallet Electrum and Bitcoin Cash wallet Electron Cash are subject to an ongoing phishing attack. The hacker, or hackers, have already got away with over 200 Bitcoin (around $718,000 as of press time), and with the attack still ongoing they may well get away with much more. The phishing attack urges wallet users to download and install a malicious software update from an unauthorized GitHub repository, according to ZDNet.

The hack began last Friday, i.e. on December 21, and the vulnerability at the heart of this attack has remained unpatched. The official Electrum blog on GitHub says that the wallet’s admins privately received a screenshot from a German chat room reporting that new malware was being distributed which disguises itself as the “real” Electrum.

Source: GitHub

Immediately after investigating the cause of the error message, they silently added mitigations in commits 5248613 and 5dc240d and released Electrum wallet version 3.3.2. The attacker then paused the phishing attack, temporarily. Yesterday, one of the Electrum developers, SomberNight, announced on GitHub that the attacker has resumed the malicious activity. Electrum wallet admins are taking steps to make the attack less effective for the attacker.

Execution of the ongoing phishing attack

In order to launch such a major attack, the attacker added tens of malicious servers to the Electrum wallet network. When users of legitimate Electrum wallets initiate a Bitcoin transaction, and the transaction reaches one of the malicious servers, the server replies with an error message urging the user to download a wallet app update from a malicious website (a GitHub repo). If the user clicks the given link, the malicious update is downloaded, and the fake app then asks the user for a two-factor authentication (2FA) code at startup. In the legitimate wallet, 2FA codes are only requested before sending funds, never at wallet startup. The fake app thus stealthily obtains the user’s 2FA code and uses it to steal their funds, transferring them to the attacker’s Bitcoin addresses.
The underlying weakness is that Electrum servers are allowed to trigger popups with custom text inside users’ wallets.

Steps taken by Electrum admins to create user awareness

The developers at Electrum have updated the Electrum wallet so that whenever an attacker sends a malicious message, it is no longer displayed as a neatly formatted rich-text message. Instead, the user sees an unformatted error that looks more like unreadable code. This signals to the user that the message is not a legitimate one.
Following is the screenshot of how the ongoing attack looks in the new Electrum wallet version:

Source: GitHub
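The two halves of the story above, the weakness (a server-supplied error string rendered as rich text with a clickable link) and the mitigation (showing the same string as plain, escaped text), can be illustrated with a small added example. This is illustrative Python written for this article, not Electrum’s own code and not the content of the commits mentioned above; the JSON-RPC error reply, the URL pattern and the length cap are all constructed assumptions used to show the principle.

```python
import html
import json
import re

# Constructed sample reply of the kind a rogue server could return to a
# transaction broadcast request. The text is made up for this example and is
# not a message captured from the real incident.
SAMPLE_MALICIOUS_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 7,
    "error": {
        "code": 1,
        "message": (
            "<b>Security update required.</b> Download the new version from "
            "<a href='https://update.example.invalid/'>here</a> before "
            "broadcasting."
        ),
    },
})

# Constructed sample of an ordinary, benign broadcast error.
SAMPLE_BENIGN_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 8,
    "error": {"code": 1, "message": "transaction rejected: dust output"},
})

# Heuristics for content that has no business in a broadcast error message
# (assumed patterns, not a complete catalogue).
URL_RE = re.compile(r"https?://|www\.|\.onion\b", re.IGNORECASE)
TAG_RE = re.compile(r"</?[a-z][^>]*>", re.IGNORECASE)
MAX_MESSAGE_LEN = 200  # assumed cap; real broadcast errors are short


def extract_error_message(reply_text: str) -> str:
    """Pull the error message string out of a JSON-RPC reply, or '' if absent."""
    reply = json.loads(reply_text)
    err = reply.get("error")
    if not isinstance(err, dict):
        return ""
    msg = err.get("message", "")
    return msg if isinstance(msg, str) else ""


def render_weak(reply_text: str) -> str:
    """Weak behaviour: hand the server-controlled string straight to a rich-text
    widget. A dialog built from this string shows bold text and a clickable link,
    which is exactly what the phishing servers exploit."""
    return extract_error_message(reply_text)


def render_hardened(reply_text: str) -> dict:
    """Hardened behaviour: treat the server message as untrusted data, not markup.

    Returns a dict with a fixed, client-authored headline, the escaped and
    truncated raw error for diagnostics, and a flag for suspicious content.
    """
    raw = extract_error_message(reply_text)
    # 1. Never interpret the text as HTML: escape it so any tags show literally.
    escaped = html.escape(raw)
    # 2. Cap the length so a server cannot paint a whole fake dialog.
    truncated = escaped[:MAX_MESSAGE_LEN]
    # 3. Flag links and markup, which a broadcast error never legitimately needs.
    suspicious = bool(URL_RE.search(raw) or TAG_RE.search(raw))
    return {
        "headline": "The server reported an error while broadcasting the transaction.",
        "raw_error": truncated,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print("weak:", render_weak(SAMPLE_MALICIOUS_REPLY))
    print("hardened:", render_hardened(SAMPLE_MALICIOUS_REPLY))
    print("benign:", render_hardened(SAMPLE_BENIGN_REPLY))
```

The point of the hardened path is that the wallet, not the server, decides what the dialog says: the server string is reduced to escaped, length-limited diagnostic text, and anything containing a link or markup is flagged so the UI can warn rather than present it as an instruction.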

Blockchain reporter says that “The Electrum Development team has identified some 33 malicious Electrum servers, though the total number is suspected to be between 40 and 50.”
You can head over to Reddit for more insights on this news.
