Electrum Wallet User Loses $16 Million in Bitcoin to Old Exploit
An Electrum wallet user has revealed he lost a total of 1,400 BTC, worth over $16 million, to an old exploit because he was using old software.
According to a post on GitHub, the user lost the funds after he started using an Electrum wallet he had not used since 2017. Per his words, he was prompted to install an updated to the Electrum wallet before being able to move his funds off his wallet. When he did, his entire balance was moved to a scammer’s address.
I had 1,400 BTC in a wallet that I had not accessed since 2017. I foolishly installed the old version of the electrum wallet. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds I installed the update which immediately triggered the transfer of my entire balance to a scammers address.
The user lost funds to a clever attack on the infrastructure of the Electrum Bitcoin wallet, which initially started in December 2018. The hacker or group of hackers behind the exploit essentially added tens of malicious servers to the wallet’s network.
When an Electrum user with an old version of the wallet tries to initiate a Bitcoin transaction, if a malicious server picks up on it, the user is urged to download an update from a malicious GitHub repo, not the official one. Once the update is downloaded, it asks the user for their two-factor authentication code, which is used to move the funds to the attacker’s address.
The hackers who received the 1,400 BTC have already moved it out of the wallet they received the funds in, and likely moved them to launder them and cash out. To date, the address has received over 1,500 BTC.
Binance CEO Changpeng Zhao revealed the cryptocurrency trading platform has already blacklisted the hackers’ address.