By Adam Thomas and Jérôme Segura, with additional contributions from Vasilios Hioueras and S!Ri

Since at least late December 2018, many users of the popular Electrum Bitcoin wallet have fallen victim to a series of phishing attacks, which we estimate netted crooks well over 771 Bitcoins—an amount equivalent to approximately $4 million USD at current exchange rates.

Threat actors were able to trick users into downloading a malicious version of the wallet by exploiting a weakness in the Electrum software.

As a result, in February the developers behind Electrum decided to exploit the same flaw in their own software in order to redirect users to download the latest patched version. The software was in such trouble that in March, developers began exploiting another vulnerability unknown to the public, essentially attacking vulnerable clients to keep them from connecting to bad nodes.

Shortly after, a botnet launched distributed denial of service (DDoS) attacks against Electrum servers for what is believed to be retaliation against developers for trying to fix the bug. Attackers reversed the scenario so that legitimate nodes became so overwhelmed that older clients had to connect to malicious nodes.

In this post, we shed light on the phishing scheme used to push the malicious Electrum update, discuss where the stolen funds have gone, and finally look at the malware infections directly involved with the DDoS botnet.

Electrum wallet 101

In order to get a better idea of how these attacks became so successful, it is helpful to have a basic understanding of how the Electrum wallet functions.

Known as a “lightweight” Bitcoin wallet, Electrum implements a variation of a technique described in Satoshi Nakamoto’s Bitcoin white paper called Simplified Payment Verification (SPV). SPV allows​ ​a user to send and receive transactions without downloading a full copy of the Bitcoin blockchain (which is hundreds of gigabytes in size).

Instead, Electrum operates in a client/server configuration. The wallet (client) is programmed by default to connect to a network of peers (server) in order to verify that transactions are valid.

While this has historically been a fairly secure method of transacting, attackers have taken advantage of the fact that anyone is allowed to operate as a public Electrum peer. As shown below, there has been a substantial increase in the number of peers active on the Electrum network:


Fake Electrum wallet update notification

On December 26, 2018, the developer of Electrum issued a public warning on the official GitHub page providing some information about an ongoing attack:

To users: when you broadcast a transaction, servers can tell you about errors with the transaction. In Electrum versions before 3.3.3, this error is arbitrary text, and what’s worse, it is HTML/rich text (as that is the Qt default). So the server you are connected to can try to trick you by telling you to install malware (disguised as an update). You should update Electrum from the official website so that servers can no longer do this to you. If you see these messages/popups, just make sure you don’t follow them and that you don’t install what they tell you to install. The messages are just messages, they cannot hurt you by themselves.

The threat actors basically conducted a Sybil attack on the Electrum network by introducing more malicious nodes than honest nodes.

Legitimate Electrum wallet app showing malicious nodes

If a user connects to a malicious node (a high likelihood), and attempts to send a transaction through it, it would be blocked due to the weakness in Electrum allowing arbitrary HTML/rich text to be received and displayed, such as the fake update message seen below:

Phishing code injected into Electrum app when attempting to send Bitcoins

This second stage of the attack tricks the user into installing a malicious version of the Electrum wallet. Two different rogue projects were active on Github from around December 21 through December 27.

Malicious Electrum app repository

Malicious Electrum wallets

For practical purposes, we will refer to the following malware as Variant 1 and Variant 2, however, further research has revealed that the actors behind this specific campaign have been in operation for quite some time. Thus, it seems likely that there were other variations of this malware in existence prior to December 21, 2018. Variants 1 and 2 appear to be operated by distinct actors based on several differences in the malware.

Variant 1

Variant 1 is unique in the fact that malware authors have implemented a function to upload stolen wallet keys and seed data to a remote server. Additional effort has been made to ensure that this function is kept hidden by obfuscating the data exfiltration code inside a file not normally found in Electrum named

Rogue module responsible for data exfiltration

As mentioned, the exfiltration domains are not visible in the above code and are instead constructed during execution of the malware. This is most likely a technique used by the malware authors in order to make the code contained within appear legitimate.

In addition to the theft of wallet data, any balance present in the wallet is sent to one of several pre-programmed public addresses under control of the attackers. The destination address chosen is dependent on the address format utilized by the infected users’ Electrum wallet.

Pay-to-PubkeyHash (P2PKH) addresses are the default in use during setup and likely the most common address type in use by the casual Bitcoin user. This fact is evident when looking up the activity of each address.

14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5 (P2PKH address type)
Total Received: 202.91141530 BTC ~ 776,243.23 USD

Total Received: 0.01927492 BTC ~ 73.75 USD

Total Received: 0 BTC

Total Received: 15.22210788 BTC ~ 58,239.77 USD

Total Received: 0 BTC

Variant 1 Bitcoin total: 218.1527981 BTC
Variant 1 USD total: ~$1,101,034.00

Sample extended Private Key (xprv) sent to malicious server using HTTP POST
Sample wallet seed words sent to malicious server using HTTP POST

All of the malicious data exfiltration domains observed during our analysis of Variant 1 were created at the same time and all have been observed resolving to the IP address This address belongs to, a hosting company based in Moscow, Russia.

Variant 1 binaries are also unique from later variants due to the fact that its Windows installers have been digitally signed.

Malicious app using a digital certificate

Interestingly, the digital certificate used to sign one of the malicious Windows Electrum files (EIZ Ltd) has recently been used to sign an unrelated malware.

Variant 2

Since Variant 1 was so successful in stealing substantial amounts of Bitcoin, it seemed almost inevitable that additional attacks would be mounted by threat actors looking to cash in on this reasonably easy scheme. Surely enough, a second variant of these malicious Electrum wallets appeared. This variant has attacked quite aggressively, overtaking the Electrum network and resulting in the theft of more Bitcoin than Variant 1.

Instead of redirecting victims to a malicious Github site, Variant 2 hosts the malicious downloads on a domain with similar spellings as the legitimate Electrum download site. The HTML content is essentially a mirror image.

Fake website, a copy-cat of the legitimate one

The threat actors seem to have a good understanding of Electrum and its code. For example, they disabled auto updates, removed prompts, such as “Yes I am sure”, and even took away the ability to perform Replace-by-Fee (RBF) transactions.

Contents of

Replace-by-Fee is a function that was added to the Bitcoin codebase later on in development that would allow users to essentially create a double spend transaction. In this case, if you knew about this function (and probably few do), you could reverse the stolen funds transfer by double spending the input using a higher fee.

Replace-by-Fee function commented out in code

For example, if you installed the malicious wallet and lost a bunch of Bitcoin, one of the only ways you could get it back would be by attempting a RBF transaction to reverse the malicious one. But you’d have to act quick before the malicious one was confirmed. By disabling this feature, the threat actors made sure this wouldn’t be possible.

Below is the modified source code of Variant 2, a paytoedit.pyc script file redirecting payment to a hard-coded attacker Bitcoin address:

Bitcoin address that will receive stolen funds
Total received: 187.8298 BTC / 941,436 USD

Total received: 55.9948 BTC / 201,326 USD

Total received: 36.7358 BTC / 126,972 USD

Total received: 75.2927 BTC / 291,342 USD

Total received: 21.8628 BTC / 84,678 USD

Total received: 27.3636 BTC / 138,733 USD

Total received: 232.6469 BTC / 1,166,068 USD

Variant 2 Bitcoin total: 637.7264 BTC
Variant 2 USD total: ~$2,950,555.00

Where have all the coins gone?

Some simple blockchain analysis on the funds stolen by Variant 1 show us that the attackers have broken the BTC down into smaller amounts. In this case, 48.36 BTC is re-grouped mostly into 3.5 BTC amounts followed by 1.9 BTC amounts.

Such a pattern is likely evidence that a money laundering technique known as “smurfing” is being used. With 1.9 BTC equal to approximately $7,000 USD, deposits of this amount are unlikely to trigger a currency transaction report (CTR), as this amount is under the $10,000 threshold.

Smaller chunks of Bitcoin being laundered

Finally, the 11 outputs seen above are combined with an additional 15 inputs before being sent to 329nUnJxz5zgr4vnNPu8JNwpa3qEJfucQX, an address that feeds into the well-known hot wallet address for the cryptocurrency exchange Bitfinex.

First step before reaching Bitfinex wallet
Final step before reaching Bitfinex hot wallet (1Kr6QSydW9bFQG1mXiPNNu6WpJGmUa9i1g)

On Sunday, April 14, we noticed that the attackers behind Variant 2 had just cashed out their newest wallet for 114.61050153 BTC (over half a million dollars):

Variant 2 Bitcoin wallet notification

Many of the movements of stolen funds from Variant 2 appear to follow a similar pattern. Let’s take a look at a recent withdrawal of 38.38517511 BTC from attacker address “bc1qhsrl6ywvwx44zycz2tylpexza4xvtqkv6d903q”. The transaction is always split into 2 outputs:

Transaction split in two outputs

Taking note of the transfer of 36.38011271 BTC which we will revisit later, let’s first follow the transfer of 2.0050624 BTC to address “1BCtXcP3gc7FygZMegeKUPsogo68aKRSPA” followed by “1wotccCFTuLQdCv46Bz3zqcosDCDwAWhd”. We see a transaction containing 2 outputs in which address “3DvWYYkzgHbyBgUTSjtPsLmkzs1R9frSrz” consumes all of the funds. The other output named “not-address”, is what is known as an OP_RETURN script opcode. This opcode is typically used to record data on the blockchain.

OP RETURN script opcode

Indeed, the transaction contains some encoded data most likely stored as part of a multi-signature transaction:

While the exact purpose of the data stored using OP_RETURN is unknown, it doesn’t matter too much and we can still follow the forward movement of Variant 2 BTC funds in order to learn their destination:

The next largest output, 1.96991794, from the prior transaction, is consumed by transaction ID f5abb14ffc1d57494934d10a2114b2e4fc812b7e18f73d0f6202a995d2bea1be, which contains 445 inputs totaling 100.02103004 BTC.

These 100 BTC are then moved to address 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s, the known hot wallet address for Binance. Let’s take a quick look at the destination of the 36.38011271 BTC which we noted earlier. In the interest of brevity, we follow a similar path forward tracking funds as they are split up in similar fashion as those above:

As we see, 25.8 BTC are sent to the address “3MRqgoPe6vBNVEn9Fo85qK7zvaLb9e9T2x”. Many addresses associated with this wallet appear to be associated with what are seemingly scam websites offering to “double your Bitcoin”.

3FF1uZ5oEaSZYKCvGbywu39djsknrGeu96 – Continvest
3AxHFZ2ivJUBgveyNj1PQak6FsKBcLJ42N – Bitcoin Doubler

Since it is highly unlikely that you can simply double any amount of Bitcoins that you send, it is probable that these websites exist to offer another function such as mixing/laundering of funds for criminals.

Countermeasures and reprisals

Faced with such widespread attacks against their user base, the developers behind Electrum decided to exploit the very same vulnerability in order to display a legitimate update notification. However, this was not enough to stop the attackers, so later Electrum decided to run denial of service attacks against their own users to prevent them from connecting to rogue nodes.

Criminals began doing the opposite with the help of a botnet.

A list of attacking IP addresses (consisting of 72,977 machines at the time of writing) is being kept up-to-date. That number almost tripled within the span of the week, confirming that the attacks are ramping up at a fast pace.

Client IP addresses attacking Electrum servers. List updated every few minutes.

The malware behind the botnet and DDoS attacks

Even though the exact size of the botnet is not clearly known, we were able to find out more about how new bots are recruited. We came across the malware behind this botnet from two different infection paths—we assume that there are several more out there. One was via a Smoke Loader instance that downloaded a secondary payload, while the other was from the RIG exploit kit.

In the latter instance, we saw a malvertising campaign redirecting to the RIG exploit kit and ultimately delivering a loader that may appear as a coin miner, but is in fact malware that turns infected computers into individual bots for denial of service attacks against Electrum servers.

Malvertising into RIG EK pushing Electrum malware behind DDoS attacks

We see the loader gathering a list of Electrum nodes to attack using a number of public wallet addresses. Each infected machine will start hammering legitimate Electrum nodes to wreak havoc.

An analysis of this loader confirms the network activity we observed above:

Reversing loader shows network artifacts

It retrieves a large file (>40MB) that is Python-compiled code (transactionservices.exe) for the Electrum wallet and writes it to disk.

This .exe is a Python-compiled binary

It also adds a persistence mechanism for a sub-process called transactionserviceshelper.exe.

Persistence mechanism via registry’s Run key
Folder view of malicious Electrum application

Denial of service attacks against ElectrumX servers

This attack consists of flooding ElectrumX servers on port 50002 or 50001, as can be seen in the following traffic capture:

SYN flood attacks observed from packet capture

We also noticed another type of packet shown as TCP spurious retransmission. This is also known as “needless retransmission,” where the receiver had already acknowledged receipt but the initiator sent it again anyway. However, it’s possible this traffic is a by-product of the SYN flood attacks.

Large amount of spurious retransmission messages seen in traffic capture

The IP address of the lab machine we used to detonate the malware ended up being blacklisted in that same up-to-date list of clients attacking the Electrumx servers mentioned above, confirming our temporary presence in this botnet.

Infected machine participating in attacks against Electrum nodes

According to our telemetry, this is the distribution of most victims participating in the DDoS during the past few days based on connection attempts to the malware command and control servers.

Telemetry from infected endpoints reaching to the C2

Ongoing attacks and still more theft on the horizon

Anyone keeping track of cryptocurrencies knows they’re in for a wild ride. Determined threat actors exploited a vulnerability in the most popular Bitcoin wallet to create a clever phishing attack that was able to net them over $3 million USD in only a few months. Other criminals will soon take notice.

When Electrum responded to spare more victims from this theft, the criminals retaliated with sustained DDoS attacks. There most likely was some animosity between the two parties, but as the botnet continues to disable legitimate Electrum nodes, rogue ones get promoted to continue the vicious cycle of pushing the fake update and robbing more victims of their cryptocurrency.

People running their own Electrum servers can mitigate the DDoS attacks in different ways. They can set up a cron job to download the list of attacking IP addresses and block them. They can also create an iptables rule to rate-limit the connection attempts on the known ports being attacked.

Electrum wallet users need to update the software to the latest version (3.3.4) from the official repository and be particularly careful with update or other warning messages that could be disguised phishing attempts.

Malwarebytes detects the malicious wallets for Mac OS X as OSX.ElectrumStealer and Electrum.Stealer for Windows.


Malicious Electrum wallet binaries


Fake domains​


Attacker Bitcoin addresses


Fraudulent/malicious digital certificates (Windows only)

Serial Number: 15 8F D7 D2 FB 6E 69 E7 75 AB EE 6E
Name: EIZ Ltd
Serial Number: 06 6A F7 6B 79 4F 63 79 3C C0 CA 33 78 6F 07 47

RIG EK payload


transactionservices.exe (Electrum wallet)


IPs (Electrum wallet host and configs)