Crypto wallet update scam nets criminals more than millions

Cybercriminals are reportedly tricking owners of Electrum wallets into installing malware so they can steal user funds, according to a ZDNet report. So far, more than $22 million has been stolen per the outlet’s investigation. 

The scam involves sending fake updates to wallet owners. This tactic was first noticed in December 2018. Since then, thieves have reused the attack pattern in multiple campaigns over the past years, with some attacks taking place as recently as last month. 

How it works

The heist begins when users of the Electrum crypto wallet app receive an unexpected update request via a pop-up message. They update their wallet, then discover that the funds contained within were stolen and sent to the attacker’s BTC account.

This attack method works because of the inner workings of the Electrum wallet app and its backend infrastructure.

Developers designed Electrum wallets to connect to the BTC blockchain to process any transactions. It connects through a network of Electrum servers known as ElectrumX. 

While some crypto wallet services control who can manage these servers, Electrum is an open ecosystem where everyone can set up an ElectrumX gateway server. Since 2018, the bad actors have been abusing this system to spin up malicious servers and wait for unsuspecting users to connect to their systems randomly.

Once this happens, the attackers instruct the server to show a pop-up on the user’s screen, leading the victim to access an URL and download and install an Electrum wallet app update on what turns out to be lookalike domains impersonating the official Electrum website or GitHub repositories.  

If users ignore the URL without confirming it is electrum.org, they end up unwittingly installing a malicious version of the Electrum wallet.  

The next time the user tries to use the wallet, it will uncharacteristically ask for a one-time passcode (OTP). The code is only requested before sending funds and not at the wallet’s startup. If users enter the requested code without thinking, they have given the malicious wallet’s official approval to transfer all of their funds to an attacker’s account.

The report tracked down multiple crypto accounts where thieves have allegedly gathered stolen funds from the heist they carried out. These wallets hold 1980 BTC, which is roughly over $22 million in fiat currency. A significant portion of those funds appears to have been stolen during one event in August when one unlucky victim reported losing 1,400 BTC (~$15.8 million) after updating an Electrum wallet.

The Electrum team has taken many steps to mitigate this attack. They implemented a server blacklisting system on Electrum X servers to prevent malicious additions to their networks. They also added a system update, stopping servers from showing HTML formatted pop-ups to end-users.

Nonetheless, a malicious server can still slip through the cracks. The attack still works well on those still using older versions of the Electrum wallet app to manage funds.

Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups—from BitMEX to Binance, Bitcoin.com, Blockstream and Ethereum—who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.