Electrum Wallet Botnet Hack Analysis
There have been numerous “hacks” involving Electrum, with the most common ones involving “fake/modified” versions that people are tricked into downloading from unofficial sources from the outset. On average this botnet has involved more than 100,000 infected machines.
But this attack is different: it does not rely on the user making a mistake or being tricked at the outset. In my opinion, the articles on the internet do not make it clear how this happened or how it works.
Initial Source Of Infection + Theft
In my opinion the initial problem is a huge flaw in the Electrum network. Anyone can run an Electrum server, and anyone running a server can send a message to the wallet/client, including one that contains a hyperlink. The malicious actors behind this malware and botnet used a number of Electrum servers to send “error messages” that look like legitimate messages from the software developers of Electrum, instructing users to download a new version from a GitHub page.
The problem is, of course, two-fold: the malware/fake wallet lets the hackers steal your coins by prompting for your private key password, and it also turns your computer into a zombie that attacks legitimate Electrum servers so they go offline, which makes the infection spread faster through the other Electrum servers the hackers control.
With any new technology, and even existing ones, there will always be attacks, but this one is particularly disturbing because it is a huge hole: anyone can run an Electrum server and send these messages to users.
Over 200 Bitcoin have been stolen this way, which amounted to $750,000 at the time (worth more now). If a transaction initiated by the user was routed through one of the 33-50 malicious servers on the Electrum server network, the user received an error message prompting them to download a wallet app update from an unauthorized GitHub repository. They would then get a message from the app asking for a two-factor authentication code (which the hacker uses to steal the funds and transfer them to the hacker's Bitcoin address). Since then, Electrum has been updated so that server messages no longer appear as rich HTML text.
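The fix just described comes down to one rule: text supplied by an arbitrary server is untrusted and must never be rendered as markup or presented as if it came from the wallet developers. The following is an added example (not Electrum's own code) of a client-side renderer that applies that rule to a constructed server error string; the sample message, the server name and the function names are assumptions for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample (assumption) of the kind of server-supplied error text the
# post describes: HTML styling plus a hyperlink to an unofficial download page.
SAMPLE_SERVER_ERROR = (
    '<b>Security update required.</b> Please download the new version from '
    '<a href="https://example.invalid/fake-update">https://example.invalid/fake-update</a>'
    ' before continuing.'
)

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")


class _TextOnly(HTMLParser):
    """Keeps text nodes and discards every tag, so server markup can never render."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_markup(raw: str) -> str:
    """Return only the visible text of an HTML fragment, whitespace-normalised."""
    parser = _TextOnly()
    parser.feed(raw)
    parser.close()
    return " ".join("".join(parser.parts).split())


def render_server_message(raw: str, server: str, max_len: int = 300) -> str:
    """Turn an untrusted server string into text that is safe for a plain-text label.

    1. Tags are dropped, so there is no clickable link and no official-looking styling.
    2. Any URL left in the text is replaced, so the dialog never offers a download.
    3. The result is HTML-escaped in case the display widget still interprets markup.
    4. The message is attributed to the server, not to the wallet developers.
    5. Length is capped so a server cannot flood the dialog.
    """
    text = strip_markup(raw)
    text = URL_RE.sub("[external link removed]", text)
    text = html.escape(text, quote=True)
    if len(text) > max_len:
        text = text[:max_len] + "..."
    return f"Message from server {html.escape(server)} (not from the wallet developers): {text}"
```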
In a way, it’s a clever phishing scam with elements of hacking. The users were not at fault: they were prompted by Electrum and followed what appeared to be real messages from the app.
And of course, since it’s Bitcoin, it’s not regulated or insured, and there is pretty much no recourse for getting the stolen Bitcoin back.