UPDATED Crystal™ Investigation of the Electrum Theft Case

January 26, 2019 Update:

The Bitfury Group
Jan 11, 2019

As of Jan. 25, 2019, the alleged hacker has withdrawn funds in bitcoin from all his wallets. Further investigation revealed that the alleged hacker had moved a significant part of the bitcoin to the exchange service MorphToken. All the funds that reached Bitfinex were sent there by the MorphToken service.

MorphToken provides the ability to check the status of a transaction using its API. Having checked all the wallets in the hacker’s withdrawal chains in this way, we have managed to find out that at least 243 BTC were sent by the alleged hacker to this service. Almost all funds were exchanged for XMR. However, a small amount (0.07 BTC) was transferred to Ethereum.

Original Post:

On Dec. 27, 2018, the bitcoin wallet Electrum notified users about a phishing attack that was targeting users through malicious servers. At that point, the alleged hacker(s) had already stolen more than 245 BTC.

Using Crystal analytics, we investigated the movement of funds from the hack, tracking them to two major exchanges. Below, we present those findings.

The phishing attack worked in the following way:

1. First, the alleged hacker managed to add dozens of malicious servers to the Electrum network;

2. The user initiates a bitcoin transaction using their legitimate wallet;

3. In response, the malicious server pushes an error message to the user — a phishing message that urges the user to immediately download an “update” from the malicious site (a GitHub repository);

4. The user clicks on the link and downloads the malicious update;

5. After the user installs a malware version of the wallet, the program asks the victim for a two-factor authentication code (which, under normal circumstances, is requested only for transferring funds);

6. The fake Electrum wallet uses the code to send the user’s funds to a hacker’s wallets.
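The weak point in the sequence above is step 3: the client rendered a server-supplied error string as rich content with a clickable link, so a malicious server could turn an error dialog into a phishing page. The following is an added example, not Electrum's code or anything from the Crystal post, of how a light client can screen such messages before display. It assumes the server reply is a JSON-RPC-style object with an `error` field (an assumption made here for the sample), flags any markup or URL in the message as suspicious, and reduces it to escaped plain text so nothing in it is clickable. The sample responses are constructed for the example.

```python
import html
import json
import re
from typing import Dict, List, Optional

# Patterns that have no business appearing in a wallet server's error text.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def untrusted_error_text(raw_response: str) -> Optional[str]:
    """Pull the error message out of a JSON-RPC-style reply (assumed shape).

    Returns None when the reply is not JSON or carries no error, so the
    caller can treat 'nothing to show' separately from 'suspicious'.
    """
    try:
        msg = json.loads(raw_response)
    except json.JSONDecodeError:
        return None
    err = msg.get("error") if isinstance(msg, dict) else None
    if err is None:
        return None
    if isinstance(err, dict):            # {"code": ..., "message": ...}
        err = err.get("message", "")
    return str(err)


def screen_server_error(raw_response: str) -> Dict[str, object]:
    """Classify a server error and produce a safe, plain-text rendering.

    'suspicious' is True if the text contains HTML markup or a URL;
    'display' is what the UI should show: tags stripped, links replaced by
    a placeholder, and the remainder HTML-escaped so it cannot be rendered
    as anything but text.
    """
    text = untrusted_error_text(raw_response)
    if text is None:
        return {"suspicious": False, "display": "", "reasons": []}
    reasons: List[str] = []
    if TAG_RE.search(text):
        reasons.append("html-markup")
    if URL_RE.search(text):
        reasons.append("url")
    plain = TAG_RE.sub("", text)                 # strip tags first ...
    plain = URL_RE.sub("[link removed]", plain)  # ... then bare URLs
    return {
        "suspicious": bool(reasons),
        "display": html.escape(" ".join(plain.split())),
        "reasons": reasons,
    }


# Constructed sample replies (not captured traffic).
BENIGN = json.dumps({"jsonrpc": "2.0", "id": 1,
                     "error": {"code": 1, "message": "the transaction was rejected by network rules"}})
MARKUP = json.dumps({"jsonrpc": "2.0", "id": 2,
                     "error": {"code": 1, "message": "Your version is outdated. "
                               "<a href='https://example.invalid/update'>Download the update now</a>"}})
BARE_URL = json.dumps({"jsonrpc": "2.0", "id": 3,
                       "error": "Please visit https://example.invalid/update to continue"})

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("markup", MARKUP), ("bare_url", BARE_URL)):
        print(name, screen_server_error(raw))
```

The point of returning both a flag and a sanitized string is that the client can log and count suspicious replies per server (dozens of servers emitting link-bearing errors is itself a signal) while still telling the user something useful.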

Crystal’s findings showed that the majority of funds were sent to the address: 14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5.

After a few hours, the alleged hacker had transferred all funds to the address 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj, where the funds have currently settled.

As of Jan. 11, 2019, 245 BTC remain in 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj. However, it’s important to note that on Dec. 27, the alleged hacker sent 5 BTC to the address 1N1Q7fEF6yxnYsMjvH2jtDDzzW6ndLtfEE.

In the days since the original hack, the alleged hacker has moved those funds, withdrawing 0.2 BTC on Jan. 3 to a Bitfinex wallet (3Kk8aWoGexBo52bY8TJuMseoxKBnGD5QqH), and withdrawing 0.41 BTC on Jan. 11 to a Binance wallet (13cRSL82a9x2MMCedFQBCJJ2x5vCgLyCXC).

On January 18, the alleged hacker became active again, moving funds through a chain of transactions. They have now withdrawn 3 BTC to a Bitfinex wallet (33d8Dm2hyJx6NHhHep7KM4QKbjTgWpAQQt).

Moreover, the alleged hacker transferred 49 BTC from the 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj wallet and distributed them across 13 addresses. The Crystal team will keep an eye on further actions.

The alleged hacker is consistently withdrawing funds to Bitfinex. To date, the attacker has already withdrawn over 32 BTC in total.
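The tracing described above (following outputs hop by hop from the theft address until they land at an address attributed to an exchange, or stop at an address where they sit unspent) can be reduced to a breadth-first walk over a transaction graph with an entity label table. The block below is an added illustration of that walk, not Crystal's software or method: it uses a constructed mini-ledger whose addresses and round amounts are taken from the post, with made-up transaction ids and intermediate hop addresses, and it follows the full value of every output rather than applying any taint heuristic, which real tools do more carefully. Amounts are kept in integer satoshis to avoid floating-point drift.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

SATS = 100_000_000  # satoshis per BTC

# Entity attribution table. Labels follow the post's own attribution of these
# deposit addresses; a real tool would carry thousands of such labels.
KNOWN_ENTITIES = {
    "3Kk8aWoGexBo52bY8TJuMseoxKBnGD5QqH": "Bitfinex",
    "13cRSL82a9x2MMCedFQBCJJ2x5vCgLyCXC": "Binance",
    "33d8Dm2hyJx6NHhHep7KM4QKbjTgWpAQQt": "Bitfinex",
}

# Constructed mini-ledger: (txid, input addresses, [(output address, sats)]).
# Transaction ids and the "hop-*" addresses are invented for the example.
TXS: List[Tuple[str, List[str], List[Tuple[str, int]]]] = [
    ("tx-a", ["14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5"],
        [("1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj", 245 * SATS),
         ("1N1Q7fEF6yxnYsMjvH2jtDDzzW6ndLtfEE", 5 * SATS)]),
    ("tx-b", ["1N1Q7fEF6yxnYsMjvH2jtDDzzW6ndLtfEE"],
        [("3Kk8aWoGexBo52bY8TJuMseoxKBnGD5QqH", 20_000_000),   # 0.2 BTC
         ("hop-A", 480_000_000)]),
    ("tx-c", ["hop-A"],
        [("13cRSL82a9x2MMCedFQBCJJ2x5vCgLyCXC", 41_000_000),   # 0.41 BTC
         ("hop-B", 439_000_000)]),
    ("tx-d", ["hop-B"],
        [("33d8Dm2hyJx6NHhHep7KM4QKbjTgWpAQQt", 300_000_000),  # 3 BTC
         ("hop-C", 139_000_000)]),
]


def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    spends = defaultdict(list)
    for txid, inputs, outputs in txs:
        for addr in inputs:
            spends[addr].append((txid, outputs))
    return spends


def trace(seed: str, txs, known: Dict[str, str], max_hops: int = 10):
    """Breadth-first walk from `seed` following every output.

    Returns (totals, hits, parked):
      totals: sats reaching each labelled entity,
      hits:   (entity, address, sats, hops, path) for each labelled landing,
      parked: sats sitting at unlabelled addresses with no outgoing spend.
    """
    spends = build_spend_index(txs)
    totals: Dict[str, int] = defaultdict(int)
    parked: Dict[str, int] = defaultdict(int)
    hits = []
    seen = set()
    queue = deque([(seed, 0, [seed])])
    while queue:
        addr, hops, path = queue.popleft()
        if addr in seen or hops >= max_hops:
            continue
        seen.add(addr)
        for txid, outputs in spends.get(addr, []):
            for out_addr, sats in outputs:
                new_path = path + [txid, out_addr]
                if out_addr in known:          # landed at an attributed entity
                    totals[known[out_addr]] += sats
                    hits.append((known[out_addr], out_addr, sats, hops + 1, new_path))
                elif out_addr not in spends:   # unspent: funds are parked here
                    parked[out_addr] += sats
                else:                          # intermediate hop, keep walking
                    queue.append((out_addr, hops + 1, new_path))
    return dict(totals), hits, dict(parked)


def trace_report(seed: str) -> Dict[str, float]:
    """BTC reaching each entity from `seed`, for a quick summary."""
    totals, _, _ = trace(seed, TXS, KNOWN_ENTITIES)
    return {entity: sats / SATS for entity, sats in totals.items()}


if __name__ == "__main__":
    totals, hits, parked = trace("14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5", TXS, KNOWN_ENTITIES)
    for entity, addr, sats, hops, path in hits:
        print(f"{sats / SATS:>8.2f} BTC -> {entity} ({addr}) after {hops} hops via {' > '.join(path)}")
    print("parked:", {a: s / SATS for a, s in parked.items()})
```

The `parked` map is what answers "where have the funds currently settled": in this constructed ledger it reports the 245 BTC at 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj, and a re-run after new transactions appear shows where they moved. The `max_hops` bound keeps long peel chains from turning into an unbounded walk.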

Follow Crystal on Twitter to stay up to date on other investigations: @CrystalPlatform

About Crystal

Crystal is the all-in-one blockchain investigative tool. Designed for law enforcement and financial institutions, Crystal provides a comprehensive view of the public blockchain ecosystem and uses advanced analytics and data scraping to map suspicious transactions and related entities. Whether it is tracking a bitcoin transaction to a real-world entity, determining relationships between known criminal actors, or surveying suspicious online behavior, Crystal can help move your investigation forward. To learn more, visit crystalblockchain.com
