
Behind the scenes: Electrum hackers steal $4M with Bitcoin phishing attacks


Electrum Bitcoin wallet users have lost 771 BTC (approximately $4 million) since late December 2018, in an ongoing series of targeted phishing attacks.

According to research released by Malwarebytes Labs, fraudsters were able to trick unsuspecting users into downloading a malicious version of the wallet by exploiting a weakness in the software.

In February, the developers behind Electrum decided to exploit the same flaw in their own software to redirect users to download the latest patched version.

Then, in March, things got worse and developers started exploiting another unknown vulnerability, essentially attacking vulnerable clients to keep them from connecting to bad nodes, which they referred to as a “counter attack.”

After that, a botnet launched distributed denial of service (DDoS) attacks against Electrum servers to better target users with out-of-date, vulnerable wallets.

Why did the attacks happen?

Malwarebytes researchers explain that Electrum, known as a “lightweight” Bitcoin wallet, implements a variation of a technique called Simplified Payment Verification (SPV).

This technique enables users to send and receive transactions without downloading a full copy of the Bitcoin blockchain (which amounts to hundreds of gigabytes in size).

Instead, Electrum operates in a client/server configuration. The wallet, or client, is programmed by default to connect to a network of peers in order to verify that transactions are valid.

While this has historically been a fairly secure method of transacting, attackers have taken advantage of the fact that anyone is allowed to operate a public Electrum peer.

As the graph below shows, there has been a significant increase in the number of peers active on the Electrum network:

Source: http://vps.hsmiths.com:49001/munin/hsmiths.com/vps.hsmiths.com/electrumx_peers.html

Malicious wallets

In its findings, Malwarebytes refers to malicious Electrum wallets as “Variant 1,” and “Variant 2.” Research showed the actor(s) behind this specific campaign have been active for some time.

With this in mind, the researchers say it’s plausible that other variations of this malware had been in existence prior to December 21, 2018.

Variants 1 and 2 appear to be operated by different actors, based on several differences found in the malware.

Variant 1 is unique in that the malware authors implemented a function to upload stolen wallet keys and seed data to a remote server. Efforts were also made to make sure this function was hidden by obfuscating the data exfiltration code inside a file not normally found in Electrum named “initmodules.py.”

Additionally, any balance found in the wallet was sent to one of several pre-programmed public addresses controlled by the scammers. The destination address selected depended on the address format used by the infected user’s Electrum wallet.

Researchers found that Pay-to-PubkeyHash (P2PKH) addresses were the default format selected during setup, meaning users running default settings appear to have been hit hardest. This is evidenced by the activity in each of the following addresses:

Variant 1 total: 218.1527981 BTC, approximately $1,101,034

Variant 2 attacked aggressively, which resulted in it stealing more Bitcoin than Variant 1, the researchers say.

Instead of redirecting victims to a malicious GitHub site, Variant 2 hosted the malware on a domain that appeared similar to the legitimate Electrum download site.

Fake website, basically a copy-cat of the legitimate one.

The findings indicate that the attackers seemingly had a good grasp of Electrum and its code.

For example, they disabled auto-updates, removed prompts such as “Yes I am sure”, and even took away the ability to perform Replace-by-fee (RBF) transactions – a function added to the Bitcoin code base later in its development that enables the creation of a double-spend transaction. In this case, a victim who knew about this functionality (and probably few do) could reverse the transfer of stolen funds by double-spending the input with a higher fee.

Variant 2 total: 398.5208 BTC, approximately $2,018,436

So, where have all the coins gone?

By analyzing the transactions on the blockchain, researchers have found that the funds stolen by Variant 1 have been broken down into smaller Bitcoin amounts.

Specifically, 48.36 BTC ($244,001) was re-grouped mostly into 3.5 BTC ($17,659) amounts, followed by 1.9 BTC ($9,586) amounts.

The researchers believe this pattern means it’s likely evidence of a money laundering technique known as “smurfing.” 

This is because deposits of $7,000 are less likely to trigger a CTR (currency transaction report) as this amount is under the specified $10,000 threshold.

Future attacks?

Overall, researchers at Malwarebytes conclude that future attacks are likely.

“Anyone keeping track of cryptocurrencies knows they’re in for a wild ride. Determined threat actors exploited a vulnerability in the most popular Bitcoin wallet to create a very clever phishing attack that was able to net them at least over 3 million dollars in only a few months,” they said in a blog post.

When Electrum responded to protect unsuspecting victims from this theft, the criminals retaliated with sustained DDoS attacks. “There most likely was some animosity between the two parties, but as the botnet continues to disable legitimate Electrum nodes, rogue ones get promoted to continue the vicious cycle of pushing the fake update and rob more victims of their cryptocurrencies,” continued the researchers. 

Ultimately, people running their own Electrum servers can mitigate these attacks in several ways, but users are generally advised to update their wallet to the latest version (3.3.4) from the official repository and to remain vigilant against further phishing attempts disguised as warning messages.


Published April 16, 2019 — 15:02 UTC


Moonday Mornings: Binance to resume deposits and withdrawals after $40M Bitcoin hack


It’s time for Moonday Mornings, Hard Fork’s wrap-up of the weekend’s top cryptocurrency and blockchain headlines.

Here’s what happened.

1. Binance says it will resume deposits and withdrawals on its platform on Tuesday. The cryptocurrency exchange had suspended the functions following an attack in which hackers stole over $40 million worth of Bitcoin.

2. The figureheads of the fake cryptocurrency scheme OneCoin are being sued. Brother and sister duo Konstantin Ignatov and Ruja Ignatova are facing a class action lawsuit for their involvement in the scam, which was “based completely on lies and deceit,” ZDNet reports.

3. A Bitcoin-fueled ransomware attack hit the Baltimore City government last week. Despite the ransomware having been cleaned off, hackers are allegedly still accessing the infected computers, ZeroHedge reports. The Federal Bureau of Investigation is now investigating the attack.

4. The creator of the Bitcoin treasure hunt Satoshi’s Treasure is claiming nearly 60,000 people are following the global challenge, CoinDesk reports. One player has already claimed the first prize, and didn’t even have to go anywhere to claim it.

And finally.

5. William Shatner is putting William Shatners on the blockchain. The former Star Trek actor is joining Mattereum, a legaltech firm, to document the authenticity of science collectibles and memorabilia from a range of franchises on the blockchain.

That’s another weekend’s headlines for you. Live long and prosper.

Published May 13, 2019 — 07:58 UTC


Amazon granted patent for Bitcoin-style system to fight DDoS attacks


Cryptocurrency rumor mongers are likely to be dancing today as Amazon has successfully filed a patent for a Bitcoin-styled Proof-of-Work system. But don’t get ahead of yourself, it doesn’t look like the Seattle-based ecommerce giant will be accepting Bitcoin for payments.

Despite first being filed in December 2016, Amazon’s patent application was granted earlier this week and appears to outline a system that uses Proof-of-Work to prevent distributed denial-of-service (DDoS) attacks.

“One way to mitigate against such attacks is to configure a service such that requests to the service incur some sort of expense, thereby providing a disincentive to participating in the attack,” the application reads.

Planting a Merkle Tree

Amazon proposes to use Merkle Trees to present a Proof-of-Work challenge and make it too costly for a series of computers to perform a DDoS attack.

But what’s a Merkle Tree? In short, a Merkle Tree is a cryptographic structure in which blocks of data are each hashed to give them a unique identifier, known as a hash.

These hashes are then hashed again in pairs to create a parent hash, so every parent hash is derived from two or more child hashes. The process repeats until a single root hash remains: it’s layers upon layers of hashed data.

Since computing power is required to build a Merkle Tree, performing such hashes could get very costly in terms of time, electricity, and resources. In turn, this makes DDoS attacks economically unfeasible.

In the case of Amazon’s patent, imagine having to construct a Merkle Tree before you’re allowed to access a website hosted on one of its servers. To an individual the cost might be insignificant, but to an organization trying to carry out a DDoS attack – which might involve many hundreds of computers – it could become prohibitively expensive.
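To make the cost asymmetry concrete, here is an added illustration (not code from the patent or from Amazon) of a Merkle-tree-based proof-of-work gate: the client must rebuild a small tree for every counter it tries until the root hash has a required number of leading zero bits, while the server checks the submitted counter with a single tree build. The leaf derivation, the leading-zero-bit target and the function names are assumptions chosen for the example.

```python
import hashlib
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves: list[bytes]) -> bytes:
    """Hash leaves, then hash sibling pairs upward until one root remains.
    An odd node at the end of a level is paired with a copy of itself."""
    level = [sha256(leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def leaves_for(challenge: bytes, counter: int, n_leaves: int = 8) -> list[bytes]:
    # Assumed leaf derivation: every leaf mixes in the server's challenge and the
    # client's counter, so the whole tree must be rebuilt for each counter tried.
    return [challenge + counter.to_bytes(8, "big") + i.to_bytes(2, "big")
            for i in range(n_leaves)]


def leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: bytes, difficulty: int) -> tuple[int, int]:
    """Client side: try counters until the root has `difficulty` leading zero bits.
    Returns (counter, trees_built); expected work grows as 2**difficulty."""
    counter = 0
    while leading_zero_bits(merkle_root(leaves_for(challenge, counter))) < difficulty:
        counter += 1
    return counter, counter + 1


def verify(challenge: bytes, counter: int, difficulty: int) -> bool:
    """Server side: one tree build checks the proof, however many the client needed."""
    return leading_zero_bits(merkle_root(leaves_for(challenge, counter))) >= difficulty


if __name__ == "__main__":
    challenge = os.urandom(16)          # fresh per request, so proofs cannot be replayed
    counter, work = solve(challenge, difficulty=12)
    print(f"client built {work} trees; server accepts: {verify(challenge, counter, 12)}")
```

Raising `difficulty` by one bit doubles the average client work while the server's verification cost stays at one tree build, which is the lever that makes flooding a service with requests expensive.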

Amazon’s Merkle Tree

Merkle Trees are also used in Proof-of-Work blockchains like Bitcoin, where each block commits to its transactions through a Merkle root as part of the consensus mechanism. But for now that’s as close as Amazon will get to Bitcoin.

Indeed, with this news it seems Amazon is still of the “blockchain, not Bitcoin” mantra. Earlier this month, the web giant said that AT&T, Accenture, and Nestlé are all using its cloud-based blockchain tools.


Copyright © 2018 Crypto141.com