The cryptocurrency market has had its share of scams over the years, with hackers attacking every weak point they can find.
Hackers have plagued this nascent industry frequently, and a recent report from Malwarebytes Labs says that one of the most recent groups of victims is users of the Electrum Bitcoin wallet.
In the article, the researchers explained that about $4 million has been stolen from these wallets since December 2018 as a result of phishing attacks. Users were tricked into downloading a version of the wallet that has since proven to be malicious, while the phishers also exposed and used a weakness in the wallet software.
In a comparable manner, Electrum developers exploited the same flaw in February, which led users to download a patched version of the wallet. The mess created by all of these changes ultimately resulted in the developers exploiting another vulnerability the following month, one the public didn’t even know about, reaching into clients in an effort to steer them away from bad nodes.
The attack was hardly over at this point. Multiple distributed denial of service (DDoS) attacks were launched against the Electrum services by a botnet. Research suggests that the attacks were retaliation for the developers’ attempts to fix the bug. The attackers ended up overwhelming the authentic nodes so that clients were forced into using the malicious nodes instead.
To understand why the attacks happened at all, there are a few things that consumers should know about the wallet. Electrum uses a variation of a technique that the Bitcoin whitepaper included, known as “Simplified Payment Verification” (SPV).
This technique makes it possible for a user to avoid downloading a full copy of the Bitcoin blockchain, which runs to hundreds of gigabytes, whenever they send and receive transactions. Electrum’s variation uses a client/server configuration, wherein the wallet automatically connects to a server from a group of peers to validate the transactions.
This arrangement is generally secure for performing transactions. However, since anyone can run a public Electrum peer, attackers found their weak point.
A warning was issued in December about the start of the attacks, informing the public that updates should only come from the official website to avoid malware. As the attackers flooded the network with malicious nodes, it was easy to instigate an attack and steal funds over time.
Once a user connected to a malicious node and tried to send a transaction, they would see that the transaction was blocked, and the attackers would display a fake update message.
During the second part of the attack, the user is tricked into downloading an “update” to the Electrum wallet, which is actually the malicious software the attacker is distributing. As The Next Web reported on the data, the malicious wallets were called Variant 1 and Variant 2.
The unnerving fact is that the parties behind this campaign have been active for a while, hiding from the view of the platform. Moreover, the two wallets are operated by two different actors, which Electrum deduced from the differences in the malware.
Variant 1 uploads the stolen keys from these wallets, and the data is then saved on a remote server. This function was hidden with exfiltration code placed in a file that is not normally part of Electrum. The balance of the affected wallets was then sent to an address controlled by the scammers, which was hardcoded into the malware.
Variant 2 was more aggressive, making it possible to steal much more Bitcoin than was stolen with Variant 1. Victims were not redirected to a GitHub site; instead, Variant 2 impersonated the Electrum download site, which many users trusted. Based on the way these attackers came after Electrum, it is safe to say that they had a pretty clear understanding of the code surrounding the platform.
At this point, the funds stolen from the wallets have already been split into smaller amounts, which suggests that the attackers are using a money-laundering technique called smurfing. The transactions appear to be sent in groups of 3.5 BTC or 1.9 BTC. When a transaction exceeds $10,000, a currency transaction report is triggered, but a smaller amount will not trigger the warning.
The Malwarebytes researchers behind the report have already commented that it is pretty likely that other attacks are going to happen. The blog post even says that anyone in cryptocurrency already knows the odds they are up against, and that this sneaky infiltration made these attackers over $3 million in a matter of months.
Even with the company’s attempt at protection, the attackers pushed harder.
The only way to really protect funds in any e-wallet is to always go through the official website: avoid links presented in other windows, and only upgrade from the official website.