A hacker, or a group of hackers, has recently attacked Electrum wallets and stolen Bitcoin. About 243.59 Bitcoins (roughly US $912,000) have been stolen since December 21st. During these attacks, a message appeared on Electrum users' computers asking them to download a wallet update; the "update" was a malicious program hosted in an anonymous repository on GitHub, a hosting platform for software development.
The attacks were halted today, at least temporarily, after GitHub administrators took down the hacker's repository, but the Electrum developers expect the attacks to resume. According to ZDNet, the hacker is likely to relaunch the phishing campaign through a new GitHub repository or a new malicious link.
The attacks were made possible by a weakness in the wallet client itself: Electrum allowed servers to push messages that the wallet displayed to the user as a popup, including rich formatting. An attacker running a server could therefore instruct users to download malicious software, and users clicked the link without realising that the message came from the attacker rather than from the Electrum project. The malicious download then asked for the user's two-factor authentication code, which is what the hackers used to steal the funds.
How does this hacker work?
The hacker added tens of malicious servers to the Electrum network. When a wallet connected to one of these servers tried to broadcast a Bitcoin transaction, the server responded with an error message that the wallet displayed on screen, directing the user to the hacker's GitHub page. After clicking the link, downloading and opening the malicious software, the user was prompted to enter a 2FA code. A legitimate Electrum wallet requests this code only when sending cryptocurrency; it should never ask for it as soon as the program is opened. With the 2FA code in hand, the hacker could transfer the victim's balance to an address under their control.
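The mechanism above is a general one: a client that renders a server-supplied string as rich text lets whoever controls the server inject links and formatting into the user interface. The following Python is an added illustration, not Electrum's own code and not captured traffic. It shows a constructed error reply modelled on the attack described here (the JSON-RPC shape, the field names and the trusted-source prefixes are assumptions made for this example), contrasts rendering the message as rich text with escaping it to plain text, and adds a simple check that flags any server error carrying markup or a link to an untrusted download location.

```python
import html
import json
import re
from typing import List

# Constructed example of a malicious server reply, modelled on the attack
# described above; it is NOT captured traffic. The JSON-RPC layout and field
# names are assumptions for this example. The URL is the fake repository
# named in the article.
MALICIOUS_REPLY = json.dumps({
    "id": 7,
    "error": {
        "code": -1,
        "message": (
            'Transaction rejected. Please upgrade to the latest version: '
            '<a href="https://github.com/electrum-project/electrum">'
            'https://github.com/electrum-project/electrum</a>'
        ),
    },
})

# Constructed benign reply: an ordinary relay error with no markup or links.
BENIGN_REPLY = json.dumps({
    "id": 8,
    "error": {"code": -26, "message": "min relay fee not met"},
})

# Prefixes from which a wallet update may legitimately come. Assumed for this
# example; the official Electrum sources are electrum.org and the
# spesmilo/electrum repository on GitHub.
TRUSTED_UPDATE_PREFIXES = (
    "https://electrum.org/",
    "https://github.com/spesmilo/electrum",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TAG_RE = re.compile(r"<[^>]+>")


def server_error_message(reply: str) -> str:
    """Extract the free-form error string from a JSON-RPC style error reply."""
    return json.loads(reply)["error"]["message"]


def render_rich(msg: str) -> str:
    """The vulnerable pattern: the server string is handed to a rich-text
    widget unchanged, so any markup the server chose (a clickable link,
    bold text, etc.) is interpreted and shown to the user."""
    return "<p>" + msg + "</p>"


def render_plain(msg: str) -> str:
    """The hardened pattern: escape the server string so it is displayed
    verbatim. A link the server injects becomes inert text."""
    return "<p>" + html.escape(msg, quote=True) + "</p>"


def suspicious_update_links(msg: str) -> List[str]:
    """Return the distinct URLs in a server message that do not point at a
    trusted update source. A transaction error has no business sending the
    user to download software, so any such link is a phishing indicator."""
    urls = list(dict.fromkeys(URL_RE.findall(msg)))  # dedupe, keep order
    return [u for u in urls if not u.startswith(TRUSTED_UPDATE_PREFIXES)]


def looks_like_phishing(msg: str) -> bool:
    """Flag a server error that carries HTML markup or an untrusted link."""
    return bool(TAG_RE.search(msg)) or bool(suspicious_update_links(msg))


if __name__ == "__main__":
    for reply in (MALICIOUS_REPLY, BENIGN_REPLY):
        msg = server_error_message(reply)
        print("phishing indicator:", looks_like_phishing(msg))
        print("rich rendering:    ", render_rich(msg))
        print("plain rendering:   ", render_plain(msg))
        print()
```

The plain-text rendering is the behaviour the Electrum developers moved to after the attack (see below): the server's words still reach the user, but a server can no longer plant a clickable link in the wallet. The `looks_like_phishing` check is a heuristic for logging or alerting on the client side, not a substitute for escaping; a message can be phishing without containing a link at all, which is why the wallet should also refuse to ask for a 2FA code outside a send operation.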
One of the victims wrote on Reddit:
I had been using Electrum a lot. I logged in tonight to my account to send 1.4xx Bitcoins to someone. When I tried to send it, I got a message saying: "please upgrade your account to the latest version through https://github.com/electrum-project/electrum." This message was strange to me for two reasons: first, this link is not the official Electrum account, and second, it didn't let me click on it like a usual link. I had to copy it into the browser to open it. After downloading the software and entering the 2FA code, I got an error message. Afterward, when I checked my account on another computer, I realised that all of my balance had been transferred to the following address:
At the time of writing, more than 200 Bitcoins had been sent to a single address used by the attacker, out of the 243.59 Bitcoins stolen in total. After news of the widespread attacks on Electrum wallets spread, the Electrum team quietly updated the wallet so that server messages are no longer shown to the user as rich HTML. SomberNight, one of the Electrum developers, wrote on GitHub that the developers had so far counted 33 malicious servers added to the network, and estimated that the real number is between 40 and 50.
Protecting your wallet against attacks like this can be difficult, but in this particular case the attempt is easy to recognise: the malicious program asks for your 2FA code as soon as it starts, whereas a genuine wallet requests the code only just before a transaction is sent. The same pattern shows up in credit-card fraud, where you are redirected to a fake payment gateway that asks for your card number and passcode. Watch for this kind of suspicious behaviour so that you are not deceived. Thefts from individual wallets are not very common; most large losses happen on online exchanges and services, as when the Japanese exchange Coincheck lost hundreds of millions of dollars to hackers in 2018.