- Electrum hacker
stole 245 BTC
Electrum wallet was yesterday compromised by a malicious
phishing attack, which we wrote about yesterday. New details about this hack
emerged today as the potential address of the hacker was revealed, alongside
his potential loot.
As a reminder, the phishing attack saw the hacker spam the
Electrum network with fake servers he controlled. When- wallet users that
connected to a compromised server attempted to broadcast a Bitcoin transaction,
they would receive an error message, asking the owner of the wallet to download
an “update”. The software downloaded this way wasn’t an actual Electrum update
but rather a piece of malware designed to steal your Bitcoin.
Reddit community managed to get a hold of the hacker’s address,
indicating that a disturbing amount of funds might have been stolen by this
attack. At the moment of writing, the wallet contains 245 BTC (currently worth
just above $880 thousand). The wallet saw a total of five transactions sent to
it, with one user apparently losing just over 200 BTC in the attack. As of now,
Electrum released a quick fix that prevents the attacker from sending the error
messages to victims. Even with that, the issue still hasn’t been completely
Cash lags behind other popular cryptocurrencies
Popular crypto data aggregator LongHash revealed some rather
interesting data about Bitcoin Cash. While the proponents of said
cryptocurrency like to boast about BCH’s scalability, block size adjustments and
low fees, it just can’t keep up with the market top dogs in various areas.
LongHash looked into most popular cryptocurrencies for online
transactions and determined that Dash, Dogecoin and Litecoin currently dominate
this specific segment of crypto markets. Bitcoin Cash lags behind these
mentioned currencies, recording four times fewer transactions than a meme
cryptocurrency like Dogecoin.
These numbers become even more jarring if we look at what Bitcoin,
the currency BCH was made to replace, is able to do. BTC’s blockchain processes
20 times as many payments per day as Bitcoin Cash. The numbers become even harsher
if we look at daily active addresses that each of these payment solutions has. Blame
it on the market volatility, Bitcoin maximalism, head start that these
currencies had on BCH or the recent hard fork controversy the project went
through, the fact remains that the market doesn’t seem very interested to use
BCH for value transfers.
wallets vulnerable after all?!
During the 35th Computer Chaos Congress in Leipzig, Dmitry
Nedospasov, Thomas Roth and Josh Datko gave a presentation called wallet.fail,
where they tried presented a case as to why hardware wallets like Ledger Nano S
or Trezor were vulnerable to several types of attacks.
Attacks performed against said hardware wallets ranged from
breaking the proprietary bootloader protection, over breaking the web
interfaces used to interact with wallets, up to physical attacks including
glitching to bypass the security implemented in the IC of the wallet. As a
result of their testing, the individuals found 5 types of vulnerabilities that
apparently every hardware solution on the market suffers from:
- Firmware Vulnerabilities-
Firmware vulnerabilities are vulnerabilities affecting the software that runs
on the hardware wallet. Since most wallets provide update mechanisms this class
of bug can be patched in a future firmware release.
- Software Vulnerabilities-
Software vulnerabilities are vulnerabilities affecting the host software that
runs on the PC or smartphone and communicates with the hardware wallet. Since
most wallets provide update mechanisms this class of bug can be patched in a
future release of the host software.
- Hardware Vulnerabilities-
Hardware vulnerabilities are vulnerabilities affecting the device hardware of
the hardware wallet. Hardware vulnerabilities are generally incorrectly set
configurations of the hardware either during manufacturing or by the firmware.
If the configuration is set by firmware these vulnerabilities can be patched in
a future firmware release. Otherwise, they are unlikely to be fixed by the
- Physical Vulnerabilities-
Physical vulnerabilities are vulnerabilities affecting the hardware design of
the hardware wallet. Once the device has been manufactured, hardware
vulnerabilities cannot be mitigated and can only be fixed in a future hardware
revision of the device. This class of vulnerabilities is unlikely to be fixed
by the vendor.
- Architectural Vulnerabilities-
Architectural vulnerabilities are vulnerabilities affecting the overall
architecture of the hardware wallet. These are inherent design flaws in the
device and can only be fixed in a major hardware revision, i.e. a new version
of the device. This class of vulnerabilities is unlikely to be fixed by the
Overall, the 1-hour long presentation addressed architectures,
attack vendors and challenges of building a hardware wallet solution, revealing
both the good and the bad of current hardware wallet lineup. Full presentation
can be seen here.
The community criticized the analysts for not responsibly disclosing their
findings to the wallet manufacturers first before going live with the
TREZOR’s manufacturer SatoshiLabs responded to this
presentation via his- Twitter: “With
regards to #35c3 findings about @Trezor: we were not informed via our
Reponsible Disclosure program beforehands, so we learned about them from the
stage. We need to take some time to fix these and we’ll be addressing them via
a firmware update at the end of January.”
SatoshiLabs also responded, but through their subreddit: “Per my latest information (I am not present
at the conference), we were not informed about this vulnerability via our
Responsible Disclosure process, and therefore we are working with the
information as it arrives. We will address this vulnerability as soon as
possible, though we will need some time. Until then, you can mitigate it by
using a passphrase (make sure to learn how it works first, as in case of
passphrase-loss your funds are irrecoverable), or by making sure you do not
lose physical access to your device. To exploit the vulnerability,- the
attacker needs to have physical access to your device- — directly to its
- Cardano launches
an ambassador program
One of the market mainstays Cardano has decided to launch an
ambassador program. Through this initiative, the project looks to leverage the power
of their community to make the entire Cardano ecosystem a better place to be a
Cardano ambassador program will be looking to recruit and
reward 4 types of community members: assistants to arrange meetups, moderators
for forums and chats, pros for the creation of content and translators into
Charles Hoskinson, the man behind IOHK (entity in charge of
Cardano development) explained that Ambassadors will be selected based on their
good work in the community; the Ambassador position is not something that is
awarded directly by IOHK or other project members. A full list of requirements
one ambassador needs to fulfill can be found here.