A botnet used to steal money from the Electrum bitcoin wallet network continues to grow. According to researchers, at its peak, it passed over 150,000 hosts. A total of $4.6 million has now been stolen from victims.

The botnet was first discovered on 8 April, writes SiliconANGLE. It is a new variation of a campaign that was first discovered on 27 December.

Electrum works on a distributed model, in which users of the wallet connect to different servers. The people behind the attacks introduce their own Electrum servers into the network, serving a rogue version of the wallet code, and this malicious version misleads users into downloading it. The rogue wallet then lets the cybercriminals steal the victims’ cryptocurrency balances.

The botnet is used to run a DDoS attack for the purpose of taking legitimate Electrum servers offline. This forces users to connect to the rogue servers instead of the real Electrum servers. Although Electrum has solved the problem by updating the wallet software, users do have to update their wallet. As the botnet grows rapidly, it is clear that many people have not done so.

Rapid growth

Malwarebytes is monitoring the Electrum botnet and now says that $4.6 million has been stolen via the botnet. “The botnet that spreads through the Electrum infrastructure is growing rapidly,” say the researchers. “On April 24, the number of infected machines was just under 100,000. A day later that number reached its highest point so far: 152,000.” Since then, the number of infected machines has fallen slightly again and remains at around 100,000.

The researchers also identified two distribution campaigns that feed the botnet: the Smoke Loader and the RIG exploit kit. Both are used to install the ElectrumDoSMiner malware, which drives the DDoS attack against legitimate Electrum servers.

Most of the infected devices are located in Asia, as well as in Brazil and Peru. It seems that some machines are being cleaned up while others are being infected.

