Main Page > Blog >


Phishing Attack on Electrum Wallet - AMLT Crypto Alert of the Week

Jan 04, 2019

About Us

Recognized as a global leader in RegTech for blockchain, Coinfirm serves as a foundation for the safe adoption and use of blockchain. The Coinfirm AML/CTF Platform uses proprietary algorithms and big data analysis to provide structured, actionable data that solves compliance and transaction risk issues in blockchain and cryptocurrencies. The blockchain agnostic platform is currently used by anyone ranging from major financial institutions to exchanges. In addition, Coinfirm develops dedicated blockchain solutions such as the data provenance platform Trudatum that was recently integrated by the largest bank in CE.

Follow Us


Welcome to week 21 of the Crypto Alert of the Week series by AMLT, a series dedicated to documenting interesting or high profile frauds/hacks etc that recently happened and have been reported into the AMLT Network and show how the AMLT Network can help track and prevent it in the future.

A new phishing attack vector has surfaced in the last few days of 2018. The hacker targeted the popular Electrum wallet trying to get the users to download a fake update, that would then proceed to steal all of the users funds.

The hacker has reportedly created a lot of servers (sybils) and thanks to the messaging capabilities (and rich text display) was able to send the fake error message prompting for a security upgrade. The link was cleverly disguised with the official GitHub site URL.

It’s important to keep in mind, that the Electrum wallet itself was not compromised, the whole attack is only possible if the victim installs the fake electrum client and provides it with his seed and passwords. So far, the developer has already removed the rich text capabilities from their newest release so that the messages relayed by nodes don’t look as convincing.

The attack started out on Dec 21 but was not publicly disclosed until the latest release of the wallet software (not to encourage any more attacks). Since then, the attacks have been going on and off, varying with the phishing messages.

As of the time of reporting, the attacker has stolen around 243 BTC (which is nearly $900K).

As there is no easy way of preventing such attacks without fully centralizing the nodes, users must remain vigilant and spread awareness of such attacks in order to protect others. The AMLT Network exists to highlight, mark and help with prevent such attacks from occurring. The addresses related to the Electrum sybil attacker have been reported by a member of the network, after which both the hack along with corresponding addresses have been marked with appropriate risk.

Below you can see an AML Risk Report generated for the attackers' address. Now any entity using the Coinfirm AML Platform can not only see the risk of the associated address and funds but limit their exposure to it along with their clients, partners and users. Protecting the crypto economy as a whole

If you're interested in partnering with Coinfirm or becoming an AMLT Network Member then contact us!

Thank you for your continued support and make sure to follow all of our latest updates on Twitter, Facebook, LinkedIn and Telegram Community.

The AMLT Team