Users of the Electrum wallet have lost almost 771 BTC (Bitcoin), about $4 million in total value, to a series of targeted phishing attacks that began in December 2018. One can use PhishProtection.com to avoid this. Malwarebytes Labs reports that the fraudsters achieved this by exploiting a flaw in the original wallet software to make unsuspecting users download a malicious version of the wallet.
In February 2019, wallet users were redirected to download an attacker-patched version of the wallet; in March 2019, vulnerable clients were attacked in what was referred to as a 'counter attack'. Finally, a botnet DDoS (Distributed Denial of Service) attack was launched against users running out-of-date wallet versions.
Reasons for the attack
Electrum uses a technique known as Simplified Payment Verification (SPV), which lets users send and receive transactions without downloading a full copy of the Bitcoin blockchain, which runs to hundreds of GB. Electrum verifies transactions in a client-server configuration, and this design allowed the attackers to operate a public Electrum peer of their own. The number of such peers has increased since January 2019. Attacks like these can be avoided by using ProofPoint.com.
The malicious wallets
There were two variants of the malicious Electrum wallets, known as Variant 1 and Variant 2, operated by different actors. Variant 1 was mainly used to upload all of the stolen wallet key data to a remote server; this function was hidden in a file named 'initmodules.py'. The balance of the user's wallet was then sent to one of the public addresses controlled by the fraudsters.
Variant 2 attacked more aggressively and thus stole more Bitcoin than Variant 1. It hosted the malware on a domain that resembled the legitimate Electrum download website. Its operators had a good grasp of the Electrum code and exploited it far more effectively.
The location of the lost Bitcoins
Researchers have found that the BTC stolen via Variant 1 was broken down into smaller amounts, a pattern of money laundering known as smurfing. For example, 48.36 BTC ($244,001) was broken down into 3.5 BTC ($17,659) amounts, followed by 1.9 BTC ($9,586) amounts. Any amount over $10,000 will trigger a CTR (Currency Transaction Report), so the amounts were kept around the $7,000 threshold.
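The splitting pattern described above is what a blockchain analyst or exchange compliance team looks for. The following added example (not from the article or from Malwarebytes) flags addresses that receive a reportable amount and pay it out in several pieces that each sit just under the CTR threshold; the ledger, addresses and txids are constructed placeholders, and the USD/BTC rate is approximated from the article's 48.36 BTC ≈ $244,001.

```python
from collections import defaultdict
from dataclasses import dataclass

CTR_THRESHOLD_USD = 10_000.0  # CTR (Currency Transaction Report) trigger cited in the article
USD_PER_BTC = 5045.5          # approximated from the article's 48.36 BTC ~= $244,001

@dataclass(frozen=True)
class Transfer:
    txid: str
    sender: str
    receiver: str
    btc: float

def flag_structuring(transfers, usd_per_btc=USD_PER_BTC,
                     threshold=CTR_THRESHOLD_USD, band=0.5, min_pieces=3):
    """Flag addresses that took in >= threshold USD in one transfer and then paid
    it out in min_pieces or more pieces that each sit just under the threshold
    (between band*threshold and threshold): the smurfing pattern."""
    largest_inflow = defaultdict(float)
    outflows = defaultdict(list)
    for t in transfers:
        usd = t.btc * usd_per_btc
        largest_inflow[t.receiver] = max(largest_inflow[t.receiver], usd)
        outflows[t.sender].append(usd)

    flagged = {}
    for addr, pieces in outflows.items():
        if largest_inflow[addr] < threshold or len(pieces) < min_pieces:
            continue  # never held a reportable amount, or too few pieces to be structuring
        if all(band * threshold <= usd < threshold for usd in pieces):
            flagged[addr] = {"received_usd": round(largest_inflow[addr], 2),
                             "pieces": len(pieces),
                             "largest_piece_usd": round(max(pieces), 2)}
    return flagged

# Constructed sample ledger: addresses and txids are placeholders, not real ones.
SAMPLE = [
    Transfer("tx-00", "victim-wallet", "hop-1", 48.36),   # one large inflow to the hop address
    *[Transfer(f"tx-0{i}", "hop-1", f"mule-{i}", 1.4)    # 1.4 BTC ~= $7,064, just under the CTR line
      for i in range(1, 6)],
    Transfer("tx-10", "customer", "merchant", 20.0),     # large but legitimate payment
    Transfer("tx-11", "merchant", "supplier", 20.0),     # paid on in a single piece, not flagged
]

def demo():
    # Only "hop-1" matches: 5 outgoing pieces, each between $5,000 and $10,000.
    return flag_structuring(SAMPLE)
```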
About future attacks
Malwarebytes researchers are certain that further attacks will follow: there are determined exploiters in the wild, and anyone following cryptocurrencies already knows the associated risks. Even after Electrum responded to the attacks, the fraudsters continued with sustained DDoS attacks. Users running their own Electrum servers can mitigate these attacks in various ways, but all users are still advised to update their wallets to the latest version and to watch for phishing attempts disguised as warning messages, with the help of Mimecast.com.