- A Bitcoiner has fallen victim to an Electrum wallet phishing scam, losing 1,400 Bitcoin ($16 million).
- An Electrum developer confirmed that it's a known exploit.
- The exploit has claimed around 2,171 Bitcoin ($25 million) to date.
A year-old GitHub thread dedicated to Electrum-based phishing hacks sprang back to life yesterday when a user claimed to have had 1,400 BTC ($16 million) stolen after falling for an old trick.
"I had 1,400 BTC in a wallet that I had not accessed since 2017," explained the Bitcoin holder. "I foolishly installed the old version of the electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds," he added.
Ouch. https://t.co/Dryl3d3Otz pic.twitter.com/iuSEr5so1Y
— Ben Verret⚡ (@verretor) August 30, 2020
According to the luckless holder, the update immediately triggered a mass transfer of funds to an unknown address assumed to belong to the scammers.
An old Electrum exploit
But while the sheer size of the loss has made headlines, this exploit isn't anything new. Speaking to Decrypt, Electrum developer Thomas Voegtlin confirmed that the phishing attack used is one that's been floating around since late 2018.
"The warning that has been on display on our website for the last 18 months," said Voegtlin. "The user was scammed because he used old software, susceptible to phishing," he added.
While the phishing exploit has been around for well over a year, the developer noted that this latest swindle marks the largest amount ever lost to the attack.
Per a 2019 investigation from threat analysts Malwarebytes Labs, after exploiting faulty Electrum software, the hackers managed to divert users from legitimate nodes to malicious ones under their control. Once redirected, users are prompted to install a bogus security update, which automatically downloads a malware-infested wallet. From there, the hackers remotely control the wallet and send its contents to a separate address.
This latest haul included, hackers have succeeded in appropriating an estimated 2,171 Bitcoin ($25 million) since the first exploit in 2018.
Nevertheless, with the address of this latest hack known, and the news quickly spreading, word reached Binance boss, Changpeng "CZ" Zhao, who moved to blacklist the address.
"Not your code, not your funds. Beware of this Electrum official update, This guy lost 1400 BTC, and plenty of others lost funds too," CZ tweeted, adding, "We blacklisted the addresses involved."
We blacklisted the addresses involved, but ...
— CZ Binance (@cz_binance) August 30, 2020
Even with Binance blacklisting the funds, it's unlikely the Bitcoin will ever be recovered. And with no permanent fix to the exploit, it’s a sobering reminder that crypto users need to stay on guard against many different types of scam.