It was December 21, 2018, just days before the holiday celebrations, when Electrum developers received a screenshot that had been making the rounds in a German chat room. Depicted was an error message one user had received when sending a transaction, but something about the message wasn’t adding up for the developers: it directed users to what was later discovered to be a malicious GitHub repository hosting a malware version of the wallet.
According to SomberNight, the user who received this error message was likely using a legitimate Electrum client but was connected to a maliciously operated Electrum server when they attempted to broadcast a transaction. When the transaction couldn’t go through, the client displayed the malicious error message to the user, directing them to install malware that would have prompted users to enter their private keys and then stolen them.
To increase their chances of intercepting transactions from clients, the attacker created multiple servers in what is commonly referred to as a Sybil attack. The rich-text error message shown to users who connected to the malicious servers is a throwback to Bitcoin development code, where it was used to report errors back to users such as a low incremental fee, missing inputs, or other issues that could crop up.
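The weakness described above is that the client rendered a server-supplied error string as rich text. The following added example (not Electrum's code; the server message and the list of rejection reasons are constructed for illustration) contrasts that behaviour with a hardened renderer that maps recognised reasons to client-owned text and otherwise strips markup and links before display:

```python
import html
import re

# Constructed sample of a server-supplied broadcast error (hypothetical text,
# not the real message from the incident): rich text with an embedded link.
SAMPLE_SERVER_ERROR = (
    'Transaction rejected.<br><a href="https://example.invalid/update">'
    'Please update your client</a>'
)

# Rejection reasons the client recognises and replaces with its own fixed
# wording. The keys are modelled on node-style reject reasons; illustrative only.
KNOWN_REASONS = {
    "missing inputs": "The transaction spends inputs the server does not know about.",
    "insufficient fee": "The fee is too low for the server to relay this transaction.",
    "txn-mempool-conflict": "A conflicting transaction is already in the mempool.",
}

TAG_RE = re.compile(r"<[^>]*>")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MAX_LEN = 120


def render_server_error_unsafe(msg: str) -> str:
    """'Before' behaviour: the untrusted string is handed straight to a
    rich-text widget, so any markup and links from the server reach the user."""
    return msg


def render_server_error_safe(msg: str) -> str:
    """Hardened rendering: use client-owned text for a recognised reason;
    otherwise strip tags and URLs, escape, normalise whitespace and truncate,
    so the server cannot steer the user anywhere."""
    lowered = msg.lower()
    for reason, text in KNOWN_REASONS.items():
        if reason in lowered:
            return text
    text = TAG_RE.sub("", msg)                      # drop any HTML tags
    text = URL_RE.sub("[link removed]", text)       # drop bare URLs too
    text = html.escape(text, quote=True)            # literal even in a rich widget
    text = " ".join(text.split())
    if len(text) > MAX_LEN:
        text = text[:MAX_LEN] + "..."
    return "The server rejected the transaction: " + text
```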
A Persistent Attacker
Once the team caught wind of the attack, a patch (3.3.2) was issued for the client, but it was not a long-term solution, as SomberNight explained: “This is not a true fix, but the more proper fix of using error codes would entail upgrading the whole federated server ecosystem out there…”
Despite the team’s efforts, the patched iteration of their client later succumbed to the attacker again:
Published at Thu, 03 Jan 2019 19:59:33 +0000