Cyber Thieves Steal $24 Million with a Fake Bitcoin Wallet Update
Table of Contents
- By Dawna M. Roberts
- Published: Oct 13, 2020
- Last Updated: Mar 18, 2022
A technique first used in 2018 has allowed cybercriminal gangs to bilk $22 million from Bitcoin users. ZDNet reported on Monday that by pushing a fake update to users of the Electrum Bitcoin app, thieves installed malware stealing money from hundreds of accounts.
How Does it Work?
Victims from all over have reported the same thing. They opened the Electrum wallet app and received a pop-up message to update to a newer version. When they clicked the update button, all of their Bitcoin funds were diverted to the scammer's account, and theirs were left empty.
This technique works so well because of how the Electrum wallet app functions and its back-end infrastructure. When processing transactions, the app routes communications through a network of Electrum servers called ElectrumX. Unlike other wallet apps that control the management of Bitcoin servers, Electrum allows anyone to set up an ElectrumX gateway server. This open-source ecosystem doesn't discriminate against criminals.
This dangerous loophole allows criminal gangs to set up a server and wait for Bitcoin users to initiate a transaction and connect to their system in the lineup. Once there, the user receives a pop-up that their software version needs updating. The update is simply malware that diverts their funds and drains their Bitcoin accounts.
Users have noted that the pop-up usually contains some random error message that their transaction did not go through, thus the need for the upgrade. The download link does not come from the official Electrum website but instead diverts to a fake domain or GitHub repository.
Because users think they are updating through the official Electrum website, when it asks for a one-time passcode, most users provide it, effectively giving the app permission to transfer all their funds to the hacker's account. Users have dubbed this technique the "fake Electrum update scam."
The Staggering Figures
To date, since 2018, when this scam first reared its ugly head, cybercriminals have stolen roughly $24.6 million. A large portion of this total was nabbed in a single incident this September when a user who owned 1,400 Bitcoin ($15.8 million) was scammed using this technique. The victim commented that "I foolishly installed the old version of the Electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds. I installed the update, which immediately triggered the transfer of my entire balance to a scammer's address."
Back in 2018, this scam surfaced when almost $1 was reported stolen by users. A network of malicious servers was used to steal the cash and was reported on Reddit by an Electrum wallet user.
Shortly after that first cyber attack, Electrum suffered a denial-of-service attack also. Any time cyber criminals access electronic devices, it opens the user up to possible identity theft, fraud, and other scams.
What is Electrum Doing About It?
Although Electrum added a server blacklisting system to ensure that no malicious ElectrumX servers connected to the network, one or two slips through the cracks every now and then. Electrum also updated the app to prevent servers from displaying HTML pop-ups to users to push a fake update. But as of September, this obviously did not stop thieves from stealing $15+ million from one user.
Users who have older versions of Electrum are more at risk because these new safeguards are not in place.
The Dangers of Using Crypto
Electrum uses the peer-to-peer network architecture to keep the system decentralized; however, it also works in favor of hackers trying to intercept large transactions and trick users into downloading malicious files.
Industry experts warn against software apps and recommend using only hardware Bitcoin wallets like Ledger or Trezor. Electrum suggests that users keep a close eye on URLs and links when being asked to update the software. If it doesn't look legit, close it, and do not update the app.
