A ZDNet investigation recently discovered that malicious actors had siphoned more than $22 million worth of BTC stored in Electrum wallet apps. The hackers managed to steal the approximated 1,980 coins via a fake wallet update.
Essentially, the attackers instructed the wallet server to send a pop-up message to user’s screens requesting that they access an URL and install an Electrum wallet app update.
By exploiting a loophole on the Electrum app and its backend infrastructure, the hackers managed to access several wallets of BTC holders who fell for the fake update scam.
As per the ZDNet report, these criminals have used this particular scam repeatedly for several years to siphon BTC from unsuspecting users.
In Dec 2018, the Electrum developers uncovered a hacking incident where hackers sent legitimate wallets officially looking messages urging them to download and install a wallet update. This fake update posted on the GitHub repository was in fact controlled by cybercriminals and distributed malware that stole crypto.
Then in August of this year, one Electrum BTC wallet user posted on Github that he lost 1,400 BTC in a similar fake update attack. Investigations now reveal that the hackers have managed to amass more than $24.6 million worth of BTC in two years.
Electrum Wallets Are Under Increasing Attack
The recent flurry of hacks on Electrum wallets highlight a growing trend where criminals are exploiting vulnerabilities in this particular app.
Unlike most crypto wallets, the Electrum app has an open ecosystem, where anyone can set up and manage their own ElectrumX gateway servers. Hackers seem to have exploited this feature to post fake Electrum app update requests on several occasions.
By sending lookalike domains or GitHub repositories, criminals successfully trick BTC holders to install a fake version of the Electrum wallet. The next time users launch the app, it requests them to enter a one-time passcode (OTP), which effectively approves the hackers to siphon funds stored in their wallets.
In mid-2019, developers unsuccessfully attempted to introduce patches to combat hacks by exploiting a DoS unknown to the public vulnerability in old Electrum wallets.
Following the latest hack, the Electrum team has enabled a server blacklisting structure on ElectrumX servers. This move should block malicious additions to their networks.
Moreover, the team has released an update that stops servers from displaying HTML formatted pop-up messages to end-users.
Wallet Users Urged to Stay Vigilant
Cybersecurity experts are advising users to pay attention to the wallet update URL, so they avoid installing malicious versions of the Electrum wallet.
One expert also emphasized the need for users to refrain from entering their OTP while launching their wallet app.
“Such passwords are requested only to confirm the transfer of funds, and not when the wallet is launched, but users regularly fall for the bait of scammers and enter the requested code,” he explained.
