UPDATED Crystal™ Investigation of the Electrum Theft Case
January 26, 2019 Update:
As of Jan. 25, 2019, the alleged hacker has withdrawn funds in bitcoin from all his wallets. Further investigation revealed that the alleged hacker had moved the significant part of bitcoin to the exchange service MorphToken. All the funds that reached Bitfinex were sent there by the MorphToken service.
MorphToken provides the ability to check the status of a transaction using its API. Having checked all the wallets in the hacker’s withdrawal chains in this way, we have managed to find out that at least 243 BTC were sent by the alleged hacker to this service. Almost all funds were exchanged for XMR. However, a small amount (0.07 BTC) was transferred to Ethereum.
Original Post:
On Dec. 27, 2018, the bitcoin wallet Electrum notified users about a phishing attack that was targeting users through malicious servers. At that point, the alleged hacker(s) had already stolen more than 245 BTC.
Using Crystal analytics, we investigated the movement of funds from the hack, tracking them to two major exchanges. Below, we present those findings.
The phishing attack worked in the following way:
1. First, the alleged hacker managed to add dozens of malicious servers to the Electrum network
2. The user initiates a bitcoin transaction using their legitimate wallet;
3. In response, the user receives a push error message — a phishing message that requires the user to immediately download the “update” from the malicious site (the GitHub repository);
4. The user clicks on the link and downloads the malicious update;
5. After the user installs a malware version of the wallet, the program asks the victim for a two-factor authentication code (which, under normal circumstances, is requested only for transferring funds);
6. The fake Electrum wallet uses the code to send the user’s funds to a hacker’s wallets.
Crystal’s findings showed that the majority of funds were sent to the address: 14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5.
After a few hours, the alleged hacker had transferred all funds to the address 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj, where the funds have currently settled.
As of Jan. 11, 2019, 245 BTC remain in 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj. However, it’s important to note that on Dec. 27, the alleged hacker sent 5 BTC to the address 1N1Q7fEF6yxnYsMjvH2jtDDzzW6ndLtfEE.
In the days since the original hack, the alleged hacker has moved those funds, withdrawing 0.2 BTC on Jan. 3 to a Bitfinex wallet (3Kk8aWoGexBo52bY8TJuMseoxKBnGD5QqH), and withdrawing 0.41 BTC on Jan. 11 to a Binance wallet (13cRSL82a9x2MMCedFQBCJJ2x5vCgLyCXC).
January 20, 2019 Update
On January 18, the alleged hacker became active again by moving funds through chain of transactions. They have now withdrawn 3 BTC to a Bitfinex wallet (33d8Dm2hyJx6NHhHep7KM4QKbjTgWpAQQt).
Moreover, the alleged hacker transferred 49 BTC from 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj wallet and distributed them within 13 addresses. Crystal team will keep an eye on further actions.
January 21, 2019 Update
The alleged hacker is consistently withdrawing funds to Bitfinex. To date, the attacker has already withdrawn over 32 BTC in total.
Follow Crystal on Twitter to stay up to date on other investigations: @CrystalPlatform
About Crystal
Crystal is the all-in-one blockchain investigative tool. Designed for law enforcement and financial institutions, Crystal provides a comprehensive view of the public blockchain ecosystem and uses advanced analytics and data scraping to map suspicious transactions and related entities. Whether it is tracking a bitcoin transaction to a real-world entity, determining relationships between known criminal actors, or surveying suspicious online behavior, Crystal can help move your investigation forward. To learn more, visit crystalblockchain.com
