Electrum Impostor Steals User Seed Keys
Researchers at Electrum, a popular Bitcoin wallet app, have discovered a malicious impersonator built to steal seed keys. The copycat, which calls itself Electrum Pro, appeared online in March and has since been flagged as malware.
Fake Electrum Wallet Steals Seed Keys
The team behind the original Electrum wallet reportedly posted a document on GitHub with instructions on how to identify and remove the impostor. It had been clear for a while that the doppelganger wallet had malicious intent and that it used the company’s name without its consent. The cybercriminals further attempted to trick users into downloading the malware by registering the domain electrum.com to mimic the original electrum.org.
Developers found that a line of code in the fake wallet was designed to steal the user’s seed key and upload it to the fake domain. Seed keys are the cryptographic keys their owners use to access their wallets through the app. Once stolen, these keys can be used to empty the crypto wallets of unsuspecting users who downloaded the malicious app.
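The two indicators described above (a lookalike domain registered under a different TLD, and the wallet uploading data to that domain) are the kind of thing a network defender can look for in proxy logs. The following is an added example written for this article, not code from the Electrum project: it scans constructed proxy log lines, flags requests whose second-level label matches the protected brand but whose domain is not the legitimate electrum.org, and tags POST requests to such domains separately because an upload is the exfiltration pattern the developers found. It goes slightly beyond the article by also folding common digit-for-letter homoglyphs (an illustrative table, not an exhaustive confusables list); the log format, the sample lines and the two-label "registrable domain" shortcut are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): time, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2018-05-09T10:01:12Z 10.0.0.15 GET https://electrum.org/ 200
2018-05-09T10:02:40Z 10.0.0.15 GET https://download.electrum.org/electrum-setup.dmg 200
2018-05-09T10:05:03Z 10.0.0.22 GET https://electrum.com/electrum-pro-setup.exe 200
2018-05-09T10:06:55Z 10.0.0.22 POST https://electrum.com/upload 200
2018-05-09T10:07:10Z 10.0.0.31 GET https://e1ectrum.org/ 200
2018-05-09T10:08:01Z 10.0.0.31 GET https://example.net/ 200
"""

BRAND = "electrum"                      # label we are protecting
LEGITIMATE_DOMAINS = {"electrum.org"}   # the project's real domain, as named in the article

# Digits that commonly stand in for letters in homoglyph squats
# (assumption: a small illustrative table, not an exhaustive confusables list).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Assumed log layout: "<timestamp> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$"
)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: ignores multi-label public suffixes such as co.uk;
    a production version would consult a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_brand(domain: str) -> bool:
    """True when the second-level label equals the brand after homoglyph
    folding, but the domain is not one of the legitimate ones."""
    if domain in LEGITIMATE_DOMAINS:
        return False
    label = domain.split(".")[0].translate(_HOMOGLYPHS)
    return label == BRAND


def find_lookalike_requests(log_text: str) -> list:
    """Scan proxy log lines and return requests to brand-lookalike domains.

    POST requests are tagged separately: a wallet uploading data to a
    lookalike domain is the seed-exfiltration pattern described above.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if not looks_like_brand(domain):
            continue
        reason = "upload-to-lookalike" if m["method"] == "POST" else "lookalike-domain"
        findings.append(
            {"client": m["client"], "host": host, "method": m["method"], "reason": reason}
        )
    return findings


if __name__ == "__main__":
    for f in find_lookalike_requests(SAMPLE_PROXY_LOG):
        print(f"{f['client']} {f['method']} {f['host']} -> {f['reason']}")
```

Run against the sample, it reports the two requests to electrum.com (the second tagged as an upload) and the homoglyph domain, while requests to electrum.org and its download subdomain pass. The brand and allowlist are the only site-specific inputs; the same check works for any project whose users are targeted by a same-name, different-TLD impostor.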
Developers at Electrum had previously issued cautions regarding the copycat:
“We previously warned users against ‘Electrum Pro’, but we did not have formal evidence at that time.”
They have so far examined the macOS and Windows binaries and consider it highly likely that the other binaries are malicious as well.
Crypto Malware Rising
Earlier this month, it was revealed that a Chrome extension which used Facebook’s Messenger app to inject malware mining scripts had re-emerged in April. The FacexWorm drains the victim’s CPU resources to mine Monero while also spamming affiliate links for several crypto exchanges.
It was also reported that as many as 400 US government and business websites running on the Drupal content management system were likely infected with such mining scripts. These sites were operating on an out-of-date version of the platform, and among the infected websites were the US National Labor Relations Board (NLRB), Taiwanese network hardware manufacturer D-Link, Chinese tech giant Lenovo, and the University of California (UCLA).
The report also shows that websites administered by the governments of Mexico, Turkey, Peru, South Africa, and Italy have been victims of this mining malware attack. As in most such infections, Coinhive is once again to blame. As cryptocurrencies become more widely used by the mainstream public, mining malware attacks such as these will continue to grow.