A botnet targeting the Electrum wallet has reportedly been used to steal over $4.6 million from users. The network was first detected on April 8 but has since grown, targeting many more users and draining their coins.
Old attack repackaged for more damage
The new botnet is a variation of a targeted campaign against Electrum wallets first detected on December 27 last year. At its peak it surpassed 150,000 infected machines, and it has stolen more cryptocurrency from users than the earlier campaign did. The attackers abuse the wallet's distributed server model to launch the attack.
Electrum wallets can connect to any of several independently run servers. The attackers add their own servers to the network and use them to push a malicious version of the wallet software. Users who are tricked into downloading and installing it have their cryptocurrency stolen.
The botnet runs a distributed denial-of-service attack that knocks the legitimate Electrum servers offline, so clients fail over to the malicious servers that remain reachable. Electrum has updated its wallet software to address this issue, but users only benefit if they install the update, and the continued rise in losses shows that many have not.
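The failover behaviour described above is the crux of the attack: a client that automatically picks any reachable server will, once the legitimate ones are offline, land on an attacker-controlled one and show the user whatever that server sends. The following simplified model is an added example written for this page, not Electrum's own code; the server hostnames, the `reachable` flag standing in for "taken offline by the DDoS", and the banner text are all constructed. It contrasts open failover with two mitigations: pinning the client to a trusted server set, and treating any server-supplied message as untrusted plain text rather than a clickable link.

```python
"""Simplified model of an Electrum-style client choosing a server.

Illustrates the failure mode from the article: once legitimate servers are
knocked offline, an auto-selecting client falls back to whatever server still
answers, which may be attacker-controlled. Illustration only, not Electrum code.
"""
import re
from dataclasses import dataclass


@dataclass
class Server:
    host: str
    reachable: bool      # constructed: False models a server taken offline by the DDoS
    banner: str = ""     # text the server sends to the client on connect


URL_RE = re.compile(r"https?://\S+")

# Constructed server list: two legitimate servers (unreachable under DDoS)
# and one attacker-controlled server that is still up.
SERVERS = [
    Server("electrum-a.example.org", reachable=False),
    Server("electrum-b.example.org", reachable=False),
    Server("attacker.example.net", reachable=True,
           banner="Your wallet is outdated. Download the update at "
                  "https://attacker.example.net/electrum.exe"),
]


def pick_server(servers, trusted=None):
    """Return the first reachable server.

    trusted=None models open auto-selection: any server that answers is used.
    trusted=set(...) models pinning: only listed hosts are considered, and the
    client returns None instead of silently falling back to an unknown peer.
    """
    for s in servers:
        if trusted is not None and s.host not in trusted:
            continue
        if s.reachable:
            return s
    return None


def render_banner_unsafe(banner):
    """Weak behaviour: URLs in server text become clickable links."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', banner)


def render_banner_safe(banner):
    """Hardened behaviour: server text is untrusted; URLs are stripped and
    only plain text is shown, so a phishing link cannot be followed."""
    return URL_RE.sub("[link removed]", banner)


def connect(servers, trusted=None, safe=True):
    """Select a server and return the host used plus the message shown to the user."""
    s = pick_server(servers, trusted)
    if s is None:
        return {"host": None, "message": "no trusted server reachable"}
    msg = render_banner_safe(s.banner) if safe else render_banner_unsafe(s.banner)
    return {"host": s.host, "message": msg}


if __name__ == "__main__":
    print(connect(SERVERS, safe=False))   # lands on the attacker, clickable link
    print(connect(SERVERS, safe=True))    # lands on the attacker, link neutralised
    print(connect(SERVERS, trusted={"electrum-a.example.org",
                                    "electrum-b.example.org"}))  # refuses to fail over
```

Pinning is the stronger of the two controls, since it removes the attacker's server from consideration entirely; the real Electrum client exposes this through its `--oneserver` and `--server` options. Stripping links only limits the damage once the client is already talking to a hostile server.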
Malwarebytes reveals the damage
The new data about the botnet's devastating impact on Electrum wallet users was published by Malwarebytes Inc., which documented a $4.6 million loss to users. The researchers noted that the botnet is growing rapidly within the Electrum infrastructure. “Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000,” they added. Since last week the botnet has hovered around 100,000 infected machines, which is still a very large number.
The researchers also identified two distribution mechanisms feeding the botnet: the Smoke Loader malware downloader and the RIG exploit kit. Both are used to install ElectrumDoSMiner, the malware that launches the DDoS attack against legitimate Electrum servers.
The infected devices are concentrated in the Asia-Pacific region, with significant numbers also recorded in Peru and Brazil. Malwarebytes researchers add that the number of infected machines changes constantly: as some are cleaned, newly infected ones join the DDoS attack in their place.