A botnet used to target the Electrum bitcoin wallet network is continuing to grow as researchers say it surpassed 150,000 at its peak with even more cryptocurrency now stolen from users.

The botnet targeting Electrum customers, first detected April 8, is a new variation of a targeted campaign first detected Dec. 27.

Electrum works on a distributed model, with users of the wallet connecting to different servers. Those behind the attacks introduce their own Electrum servers into the network with a malicious version of the wallet code that tricks users into downloading it. The malicious wallet then allows those behind the hack to steal the cryptocurrency balance of the victim.

The botnet is being used to run a distributed-denial-of-service attack that aims to knock legitimate Electrum servers offline and force users to connect to malicious servers instead. Although Electrum has addressed the issue through an updated wallet software, it requires users to update their wallet and given the escalation of the botnet, it’s clear many have not done so.

The new data comes from Malwarebytes Inc., which has been closely monitoring the Electrum botnet. According to security researchers at the company, the amount of funds stolen has now increased to $4.6 million.

“The botnet that is flooding the Electrum infrastructure is rapidly growing,” the researchers say. “Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000.” Since that time, the botnet has floated around the 100,000 mark, lower but still large.

The researchers have also identified two distribution campaigns that are fueling the botnet dubbed Smoke Loader and RIG exploit kit. Each of them is used to install ElectrumDoSMiner malware that powers the DDoS attack against legitimate Electrum servers.

The locations of the devices infected and being used in the botnet are primarily located in the Asia-Pacific Region as well as Brazil and Peru.

“The number of victims that are part of this botnet is constantly changing,” the researchers conclude. “We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DDoS attacks.”

Photo: Pixabay