Someone Just Lost $16M in Bitcoin by Using a Malicious Install of the Electrum Wallet

download-GettyImages-835897554
31 August 2020

An Electrum wallet user claims to have lost a fortune in bitcoin after installing an older version of the software from a malicious source.

  • In a Sunday post on GitHub, the individual described the loss of more than 1,400 bitcoin (worth around $16.2 million at press time) as a result of "foolishly" installing an old version of the lightweight wallet.
  • Going by the username "1400BitcoinStolen," they described how a pop-up message asked to update their security prior to being allowed to transfer any funds.
  • Upon installing a purported "security update" for the wallet, it immediately triggered a transfer of the user's entire balance to an address in the possession of a hacker.
  • Binance's CEO Changpeng "CZ" Zhao has moved to blacklist the stolen funds from his exchange, stating users should "beware of this Electrum official update."
  • 1400BitcoinStolen said they had contacted blockchain analytics company Coinfirm for assistance in tracking the bitcoin and were awaiting a response.
  • Electrum has been around since 2011 and has gone through multiple updates while also being unable to stop bad actors exploiting previous versions by Sybil attacks using malicious servers.
  • Another member on the GutHub thread, "gits7r" – who seems to be associated with Electrum – said the problem comes from the decision by the team early on to allow users to "run their own servers or use servers that they trust."
  • If users download a version from a different source than electrum.org and don't check signatures, they may "install a backdoored Electrum," gits7r said.
  • In 2018, the Electrum network suffered such an attack from a bad actor who created multiple fake servers on the Electrum network that saw 245 bitcoin siphoned from unsuspecting victims.

See also: Crypto Wallet Maker Ledger Loses 1M Email Addresses in Data Theft