Electrum Wallet Botnet Hack Analysis

The Electrum Hack, bitcoin's wallet

There have been numerous “hacks” involving Electrum, with the most common ones involving “fake/modified” versions that people are tricked into downloading from unofficial sources from the outset.  On average this botnet has involved more than 100,000 infected machines.

But this attack is different in that it doesn’t rely on the user to make any mistake or trick them initially.  The articles on the internet in my opinion do not make it clear how this happened or how it works.

Initial Source Of Infection + Theft

In my opinion the initial problem is a huge flaw in the Electrum network.  Anyone can run an Electrum server and anyone running a server can send a message to the wallet/client, including one that contains a hyperlink.  Malicious actors who created this malware and botware used a bunch of Electrum servers to send these “error messages” that look like a legitimate message from the software develops of Electrum, instructing them to download a new version from a Github page.

The problem of course is two-fold, the malware/fake wallet allows the hackers to steal your coins by prompting for your private key password and also makes your computer a zombie that attacks legitimate Electrum servers so they go offline, making the infection multiply quicker through other Electrum servers the hackers control.

With any new technologies and even existing, there will always be attacks but this one is particularly disturbing since it is a huge hole that anyone can run an Electrum server and send these messages to the users.

Over 200 Bitcoin have been stolen this way – which amounted at the time of $750,000 (worth more now). If the transaction initiated by the user was routed through one of the 33-50 malicious servers on the Electrum Wallet Server, the user received an error message prompting them to download a wallet app update coming from an unauthorized GitHub depository. They would then get a message from the app asking the user for a two-factor authentication code, (which is used by the hacker to steal the funds and transfer the funds to the hackers bitcoin address). Since this, the Electrum wallet has updated to no longer appear in rich HTML text.

In a way, it’s a clever phishing scam that has elements of hacking. The users were not at fault because they were prompted by Electrum and followed what appeared to be real messages from the app.

And of course since it’s Bitcoin, it’s not regulated or insured and there pretty much is no recourse on getting the stolen Bitcoin back.

You’re thoughts?



Areeb Soo Yasir

Business and technology have always gone hand in hand for me, and now I've built nearly 20 years of expertise. A few notable achievements: -> Tier III-Designed & deployed multiple mission critical datacenter environments in Canada, US, Hong Kong, Singapore & China. -> Software Engineering: Created a Linux OS from scratch, including a custom kernel to maintain millions of dollars in client infrastructure, deploy and report as needed. Created the “Windows Geeks” and “Password Pros” Windows Password Reset software recommended by Microsoft. -> Business Negotiations: Conducted intensive negotiations with branches of the Peoples Republic of China and the various state-run Telecom operations including China Telecom and China Unicom for access to their trillion dollar backbone infrastructure. We were the first western company to have such network access where other IT companies such as Vodafone and Google failed. -> Cloud Infrastructure Creation: Created the first proprietary “Clustered Cloud Architecture” that rivals competing Google, IBM, Microsoft & Alibaba alternatives. I'd love to chat #IT or #Linux or even #Business, so don't hesitate to connect. Cheers!

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *