Electrum wallet users have fallen victim to phishing attackers who faked a wallet update in order to steal over 240 Bitcoin, worth some $850,000 at current prices. Starting on December 21, Electrum users were greeted with a message telling them to download a new version of the wallet for security reasons. This fake wallet gave away the users’ two-factor authentication code, which the hackers then used to steal their Bitcoin and send it to a single address.
A Little Bit of History Repeating
This is not the first time Electrum users have been targeted. Back in May of this year, a hacker posted an ‘Electrum Pro’ wallet available for users to download. This wallet was nothing of the sort and was instead a piece of malware designed to steal users’ seed keys, meaning the wallet could be infiltrated and the funds stolen. An article written about the Electrum Pro hack at the time offered the following tips for verifying a wallet download, advice that, it seems, was either not known or went unheeded:
When installing wallets, verify on every step that what you’re doing is correct. Make sure that URLs are correct, confirm said URLs with external sources if possible, and always verify hashes and signatures. In Electrum’s case, for signatures, all official binaries are signed with ThomasV’s PGP key. To verify other wallets, you should be able to use the keys and hashes provided on the wallet’s home page. This may seem like a lot of work, but it’s worth it to keep your coins secure.
Don’t Trust, Verify
In this case, the malicious wallet was digitally signed by EIZ Ltd of London, which has nothing to do with Electrum. Other signs users may or may not have known to look out for included the GitHub address where the malicious wallet was located. The GitHub address for the malicious wallet was only one day old, in comparison to the official Electrum address, which contains files over a year old. These details may be too technical for many people to know to look for, in which case following basic precautions, such as navigating to official download pages independently rather than following links, and verifying updates, is a good first step to avoiding falling prey to such scams. Keeping funds in cold storage is the most secure way of storing funds, although even hardware wallets aren’t foolproof.
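The EIZ Ltd detail shows why "the signature verifies" is not enough: the signer has to be the one you expect. The following is an added example, not code from the article or from the Electrum project. It applies that check to GnuPG's machine-readable `--status-fd` output for a PGP-signed download. The fingerprints and sample status lines are constructed placeholders, and the function names are hypothetical.

```python
import subprocess

# Constructed placeholder. Pin the fingerprint the wallet project publishes,
# confirmed through a source independent of the download link.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed, unrelated signer

# Status keywords that must never be accepted, even alongside a VALIDSIG line.
REJECT = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def _records(status_text):
    """Yield (keyword, args) for each '[GNUPG:] KEYWORD args...' status line."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            yield parts[1], parts[2:]

def signer_fingerprints(status_text):
    """Primary-key fingerprints of every cryptographically valid signature."""
    fprs = []
    for keyword, args in _records(status_text):
        if keyword == "VALIDSIG" and args:
            # Argument 10 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint in argument 1.
            fprs.append((args[9] if len(args) >= 10 else args[0]).upper())
    return fprs

def is_trusted_release(status_text, pinned=PINNED_FPR):
    """True only if the pinned key signed and nothing is bad, expired or revoked."""
    if any(keyword in REJECT for keyword, _ in _records(status_text)):
        return False
    return pinned.upper() in signer_fingerprints(status_text)

def gpg_status(sig_path, file_path):
    """Run gpg and return its status lines (requires gpg and the imported key)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return proc.stdout

def _valid(fpr):
    """Build constructed status output for a valid signature made by fpr."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer\n"
            f"[GNUPG:] VALIDSIG {fpr} 2018-12-20 1545264000 0 4 0 1 8 00 {fpr}\n")

SAMPLE_EXPECTED = _valid(PINNED_FPR)       # valid, signed by the pinned key
SAMPLE_WRONG_SIGNER = _valid(OTHER_FPR)    # valid signature, but someone else's key
SAMPLE_TAMPERED = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {PINNED_FPR[-16:]} Constructed Signer\n"
```

With a real download, pass the output of `gpg_status("installer.asc", "installer")` to `is_trusted_release`; the file names here are illustrative.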