
Analysis of the incident where 1400 Bitcoins were stolen from G

Date:2024-04-16 18:47:10 Channel:Wallet Read:
In today's digital age, with the rise of cryptocurrencies, cybersecurity issues have attracted much attention. The recent incident of the theft of 1,400 Bitcoins from a Github user has once again attracted widespread attention. This article will analyze this incident in depth, explore the reasons and lessons behind it, and present readers with a realistic warning about network security and cryptocurrency.
Event review: Github user suffered 1,400 Bitcoins being stolen

The core of this incident is that a Github user's Bitcoin wallet was stolen, and a total of 1,400 Bitcoins were transferred. The user posted a message for help on social media, but soon discovered that there was no way to trace and recover the stolen cryptocurrency. This incident not only sparked heated discussions in the community, but also raised concerns about the security of cryptocurrency.
Security Vulnerability Investigation: Potential Risks in the Github Platform
As the world's largest open source code hosting platform, GitHub provides services to millions of developers. However, precisely because of its openness and decentralization, it also gives attackers opportunities to exploit. Security experts pointed out that the GitHub platform has some potential security weaknesses, such as unreviewed code submissions and malware injection, which may lead to losses of user assets.
Community response: Users call for strengthening network security awareness and preventive measures
This incident triggered extensive discussions in the Github community, and many users expressed concerns about the security of their accounts. Some senior developers put forward suggestions such as strengthening network security awareness training, regularly updating passwords and keys, and using multi-factor authentication. At the same time, some users have called on the Github platform to strengthen security review and monitoring to improve the overall security level.
Cryptocurrency Security: A Required Course for Digital Asset Management
As the cryptocurrency market booms, digital asset management has become increasingly important. Users need to be wary of cyber attacks targeting personal information and assets, learn to allocate assets appropriately, and choose safe and reliable wallets and trading platforms. Only by strengthening security awareness can we better protect our digital wealth from loss.
Lessons and reflections: Network security is always on the road
This incident of the theft of 1,400 Bitcoins from a Github user has taught us a profound lesson: network security is always on the road, and absolute security does not exist. Users need to remain vigilant at all times and constantly learn and improve their awareness of network security. Only through joint efforts can we build a more secure and reliable digital world.
Conclusion: Together we will protect the future of network security

Suppose that one day, while you are transferring money on Alipay, a pop-up window tells you that the transfer failed because your version is too old. If the pop-up not only reports the failed transaction but also includes an Alipay update link, most people will probably click the link to update.

If this link is a phishing link and directly obtains your transfer permission, it means that the money in your account will also be ruthlessly transferred. This time, a user encountered a similar situation.

On August 31, Beijing time, the CertiK Skynet system detected that the 1,400 Bitcoins stolen from GitHub user "1400BitcoinStolen" had begun to be transferred to multiple different addresses.

The victim reported in an issue on Electrum's GitHub repository that he had lost 1,400 Bitcoins, and posted his Bitcoin wallet address.

In the blockchain browser (reference link 3), you can see that a total of 1,404 BTC (worth $16.7 million) was withdrawn from his wallet on August 30 and deposited into the hacker's wallet.

Event restoration and analysis

The user was using the Electrum Bitcoin wallet, which was last used in 2017. Electrum has since released security updates, but the user had not installed them.

When a user uses Electrum to conduct a transaction, the wallet will broadcast a transaction to the server. If there is a problem with the transaction, the server will return an error message and display it to the user in the form of a pop-up window.

Electrum wallets before version 3.3.2 do not validate the error message returned by the server, and even render the returned message as HTML (refer to link 4).

It is worth mentioning that anyone can run an Electrum server. If a user connects to an attacker's server and initiates a transaction, the server can return any error message it chooses. For example, it can return an error message asking the user to update the Electrum wallet, as shown in the figure below.

However, the link in the picture points to malware written by the attacker himself. Once the user downloads and installs the software and imports his wallet into it, all the Bitcoins in the wallet will be transferred by the attacker.

This is essentially a phishing attack, but because the phishing information sent by the attacker is displayed through the official Electrum wallet, many people will believe it to be true.

In this incident, the victim's wallet was connected to a server controlled by the attacker, which caused the victim to receive a phishing message from the server, and all his Bitcoins were transferred by the attacker.

This problem with the Electrum wallet caused widespread discussion as early as the end of 2018 (refer to link 4).

Electrum officially fixed this problem in wallet version 3.3.4 in 2019. Subsequent versions of the Electrum wallet no longer display the content returned by the server directly to the user, nor do they render it as HTML.

In addition, because old versions of the wallet still have this problem, all legitimate servers conduct denial-of-service (DoS) attacks on wallets before version 3.3 to force users to update (refer to link 5).
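
The error-message handling described above, sketched as an added example that is not Electrum's own code: the first function passes the server's text straight to the popup as the pre-fix wallet did, the second treats it as untrusted input and shows only a fixed client-side message. All function names, the generic message and the sample strings are hypothetical and constructed for illustration.

```python
import html
import re

# Fixed, client-side text shown to the user; server text never reaches the UI.
GENERIC_ERROR = "The server rejected the transaction. See the log for details."

_TAG_RE = re.compile(r"<[^>]+>")
_URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
_MAX_LOG_LEN = 200


def render_error_vulnerable(server_msg: str) -> str:
    """Pre-fix behaviour as the article describes it: the server's text is
    handed to a rich-text popup unchanged, so markup and links render."""
    return server_msg


def handle_error_hardened(server_msg: object) -> dict:
    """Treat the server's error string as untrusted input.

    Returns the fixed text to display, an inert copy for the log, and the
    reasons the message looks like injected content (empty if none).
    """
    raw = server_msg if isinstance(server_msg, str) else repr(server_msg)
    reasons = []
    if _TAG_RE.search(raw):
        reasons.append("html-markup")
    if _URL_RE.search(raw):
        reasons.append("contains-url")
    if len(raw) > _MAX_LOG_LEN:
        reasons.append("oversized")
    # Drop control characters, truncate, then escape so that a log viewer
    # which renders HTML cannot be tricked either.
    printable = "".join(ch for ch in raw if ch.isprintable())
    log_text = html.escape(printable[:_MAX_LOG_LEN])
    return {"display": GENERIC_ERROR, "log": log_text, "suspicious": reasons}


# Constructed sample inputs (not captured from a real server).
BENIGN = "min relay fee not met"
SPOOFED = ('Outdated version. <b>Update required</b>: '
           '<a href="https://updates.example.invalid/wallet">download</a>')

if __name__ == "__main__":
    for msg in (BENIGN, SPOOFED):
        print(handle_error_hardened(msg))
```

The "suspicious" list gives a client or a monitoring job something to alert on: a broadcast error that carries markup or a link is a strong sign the wallet is connected to a hostile server.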

CertiK Security Team Recommendations

When using a wallet for transactions, users need to ensure that the wallet is the latest version. Old wallet versions may have vulnerabilities that can be exploited by hackers.

When downloading wallet updates, users should verify that the download URL matches the official one. After the download is completed, the signature of the wallet must be verified. The wallet development team, for its part, needs to have a professional team carry out testing, so that loopholes in the project do not cause losses to users.
