Infected Electrum Bitcoin Wallets Result In $4.6M Stolen Funds

An ongoing attack is targeting Electrum bitcoin wallets and causing huge devastation. The number of infected Electrum bitcoin wallets has now reached a record 152,000 after an ongoing Denial-of-Service (DoS) attack on its servers.

The anti-malware firm, Malwarebytes reported on the 152,000 infected wallets and $4.6 million stolen funds in their blog post on 29 April.

The blog post stated:

We have been closely monitoring the situation involving the continued attacks against users of the popular Electrum Bitcoin wallet. Initially, victims were being tricked to download a fraudulent update that stole their cryptocurrencies. Later on, the threat actors launched a series of Distributed Denial of Service (DDoS) attacks in response to Electrum developers trying to protect their users.

Malwarebytes previously reported on the attacks and on 24 April stated the number of infected Electrum machines was just below 100,000. Less than one week later, that number is now over 150,000.

Since our last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing.

Electrum has been the victim of cyber attacks since December 2018 when a hacker or group of hackers made over 200 bitcoin tricking users to download a malicious version of the wallet. As part of the attack, the legitimate Electrum wallets displayed a message to users urging them to download the malicious version of the wallet from a GitHub repository. GitHub took down the malicious download repository but Electrum was expecting another attack to follow since the vulnerability that allowed for the attack remained unpatched at this point.

Attackers added tens of malicious servers to the Electrum network and used these servers to push the message to users. The message read:

Security Update Required (2018-002 v3.4.1)

This important security update provides a fix for transaction deserialization vulnerability and is recommended for all users. 

Transactions can only be sent after applying the update. Please visit the link below to find instructions on how to update to Electrum 3.4.1

When users downloaded and logged into the malicious version of the wallet, hackers were able to obtain credentials from the users and use them to steal hundreds of bitcoins and gain full control over the infected systems.

In response to the attack, Electrum pushed their own message also encouraging users to download the latest and patched version of the wallet.

The attackers countered this move by conducting DoS attacks on Electrum’s servers hoping that by overloading the legitimate servers, unsuspecting users would use one of the malicious ones. This technique seems to have been very successful for the attackers.

The botnet distributing the malware appears to be growing and dropping the Electrum malware from various IP addresses located around the world.

By analyzing the IP addresses and mapping them to a country, we are able to have a better idea of where the bots are located. We find the largest concentration in the Asia Pacific region (APAC). For the Americas, most bots are located in Brazil and Peru.

These attacks have caused millions of dollars in losses over the last 5 months and don’t seem to be slowing.