One Bitcoin investor was stripped of over $16 million in Bitcoin, held since 2017, after downloading a long-exploited version of Electrum wallet.
A year-old GitHub thread devoted to Electrum-based phishing hacks sprang back to life when an individual claimed to have had 1,400 Bitcoins ($16 million) stolen after falling for an old trick.
“I had 1,400 BTC in a wallet that I hadn’t accessed since 2017,” the Bitcoin investor explained. “I foolishly installed the old version of the exploited Electrum wallet. My Bitcoins propagated. I tried to move about 1 BTC but was not able to proceed. A pop-up displayed stating I was expected to upgrade my security prior to having the ability to move funds,” he added.
According to the luckless holder, the upgrade immediately triggered a mass transfer of funds to an unknown address believed to belong to the attackers.
An Old Electrum Exploit
But while the sheer size of this loss has made headline news, the exploit itself is nothing new. Electrum developer Thomas Voegtlin confirmed that the phishing attack used is one that has been circulating since late 2018.
“The warning has been on display on the site for the past 18 months,” said Voegtlin. “The user was scammed because he used old software, vulnerable to phishing,” he added.
While the phishing exploit has existed for well over a year, the developer noted that this latest scam marks the largest single loss to the attack so far.
According to a 2019 investigation by threat analysts at Malwarebytes Labs, the attackers exploited flawed Electrum software to redirect users from legitimate nodes to malicious ones under their control. Once redirected, users are prompted to install a bogus security update, which in fact downloads a malware-laden wallet. From there, the attackers remotely control the wallet and send its contents to another address.
Including this latest haul, the attackers have stolen an estimated 2,000 Bitcoins ($25 million) since the first exploit in 2018.
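The attack chain above hinges on one design decision: a wallet that lets the server it is connected to put arbitrary text, including a link to a "security update", in front of the user. The following is an added illustration, not Electrum's own code and not a captured message. It assumes (the article does not say this) that the prompt arrives as the text of a JSON-RPC error from the server, which is how the Electrum protocol carries error replies, and it shows the weak rendering pattern beside a hardened one. The two JSON replies, the `TRUSTED_UPDATE_HOSTS` allowlist and all function names are constructed for the example.

```python
import html
import json
import re
from dataclasses import dataclass, field

# Constructed sample reply, modelled on the Electrum protocol (JSON-RPC). This
# is NOT a captured message from a real malicious server: it illustrates the
# article's description of a server that refuses to serve the wallet and
# instead pushes a "security update" prompt pointing at attacker software.
MALICIOUS_BROADCAST_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 7,
    "error": {
        "code": 1,
        "message": (
            "Your transaction could not be broadcast. "
            "Please update your wallet before sending: "
            '<a href="https://electrum-update.example/electrum-4.0.exe">'
            "Download security update</a>"
        ),
    },
})

# Constructed benign reply: an honest node rejecting a transaction in plain text.
BENIGN_BROADCAST_REPLY = json.dumps({
    "jsonrpc": "2.0",
    "id": 8,
    "error": {"code": 1,
              "message": "the transaction was rejected by network rules: insufficient fee"},
})

# Assumption for this example: the only legitimate update source is the
# project's own domain. Any other host named in a server message is suspect.
TRUSTED_UPDATE_HOSTS = ("electrum.org",)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def render_server_error_vulnerable(raw_reply: str) -> str:
    """Weak pattern: hand the server's text straight to a rich-text widget.

    Whatever markup the server embeds (here, a link to a fake installer) is
    rendered live and clickable, which is exactly what the phishing relies on.
    """
    return json.loads(raw_reply)["error"]["message"]


@dataclass
class ServerNotice:
    text: str                                   # safe to display as-is
    suspicious_hosts: list = field(default_factory=list)

    @property
    def is_suspicious(self) -> bool:
        return bool(self.suspicious_hosts)


def _is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_UPDATE_HOSTS)


def render_server_error_hardened(raw_reply: str) -> ServerNotice:
    """Hardened pattern: treat server error text as untrusted data.

    1. HTML-escape the message so any markup is shown literally, never rendered.
    2. Extract every URL host in the message and flag those that are not the
       project's own domain, so the UI can warn instead of inviting a click.
    """
    msg = json.loads(raw_reply)["error"]["message"]
    plain = html.escape(msg, quote=True)
    hosts = URL_RE.findall(msg)
    suspicious = [h for h in hosts if not _is_trusted_host(h)]
    return ServerNotice(text=plain, suspicious_hosts=suspicious)


if __name__ == "__main__":
    print("vulnerable:", render_server_error_vulnerable(MALICIOUS_BROADCAST_REPLY))
    notice = render_server_error_hardened(MALICIOUS_BROADCAST_REPLY)
    print("hardened:  ", notice.text)
    if notice.is_suspicious:
        print("WARNING: server message links to", notice.suspicious_hosts)
```

The point of the hardened version is not the allowlist itself but the trust boundary: a wallet's server is a peer that can be anyone, so nothing it sends should ever be able to direct the user to download software. The article's own remedy still applies, since an old client that renders server text as rich text is vulnerable no matter which server it happens to reach.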
But with the address used in the latest hack known, and the news spreading quickly, word reached Binance CEO Changpeng “CZ” Zhao, who proceeded to blacklist the address.
“Not your keys, not your funds. Beware of the Electrum official upgrade, this man lost 1400 BTC, and tons of others lost funds also,” CZ tweeted, adding, “We blacklisted the addresses involved.”
Despite Binance blacklisting the funds, it is unlikely the Bitcoin will ever be recovered. With no permanent fix to the exploit, it is a sobering reminder that crypto users need to remain on guard against many different kinds of scams.