In August and September, multiple reports surfaced that users of the Electrum Bitcoin software wallet had seen significant amounts of Bitcoin stolen via an exploit in an older version of the wallet.
A new investigation has detailed the process behind the exploit and the extent of the damage inflicted on users to date.
According to an investigation from ZDNet, more than $25 million worth of Bitcoin at today’s valuation has been stolen via the exploit, with 1980 Bitcoin ($22.9 million) held in wallets tied to attackers. That’s on top of the 202 BTC ($2.3 million) stolen in earlier attacks, as reported in December 2018.
The largest haul came in late August, with a Bitcoiner claiming on GitHub that he lost 1,400 BTC via the exploit. The following day, a separate user claimed to have lost 36.5 BTC thanks to the Electrum exploit.
The same exploit has been in use by attackers since 2018, according to reports from purported victims. According to the investigation, users of an older version of Electrum may be prompted during use to update the app, however the security update is coming from an outside attacker rather than Electrum developers.
Electrum’s ElectrumX servers are used to communicate with the Bitcoin blockchain, but the wallet app’s open ecosystem means that bad actors can fire up their own gateway servers and wait for users who connect. From there, attackers can launch a prompt that tells users they must update the app to send a transaction, but it points them to malware instead of a legitimate update.
Once updated with the malware, the compromised Electrum wallet asks for the user’s one-time passcode—and if provided, their funds are then stolen and sent to the attacker’s address. Newer versions of Electrum have implemented fixes to account for the exploit, including blocking certain server pop-up prompts and also blacklisting servers, but older versions of the wallet are more susceptible to attackers as evidenced by these recent reports.
Electrum developer Thomas Voegtlin told Decrypt in August that the team has been aware of the phishing attack for some time and has warned users via its website. “The warning has been on display on our website for the last 18 months,” said Voegtlin. “The user was scammed because he used old software, susceptible to phishing,” he added.
Voegtlin also commented on GitHub last month, and suggested that any affected users report attacks to the police. “There is a police investigation going on in Germany and in the UK. We (Electrum developers) have reported the phishing attack to the police about a year ago,” he wrote, adding “I cannot make any comments about the progress of the investigation, but it helps if victims report it independently.”