More than $22 million in cryptocurrency stolen from Electrum wallets

Million stolen from Electrum wallets
Written by Emma Davis

The first reports of problems among users of Electrum cryptocurrency wallets began to appear back in December 2018, when criminals attacked the project’s infrastructure and stole about a million dollars in cryptocurrency. Now it turned out that more than $22 million in cryptocurrency were stolen from Electrum wallets.

In 2018, the Electrum developers called an accident a phishing attack and, in essence, they were right, it really was phishing, although in an unusual format.

The attack was very simple: the scammers found a way to show users of legitimate wallets officially looking messages, according to which the victim should immediately download and install the Electrum update from the GitHub repository. The repository indicated in the messages, of course, belonged to the cybercriminals and distributed malware that steals cryptocurrency.said information security specialists.

The fact is that in order to process transactions, Electrum wallets connect to the Bitcoin blockchain through the Electrum server network known as ElectrumX. As a rule, wallet applications control users that can manage such servers, but the Electrum ecosystem works differently: here anyone can raise an ElectrumX gateway server.

Million stolen from Electrum wallets

How Electrum works

Possibility to raise an ElectrumX gateway server is the main feature of the project that abuse attackers, who deploy malicious nodes and send fake messages to users about the need to urgently update the wallet. Usually, the download link for such an “update” does not lead to the official Electrum website (, but to a similar domain or directly to the GitHub repository.

If the victim doesn’t pay attention to the URL, it installs a malicious version of Electrum on their machine, and the next time the user tries to use the wallet, the malware will ask them for a one-time password.

Such passwords are requested only to confirm the transfer of funds, and not when the wallet is launched, but users regularly fall for the bait of scammers and enter the requested code, thereby giving the malware official permission to transfer all their funds to the attacker’s account.say information security researchers.

Unfortunately, by mid-2019, the situation had changed only for the worse, although the developers released patches and tried to combat such attacks by exploiting a DoS unknown to the public vulnerability in old Electrum clients, forcing them to stop connecting to the attackers’ nodes and update.

The developers also implemented a server blacklisting system on ElectrumX servers and prevented servers from showing HTML pop-ups to end users. Alas, all this did not help much, and as of April 2019, scammers managed to steal about $4.6 million, when the Electrum infrastructure was attacked by a botnet whose maximum size exceeded 152,000 hosts.

Now the ZDNet publication reports that hackers have continued to use this scheme of attacks over the years, and some incidents have occurred quite recently, for example in September 2020.

Electrum users continue to receive fake pop-ups informing them of the need to update, and once they are updated, their funds are immediately sent to attackers.reports ZDNet.

According to journalists, currently, about 1980 BTC is stored in the wallets of fraudsters engaged in such attacks, that is, approximately $22 million. If you add here 202 BTC stolen back in December 2018, the total amount of stolen funds is already more than $24.6 million.

Notably, most of these funds appear to have been stolen in one single incident: in August 2020, when a user reported the theft of 1,400 bitcoins (about $15,800,000) following an Electrum wallet update.

However, this is not the most large-scale attack on cryptocurrency holders, let me remind you that Cybercriminals have stolen $32 million from Bitpoint cryptocurrency exchange and even more: attackers hacked Upbit cryptocurrency exchange and stole $48.5 million.

We also reported, for example, an attack on the Monero cryptocurrency official website. Site was hacked and distributed malware.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

One Response

  1. beastmode January 13, 2021

Leave a Reply