In August and September, multiple reports surfaced stating that users of older versions of the Electrum Bitcoin software wallet have had significant amounts of Bitcoin stolen through an exploit that targets those versions.
A new report details the process behind the exploit and the extent of the damage inflicted on users so far.
According to ZDNet, more than $25M worth of Bitcoin at today's valuation has been stolen through the exploit, with 1,980 BTC held in wallets tied to the attackers. That is on top of the 202 BTC ($2.3M) stolen in the earlier attacks reported in December 2018.
The biggest haul came late in August, when one Bitcoiner claimed to have lost 1,400 BTC to the exploit. The next day, a separate user claimed to have lost 36.5 BTC the same way.
According to reports from the purported victims, attackers have been using the same technique since 2018. Investigations show that an older version of Electrum can be prompted to "update" the app; the supposed security update, however, comes from an outside attacker rather than from the Electrum developers.
Electrum clients communicate with the Bitcoin blockchain through ElectrumX servers. Because the wallet's server ecosystem is public, bad actors can fire up their own gateway servers and simply wait for users to connect.
From there, the attackers can trigger a prompt telling users that they must update the app before they can send a transaction, pointing them to malware instead of a legitimate update.
Once "updated" with the malware, the compromised Electrum wallet asks for the user's one-time passcode, and if it is provided, the funds are stolen and sent to the attacker's address.
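To make the mechanism above concrete, here is an added illustration (not code from the Electrum project and not from the original article). It models the step where a malicious server answers a transaction broadcast with an error whose text is a phishing prompt. Everything in it is constructed for the example: the JSON-RPC replies, the server names, and the phishing message. The vulnerable handler reproduces the behaviour the article describes, handing the server's error string straight to a dialog (which, rendered as rich text, makes the link clickable); the hardened handler never shows server-controlled text, logs it instead, and blacklists a server whose error looks like an update prompt.

```python
import json
import logging
import re

log = logging.getLogger("electrum-demo")

# Constructed sample data (not captured traffic). The error text is an invented
# phishing message shaped like the prompt the article describes.
MALICIOUS_MESSAGE = (
    'Your version of Electrum is outdated. You must upgrade before sending '
    'transactions: <a href="http://example.invalid/electrum-update">Download</a>'
)
MALICIOUS_REPLY = json.dumps(
    {"jsonrpc": "2.0", "id": 7, "error": {"code": 1, "message": MALICIOUS_MESSAGE}}
)
HONEST_REPLY = json.dumps({"jsonrpc": "2.0", "id": 7, "result": "e3b0c442" * 8})

GENERIC_REJECTION = "The server rejected the transaction. See the log for details."

# Markup, URLs or update instructions have no business in a broadcast error and
# are treated here as a sign of a hostile server (heuristic chosen for this demo).
SUSPICIOUS = re.compile(r"<[a-z/!]|https?://|\b(upgrade|update|download)\b", re.I)


def vulnerable_broadcast_handler(raw_reply: str) -> dict:
    """Pre-fix behaviour as the article describes it: the server's error string
    is returned verbatim for the UI to display, so a rich-text dialog renders
    the attacker's link."""
    reply = json.loads(raw_reply)
    if "error" in reply:
        return {"ok": False, "dialog": reply["error"]["message"]}
    return {"ok": True, "txid": reply["result"]}


def hardened_broadcast_handler(raw_reply: str, server: str, blacklist: set) -> dict:
    """Hardened variant: show only a fixed message, log the sanitized server
    text, validate the success path, and blacklist servers that phish."""
    reply = json.loads(raw_reply)
    if "error" not in reply:
        txid = reply["result"]
        # A broadcast result must be a 32-byte hex txid; anything else is not trusted.
        if not isinstance(txid, str) or not re.fullmatch(r"[0-9a-f]{64}", txid):
            raise ValueError("server returned a malformed txid")
        return {"ok": True, "txid": txid}
    message = str(reply["error"].get("message", ""))
    # Drop non-printable characters and truncate before logging so the log
    # itself cannot be abused by server-controlled text.
    safe = "".join(ch if ch.isprintable() else "?" for ch in message)[:200]
    log.warning("broadcast rejected by %s: %r", server, safe)
    if SUSPICIOUS.search(message):
        blacklist.add(server)
        log.warning("blacklisting %s: error text looks like a phishing prompt", server)
    return {
        "ok": False,
        "dialog": GENERIC_REJECTION,
        "server_blacklisted": server in blacklist,
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("vulnerable:", vulnerable_broadcast_handler(MALICIOUS_REPLY))
    bl = set()
    print("hardened:  ", hardened_broadcast_handler(MALICIOUS_REPLY, "evil.example:50002", bl))
    print("hardened:  ", hardened_broadcast_handler(HONEST_REPLY, "good.example:50002", bl))
    print("blacklist: ", bl)
```

The important design point is not the regex (an attacker can word a message to dodge any keyword list) but the fact that the hardened handler never puts server-supplied text in front of the user at all; the blacklist is a secondary measure that stops the same server from being retried.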
Newer versions of Electrum have implemented fixes against the exploit, including blocking server-originated pop-up prompts and blacklisting malicious servers. Older versions of the wallet, however, remain susceptible, as these recent reports show.
Electrum developer Thomas Voegtlin stated that the team has been aware of the phishing attack and has warned users on its website.
Voegtlin commented on GitHub last month and suggested that affected users report the attacks to the police.