Electrum Wallet Spear Phishing Campaign Nabs Bitcoin Bonanza

Nearly 250 bitcoin have been stolen after some users of wallet software Electrum Wallet fell victim to a spear phishing campaign involving malicious servers sending out fake software update advisories. The attacker’s malware was then used to scrape bitcoin from the wallets of those who took the bait. 

Command and Control Attacks Target Electrum, Electron Cash Users

Per a GitHub disclosure by Electrum developer SomberNight, an attacker spun up malicious Electrum servers and used them to push fake software update warnings to wallets that connected to those sybil servers around Dec. 21st and Dec. 27th.

The spear phishing campaign has been driven by command and control attacks, as users who downloaded the attacker’s Windows-based malware quickly saw their Electrum wallets scraped of bitcoin.

The attacker’s fake “update.” The ploy? Get users to download a malicious file in order to take control of their Electrum wallets. Image via SomberNight.

It’s currently not clear how many individual users have been affected by the campaign, though traced transactions have pegged the attacker as having nabbed at least 243.58 bitcoin — then worth around $1 million USD — at press time.

Electrum’s team released two fixes to mitigate the vector in their 3.3.2 software release, but the patches have been described as less than a “proper fix” and the attack as “ongoing” on Dec. 27th.

“This is not a true fix, but the more proper fix of using error codes would entail upgrading the whole federated server ecosystem out there,” developer SomberNight noted in their disclosure.
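The design point behind that quote is that a wallet client should never render free text chosen by an untrusted server as if it were the client’s own advice. The following is an added illustration, not Electrum’s code or the project’s own fix: a constructed JSON-RPC error reply whose message body is attacker-controlled, shown first through a naive renderer that displays the server’s text as-is, then through a hardened renderer that maps the error code to a fixed local string and only keeps an escaped, URL-stripped copy of the server text for logs. The error codes, messages and the `example.invalid` link are all constructed for the example.

```python
"""
Added example (not Electrum's code): mapping server error codes to fixed local
strings instead of rendering server-supplied free text. All values constructed.
"""
import html
import json
import re

# Constructed sample reply such as a client might receive from a server it is
# connected to. The "message" field is entirely under the server's control.
MALICIOUS_REPLY = json.dumps({
    "id": 7,
    "error": {
        "code": -32000,
        "message": (
            '<b>Security update required.</b> Please download the update '
            'from <a href="https://example.invalid/update">example.invalid</a>'
        ),
    },
})


def render_naive(reply_json: str) -> str:
    """Weak pattern: return whatever text the server sent, unescaped, for a
    rich-text dialog. Any link or formatting the server chose reaches the user."""
    reply = json.loads(reply_json)
    return reply["error"]["message"]


# Fixed, locally owned strings keyed by error code (constructed codes; the
# JSON-RPC spec reserves -32700 and -32600 for parse/request errors, and
# -32000 here stands in for an application-level rejection).
LOCAL_MESSAGES = {
    -32000: "The server rejected this transaction.",
    -32600: "The server sent an invalid request.",
    -32700: "The server sent an unparseable reply.",
}
GENERIC = "The server returned an unknown error."


def render_hardened(reply_json: str) -> dict:
    """Hardened pattern: the user sees only a local string selected by the
    error code. The server's own text is never displayed; it is escaped, has
    URLs blanked out, and is truncated before it goes to a log."""
    try:
        reply = json.loads(reply_json)
        err = reply.get("error") or {}
        code = int(err.get("code"))
    except (ValueError, TypeError, AttributeError):
        # Covers invalid JSON, a non-object reply, and a missing or non-numeric code.
        return {"shown": GENERIC, "log": "unparseable reply", "code": None}
    raw = str(err.get("message", ""))
    # Strip anything URL-shaped, then escape markup, so even the log line
    # cannot smuggle a clickable link or HTML into a viewer.
    safe = html.escape(re.sub(r"https?://\S+", "[url removed]", raw))
    return {"shown": LOCAL_MESSAGES.get(code, GENERIC), "log": safe[:200], "code": code}


def contains_link(text: str) -> bool:
    """Check what would reach the user: any anchor tag or URL counts."""
    return "<a " in text or "http" in text


if __name__ == "__main__":
    print("naive   :", render_naive(MALICIOUS_REPLY))
    print("hardened:", render_hardened(MALICIOUS_REPLY))
```

The important property is that the set of strings a user can ever be shown is fixed at build time and owned by the client; the server can only select among them by code. That is why it requires every server to speak the same code vocabulary, which is the “federated server ecosystem” upgrade the developer refers to.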

The campaign has apparently been multi-faceted. Some users of Electron Cash, a wallet software fork for bitcoin cash derived from Electrum, have also been hit with fake transaction error messages via the attacker’s infrastructure.

The fake error message that some Electron Cash users saw during the attack. Image via u/jimfriendo

Those messages similarly told users to update their wallet software via an authoritative-looking link that dispensed malware crafted for the scam.

As with the Electrum Wallet victims, it’s currently unclear how many Electron Cash users have been affected by the spear phishing attack.

Security Concerns Abound in Early Cryptoeconomy

Between keyloggers, screen scrapers, SIM swaps, and beyond, there is no shortage of attack vectors hackers can use to part users from their cryptocurrency.

And the attacks, like this month’s targeting of Electrum, can be complex, sprawling, and well-disguised.

In recent years, most advanced persistent threats (APTs) across cyberspace in general have involved “cocktails” of malware and command and control attacks that can prove devastatingly effective for plundering. That dynamic will remain until better awareness and cybersecurity mechanisms take hold in the space.

And servers aren’t safe either.

The cryptoverse saw that reality firsthand back in April 2018 when Ethereum wallet provider MyEtherWallet was temporarily hit with a DNS hijack that intercepted more than 200 ether.

Of course, wherever there are vulnerabilities, blackhats will be probing. And cryptocurrency defenders of all stripes must raise their game while such vulnerabilities abound.

What’s your take? Are these kinds of attack vectors an existential threat to the fledgling cryptoeconomy? Let us know in the comments section below.


Images via u/jimfriendo, SomberNight, Pixabay