Hacker behind 1,400 BTC Electrum wallet theft transacted on Binance

On Aug. 30, a GitHub user made a post about losing 1,400 Bitcoin (BTC) via an elaborate hack that affected his Electrum wallet. On-chain analysis indicates that the hackers had a Binance account and that some of the transactions used to move the stolen coins may have originated in St. Petersburg, Russia. However, it is important to note that conclusions afforded by on-chain research are generally more probabilistic than deterministic.

On-chain analysis of the hack. Source: Cointelegraph, Crystal Blockchain.

Even so, there is no clarity on how the attack was perpetrated, as Electrum's software is considered to be secure if properly configured. The claimant said that the attack happened after he ran the wallet for the first time since 2017. He alleges that when he installed a software update, his entire balance was transferred to an unknown address.

Two hops away from the scammer’s address is a 5 BTC Binance withdrawal that occurred in January 2018. However, the corresponding transaction number is associated with over 75 different addresses, according to a Binance spokesperson, and is not from a specific Binance user. The exchange's CEO Changpeng Zhao tweeted yesterday that Binance has blacklisted the addresses involved:
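The "two hops away" reasoning above, and the caveat that a withdrawal transaction paying many addresses does not identify a single exchange customer, can be made concrete with a small transaction-graph walk. The following is an added example, not code from the article or from any of the parties it names; the transactions, addresses and the "Binance withdrawal" label are constructed placeholders, and the hop definition (one hop per transaction traversed between a funding address and a funded address, in either direction) is this example's own assumption.

```python
"""Hop-distance tracing over a constructed Bitcoin transaction graph.

Added example: models transactions as input/output address sets, walks the
graph outward from a theft address, and reports the hop distance at which a
labelled exchange withdrawal is first traversed, together with how many
outputs that withdrawal paid. A batch withdrawal with many outputs cannot be
tied to one customer, which is why such findings stay probabilistic.
"""
from collections import deque

# Constructed sample transactions; every address and txid here is a placeholder.
TXS = [
    {"txid": "tx1", "inputs": ["victim"], "outputs": ["thief1"]},
    {"txid": "tx2", "inputs": ["thief1"], "outputs": ["split_a", "split_b", "split_c"]},
    # A single exchange withdrawal that paid several customers in one batch.
    {"txid": "exch_wd", "inputs": ["exchange_hot"], "outputs": ["split_b", "user_x", "user_y"]},
    {"txid": "tx3", "inputs": ["split_a"], "outputs": ["cashout"]},
]
# Constructed label, standing in for an exchange attribution from a chain-analysis tool.
LABELS = {"exch_wd": "exchange withdrawal (constructed label)"}


def build_adjacency(txs):
    """Map each address to the (neighbour_address, txid) pairs it is linked by.
    Two addresses are linked when one funds the other inside a transaction."""
    adj = {}
    for tx in txs:
        for src in tx["inputs"]:
            for dst in tx["outputs"]:
                adj.setdefault(src, []).append((dst, tx["txid"]))
                adj.setdefault(dst, []).append((src, tx["txid"]))
    return adj


def trace_hops(txs, start, max_hops=3):
    """Breadth-first walk from `start`, at most `max_hops` transactions deep.
    Returns {txid: hop_count} giving the hop at which each tx is first traversed."""
    adj = build_adjacency(txs)
    seen_tx = {}
    visited = {start}
    frontier = deque([(start, 0)])
    while frontier:
        addr, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for nbr, txid in adj.get(addr, []):
            seen_tx.setdefault(txid, hops + 1)
            if nbr not in visited:
                visited.add(nbr)
                frontier.append((nbr, hops + 1))
    return seen_tx


def labelled_hits(txs, start, labels, max_hops=3):
    """Report every labelled transaction reached from `start`: its hop distance,
    how many outputs it paid, and whether it could point at one recipient."""
    by_id = {tx["txid"]: tx for tx in txs}
    hops = trace_hops(txs, start, max_hops)
    hits = []
    for txid, label in labels.items():
        if txid in hops:
            n_out = len(by_id[txid]["outputs"])
            hits.append({
                "txid": txid,
                "label": label,
                "hops": hops[txid],
                "shared_outputs": n_out,
                # One output would be attributable; a batch payout is not.
                "attributable": n_out == 1,
            })
    return hits


if __name__ == "__main__":
    for hit in labelled_hits(TXS, "thief1", LABELS):
        print(hit)
```

Run against the constructed graph, the walk reaches the labelled withdrawal two hops from `thief1` but flags it as non-attributable because the same transaction paid three outputs; a real investigation would swap the constructed `TXS` and `LABELS` for data from a block explorer and an attribution dataset.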

We blacklisted the addresses involved, but ...

— CZ Binance (@cz_binance) August 30, 2020

After gaining control of over 1,400 BTC, the criminals began to move the coins around and split them into smaller wallets. On a few occasions, the Bitcoin node that relayed these transactions was traced to St. Petersburg, Russia, though it is possible the thieves were using a VPN to obscure their true location.
