Hackers hit Electrum bitcoin wallets stealing over 200 Bitcoin

• Attackers recently hacked Electrum wallets stealing over 200 bitcoins worth around $750,000.
• The attack continued lasted for seven days and temporarily stopped after Github took down the attacker’s Github repository.

Cybercriminals have hacked the Electrum wallets on December 21, 2018, and have stolen $750,000 worth bitcoins over the past seven days. The attackers have temporarily stopped the attack earlier today after the Github admins removed the attacker’s Github repository.

However, Electrum wallet admins expect that the cybercriminals may launch a new attack soon. The attackers may use a different Github repository or a new link redirecting to another download page, as the vulnerability exploited by the hackers to conduct the attacks, remains unpatched.

Modus Operandi

The attack resulted in the Electrum wallet apps displaying a message on users’ systems that asked them to download a malicious update from an unauthorized Github repository. The attackers added multiple malicious servers to the Electrum wallet network.

When users initiate a bitcoin transaction and if the transaction reaches one of these malicious servers, an error message is displayed to users that tricks them into downloading a wallet app update from a malicious Github repository.

Once victims download the malicious update and open the malicious Electrum wallet, the app then asks for a two-factor authentication code. This two-factor authentication code is used to steal victims' funds and transfer them to the attacker's Bitcoin addresses.

The error messages were in rich formatted texts making these messages look very legitimate. The messages also provided victims with ready-to-click links. However, the initial attacks were more effective and seemed to have tricked more victims when compared to later attacks.

The Electrum wallet team quietly updated the app once they discovered the attack. The update ensures that these error messages don't appear in rich HTML text anymore.

"We did not publicly disclose this attack until now, as around the time of the 3.3.2 release, the attacker stopped," said SomberNight, a developer part of the Electrum wallet team.

SomberNight added that the Electrum devs identified at least 33 malicious Electrum servers that have been added to their network, but the actual number could be around 40 to 50.