In brief
A year-old GitHub thread dedicated to Electrum-based phishing hacks sprang back to life yesterday when a user claimed to have had 1,400 BTC ($16 million) stolen after falling for an old trick.
"I had 1,400 BTC in a wallet that I had not accessed since 2017," explained the Bitcoin holder. "I foolishly installed the old version of the electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds," he added.
According to the luckless holder, the update immediately triggered a mass transfer of funds to an unknown address assumed to be the scammers'.
But while the sheer size of the loss has made headlines, this exploit isn't anything new. Speaking to Decrypt, Electrum developer Thomas Voegtlin confirmed that the phishing attack used is one that's been floating around since late 2018.
"The warning that has been on display on our website for the last 18 months," said Voegtlin. "The user was scammed because he used old software, susceptible to phishing," he added.
While the phishing exploit has been around for well over a year, the developer noted that this latest swindle marks the largest amount ever lost to the attack.
Per a 2019 investigation by threat analysts Malwarebytes Labs, after exploiting faulty Electrum software, the hackers managed to divert users from legitimate nodes to malicious ones controlled by the bad actors. Once redirected, users are prompted to install a bogus security update, which automatically downloads a malware-infested wallet. From there, hackers remotely control the wallet and send the contents to a separate address.
By Will Heasman