User Loses $14 million worth of BTC Due To Electrum Wallet Exploit
Per GitHub, a user posted their horrific story of losing $14 million worth of BTC due to a scam.
“I had 1,400 BTC in a wallet that I had not accessed since 2017. I foolishly installed the old version of the electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds.
I installed the update which immediately triggered the transfer of my entire balance to a scammer's address.”
The problem here is that Electrum versions older than 3.3.4 are susceptible to this phishing attack. The Electrum wallet software itself may be totally legitimate, but the server it connects to can be running a phishing scam and feed it a fake message. The user “updates” to the supposed new version of the wallet, unknowingly installing a malicious program that promptly sends their BTC to the scammer’s wallet.
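To make the mechanism concrete, here is an added example (not Electrum's own code, and not a captured message): a constructed server reply carrying a rich-text “update” link, a legacy display routine that shows whatever the server sent, and a hardened one that only echoes allow-listed rejection reasons and discards anything containing markup or a link. The allow-list, the sample replies and the function names are assumptions for illustration.

```python
import html
import json
import re

# Constructed sample (not a captured message) of a malicious server's reply to a
# transaction-broadcast request: the error text is rich text with a download link.
MALICIOUS_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 7,
    "error": {
        "code": 1,
        "message": ("<b>Security update required.</b> Download the new version from "
                    "<a href='http://example.invalid/update'>here</a> before sending."),
    },
})

# Constructed reply from an honest server relaying a normal node rejection reason.
BENIGN_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 8,
    "error": {"code": -26, "message": "txn-mempool-conflict"},
})

# Hypothetical allow-list of node rejection reasons the client will echo verbatim.
KNOWN_ERRORS = {
    "txn-mempool-conflict",
    "bad-txns-inputs-missingorspent",
    "min relay fee not met",
}
# Anything with markup or a link is treated as a phishing attempt, not as an error.
MARKUP_OR_LINK = re.compile(r"<[^>]*>|https?://|www\.", re.IGNORECASE)
# Short plain tokens with no markup may be shown after HTML-escaping.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9 _.:\-]{1,80}")


def _error_message(reply_json):
    """Extract the server's error text; some servers send a bare string, others a dict."""
    error = json.loads(reply_json).get("error")
    if isinstance(error, dict):
        return str(error.get("message", ""))
    return "" if error is None else str(error)


def legacy_display(reply_json):
    """Vulnerable behaviour: hand the server's text straight to a rich-text widget."""
    return _error_message(reply_json)


def classify_server_error(message):
    """Return 'known', 'plain' or 'suspicious' for a server-supplied error string."""
    if message in KNOWN_ERRORS:
        return "known"
    if MARKUP_OR_LINK.search(message) or not SAFE_TOKEN.fullmatch(message):
        return "suspicious"
    return "plain"


def hardened_display(reply_json):
    """Show only allow-listed or plain tokens, never markup; suspicious text is
    dropped and the user is told not to act on server-supplied instructions."""
    message = _error_message(reply_json)
    kind = classify_server_error(message)
    if kind == "known":
        return f"Transaction rejected by the network: {message}"
    if kind == "plain":
        return f"Transaction rejected by the server: {html.escape(message)}"
    return ("The server sent an unexpected message, which was discarded. Do not follow "
            "instructions from server messages; install updates only from the official source.")


if __name__ == "__main__":
    print("legacy:  ", legacy_display(MALICIOUS_REPLY))
    print("hardened:", hardened_display(MALICIOUS_REPLY))
    print("hardened:", hardened_display(BENIGN_REPLY))
```

The point of the split is that the client decides what the user sees from a fixed vocabulary, so a server that is malicious or merely compromised cannot put a call to action in front of the user; the `suspicious` classification is also a natural place to log or blacklist the server.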
There’s a good post on this here.
User Theymos writes:
“This message is false, sent to you by a hacker. If you click the link in the message and install the software, then your BTC will be stolen. If you ignore the message, then you should be OK. Version 3.3.2, released a week ago, makes the messages less readable/convincing, though you could still receive such messages.
Note that altcoin derivatives of Electrum are very common, with over 1600 forks on github, and they will also be affected.”
Old versions of Electrum were exposed through their peer-discovery design: a client connects to public servers that may or may not be malicious, and displayed whatever message those servers returned.
A representative of Electrum had this to say regarding the exploit. The comment is from 2019:
“We are sorry for this, but this message is confusing and too alarming and causes panic among users.
Electrum doesn't have a bug that can be exploited, it cannot be controlled remotely, it has no open vulnerability that can cause loss without the user's action. Electrum was no more "hacked" or "exploited" than gmail, yahoo, outlook and all financial institutions (banks, etc.) as well as various other online services are every day.
Because of how peer discovery works in Electrum, there is not much we can do for old versions, since we can't prevent them with 100% success rate from running into a malicious server. This is because, unlike other lightweight wallets, Electrum decided to not have only a few hardcoded servers that will be responsible for the privacy of all users, and act as a single point of failure, but instead allow users to run their own servers or use servers that they trust. Electrum takes user privacy very seriously, which is why proper peer to peer discovery without central authority arbitration was adopted, instead of anything else. This way an attacker cannot keep an Electrum user offline, or isolate him, or pull various attacks.
While the entire Electrum team is doing absolutely everything possible to protect the users, such as:
- patch Electrum wallet to not display rich text, and not allow arbitrary messages, only strict codes;
- patch ElectrumX server implementation to detect sybil (malicious servers that send the phishing message) and not further broadcast them to clients;
- implement blacklist logic to maintain malicious servers outside the view of the clients;
- heavily advertise on social, website and all communication forms existent with the users that they should always run the latest version and always only install from the official source (electrum.org), accessed over secure protocol (https) with prior verifications of the PGP signature;
...the sad truth is that nothing can be truly done to protect a user from their own actions. If you are willing to install Electrum from a different source, when the official one is electrum.org, and you don't verify signatures, even with the latest patch that does not display rich text you are still vulnerable as you can receive an email or text message with the same phishing message, and install a backdoored Electrum.
After all, when you install and use security software and finances software such as Electrum the first rule is to make sure you are running a version that has no discovered vulnerabilities and your build is signed and genuine.
I know this is not pleasant to read after loss of funds, and we are sorry, but this is the sad truth. This is not a vulnerability in Electrum, so we are going to respectfully close such issues / tickets on github because we are already doing everything possible to limit the effects of phishing attacks, and such issues do not provide any new information.”
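The representative's advice to install only from the official source and verify the PGP signature first is the one check the user could have made. The following is an added example, not Electrum's own tooling: it runs `gpg --status-fd` over a downloaded file and its detached signature and accepts the result only when gpg reports a `VALIDSIG` made by a fingerprint obtained out of band. The fingerprint constant is an obvious placeholder, the sample status output is constructed, and the function names are assumptions.

```python
import subprocess

# PLACEHOLDER, not a real key: the release-signing fingerprint must be fetched from
# the official site over HTTPS and cross-checked through a second channel before use.
EXPECTED_FINGERPRINT = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Status keywords that mean the signature must be rejected even if VALIDSIG also appears.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY"}


def _norm(fpr):
    """Canonical form for fingerprint comparison: no spaces, upper case."""
    return fpr.replace(" ", "").upper()


def parse_gpg_status(status_output, expected_fpr):
    """Inspect `gpg --status-fd` lines. Accept only if a VALIDSIG line names the expected
    fingerprint (signing subkey or its primary key) and no rejecting keyword occurred.
    GOODSIG alone is not enough: it identifies the key only by key id, whereas the value
    the user compared against the published one is the full fingerprint."""
    want = _norm(expected_fpr)
    matched = False
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the fingerprint of the key that made the signature; when a
            # subkey signed, the last field is the primary key's fingerprint.
            candidates = {_norm(fields[2]), _norm(fields[-1])}
            if want in candidates:
                matched = True
    return matched


def verify_release(file_path, sig_path, expected_fpr=EXPECTED_FINGERPRINT):
    """Verify a downloaded installer against its detached .asc signature. Requires gpg
    on PATH and the signer's public key already imported into the local keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig_path), str(file_path)],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout, expected_fpr)


# Constructed status output in the shape gpg emits (all values are made up).
SAMPLE_GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0
[GNUPG:] SIG_ID abc123 2019-01-01 1546300800
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2019-01-01 1546300800 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""
SAMPLE_FPR = "AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA"

if __name__ == "__main__":
    print("constructed sample accepted:", parse_gpg_status(SAMPLE_GOOD_STATUS, SAMPLE_FPR))
    # Real use: verify_release("electrum-installer.exe", "electrum-installer.exe.asc")
```

Parsing the machine-readable status lines rather than grepping gpg's human-readable output matters because "Good signature" is printed for any key in the keyring, including one an attacker persuaded the user to import alongside a backdoored download; pinning the fingerprint is what ties the check to the genuine signer.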
There is little that can be done for the user who lost 1400 BTC. The stolen coins could perhaps be flagged by exchanges, but many smaller exchanges will simply not bother to do so.
Always be 100% vigilant. Even the wallets on your own computer are not safe from your own user errors.
These mistakes and exploits will continue to render BTC a pariah to mainstream investors. Until there is a compromise-free level of custodial oversight over BTC, akin to modern banks, don’t expect mainstream adoption anytime soon.