Hackers used a clever new tactic to steal over $800k from the users of a popular bitcoin wallet.
Admins of the popular Bitcoin wallet Electrum are warning users of a phishing attack that tricks them into downloading a malicious update that steals their passwords.
Users of this updated version are asked to enter their two-factor authentication code, which the hackers then use to access the wallet and empty its balance. The hackers were able to steal over 200 bitcoins, approximately $830k at the time of writing.
According to ZDNet, the core issue for Electrum is that it allows “popups with custom text” to trigger in a user’s wallet interface: the client displays error text supplied by whichever server it is connected to, so a malicious server can make the wallet render authentic-looking “server messages” like the one below.
According to Electrum’s developers, these attacks began on December 21st. The attacker’s GitHub repository, which hosted the malicious build, has since been taken down, but the underlying weakness, the wallet displaying server-supplied messages, has yet to be patched.
Developers warn that another attack may soon be underway.
The hack began last Friday, December 21, and as of today has been temporarily halted by GitHub administrators removing the repository.
To get at users’ bitcoin, the attacker added several malicious servers to Electrum’s network of public servers, which any client may connect to. When a client broadcast a transaction through one of these servers, the server responded with an error message prompting the user to follow a GitHub link and download an “update”.
The downloaded application would then request a two-factor authentication code which, if provided, let the malicious software transfer the user’s funds to the attacker’s Bitcoin addresses.
Some users even manually copied and pasted the link from the error message and downloaded the malicious update that way.
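As an added example (not code from this article or from the Electrum project), the following Python models the broadcast exchange between an Electrum client and a server in the Electrum JSON-RPC wire format, then contrasts a dialog that renders the server's error string verbatim, as the attack relied on, with one that shows only client-authored text. The sample replies, the `EXAMPLE-attacker` repository URL and the simplified dialog model are constructed assumptions, not the real campaign's artifacts.

```python
"""Illustrative model of the Electrum broadcast exchange and of two client-side
policies for server-supplied error text. Not Electrum's own code; the wire
format follows the Electrum JSON-RPC protocol, the dialog model is a
simplification (assumption)."""
import html
import json
import re

# Constructed reply a malicious server could send to a
# blockchain.transaction.broadcast request. The repository URL is a
# placeholder, not the one used in the real campaign.
MALICIOUS_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 7,
    "error": {
        "code": 1,
        "message": (
            "Transaction rejected: your Electrum version is outdated. "
            'Please update from <a href="https://github.com/EXAMPLE-attacker/electrum/releases">'
            "https://github.com/EXAMPLE-attacker/electrum/releases</a>"
        ),
    },
})

# Constructed reply from an honest server: the txid of the accepted transaction.
HONEST_REPLY = json.dumps({"jsonrpc": "2.0", "id": 7, "result": "f" * 64})

_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def broadcast_request(raw_tx_hex: str, req_id: int = 7) -> str:
    """Build the client's JSON-RPC broadcast request (one newline-terminated line)."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "blockchain.transaction.broadcast",
        "params": [raw_tx_hex],
    }) + "\n"


def parse_reply(line: str):
    """Return (txid, error_message); exactly one of the two is None."""
    msg = json.loads(line)
    if "error" in msg:
        return None, str(msg["error"].get("message", ""))
    return msg.get("result"), None


def dialog_vulnerable(server_error: str) -> dict:
    """Pre-fix behaviour: the untrusted server string goes straight into a
    rich-text dialog, so any URL in it is presented as a clickable link."""
    return {"text": server_error,
            "links": sorted(set(_URL_RE.findall(server_error)))}


def dialog_hardened(server_error: str, log: list) -> dict:
    """Mitigation: the dialog shows a fixed, client-authored message; the
    server's text is kept only in the log, HTML-escaped, with no links."""
    log.append("server error (untrusted): " + html.escape(server_error))
    return {"text": ("The server rejected the transaction. See the log for "
                     "details. Never install software from a link shown in "
                     "a server message."),
            "links": []}
```

The point of the contrast is the trust boundary: the server is an untrusted peer chosen from an open network, so anything it sends belongs in a log, escaped, and never in a dialog that looks like it comes from the wallet itself.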
An Electrum developer, known as SomberNight, said the team did not publicly disclose the attack until today because the hacker had apparently stopped.
However, Electrum anticipates another attack using either a different GitHub repository or another download location.
The malicious servers also remain on the Electrum network; in fact, Electrum developers have identified at least 33 of them. The team has not said what it intends to do about these servers.