Electrum Wallet, a popular desktop Bitcoin client, has been under sustained attack since December 2018, and users have lost millions of dollars as a result. Peter Kacherginsky (iPhelix) looked into the nature of the attack and recently published his findings on the Coinbase blog.
What Makes Electrum Vulnerable?
Electrum is unusual in that it relies on a separate, distributed network of specialized servers that sit between the wallet and the Bitcoin network. Attackers have been targeting this supporting network, and control of the servers could have an even bigger impact than the phishing campaign that is currently running on top of it.
Kacherginsky wrote that, before version 3.3.3, Electrum Wallet displayed server error messages verbatim in a pop-up dialog. While this helped inform users why a transaction had failed, it also meant that any server the wallet connected to could put arbitrary text into a dialog the user trusts as coming from the wallet itself, and bad actors learned to exploit exactly that.
“Attackers have learned to modify the open source ElectrumX server software to always send arbitrary error messages… Following the website in the error message leads to a phishing site with several versions of the Electrum Wallet available for download. After the user downloads a fake update, the backdoored versions of Electrum Wallet will steal user’s funds.”
How Severe Is the Problem?
Electrum Wallet is a light Bitcoin client: rather than running a full node, it relies on gateway servers that query the state of the Bitcoin blockchain on its behalf and broadcast its transactions. One such server implementation is ElectrumX. The server network is run by volunteers with no financial incentive, who peer with one another to serve wallets. New ElectrumX servers can come online, announce themselves to the network, and receive connections from Electrum Wallets. The wallet starts from a hard-coded list of trusted servers when it first connects, but can later discover other servers through peering and switch to them, so an attacker-run server can be reached by discovery just like a legitimate one.
In this phishing attack, an Electrum Wallet that connects to a malicious ElectrumX server receives a pop-up error message that lures the user to the phishing site. According to Kacherginsky’s automated scan for phishing messages, 471 of 657 active servers were malicious, meaning roughly 71% of the network was under attacker control. The majority of those servers belong to the same phishing campaign.
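The two sides of the problem described above, the server-controlled error text and the scan that counts servers returning lures, can be sketched in a few lines. What follows is an added example written for this page; it is not Electrum or ElectrumX code and not Kacherginsky’s scanner. It assumes the JSON-RPC 2.0 reply shape that ElectrumX uses for `blockchain.transaction.broadcast`, the sample replies and server names are constructed, and the lure keyword list is an assumption about what a campaign’s message looks like.

```python
"""Classify ElectrumX broadcast replies and render them safely on the client.

Added example for this page: not Electrum/ElectrumX code and not the scanner
described in the article. Sample replies below are constructed, and the lure
vocabulary is an assumption.
"""
import json
import re
from typing import Dict, Tuple

# Anything that looks like a link has no business in a bitcoind error string.
URL_RE = re.compile(r"(https?://|www\.)[\w.\-]+", re.IGNORECASE)
# Assumed lure vocabulary: the campaign pushes users to "download an update".
LURE_WORDS = ("update", "download", "upgrade", "install", "new version")

# Constructed sample replies to a blockchain.transaction.broadcast request.
HONEST_OK = json.dumps({"jsonrpc": "2.0", "id": 1, "result": "f3a1" * 16})
HONEST_ERR = json.dumps({"jsonrpc": "2.0", "id": 1, "error": {
    "code": 1,
    "message": "the transaction was rejected by network rules.\n\nmissing inputs"}})
PHISH_ERR = json.dumps({"jsonrpc": "2.0", "id": 1, "error": {
    "code": 1,
    "message": "Your version of Electrum is out of date.\n"
               "Please download the security update from\n"
               "https://electrum-update.example"}})  # constructed lure domain

# Constructed mini-network: server name -> reply it gave to our probe.
SAMPLE_NETWORK: Dict[str, str] = {
    "a.example:50002": HONEST_OK,
    "b.example:50002": HONEST_ERR,
    "c.example:50002": PHISH_ERR,
    "d.example:50002": PHISH_ERR,
}


def classify_reply(raw: str) -> str:
    """Label one reply: 'ok', 'benign_error' or 'suspected_phishing'."""
    reply = json.loads(raw)
    if "error" not in reply:
        return "ok"
    msg = str(reply["error"].get("message", ""))
    if URL_RE.search(msg):
        return "suspected_phishing"
    if any(word in msg.lower() for word in LURE_WORDS):
        return "suspected_phishing"
    return "benign_error"


def user_facing_message(raw: str) -> str:
    """What a hardened client shows: a fixed local string, never server text."""
    reply = json.loads(raw)
    if "error" not in reply:
        return "Transaction broadcast successfully."
    code = reply["error"].get("code")
    return (f"The server rejected the transaction (error code {code}). "
            "See the log for details.")


def log_line(raw: str, limit: int = 120) -> str:
    """Sanitised, truncated copy of the raw server message for a debug log."""
    reply = json.loads(raw)
    msg = str(reply.get("error", {}).get("message", ""))
    msg = re.sub(r"[^\x20-\x7e]", "?", msg)  # no newlines or control chars
    return msg[:limit]


def scan(replies: Dict[str, str]) -> Tuple[int, int]:
    """Return (servers flagged as phishing, servers probed)."""
    flagged = sum(1 for r in replies.values()
                  if classify_reply(r) == "suspected_phishing")
    return flagged, len(replies)


if __name__ == "__main__":
    for name, reply in SAMPLE_NETWORK.items():
        print(name, classify_reply(reply), "|", user_facing_message(reply))
    flagged, total = scan(SAMPLE_NETWORK)
    print(f"{flagged}/{total} servers returned a lure")
```

The point of `user_facing_message` is that the dialog text no longer depends on the server at all; the raw string survives only in the log, stripped of control characters and truncated, so a malicious server cannot inject a link or a multi-line "update" notice into the wallet’s own UI. The heuristic in `classify_reply` is deliberately crude, which is acceptable for a survey of the whole network: a URL in a broadcast error is a strong signal on its own.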
Currently, there are at least two such phishing campaigns on the network. More details about Kacherginsky’s analysis can be found on the Coinbase blog.