Those affected were then redirected to an unauthorised GitHub repository hosting an unofficial "update" to the software. Although stopped for now, the Electrum team believes that more attacks could be on the way.
Reports in ZDNet state that the security compromise was made possible by a vulnerability that allows Electrum servers to generate popups containing custom text. The hackers used fake Electrum servers to display such a popup requesting that users install an emergency update. There are believed to be a total of 33 of these servers.
The Electrum attack began on Friday, December 21 and, although it now appears to have stopped, there is reason to believe that those behind it will strike again soon. This is because the dev team has yet to patch the vulnerability. For now, GitHub admins have removed the fraudulent repo, but there are concerns that the same scam could be repeated using a link to a different repository or an alternative download source.
Despite not yet having worked out how to stop repeat attacks, there was an early attempt to limit the damage done to users' wallet balances. The Electrum team were able to change how the hackers' message was displayed so that it was no longer rendered as rich HTML. This radically altered the appearance of the text and removed the attached link to the fake GitHub repo.
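The bug and its mitigation in miniature, as an added Python illustration that is not Electrum's own code: the exact shape of a server reply (a JSON object whose "error" field carries free text) and the sample messages are assumptions made for this example.

```python
import json
import re

# Constructed sample replies. The wire shape (a JSON object whose "error"
# field carries free text) is an assumption made for this illustration.
MALICIOUS_REPLY = json.dumps({"id": 7, "error": (
    "<b>Critical update required!</b> Download it from "
    "<a href='https://example.invalid/electrum-update'>here</a> "
    "(https://example.invalid/electrum-update)")})
BENIGN_REPLY = json.dumps({"id": 8, "error": "insufficient fee: 120 < 300 sat"})

TAG_RE = re.compile(r"<[^>]*>")
URL_RE = re.compile(r"https?://[^\s)>\]'\"]+", re.IGNORECASE)
MAX_LEN = 200  # a genuine fee or relay error is never this long


def render_unsafe(reply: str) -> str:
    """Pre-fix behaviour the article describes: the peer's string is handed to
    a rich-text popup unchanged, so markup and a clickable link are rendered."""
    return json.loads(reply)["error"]


def render_safe(reply: str) -> str:
    """Hardened rendering: markup stripped, URLs neutralised, length capped and
    the text labelled as untrusted. Show the result in a plain-text widget."""
    msg = str(json.loads(reply).get("error", ""))
    msg = TAG_RE.sub("", msg)                   # no tags, so nothing is styled
    msg = URL_RE.sub("[link removed]", msg)     # nothing left to copy and paste
    msg = msg[:MAX_LEN]
    return f"Server returned an error (untrusted text): {msg}"


def looks_like_phish(reply: str) -> bool:
    """Detection heuristic: a broadcast error has no business carrying markup,
    a URL, or instructions to download or update. Log and count such peers."""
    msg = str(json.loads(reply).get("error", "")).lower()
    return bool(TAG_RE.search(msg) or URL_RE.search(msg)
                or re.search(r"\b(update|download|upgrade)\b", msg))


if __name__ == "__main__":
    for reply in (MALICIOUS_REPLY, BENIGN_REPLY):
        print(render_safe(reply), "| suspicious:", looks_like_phish(reply))
```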
An anonymous developer at Electrum, known as SomberNight, stated the following after the team had changed the hackers’ message:
“We did not publicly disclose this [attack] until now, as around the time of the 3.3.2 release, the attacker stopped… However they now started the attack again.”
Unfortunately, some users still fell for the attack and manually copied and pasted the URL featured within the illegitimate message. They then downloaded the unofficial update and had their funds taken. This prompted GitHub admins to remove the repo itself.
A large red flag for anyone concerned that they may have become a victim of the Electrum hack is that the newly installed, compromised software asks users to enter a two-factor authentication (2FA) code on startup. In the genuine Electrum wallet, 2FA codes are only requested when transferring funds. By entering the code on startup, unsuspecting wallet users essentially green-lighted the theft of their own Bitcoin.
Although certainly unfortunate for those impacted by the hack, the robust security model of Bitcoin remains unaffected. Rather than demonstrate weakness within the network itself, attacks like this one serve to highlight the dangers of storing funds in a desktop wallet rather than a paper or hardware one.
Such hacks remind users of Bitcoin to be vigilant of their own security. All “hot wallets” (desktop, mobile, online – anything connected to the internet) should be considered at risk of breach by some method.
Perhaps the group most at risk of such attacks are users of centralised cryptocurrency services like exchanges. They would be much better served with proper cold storage methods (like those listed above), rather than whatever custodial solution the service in question offers. Exchanges have been hacked many times previously and will be again.
Such instances of security compromise recently prompted Bitcoin billionaire Trace Mayer to publicly encourage what he has named “Proof-of-Keys” on January 3. The idea behind this is to encourage Bitcoin users to remove all funds from wallets for which they do not hold the private keys – thus being able to utilise all the truly ground-breaking qualities of Bitcoin.
A fun little video to remind people about #ProofOfKeys by the Hungry Hodler and music by @JoakimKarud. The moneybadger running off with its own private keys is a wonderful touch! Thanks guys. https://t.co/xep4mQXp5p — Trace Mayer [Jan/3➞₿∎] (@TraceMayer) December 24, 2018