Cyber Incident Victim: Electrum
Date: Dec 2018
Location: United States of America
Summary
A phishing campaign targeting a popular Bitcoin wallet involved attackers deploying malicious servers within its network, which displayed fraudulent error messages instructing users to download a compromised update from a spoofed GitHub repository. The malware harvested two-factor authentication codes to steal over $750,000 in cryptocurrency. The wallet provider implemented temporary mitigations, altering message rendering to reduce the apparent authenticity of the fraudulent messages and urging users to avoid unofficial sources, but acknowledged that the underlying vulnerability required broader server infrastructure upgrades to fully resolve. The initial attacks exploited rich-text formatting to mimic legitimate alerts, increasing their effectiveness before the partial fix.
Description
The incident involving Electrum Bitcoin wallets began on December 21, 2018, when threat actors deployed malicious servers into the Electrum network. These servers generated fraudulent error messages displayed to users attempting to broadcast transactions through their wallets. The messages instructed users to download what appeared to be an updated version of the Electrum wallet application from a malicious GitHub repository. Upon installation, the compromised application prompted victims to enter their two-factor authentication codes, which attackers then used to steal Bitcoin funds from their wallets. Electrum confirmed the attackers had spawned numerous malicious servers across different /16 IPv4 subnets to maximize their reach within the network infrastructure.

Electrum responded by releasing a software modification on December 28, 2018, altering how error messages appeared to users. The update removed rich text formatting from server-generated messages, making phishing attempts visually conspicuous through mangled text formatting instead of polished HTML. This change aimed to reduce the perceived legitimacy of malicious prompts. However, Electrum acknowledged that this measure did not constitute a complete technical resolution, as a permanent fix required overhauling the federated server ecosystem underpinning wallet transactions. The initial attacks proved particularly effective because of the authentic appearance of rich-text error messages prior to the patch. By the time of reporting, attackers had stolen over $750,000 worth of Bitcoin, with the funds transferred to attacker-controlled cryptocurrency addresses. Electrum advised users to download wallet software exclusively from its official website to avoid compromised versions, though the core vulnerability in server message handling remained unpatched at the network level.
