Bitcoin wallet update trick has netted criminals more than $22 million


A simple technique has helped cybercrime gangs steal more than $22 million from users of the Electrum wallet app, a ZDNet investigation has discovered.

This particular technique was first seen in December 2018. Since then, the attack pattern has been reused in multiple campaigns over the past two years.

ZDNet has tracked down multiple Bitcoin accounts where criminals have gathered stolen funds from attacks they carried out over the course of 2019 and 2020, with some attacks taking place as recently as last month, in September 2020.

Reports from victims submitted to Bitcoin abuse portals reveal the same story.

Users of the Electrum Bitcoin wallet app received an unexpected update request via a popup message, they updated their wallet, and funds were immediately stolen and sent to an attacker’s Bitcoin account.


This technique works because of the inner workings of the Electrum wallet app and its backend infrastructure.

To process any transactions, Electrum wallets are designed to connect to the Bitcoin blockchain through a network of Electrum servers — known as ElectrumX.


Image: Peter Kacherginsky

However, while some wallet applications control who can manage these servers, things are different in Electrum’s open ecosystem, where everyone can set up an ElectrumX gateway server.

Since 2018, cybercrime gangs have been abusing this loophole to spin up malicious servers and wait for users to randomly connect to their systems.

When this happens, the attackers instruct the server to show a popup on the user’s screen, telling the user to visit a URL and download and install an Electrum wallet app update.


Image: SoberNight

Image: Peter Kacherginsky

Usually, this update download link does not point to the official Electrum website, located at, but to lookalike domains or GitHub repositories.

If users don’t pay attention to the URL, they end up installing a malicious version of the Electrum wallet, which asks for a one-time passcode (OTP) the next time they try to use it.

Normally, these codes are only requested before sending funds, and not at the Electrum wallet’s startup. If users enter the requested code —and most do, thinking they are using the official wallet— they effectively give official approval for the malicious wallet to transfer all of their funds to an attacker’s account.

Since December 2018, users have reported around ten Bitcoin accounts being used in what’s currently known as the “fake Electrum update scam.”

These wallets currently hold 1980 bitcoin, which is just over $22 million at current exchange rates. Taking into account the 202 bitcoin stolen in our original December 2018 report, this brings the total to more than $24.6 million stolen with one simple technique.

However, it must be said that a large chunk of these funds appear to have been stolen in one single incident in August, when a user reported losing 1,400 bitcoin (~$15.8 million) after updating an Electrum wallet.

Since this technique was first seen in late 2018, the Electrum team has taken several steps to mitigate this attack.

They first implemented a server blacklisting system on ElectrumX servers to block malicious additions to their network, and they also shipped an update that prevents servers from showing HTML-formatted popups to end users.
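To illustrate the second of those mitigations, here is an added example (not Electrum's own code) of how a wallet client can treat error strings that a server sends back, so that markup and links never reach a dialog. The JSON-RPC reply shape and the message contents are constructed for the example.

```python
import json
import re
from html import unescape

# Constructed sample replies (not captured traffic): a JSON-RPC error as a
# malicious ElectrumX-style server could return it, and a benign one.
MALICIOUS_REPLY = json.dumps({"jsonrpc": "2.0", "id": 7, "error": {
    "code": 1, "message": "<b>Your Electrum wallet is out of date.</b> "
    "Download the update at <a href=\"https://update.example/dl\">here</a>"}})
BENIGN_REPLY = json.dumps({"jsonrpc": "2.0", "id": 8, "error": {
    "code": 1, "message": "transaction rejected: dust output"}})

TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"(?i)(?:https?://|www\.)\S+")

def extract_error_message(raw_reply):
    """Pull the server-supplied error text out of a JSON-RPC reply, or None."""
    try:
        err = json.loads(raw_reply).get("error")
    except (ValueError, AttributeError):
        return None
    if isinstance(err, dict):
        return str(err.get("message", ""))
    return str(err) if err is not None else None

def analyze_server_message(msg):
    """Classify a server-supplied string before it reaches any UI element.
    Markup or links have no legitimate use in a broadcast error, so either
    one marks the message as suspicious; the plain text is kept for logging."""
    had_markup = TAG_RE.search(msg) is not None
    has_url = URL_RE.search(msg) is not None
    plain = " ".join(unescape(TAG_RE.sub("", msg)).split())
    return {"text": plain, "had_markup": had_markup, "has_url": has_url,
            "suspicious": had_markup or has_url}

def display_text_for(raw_reply, max_len=120):
    """What a hardened client shows the user: plain text only, and a generic
    notice instead of the server's own wording when it looks like bait."""
    msg = extract_error_message(raw_reply)
    if msg is None:
        return "Server returned no error message."
    info = analyze_server_message(msg)
    if info["suspicious"]:
        return ("The server rejected the transaction. Its message was withheld "
                "because it contained markup or links; update Electrum only "
                "from the official site, never from a server prompt.")
    return "The server rejected the transaction: " + info["text"][:max_len]
```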

Nevertheless, a malicious server usually slips through the cracks here and there, and the attack still works very well for Bitcoin users still using older versions of the Electrum wallet app to manage funds.
