Topic: [2018-12-19] Electrum Wallet Attack May Have Stolen As Much as 245 Bitcoin! (Read 388 times)

legendary
Activity: 1652
Merit: 1483
Yeap. Custodial services and insured deposits are going to be the main attraction (even though it's been pointed out that not a single one of those hacked exchanges in South Korea or Japan, supposedly insured with licences, have actually paid out a single cent in insurance!).

I would be extremely curious to see if anyone ever gets a successful insurance payout if they were cleaned out.

The only Western one I can think of was Bitpay trying to claim $1 million when an employee was old school phished or something. They were told to bugger off.

that's totally different though. deposit insurance protects depositors from the bank's losses (or an exchange's). if a bank gets robbed or an exchange gets hacked, it covers depositors.

in the bitpay incident, the policy only covered unauthorized access (hacking) of bitpay's system. that's why the court dismissed the case pretty quickly---bitpay executives got fooled by spoofed emails. there was no hacking.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
Yeap. Custodial services and insured deposits are going to be the main attraction (even though it's been pointed out that not a single one of those hacked exchanges in South Korea or Japan, supposedly insured with licences, have actually paid out a single cent in insurance!).

I would be extremely curious to see if anyone ever gets a successful insurance payout if they were cleaned out.

The only Western one I can think of was Bitpay trying to claim $1 million when an employee was old school phished or something. They were told to bugger off.

It's almost always someone being slack somewhere which is exactly the type of thing insurers use to reject claims.
legendary
Activity: 2968
Merit: 3684
Maybe soon people won't even remember what a private key is.

Unfortunately, that's the case already to a small (but constantly growing) degree. Where you have a problem popping up, some entity will use that problem to its advantage to develop a whole new set of products, where these products being insured is a very important one. It completely takes out the risk for the buyer, whoever that may be, and that's what the non crypto enthusiasts are looking for in the end.

Financial institutions are champions in creating new products, and I'm sure one of the mega banks will pop up and feast on a whole new group of investors looking to buy into Bitcoin's exposure. Let's be honest, most of them don't need a new form of money, they just want to be part of the new thing that keeps going up. If there is demand for centralized products, the supply will be there as well.

Yeap. Custodial services and insured deposits are going to be the main attraction (even though it's been pointed out that not a single one of those hacked exchanges in South Korea or Japan, supposedly insured with licences, have actually paid out a single cent in insurance!).

For now, the neo banks are leading the way, but I'm seeing now consultancies like Accenture already offering wholesale banking products - blockchain-based - and recruiting the talents for that too. Can't tell what these are exactly, but they're all spins on crypto and like you said, feeding the demand.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
Big Electrum user here, and the increased threats we've seen to me is a compliment to Electrum's reach and popularity. I wouldn't say it's more vulnerable than other clients in its class - kind of the same argument that Chrome is more vulnerable than Vivaldi because it's got more attacks on it.

I think that's the case too. It's extremely popular. Years ago, it was estimated to account for 10% of the world's Bitcoin transactions, and its visibility has only grown over time. Countless altcoins have forked Electrum too, signifying its popularity. It's the best lightweight wallet on the market so it has a large contingent of casual and newbie users -- who have big targets on their back.
legendary
Activity: 1652
Merit: 1483
why not?

Because numpties respond to phone calls from fake bank fraud departments all the time and are told to send their money to other accounts for 'safekeeping.'

Similarly you get man in the middle stuff where the bank details of house sales are sent through a hijacked email and off goes someone's money to a scammer.

You'd think that since it's all on their ledger banks would be able to squash moves like this flat immediately but a lot of the time they don't and tell the customer they're on their own. Crypto totally removes that ability, not that they seem to exercise it at present.

This is how it is in the UK where bank transfers are instant and free. It may well be different in countries with third world banking like the US.

it would actually work quite the same. if banks already tell customers they're on their own with bank transfers, why can't that apply to crypto? crypto doesn't remove that ability at all since it's all internal ledgers until interbank settlement occurs. whether we're talking bank wires or on-chain settlements between banks, once interbank settlement occurs, customers who got scammed are out of luck because the money is gone. same as today.

banks may protect consumers from fraudulent use of credit cards under specific circumstances, but it's not their job to reimburse customers for irreversible payments like wires and cash withdrawals. the same applies to crypto depositors who withdraw to external addresses.

within the banking app, i think it would work the same as credit cards today---you have a trusted network processor like mastercard. these can be protected from fraudulent use like credit card purchases because it's pre-settlement.
legendary
Activity: 2170
Merit: 1427
Maybe soon people won't even remember what a private key is.

Unfortunately, that's the case already to a small (but constantly growing) degree. Where you have a problem popping up, some entity will use that problem to its advantage to develop a whole new set of products, where these products being insured is a very important one. It completely takes out the risk for the buyer, whoever that may be, and that's what the non crypto enthusiasts are looking for in the end.

Financial institutions are champions in creating new products, and I'm sure one of the mega banks will pop up and feast on a whole new group of investors looking to buy into Bitcoin's exposure. Let's be honest, most of them don't need a new form of money, they just want to be part of the new thing that keeps going up. If there is demand for centralized products, the supply will be there as well.
legendary
Activity: 2968
Merit: 3684
Big Electrum user here, and the increased threats we've seen to me is a compliment to Electrum's reach and popularity. I wouldn't say it's more vulnerable than other clients in its class - kind of the same argument that Chrome is more vulnerable than Vivaldi because it's got more attacks on it. But yes, it's going to be really difficult to get normies to use software if their basic behaviours regarding security aren't fixed.

Hell, you could use the toughest hardware or paper wallet, but if you fall for a message telling you to do stuff you're not supposed to...

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins.

you're right. a lot of people can't be bothered figuring out cold storage. for those with poor security practices, a bookmarked secure web site + password and 2FA can be the best option. that's just the unfortunate reality. the UI can be difficult for technophobes on top of security matters too. i've known people who have fucked up by sending to their "sent" addresses instead of their "receiving" addresses and things like that.

also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.

Never mind figuring out cold storage, far too many people aren't even willing to do more than remember a username and password - which is the crazy reason why so many people I know just refuse to use a proper wallet where they control their own private keys. They deliberately want to trust someone else, so yeah, Bitcoin banks? With custodian protection and deposit insurance? That idea is just going to appeal to them. Maybe soon people won't even remember what a private key is.
legendary
Activity: 3542
Merit: 1965
The common response from people on this forum is to check the PGP signature from the official site, before you do any updates, but most people do not even know what it is and how to look for it. They will have to find a way to prevent people from downloading any software from phishing sites, without making it too difficult to spot the phishing site from the original source.

The average user has difficulty with the most basic concepts, so why would they not struggle with complex concepts like this? The developers always over engineer the software and it goes over the heads of most basic users. :(
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
why not?

Because numpties respond to phone calls from fake bank fraud departments all the time and are told to send their money to other accounts for 'safekeeping.'

Similarly you get man in the middle stuff where the bank details of house sales are sent through a hijacked email and off goes someone's money to a scammer.

You'd think that since it's all on their ledger banks would be able to squash moves like this flat immediately but a lot of the time they don't and tell the customer they're on their own. Crypto totally removes that ability, not that they seem to exercise it at present.

This is how it is in the UK where bank transfers are instant and free. It may well be different in countries with third world banking like the US.
legendary
Activity: 1652
Merit: 1483
also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.

As banks are closing physical branches and pushing their, quite often totally unwilling, customers into online banking they're becoming far less forgiving of those who fall for online scams. I seem to remember my online banking having some sort of disclaimer about that.

Though this is unfortunate in the extreme I'm sure much more coinage is lost to user gullibility and slackness during login and sending. Bitcoin banks won't address that.

why not? bank applications are walled gardens---i don't see that changing. it's not like you'll login to hsbc and start making bitcoin transactions like it was a bitcoin wallet. you would do p2p transfers among intra-bank customers same as you would today (via account, not bitcoin address). i'm guessing there would be an approved network of merchants (think mastercard or the plus network) and you would interface with them through a touchless banking app. we're talking about a trusted network of verified/approved customers and merchants.

in other words, nobody would be using bitcoin at all. these would all be offchain transactions that only require a bank to manipulate its internal ledger, until and unless they had to periodically settle with other banks.

if you were to withdraw BTC from the banking system (like withdrawing cash at an ATM), obviously you're on your own and the bank won't protect you.
hero member
Activity: 672
Merit: 526
It was such a stupid and yet so profitable mistake. It is becoming increasingly clear that people need to separate spend wallets from pig wallets. And pig wallets need to be rarely accessed. So, if any error occurs, you would lose only a small part of what you own.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.

As banks are closing physical branches and pushing their, quite often totally unwilling, customers into online banking they're becoming far less forgiving of those who fall for online scams. I seem to remember my online banking having some sort of disclaimer about that.

Though this is unfortunate in the extreme I'm sure much more coinage is lost to user gullibility and slackness during login and sending. Bitcoin banks won't address that.
legendary
Activity: 1652
Merit: 1483
This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins.

you're right. a lot of people can't be bothered figuring out cold storage. for those with poor security practices, a bookmarked secure web site + password and 2FA can be the best option. that's just the unfortunate reality. the UI can be difficult for technophobes on top of security matters too. i've known people who have fucked up by sending to their "sent" addresses instead of their "receiving" addresses and things like that.

also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.
hero member
Activity: 1073
Merit: 666
Hmm I won't use Electrum wallet, it seems too vulnerable.
legendary
Activity: 4228
Merit: 1313

I love Bitcoin, but it requires so much extra attention and care in terms of security, that I perfectly understand why certain parties aren't digging in yet. This isn't the banking system where you can claim that your funds have been stolen and the odds of being refunded are pretty high. In this case lost is lost.

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins. And things will get harder in the future because as adoption grows, hackers will spend more effort on finding ways to steal cryptocurrencies.

Perhaps not banks alone per se, but bitcoin financial instruments and entities and by that I mean bitcoin ETFs and similar instruments.  Anyone can go online or call their broker and say "buy $5000 of a bitcoin ETF" and not have to worry about private keys and such.  Of course this is an investment use case vs a transactional use case, but both have a place in the bitcoin ecosystem.

Right now though I wouldn't trust most of the people I know to verify signatures and be sure that they are downloading a legit client for bitcoin (or any other crypto), let alone a grandmother.
legendary
Activity: 1526
Merit: 1179
I myself have been an Electrum user, and I thought that it's really secure but this kind of exploit is really a wake up call for everyone not everyone is vulnerable and those hackers will attack when you least expect it. So far I haven't lost anything though, but nevertheless, I'm sorry for those who have lost their precious Bitcoin and in any case I won't upgrade unless I see some official news from the dev.
I was seriously considering to ditch Electrum and stick to Core, but the thing is that I use ChipMixer regularly and I need a light weight client to near instantly import any private key, which is what Electrum does.

If you do that with Core, it will take hours and hours to get the job done. Yes, I could use something else, but there isn't much that I trust enough to expose my private keys to it.

It's not the first time Electrum messed up, and it probably won't be the last one. The good thing is that they patch exploits quickly, but this could have been prevented by simply disabling links from the very beginning....
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins. And things will get harder in the future because as adoption grows, hackers will spend more effort on finding ways to steal cryptocurrencies.

I'm not sure this will be a circle that can ever be fully squared myself. The people looking to steal your crypto will always be sharper and further ahead than their placid suppliers.

If storage is taken care of in that scenario, they head back to phishing and faking addresses to divert coins and grandma doesn't get a bailout again. It's a conundrum indeed.
legendary
Activity: 3024
Merit: 2148

I love Bitcoin, but it requires so much extra attention and care in terms of security, that I perfectly understand why certain parties aren't digging in yet. This isn't the banking system where you can claim that your funds have been stolen and the odds of being refunded are pretty high. In this case lost is lost.

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins. And things will get harder in the future because as adoption grows, hackers will spend more effort on finding ways to steal cryptocurrencies.
legendary
Activity: 3234
Merit: 5637
So far I haven't lost anything though, but nevertheless, I'm sorry for those who have lost their precious Bitcoin and in any case I won't upgrade unless I see some official news from the dev.

Electrum made a quick fix very fast by changing how the message is displayed in the popup window, so it does not have a direct clickable link to the fake wallet but looks like this:

And they did it the same day the attack started, so maybe they saved a few users who have problems with copy/paste. However, the notice was officially published on the Electrum site https://electrum.org/#download and the version is still the same. So far there is no way to prevent that popup from being displayed if the user is connected to a fake server; the only way is to ignore it and close that window.
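
Added example, not Electrum's code and not part of the post above: one way a wallet client can treat a server-supplied error string as untrusted text before showing it, in the spirit of the "no clickable link" fix described there. The function name, the length limit and both sample messages are assumptions constructed for illustration.

```python
import html
import re
import unicodedata

MAX_LEN = 300  # assumed display limit for a server error string

# http(s):// or www. followed by anything up to whitespace, quote or bracket
_URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
_MARKUP_RE = re.compile(r"<[^>]+>")


def _defang(match):
    """Make a URL unusable as-is: http -> hxxp, every '.' -> '[.]'."""
    url = re.sub(r"(?i)^http", "hxxp", match.group(0))
    return url.replace(".", "[.]")


def render_server_error(raw):
    """Return (safe_text, suspicious) for an untrusted server error string."""
    # 1. Drop control and format characters (bidi overrides, zero-width
    #    characters) that can disguise what the text says; keep newlines.
    cleaned = "".join(
        ch for ch in raw
        if ch == "\n" or unicodedata.category(ch) not in ("Cc", "Cf")
    )
    suspicious = cleaned != raw

    # 2. Bound the length so a server cannot fill the dialog with prose.
    if len(cleaned) > MAX_LEN:
        cleaned = cleaned[:MAX_LEN] + "..."
        suspicious = True

    # 3. A broadcast error has no reason to carry markup or links.
    if _MARKUP_RE.search(cleaned) or _URL_RE.search(cleaned):
        suspicious = True

    # 4. Defang URLs, then escape so a rich-text widget shows literal text
    #    instead of rendering an anchor tag.
    defanged = _URL_RE.sub(_defang, cleaned)
    return html.escape(defanged, quote=True), suspicious


# Constructed samples (not captured traffic); .example is a reserved TLD.
PHISHING_SAMPLE = (
    "Security update required. Download it "
    '<a href="https://wallet-update.example/setup.exe">here</a>\u202e'
)
BENIGN_SAMPLE = "transaction rejected: fee below minimum relay fee"

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(render_server_error(sample))
```

When the second return value is true, a client can go further and show a fixed, locally defined message instead of any server text.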
legendary
Activity: 3080
Merit: 1353
this is really terrible! so inhuman. I cannot fathom such criminal minds.  how can they even sleep peacefully knowing that they stole something they did not work hard for? may God deal with them.

For God's sake they are criminals, they don't f*** care and I'm sure once they encash all Bitcoins they have stolen, they're going to party and sleep like a baby.

I myself have been an Electrum user, and I thought that it's really secure but this kind of exploit is really a wake up call for everyone not everyone is vulnerable and those hackers will attack when you least expect it. So far I haven't lost anything though, but nevertheless, I'm sorry for those who have lost their precious Bitcoin and in any case I won't upgrade unless I see some official news from the dev.
legendary
Activity: 2170
Merit: 1427
As horrible as it is for those who lost funds in the process, these things need to happen in order to have people wake up and realize that they are a walking target, regardless of what client/software/mobile/desktop they use. I'm glad that I am extremely paranoid by nature, so I always ignore pop ups from whatever piece of software that I have installed.

If there is an update ready, I'll head to the main site, scan the file, sign keys (where possible) and then upgrade.

I love Bitcoin, but it requires so much extra attention and care in terms of security, that I perfectly understand why certain parties aren't digging in yet. This isn't the banking system where you can claim that your funds have been stolen and the odds of being refunded are pretty high. In this case lost is lost.
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
You wouldn't use a PC-based wallet -- what does that mean? The reference client is a PC-based wallet. Are you saying you'd only use a hardware wallet, or a paper wallet (generated on offline PC)?

The most important distinction to make is where your private keys are held -- online or offline. I figure any online desktop wallet is a target for theft, but I don't particularly like hardware wallets either. They have fairly large and untested attack surfaces, multiple theoretical attack vectors, centralized firmware updates, etc. Major vulnerabilities have been found (and quickly patched) as well, just like Electrum.

Electrum can be used such that private keys are kept offline on an airgapped device. That's why I use it. It's also got great UI, is lightweight, Segwit-compatible and can be used in conjunction with your own full node. Lots of selling points!

Paper and hardware indeed. Phones for piddling amounts.

Obviously any wallet is fine on an offline machine. The fact these people got ravaged means they were using it online with a PC.

I'm increasingly less enamoured with hardware wallets too. I think people have been too rapid to embrace them as the ultimate answer when that looks like it's starting to unravel a bit.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
I may well have fallen for this if I was an Electrum user, but I would never use a PC-based wallet in the first place. I've never really understood why Electrum is rated when many use it on an inherently insecure platform.

You wouldn't use a PC-based wallet -- what does that mean? The reference client is a PC-based wallet. Are you saying you'd only use a hardware wallet, or a paper wallet (generated on offline PC)?

The most important distinction to make is where your private keys are held -- online or offline. I figure any online desktop wallet is a target for theft, but I don't particularly like hardware wallets either. They have fairly large and untested attack surfaces, multiple theoretical attack vectors, centralized firmware updates, etc. Major vulnerabilities have been found (and quickly patched) as well, just like Electrum.

Electrum can be used such that private keys are kept offline on an airgapped device. That's why I use it. It's also got great UI, is lightweight, Segwit-compatible and can be used in conjunction with your own full node. Lots of selling points!
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
this is really terrible! so inhuman. I cannot fathom such criminal minds.  how can they even sleep peacefully knowing that they stole something they did not work hard for? may God deal with them.

If something is possible then someone somewhere is going to do it. It only takes one wrong 'un.

People need to account for that and act accordingly.

I may well have fallen for this if I was an Electrum user, but I would never use a PC-based wallet in the first place. I've never really understood why Electrum is rated when many use it on an inherently insecure platform.
newbie
Activity: 60
Merit: 0
this is really terrible! so inhuman. I cannot fathom such criminal minds.  how can they even sleep peacefully knowing that they stole something they did not work hard for? may God deal with them.
legendary
Activity: 3234
Merit: 5637
Electrum Wallet Attack May Have Stolen As Much as 245 Bitcoin

A phishing attack on the Electrum wallet network has possibly managed to steal around 245 bitcoins, worth over $880,000 at today’s prices.

Warning of the attack on Thursday, the firm tweeted: “There is an ongoing phishing attack against Electrum users. Our official website is https://electrum.org Do not download Electrum from any other source.”

The bad actor set up the attack by creating multiple fake servers on the Electrum wallet network. As a result, when wallet users that connected to those servers attempted to broadcast a bitcoin transaction, they received an error message providing a malicious link to malware disguised as an updated wallet, the firm explained on its Github page.

https://www.coindesk.com/electrum-wallet-attack-may-have-stolen-as-much-as-245-bitcoin

Now we know it is much more than 245 BTC stolen in this attack, which is still in progress and will probably eventually result in thousands of stolen BTC.

More info and the development of the situation in the Electrum board: https://bitcointalk.org/index.php?board=98.0