Anatomy of a Bitcoin Heist: The Electrum Atom Malware Saga

Nick Bax
10 min readJul 21, 2023


In January 2018, Andrew Schober was tricked into downloading a purported cryptocurrency wallet called “Electrum Atom” (also deployed under the name “Electrum Gold”) which resulted in approximately 16.4 Bitcoins being stolen from him [1]. Electrum Atom turned out to be an early variation of what has been dubbed “clipboard hijacker” malware [2,3]. The malware monitored the copy-paste (or “clipboard”) function of the infected computer until it detected that the user had copied a Bitcoin address. When the malware recognized a Bitcoin address, it modified the Bitcoin address stored in the clipboard to a similar-looking Bitcoin address controlled by the malware operator. By doing this, the malware was able to divert bitcoin from Mr. Schober to an address controlled by the creator of the Electrum Atom malware.

Figure 1. Figure and caption from Schober v. Thompson complaint. [4]

In May 2021, Mr. Schober filed a lawsuit in Colorado against two minors from the UK, Defendants Benedict Thompson and Oliver Read, and their respective parents, alleging that they stole Schober’s bitcoin via the Electrum Atom malware. Both Benedict Thompson and Oliver Read deny any involvement with the incident.

In public court filings, Schober and his legal team have released interesting forensic evidence obtained during the discovery process. This article aims to examine and explain the evidence unearthed by Mr. Schober during his lengthy investigation and provides broader insights into the reality of digital asset recovery through the judicial system. All evidence contained herein is readily auditable by other experienced blockchain analysts.

195,112 Bitcoin addresses are embedded in the malware and controlled by its operator

About 1 month after the malware diverted Schober’s bitcoin (BTC) to the address 1CZioyptarnQ3rdT9np2rwMwXftMX9ATT7, it was transferred to a Bitfinex deposit address: 3CWQ5d2XgCrYuz7F3g4fmhd6VQMv4iPio7.

Figure 2. Screenshot of flow of Mr. Schober’s stolen BTC to Bitfinex from complaint. [4]

Realizing he would need more data in order to identify who had stolen his BTC, Schober enlisted the help of a malware analyst who was able to extract a list of bitcoin addresses embedded within the malware code.

Figure 3. Screenshot of the description of the pre-generated list of bitcoin addresses in the malware code [4].

Tracing the Malware Transactions to the Defendants

Out of the 195,112 addresses embedded in the malware, a total of four, including the one which received Schober’s stolen BTC, were found to have received BTC between November 2017 and January 2018. This proved extremely valuable to the investigation: much like a forensic investigator can link bullets from different crime scenes to the same firearm, this made it possible to link multiple alleged thefts to the Electrum Atom malware and broaden the surface area of the investigation.

Table 1. Addresses embedded in the Electrum Atom malware which received BTC.

Two of the malware-controlled addresses, 1PpV and 1A6K, sent about 0.54 BTC to a different Bitfinex account than the one which received Schober’s stolen BTC. This Bitfinex account had a deposit address beginning with 1Gqt. [Fig. 4]

Figure 4. A transaction graph showing the flow of funds from a non-malware address, 3JjP, to two Electrum Atom malware addresses, 1A6K and 1PpV, and then on to the Bitfinex deposit address 1Gqt.

An FBI document reveals that the username on the 1Gqt Bitfinex account was “JamesandJohn” and the e-mail “”. [Fig. 5] Benedict Thompson acknowledged using this email, though he claims it was also used by others. [Fig. 6] Benedict Thompson has denied using the alias “JamesandJohn”. This is contradicted by the FBI document, which identifies JamesandJohn as an alias used by Benedict Thompson. [Fig. 5] This connection is further corroborated by a comment Benedict Thompson posted on Github, where he disclosed using a computer with the username “JamesandJohn”. [Fig. 7]

Figure 5. Screenshot of FBI file stating that Benedict Thompson was using the username ‘JamesandJohn’ as an aka. This username is connected to the 1GQt Bitfinex account. [Highlighting added]
Figure 6. Benedict Thompson’s response to a discovery question admitting he used the e-mail address “”. This e-mail address was used to register the 1GQt Bitfinex account, which received stolen BTC from the Electrum Atom malware. [Table 1, Figs. 4,5]
Figure 7. Screenshot of comment posted on Github where Thompson reveals he is using a computer with the username “JamesandJohn”. [Emphasis added]

In summary, there are multiple connections between Benedict Thompson and the 1Gqt Bitfinex account which received BTC from addresses embedded in the Electrum Atom malware.

The controller of the Bitfinex account which received Schober’s stolen BTC used an IP address which likely shared a subnet used by Thompson

Schober’s stolen BTC was sent to a Bitfinex account with a deposit address beginning in “3CWQ”. The 3CWQ account was registered with the username “thp2k”. An FBI document shows that on February 25, 2018, thp2pk logged in to the 3CQW Bitfinex account from Southampton, UK, where the Thompson family lives, using an IP address registered to British Telecom: [Fig. 8]

Figure 8. FBI document stating that the 3CWQ Bitfinex account was logged into with the IP address After Mr. Schober’s stolen BTC was deposited to the account by the malware controller, it was converted to Monero and withdrawn to the 44nUb Monero address. [Highlighting added]

The first three octets of the IP address are identical to numerous IP addresses used by Benedict Thompson [Table 2]. A plausible explanation for this is that the device used to login to the 3CWQ Bitfinex account was on the same subnet as Thompson’s devices.

Table 2. Documents uncovered in discovery revealed that IP addresses used by thp2pk and Benedict Thompson were likely on the same subnet.

Shortly after receiving Mr. Schober’s stolen BTC, the person in control of the 3CWQ Bitfinex address converted the BTC to Monero (XMR) and withdrew it to a Monero address beginning with 44nUb [Fig. 8]. Monero is notoriously difficult to track and Mr. Schober did not have the benefit of access to the 3CWQ account data until months after his lawsuit was filed.

Bitcoin from the Electrum Atom Malware was sent to, converted to XMR, then sent back to ShapeShift and converted to Bitcoin

A 4th address embedded in the Electrum Atom malware, 1JrT4DePAThEHarvEiYyRu2x2anhMCsoPr, received 0.10179145 BTC on December 30, 2017. On January 10, 2018, the controller of the malware address sent all of the funds to an “instant exchange” called and converted the BTC to Monero (XMR). ShapeShift was well-known for allowing users to swap between different cryptocurrencies without providing an e-mail or other identifying information. [5]

ShapeShift’s API shows that the ~0.1 BTC sent from the 1JrT malware address was converted to ~3.62 XMR, which was sent to a Monero address beginning with 46uK at 19:52:06 UTC (block 1484306) on January 10, 2018:


Immediately after the ~3.62 XMR received from the BTC → XMR ShapeShift transaction became spendable, 3.6 XMR was sent back to ShapeShift and converted to 0.09606655 BTC, which ShapeShift sent to the vanity Bitcoin address 1BeNEdictBLbmVJ9LXkSwqiyWWf36XKTD1. The 1BeNEdict address is verified as belonging to Benedict Thompson on [Fig. 9] and is also linked to Thompson’s Reddit, Github, and Twitter accounts.

Figure 9. Screenshot of Benedict Thompson’s account, linking him to the 1BeNEdict vanity bitcoin address.

The temporal correlation is striking; ~0.1 BTC from an address embedded in the Electrum Atom malware was converted to ~3.62 XMR ShapeShift, and immediately afterwards, ~3.6 XMR was sent back to ShapeShift and converted to ~0.096 BTC sent to Benedict Thompson’s bitcoin address.

Furthermore, it is possible to demonstrate that the XMR unspent transaction output (UTXO) spent and sent to ShapeShift was very likely the exact same UTXO received from ShapeShift a half hour earlier via an Eve-Alice-Eve (EAE) attack. I previously described an EAE attack against the North Korean Lazarus Group as they cashed out their proceeds from the WannaCry malware here. Briefly, Monero’s RingCT confidential transactions hide the amount being transacted on the blockchain (but ShapeShift’s API provides us with this information). Monero’s RingCT also hides the exact UTXO being spent, but does provide blockchain analysts with a list of plausible “ring members”, one of which is being spent and the remainder of which are “decoys”. [Fig. 10]

Figure 10. Screenshot of the transaction which sent 3.6 XMR to ShapeShift in exchange for ~0.096 BTC being sent to 1BeNEdict. The transaction is using exactly 1 UTXO as an input. One of the ring members is necessarily the real TXO being spent, and the remaining four are “decoys”. Ostensibly, each ring member has a similar probability of being the real TXO that is used as an input. The ‘timestamp’ column shows the time when the transaction that produced the TXO was confirmed.

Four of the five plausible ring members for the transaction were broadcast over one month earlier, whereas the 5th ring member was broadcast in the BTC → XMR ShapeShift transaction about a half hour earlier. In September 2021, a bug in Monero’s decoy selection algorithm[6] which “caused the algorithm to select marginally fewer decoy outputs roughly 10 to 20 blocks old” was disclosed, which may further increase the probability that the 12-block old ring member was the UTXO being spent, as opposed to a decoy. [6]

Schober obtained internal data from ShapeShift related to the XMR to BTC swap. The data shows that in addition to the “withdraw” parameter being set to “1BeNEdict”, the “returnAddress” parameter, a refund address provided by the customer in case of transaction issues, matched the exact same 44nUb Monero address Schober’s stolen assets were transferred to from Bitfinex 1.5 months later. [Fig. 11]

Figure 11. Screenshot of data received from ShapeShift showing the returnAddress for the XMR transaction which sent BTC to the 1BeNEdict BTC address [emphasis added]. After converting Schober’s stolen BTC to XMR at Bitfinex, the person who stole Schober’s BTC withdrew the XMR to the exact same address.

The transaction chain from the 1JrT4 malware address to Thompson’s 1BeNEdict vanity address strongly links him to the Electrum Atom malware. Temporal analysis shows that the stolen BTC was very likely “chain hopped” to Monero and then “U-turned”[7] back to BTC sent to Benedict Thompson’s 1BeNEdict address a half hour later. The Eve-Alice-Eve attack strongly corroborates that the temporal analysis is correct.

The returnAddress parameter on the XMR → BTC ShapeShift transaction which sent ~0.096 BTC directly to Thompson provides a strong link between the person who initiated the ShapeShift transaction and the person who stole Schober’s BTC; the 44nUb Monero address was reused at Bitfinex to withdraw Schober’s stolen property from Bitfinex after the stolen BTC was converted to XMR. [Fig. 12]

Figure 12. Graph of transactions tracing the flow of funds from the Electrum Atom malware address 1JrT…soPr to ShapeShift where it was converted to XMR. The XMR was then sent back to ShapeShift and converted to BTC which was sent to 1BeNEdict. The second ShapeShift transaction used the Monero address 44nU…723i as a refund address in case there were any issues with the swap.

Corroborating Evidence

In addition to the blockchain-based evidence, Mr. Schober found compelling circumstantial evidence showing that the defendant Benedict Thompson not only possessed the knowledge necessary to build clipboard jacking malware but was actively ideating it. A few weeks before the malware appeared in the wild, Thompson wrote a post to the bitcoin-dev mailing list describing how quickly a computer could maliciously generate indifferentiable Bitcoin vanity addresses that match an address to which a user intends to send BTC. [Fig. 13]

Figure 13. Screenshot of Thompson’s bitcoin-dev mailing list post describing how a computer could maliciously generate vanity Bitcoin address that are visually indifferentiable from the desired Bitcoin address. [Emphasis added]

Not only did Thompson ideate around this — his public Github actually included much of the code needed to build out the Electrum Atom malware. For instance, Thompson’s Github page included a Bitcoin vanity address generator which could be used to generate the 195,112 addresses embedded in the malware and the Electrum client with which the malware was bundled.

The complaint also alleges that another defendant, Oliver Read, was promoting the Electrum Atom malware on Reddit.


This investigation highlights a wide range of cyber investigatory methods. Andrew Schober started with standard open source intelligence techniques (OSINT). He then enlisted the help of others to analyze the malware and the cryptocurrency addresses contained therein. When Schober encountered information that was held by centralized entities, he relentlessly looked for ways to obtain it, eventually going as far as to serve them with civil subpoenas. In other instances, Schober obtained information pertinent to his investigation directly from the Cyber Division of the FBI.

Despite the fact that potential evidence was being lost due to data retention limits or because it was deleted by the defendants, Schober was able to obtain clear and convincing evidence connecting his stolen BTC to real people.

Four Bitcoin addresses embedded within the malware sent funds to three different destinations. The first destination, the 1Gqt Bitfinex account, used an e-mail and username associated with Benedict Thompson. A second malware address sent BTC to ShapeShift in exchange for the privacy coin Monero (XMR). Temporal analysis, a Monero EAE attack, and internal records from ShapeShift together showed that a transaction sending malware funds to Thompson’s bitcoin address used the 44nUb return address. The third and final destination, the 3CQW Bitfinex account, received Schober’s stolen bitcoins, which were converted to Monero and withdrawn to the same 44nUb address used at ShapeShift. This Bitfinex user logged in from a Southampton IP address that was likely on the same subnetwork used by Thompson. Ultimately, every bitcoin transaction sent by the Electrum Atom malware operator went to a destination address that was linked to Benedict Thompson. [Fig. 14] The case is ongoing.

Figure 14. A transaction graph showing the connections between BTC addresses embedded in the Electrum atom malware, the accounts that received BTC from these addresses, and the owner of these accounts.

Nick Bax’s company, Five I’s LLC, provides expert consulting and witness services on a variety of cryptocurrency-related topics including forensics. E-mail: nick at 5is dot tech


  1. Krebs, B. Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents. Krebs on Seccurity. (2021).
  2. Meskauskas, T. How to prevent financial loss caused through Clipboard Hijacker. PCrisk. (2022).
  3. Cimpanu, C. Malware author made $560,000 just from a simple clipboard hijacker. The Record. (2021).
  4. Schober vs Thompson Complaint. 1:21-cv-01382-NYW. (2021).
  5. Scheck, J. How Dirty Money Disappears Into the Black Hole of Cryptocurrency. WSJ. (2018).
  6. Berman, J. Post-Mortem of Decoy Selection Bugs. The Monero Project. (2021).
  7. Yousaf, H. et al. Tracing Transactions Across Cryptocurrency Ledgers. n Proceedings of the USENIX Security Symposium. (2019).



Nick Bax

Princeton ’12 (Chemistry), Stanford ’21 (Structural Biology PhD), Currently analyzing blockchains