Electrum Phishing Attack 2018-2019 – A closer look into the stolen funds.

[clainio]

Hello,

Clain investigated Electrum wallet attacks and concluded at least two groups of hackers succeeded  in stealing 810 BTC and laundering them via decentralised crypto exchange such as Bisq and MorphToken.

https://blog.clain.io/electrum-phishing-attack/

[1715404484]

1715404484

[1715404484]

1715404484

[squatter]

Interesting reading, thanks for posting.

I hope these schemes aren't used as fodder to pass more stringent AML/KYC regulations on crypto-to-crypto exchanges, but they probably will be. I'm not sure how governments will address decentralized exchanges like Bisq, but I think there will be more clamping down on centralized services like MorphToken, who are offering high value exchanges with no account registration. Shapeshift obviously couldn't retain that model for long, ostensibly because of pressure from regulators.

[rdbase]

I have heard of these electrum hacks being performed but didnt know it has accumulated to this amount in bitcoin.
I havent touched my electrum wallet in over two years and have never left funds on it being scared to leave any amount of such significant on a wallet I dont have installed on my phone where I can keep an eye on it while not at home and receive a notification in a form of an alert beep when funds are being moved from my bitcoin wallet.

[Pipdips]

I keep everything in a cold storage wallet device where it is safe!

[squatter]

I have heard of these electrum hacks being performed but didnt know it has accumulated to this amount in bitcoin.

They weren't really "hacks." They were social engineering attacks. Attackers were setting up malicious Electrum servers and sending out in-app messages that convinced some people to download a malicious "update" that stole their coins.

I havent touched my electrum wallet in over two years and have never left funds on it being scared to leave any amount of such significant on a wallet I dont have installed on my phone where I can keep an eye on it while not at home and receive a notification in a form of an alert beep when funds are being moved from my bitcoin wallet.

What good is that alert going to do when a hacker empties out your wallet in one move?

You should use cold storage. Offline key storage allows me to sleep at night.

[rdbase]

^^
Yes. Your correct when I receive the alert it would be too late in that case. But atleast it will allow me to be aware not to send anymore coins to it or they would be in jeopardy too. The bitcoin wallet on my mobile is used for small transactions on the road.
Good advice with having it in cold storage with offline key storage like a usb stick for alot of bitcoins.

[Genemind]

It's the first time that I have heard about this attack. I was surprised because that's really a huge amount of Bitcoin.
I have thought that electrum is really a safe wallet. I realized now that everything online is hackable. It's a good thing that I have transferred my funds in my hard wallet.

[Ailmand]

At least they have sent an alert. However, it's just a sign that no wallet is now 100% secured. There will always be lapses. We have to keep our funds safer in a cold wallet now. I'm using a nano ledger or our local wallet to keep everything safe and away from phishing.

[Pmalek]

I have thought that electrum is really a safe wallet. I realized now that everything online is hackable.

Electrum itself wasn't hacked. The wallet is not compromised. It is the users who clicked on phishing links and downloaded fake and/or infected wallets.
The biggest problem is that these messages came from the servers within Electrum itself and the users trusted and clicked on the links leading them to the fake wallets. Once that was discovered, Electrum prevented the possibility to send messages in this way.

That is why it is imperative to check the download links for Electrum and verify the signatures of the downloaded apps before using them.

[Lucius]

We can name this problem by any name, some will say it is hack, other will use social engineering attack, but in the end it is only important that there is a large number of ordinary users affected by this attack. Although responsibility is largely shifted to users who have become victims of their ignorance, part of the responsibility is also on Electrum developers. They were supposed to detect this vulnerability and fix it, before it is used by hackers.

In this example we also see why KYC is important, and why DEX is in such cases an ideal money laundering machine in combination with Monero. We can call this a perfect crime which still continues, there is too many users with outdated Electrum who are not aware of the dangers.

[rdluffy]

I totally agree that was a hack
You can say it's only a message, but imagine what can you do to any software, or any bank aplication?
If the message is displayed on app, it's not the user's fault

[squatter]

I totally agree that was a hack
You can say it's only a message, but imagine what can you do to any software, or any bank aplication?
If the message is displayed on app, it's not the user's fault

I feel sorry for people who lost coins this way, but it was at least partially their fault for using terrible security practices. Always go to the original source to download updates and verify the release signature -- this is a basic precaution.

If you click on a link simply because a pop-up told you to and then download and run executable applications, you are bound to lose any coins that are stored on your machine.

[Pmalek]

If the message is displayed on app, it's not the user's fault

I agree with this statement. And that is the reason that so many members trusted the messages displayed by their Electrum wallet. Any other software we use on our computers shows notifications about new updates and features and we install these.
Electrum's fault here was that they were not aware that something like that was possible or that it could be abused.
But, they also suggest that users check what they download and verify the signatures and the users who got phished didn't do that.

[HCP]

I totally agree that was a hack
You can say it's only a message, but imagine what can you do to any software, or any bank aplication?
If the message is displayed on app, it's not the user's fault

So, by that logic... Chrome/Firefox/IE have all been "hacked"... which explains all the popups from "Microsoft Support" telling me that my computer has a virus and I need to call 1-800-123-4567 to get help? or the browser on my phone telling me that I need to install some "ram cleaner" to make my phone run faster?

It isn't/wasn't a "hack". It is simply "bad people"™ abusing functionality to trick users into doing something they shouldn't... aka "Social Engineering".

[rdluffy]

I totally agree that was a hack
You can say it's only a message, but imagine what can you do to any software, or any bank aplication?
If the message is displayed on app, it's not the user's fault

So, by that logic... Chrome/Firefox/IE have all been "hacked"... which explains all the popups from "Microsoft Support" telling me that my computer has a virus and I need to call 1-800-123-4567 to get help? or the browser on my phone telling me that I need to install some "ram cleaner" to make my phone run faster?

It isn't/wasn't a "hack". It is simply "bad people"™ abusing functionality to trick users into doing something they shouldn't... aka "Social Engineering".

They are totally different aplications, you are comparing web browsers to wallets, it's nonsense
It's allowed in web browsers, you can block if you want
But imagine you downloaded an specific app, and a message is displaying on app, you will think it's official, commom, it's not hard to know the differences

[HCP]

It doesn't change the fact that it wasn't a "hack" and was "Social Engineering".

If a user did absolutely nothing at all, their funds would be safe. The thieves could not steal any funds using the richtext vulnerability. All they could do was show messages and clickable links. The attack required that the user download a piece of malware, install it and then run it. That could not be done remotely or automatically.

Granted, it was a very clever use of a non-obvious vulnerability... and, by all accounts, quite an effective one. Sure, you're more likely to trust a message in your "official" app... But one of the golden rules of crypto is "don't trust, verify!". So, if a user stopped to ask "Is that the official download repository?" and/or they followed recommended procedure and checked the digital signature of the downloaded file... the attack would fail.

It is a harsh (and expensive) lesson to learn... but the crypto call to arms of "Be your own bank"... also implies "Be your own bank's security department".

I don't blame the users and I don't blame the devs... I blame the "bad people"™ 

[BobbySmithJones]

I keep everything in a cold storage wallet device where it is safe!

Can you explain or send me to a link so I can learn more about this and to store my coin. Thanks

[Pmalek]

Can you explain or send me to a link so I can learn more about this and to store my coin. Thanks

Cold storage means that your wallets private details such as seed/private keys have never been sent or viewed online and have never left the safety of the device, like in the case of hardware wallets. A paper wallet is another good way of storing your keys.

You can read more about that here:
https://en.bitcoin.it/wiki/Cold_storage

Also have a look at this thread:
https://bitcointalk.org/index.php?topic=2865766.0

[Artemis3]

You cannot call it "hack" because it implies Electrum is at fault when it isn't.

While i do agree showing server messages and rendering url inks was a design mistake from the earlier than the 3.3 versions.

Electrum cannot police and control fake websites 24/7 and or browser/os exploits (all it takes is some dns manipulating to make electrum.org resolve to a fake phishing site)...

While not discussed here, the same attacks have been done to people using Electrum fork's such as Litecoin's; and the amount stolen is not negligible.

But for most of them it was simple user mistake/ignorance, or social engineering. Do not be surprised if they escalate and combine with dns manipulation done via malware (probably done already).

Good habits and secure OS are a must. If you want to make or manipulate a cold wallet, you should boot from a secure live OS (such as Linux Tails OS).

[pooya87]

You cannot call it "hack" because it implies Electrum is at fault when it isn't.

technically Electrum is never at fault no matter what the incident is, because it is open source and released under MIT license which means the program is released as is without any guarantees and they are not liable.
but this case was an exploitable bug that existed in the application and like any other application out there that is normal.