Hack: 16M dollars in Bitcoin (BTC) stolen from an Electrum wallet
Hackers have managed to steal 1,400 BTC from an Electrum wallet due to a crucial mistake made by the victim. 1,400 is currently worth $ 16,366,924.00 (€ 13,744,337.20) according the current Bitcoin price.
The wallet holder made himself known on Twitter under the name “1400BitcoinStolen” and explained how the hack occurred.
The 1400 Bitcoins contained in the address had not been moved in 2017. The owner wanted to transfer 1 BTC and for this, he reinstalled the Electrum wallet, but the mistake he made was to install the file that was built in 2017.
On launching the wallet, a pop-up appeared with a prompt message to upgrade to a newer version. The user agreed and this was how the hackers managed to steal the BTC.
Was the security of the Electrum wallet at fault? Not really, according to Ben Kaufman who explained that it was the user’s error. Since the Electrum wallet is a thin client, it must be connected to the blockchain via a server each time it is opened and anyone can operate this server.
In the event that a transaction is invalid, the Electrum server may send an error message in the form of a pop-up displayed on the client. However, previous versions of Electrum allowed any text to be displayed on the pop-up.
The hack exploited this vulnerability by setting up a server that did not commit any transaction, but instead sent a pop-up prompting the user to update their client. The pop-up referred to a phishing site, where the user was prompted to install malware.
Be careful with hot wallets!
Although the safety of Electrum is not in question, the user would not have suffered this BTC hack if he had used a cold wallet. When using a hot wallet it is always advisable to download the latest version of the software, also check the source beforehand to ensure the maximum security of your bitcoins. However it is preferable to use a hardware wallet to be totally secured.