Electrum, the popular Bitcoin (BTC) wallet for desktop and mobile users, has once again been targeted by hackers, who are rumored to have made off with Bitcoin worth millions. The perpetrators once again used a Denial-of-Service (DoS) attack to block user access to the Electrum servers, then duped them into updating their software from a malicious server, from which their funds were stolen. While the company has now updated its servers, Electrum warned that older wallet versions are still at risk.
2nd Electrum “hack” in 4 months
The latest attack on this PC and mobile Bitcoin wallet application follows a nearly identical incident in December 2018 where 200 BTC were stolen. The latest breach has already cost users millions of dollars, with one user supposedly over 140,000 USD out of pocket.
According to a security expert who wishes to remain anonymous, the new DoS attack started a week ago and targets Electrum users through a phishing scam.
Phishing is a scam where a malicious party makes a fraudulent attempt to get valuable sensitive information such as passwords and bank card details by posing as a legitimate entity through emails, texts and other forms of electronic communication. Examples are SIM swaps, spyware and spam emails.
Electrum’s latest Denial-of-Service attack was allegedly carried out by a powerful botnet (a large number of Internet-connected devices) of nearly 150,000 machines which overloaded the Electrum servers.
Electrum Bitcoin Wallet - What is it?
Electrum is a pioneering cryptocurrency software wallet which first launched in November 2011.
It’s a lightweight, open-source Bitcoin wallet that interacts with the Bitcoin network without the need for users to run a full blockchain node and is still very popular with many crypto owners. Electrum can be installed on both desktop and mobile devices. Here’s an in-depth review of this BTC wallet.
Software and browser-based wallets also exist for other cryptocurrencies, such as MyEtherWallet (MEW) and Exodus for Ethereum and Neon for NEO.
How the Electrum DoS attack happened
- Botnet: The hacker(s) created a botnet, a network of compromised personal computers that are infected with malicious software and controlled as a group without their owners’ awareness.
- Backdoor: The hackers created a “backdoored” version of the Electrum client, which they then host on their own compromised Electrum servers. (“Backdooring” software or an app means hacking and modifying an officially released version so that it operates differently than intended.)
- Flood server: The botnet targeted an Electrum server, making it unavailable to users, by temporarily flooding it with so many requests that legitimate requests cannot be fulfilled. This is called a DoS attack.
- Redirect users: Unsuspecting users who try to reach the official Electrum servers are directed towards a malicious server hosted or controlled by the hackers.
- Hacked upgrade: Users are instructed to sync their Electrum wallet with the malicious server, which then tricks them into upgrading their old software with a hacked copy.
- Bye Bye Bitcoin: Once upgraded, all funds in the old wallets are immediately taken by the hackers and irretrievably lost.
DoS attack vs DDoS attack
Most of you have probably also heard of a DDoS attack.
A DoS attack differs from a distributed denial-of-service (DDoS) attack, in which the attack traffic comes from many different sources, often thousands of IP addresses, too many to block simultaneously.
Both DoS and DDoS are very sophisticated and serious security attacks that can cripple any online entity. Even if an attack doesn’t fully succeed, it still cripples the target’s operations and stops users from accessing it.
Let’s use an example: imagine a massive protest or riot outside a building, where a throng of people crowds the door and effectively stops real customers from going inside, forcing them to try to find different ways to access the building.
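The difference between a single-source flood and a distributed one is visible in the source-address distribution of the incoming requests. The following is an added example (not code from the original post or from the Electrum project) that classifies a burst from constructed connection-log lines of the form "<epoch-second> <source-ip>"; the thresholds and log format are assumptions for the example.

```python
from collections import Counter

# Constructed sample log: 200 requests per second for 5 seconds, either all from
# one source (DoS) or spread over 200 sources (DDoS). Addresses are from the
# reserved documentation ranges, not real hosts.
def build_sample_log(single_source: bool) -> list:
    lines = []
    for sec in range(5):
        for i in range(200):
            ip = "203.0.113.7" if single_source else f"198.51.100.{i % 250}"
            lines.append(f"{1555000000 + sec} {ip}")
    return lines

def parse(lines):
    """Turn '<epoch-second> <source-ip>' lines into (timestamp, ip) tuples."""
    events = []
    for line in lines:
        ts, ip = line.split()
        events.append((int(ts), ip))
    return events

def classify_flood(lines, rate_threshold=100, single_share=0.5):
    """Classify a burst of requests.
    'normal': per-second request rate stays under rate_threshold.
    'dos':    one source produces at least single_share of the traffic, so a
              single block rule on that address stops it.
    'ddos':   the traffic is spread over many sources, which is why blocking
              individual addresses does not help."""
    events = parse(lines)
    if not events:
        return "normal", {}
    seconds = {ts for ts, _ in events}
    rate = len(events) / len(seconds)
    if rate < rate_threshold:
        return "normal", {"rate": rate}
    by_src = Counter(ip for _, ip in events)
    top_ip, top_n = by_src.most_common(1)[0]
    share = top_n / len(events)
    verdict = "dos" if share >= single_share else "ddos"
    return verdict, {"rate": rate, "sources": len(by_src),
                     "top": top_ip, "top_share": share}

if __name__ == "__main__":
    print(classify_flood(build_sample_log(single_source=True)))
    print(classify_flood(build_sample_log(single_source=False)))
```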
How to protect your Electrum funds
According to lead Electrum developer Thomas Voegtlin, the issue should be resolved within days. The company said on Twitter that the users most at risk are those who downloaded the Electrum software a long time ago and haven’t updated since. At present, according to the website, software versions older than 3.3 cannot connect to public servers.
Electrum users should do the following (as instructed by Electrum):
- Upgrade your Electrum software to avoid receiving phishing messages
- Only download software directly from the official website, electrum.org. If you’re not sure, check the site’s security certificate by clicking on the lock icon next to the URL. (More advanced users can also get it from Electrum’s GitHub repositories.)
- Disable the auto-connect option and select your server manually (a short-term solution according to Electrum, until the issue is fixed)
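The attack chain above relies on the client following an "upgrade now" link pushed by whatever server it happens to be connected to, and the advice here is to only download from electrum.org. The following is an added example (not code from the original post or from the Electrum client) of how a client should treat such server-pushed text as untrusted: any link to a host other than the official one is rejected, and a downloaded installer is checked against a pinned digest before it is run. The allowlist, the URL pattern and the expected digest are constructed assumptions for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hypothetical allowlist for this example: the page's advice is electrum.org only.
OFFICIAL_DOWNLOAD_HOSTS = {"electrum.org"}

# Constructed placeholder for the SHA-256 the project publishes for a release.
# Replace with the real published digest when used for a real download.
EXPECTED_SHA256 = hashlib.sha256(b"constructed-electrum-release-bytes").hexdigest()

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_urls(server_message: str) -> list:
    """Pull every URL out of a message the server pushed to the client."""
    return URL_RE.findall(server_message)

def is_official_url(url: str) -> bool:
    """True only for https:// links whose host is exactly an official host.
    Lookalikes such as electrum.org.update-now.example fail the exact match."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in OFFICIAL_DOWNLOAD_HOSTS

def classify_upgrade_prompt(server_message: str) -> str:
    """Treat an 'upgrade now' message from any server as untrusted input.
    'plain': no link at all; 'official-link': every link is official;
    'reject': at least one link points somewhere else."""
    urls = extract_urls(server_message)
    if not urls:
        return "plain"
    if all(is_official_url(u) for u in urls):
        return "official-link"
    return "reject"

def verify_download(file_bytes: bytes, expected_hex: str = EXPECTED_SHA256) -> bool:
    """Verify the downloaded installer against the pinned digest before running it."""
    return hashlib.sha256(file_bytes).hexdigest() == expected_hex

if __name__ == "__main__":
    # Constructed sample of the kind of text a malicious server pushes.
    phish = ("Your Electrum version is outdated. Download the update: "
             "https://electrum.org.update-now.example/electrum-setup.exe")
    print(classify_upgrade_prompt(phish))   # reject
    print(verify_download(b"tampered"))     # False
```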
Who’s behind the Electrum DoS Attacks?
DoS attacks are often carried out on big web-based servers such as online banking and payment gateways and can be driven by motives such as revenge, blackmail or activism.
In this case, it is rumored to be retaliation by the unknown hackers responsible for December’s breach, where a sophisticated trojan virus nicknamed “Electrum Stealer” was eventually thwarted by Electrum, but only after cryptocurrency worth millions of dollars was stolen.
Are Desktop and Mobile Bitcoin Wallets Safe?
Any cryptocurrency wallet can be vulnerable under certain conditions, depending on the precautions the user takes.
Even sophisticated hardware wallets like Ledger and Trezor can be penetrated under controlled conditions by supply-chain or side-channel attacks, or by something as simple as a “$5 wrench attack”, where your private keys are extracted by a third party through violent means.
However, computer and phone-only wallets can make for especially easy targets. Here’s why:
- They need the Internet: They’re “hot” wallets, meaning they need to connect to the Internet and to a server in order to function and sync with their blockchain.
- They’re software-based: These wallets are made only of ones and zeroes and can’t employ the additional safety measures that a hardware wallet allows, such as a dedicated secure element, encrypted communication and more robust multi-factor authentication. This means that if someone gains access to your computer or phone, they might be able to crack the device and steal your private keys.
- Example: You leave your phone in the office. A colleague has noticed the PIN code or pattern you use to unlock your phone and can now steal your funds, provided that the wallet app doesn’t require a password. When you return from lunch, your funds are gone and you’re none the wiser.
- Volunteers & Freeware: Also, desktop, mobile and web wallets are often created and maintained for free by a community of volunteers. How active are they, and do they consistently catch and patch security issues? How well do you know these contributors? Well enough to bet your cryptocurrency portfolio on them not having slipped in some malicious code?
- Saved on device: Another vulnerability is that many inexperienced software-wallet users download their private key, JSON and seed phrase files to their computers and keep them there after setting up their wallets, because they’re worried they might lose them. This means that your private information is only as secure as your computer or mobile phone. The next time you click on a dodgy link, download a movie or visit your favorite adult site, your computer or phone might be compromised, giving full access to a hacker who has all the time in the world to find and extract your most sensitive data.
If you want to know more about desktop and mobile wallet security issues, read this CoinSutra article.
Why is a hardware wallet safer than desktop and mobile wallets?
A cold storage device like the CoolWallet S avoids this vulnerability, even though it also “connects” to the Internet in order to access funds. The CoolWallet S and other hardware wallets such as Ledger and Trezor offer additional security lines of defense that the attacker has to breach.
In the CoolWallet’s case, the CC EAL5+ secure element and encrypted Bluetooth ensure that the user’s private keys are never revealed, not even to the users themselves. While balances are updated in the app, any sending or trading of cryptocurrencies requires the transaction to be signed by the secure element, which also checks the authenticity of its app through a complicated process which we’ll explain in another post.
Lastly, any pending transaction will be displayed on the CoolWallet’s e-paper screen and needs to be confirmed with a physical button push.
Therefore, the only realistic way to steal a hardware wallet user’s funds is for the malicious party to somehow be in physical possession of both the hardware wallet and the mobile phone (for the app). The hacker likely also needs to know the user’s PIN code to unlock the phone and access the app.
This scenario is very unlikely to happen to any crypto owner who values their investment and takes the necessary security precautions to safeguard their virtual currencies.
Ultimately, how you store and protect your cryptocurrency investment is a personal matter.
A Bluetooth hardware wallet like the CoolWallet S, the first Bluetooth mobile hardware wallet (currently retailing at only $99), or the upcoming Ledger Nano X (RRP $129) is an extremely safe option for any serious-minded investor.
However, if you keep your small portfolio on an exchange or a free desktop, mobile or web wallet application, please DYOR (do your own research) and make sure you select a good project with an active community that frequently issues new updated firmware.
Just remember though:
Even if you’re just holding a bit of small change in crypto: that fraction of a Bitcoin you’re storing on your phone or computer right now might be worth a fortune one day. So treat it as such.