An Electrum wallet user claimed to have lost a large amount of Bitcoin [BTC] after installing an older version of the software from a malicious source.
In a recent official blog post on GitHub, the user described the loss of over 1,400 Bitcoin, worth around $16.2 million at the time of reporting, as a result of “foolishly” installing an old version of the lightweight wallet.
User “1400BitcoinStolen” described how a pop-up message asked them to update their security before they would be allowed to transfer any funds.
Installing the purported “security update” for the wallet immediately triggered a transfer of the user’s entire balance to an address in the possession of a hacker.
Binance CEO Changpeng “CZ” Zhao has moved to blacklist the stolen funds from his exchange, stating users should “beware of this Electrum official update.”
1400BitcoinStolen added that they had contacted blockchain analytics firm Coinfirm for assistance in tracking the Bitcoin and were still waiting for a response.
Electrum has been around since 2011 and has undergone multiple updates, yet it has been unable to prevent bad actors from exploiting previous versions through Sybil attacks using malicious servers.
Another member on the GitHub thread, “gits7r”, who seems to be related to Electrum, added that this issue comes from the team’s earlier choice to permit users to “run their own servers or use servers that they trust.”
If users download a version from a source other than electrum.org and don’t check signatures, they’ll “install a backdoored Electrum,” gits7r added.
Earlier in 2018, the Electrum network suffered such an attack, in which an attacker created multiple fake servers on the Electrum network and 245 bitcoin were siphoned from anonymous victims.