Crypto Wallet Electrum Bleeds 250 BTC in Phishing Attack

Hackers used a malicious app update to steal funds from Electrum Wallet users.

Cryptocurrency wallet Electrum has fallen victim to a phishing attack that was first reported on Reddit and later confirmed by the project’s development team. The attack has resulted in nearly 250 Bitcoin (BTC) (about $917,000 at current exchange rates) being stolen from users.

The attack involved creating a fake new version of the wallet and directing users to it through an official-looking message. The notice, which said they had to update their Electrum Wallet, was followed by a scam GitHub link. Once installed, the malware prompted users to enter their two-factor authentication codes during login — something Electrum normally requests only when making a transaction. With the user’s security thus compromised, the hackers could empty their wallet balance, transferring the funds to their own Bitcoin address.

“To make the attack more effective, the attacker is creating lots of servers (sybils), hence increasing the chance a client would connect to him,” an Electrum developer known as SomberNight wrote on GitHub.

The hack began on December 21. After discovering the security breach, the Electrum team responded by “silently updating” the wallet app so that error messages sent by servers no longer render as rich HTML text.

“This is not a true fix, but the more proper fix of using error codes would entail upgrading the whole federated server ecosystem out there,” SomberNight wrote.
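The two fixes quoted above can be illustrated with a small added example. This is not Electrum's code; it assumes a JSON-RPC style server reply with an `error` object carrying a numeric `code` and a `message` string, and a client that displays messages in a rich-text widget that interprets HTML. The phishing text and link in the sample reply are constructed for the example, not the attacker's actual content. The block shows the pre-fix behaviour (the server's string is rendered as markup), the interim fix (render the string as plain text), and the "more proper" fix (ignore the server's text and pick a client-side string by error code).

```python
"""Added illustration (not Electrum's code): three ways a wallet client can
handle a server-supplied error message, only two of which stop a malicious
server from turning the message into a phishing pop-up.

Assumptions (not from the article): the reply is a JSON-RPC style object
with "error": {"code": int, "message": str}; the client's message widget
interprets HTML. MALICIOUS_REPLY is a constructed sample.
"""
import html
import json

# Constructed sample of a server error reply carrying attacker-controlled rich text.
MALICIOUS_REPLY = json.dumps({
    "id": 1,
    "error": {
        "code": -32000,
        "message": (
            "<b>Security update required.</b> Download the new Electrum "
            "version from <a href='https://github.example/fake-electrum'>here</a>"
        ),
    },
})

# Client-side table of error codes the wallet knows how to explain (hypothetical
# codes and wording). Codes outside the table get a fixed generic text, so no
# server-chosen words ever reach the user.
KNOWN_ERRORS = {
    -32000: "The server rejected the request.",
    -32601: "The server does not support this method.",
}
GENERIC_TEXT = "The server returned an error."


def render_unsafe(reply_json: str) -> str:
    """Pre-fix behaviour: the server's message string is passed to the
    rich-text widget unchanged, so HTML tags and links inside it are rendered."""
    err = json.loads(reply_json)["error"]
    return str(err["message"])


def render_plain_text(reply_json: str) -> str:
    """Interim fix: treat the server string as plain text. HTML-escaping it means
    '<a href=...>' reaches the widget as literal characters, not a clickable link.
    The attacker's wording is still shown, just without markup."""
    err = json.loads(reply_json)["error"]
    return html.escape(str(err["message"]))


def render_by_error_code(reply_json: str) -> str:
    """Proper fix: ignore the server-supplied text entirely and display a
    client-side string selected by the numeric code. This requires every server
    to send meaningful codes, which is why it needs an ecosystem-wide upgrade."""
    err = json.loads(reply_json)["error"]
    return KNOWN_ERRORS.get(err.get("code"), GENERIC_TEXT)


def contains_markup(text: str) -> bool:
    """Check whether a rich-text widget would interpret this string as markup."""
    return "<" in text and ">" in text


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe),
                     ("plain_text", render_plain_text),
                     ("error_code", render_by_error_code)):
        out = fn(MALICIOUS_REPLY)
        print(f"{name:10s} markup={contains_markup(out)!s:5s} -> {out}")
```

Running the block prints the same sample reply rendered three ways: the unsafe path yields a live link, the plain-text path yields escaped characters, and the error-code path yields only the client's own wording. The plain-text path is the cheaper client-only change; the error-code path is the one that removes the server's control over the displayed text altogether.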

The attack was halted on Thursday after GitHub admins removed the repository containing the malicious wallet version. However, the Electrum team believes that more attacks could be looming as the developers keep working to fix the vulnerability that allowed Electrum servers to generate pop-ups using custom text.

Electrum posted the following warning through its official Twitter account:

“There is an ongoing phishing attack against Electrum users. Our official website is  Do not download Electrum from any other source.”

