Topic: Electrum Phishing (Read 454 times)

Hey BugBasher82, we wrote about a method that could help you avoid such scams in the future.

https://bitcointalksearch.org/topic/guide-using-google-alerts-to-avoid-getting-scammed-5118417

Sorry for your lost and hope this helps you.

Most likely because it is technically malware aka "malicious software"... as it does "Bad Things"™ that are not authorised/wanted by the user. It is software disguised to look like an Electrum wallet that sends out all your coins and/or your wallet seed/private keys/wallet file.


You'll note that is pretty much what I said...

why does "malware" keep coming up here? there is NO malware to be detected at least not in the alternate (fake) Electrums that i have seen so far. it is simply an addition of a couple of lines of code that spends your coins to a specific hardcoded address. that is not malware, that is simple wallet functionality like the functionality of the real wallet!
as soon as you enter your password, so that the fake wallet has access to the decrypted keys, it runs a simple code which looks like this:
you can't detect this with an antivirus! if your AV detected this then it should have also warned you every time you opened your real electrum!

Let me be honest here, I was (gullible enough to get) hacked a couple of times over the years crypto became my hobby. I've dealt with well over 200 different wallets over the years and probably like 2 dozen different miner softwares (still have most of them) and it took a while before I started I got slapped with a dose of reality and losing many coins. Then I started using Sandboxie and quickly learned that it has to be used with custom settings (default settings are no good at all, that still have read rights of everything important, like wallet.dat or browser user data) and then moved over to using multiple separate PCs.

You always think it won't be you and when you do lose some coins you tighten up your security and given time you start to feel safer than you actually are as you drop your previous security routines. At least most people do.

As I, and many others have said before, antivirus software doesn't help at all. Malware can be sophisticated enough to fly under it (encryption) or disable it or have its payload trigger without it detecting it. Just don't ever fully trust them on an important machine. Just think about how many times you trusted something with "false positives". Great malware mostly doesn't even give false positives.


Anyway, I'm 90% sure the phising wallet had no persistent parts and that my PC was fine but after I safely moved my coins to an offline machine I reinstalled it completely. Why risk that 10%? It's not a 10% tax, it's 0 or 100%.
It's a hassle and it takes days to get everything back to the way it was and it is a pain in the ass to deal with many transactions through a separate machine, it sure beats even just having to worry about one day waking up being emptied.

And you can always store some coins in a hot wallet. Risk and reward, or in this case risk versus lack of annoyance. Don't be lazy people.

Given that your antivirus failed to actually inform you about the malware wallet in the first place, resulting in monetary loss, are you sure that your faith in your antivirus is correctly warranted?

It has been stated multiple times that antivirus/malware software are generally only good at detecting known threats that have identified signatures. There are certain things they cannot really protect you from... like a piece of software that contains "normal" functionality (ie. software sends/receives "data" over the internet) but abuse/use this functionality in a malicious manner (ie. software sends "wallet seed/private key" information over the internet).

Chances are simply deleting the wallet will be "OK", as it seems like the malware wallet, in this instance, was only used to immediately send out a transaction emptying the wallet and/or sending the users seed to the attackers... it doesn't look like it installed any additional malware... BUT if you want to be completely certain the threat is gone... reformat your PC and reinstall the OS.

Just take an observation but if things goes well then there's no need to re-install a fresh OS which it is really a very hassle thing to do when wiping out your 3rd party programs that are being
commonly used.
There are some files that cant really be removed nor detected by some AV thats why im a little bit paranoid when i do experienced malware attacks which i do always have the doubts.

I would recommend format your HD and install a new Linux.

I wouldn't risk it if I were you. If you have a lot of assets worth protecting on that PC just reinstall it to be perfectly safe. If you had a fake software installed who knows what else it could have done to your system that your AV hasn't yet picked up! 

So far my other wallet are safe, I was able to do a successful transaction after I got phish with a small amount.
I don't need to reinstall my OS as I believe my antivirus would detect if there's some traces left, hopefully I'm be safe and I would regret if my funds will be stolen again since I don't follow other's suggestion to have my PC fresh.

@DireWolfM14 Yep, the payload could be encrypted or otherwise hidden so scanners are never a 100% reliable, we know that. I got used to verifying my download sources but I've never seen an Electrum broadcast message so it took my guard down. And after seeing how many people got fooled by it, in many waves and since how long ago since the first, I'm feeling pretty annoyed with how the Electrum devteam is handling it.

I moved my funds to an offline computer and will be formating this PC.

It's just people tend to become lazy with security until they get caught. Didn't lose anything but easily could have. Anyway, thank your for your help.

I have a hard time trusting third party virus and malware removers when it comes to crypto wallets.  A scammer can take measures to mitigate the chances of their malware being found, or you could get false positives.

To be on the safe side, I would reinstall the OS.  That's likely overkill, but my financial security deserves overkill.

@OP and bathrobehero, learn to use PGP and verify the signature when you download Electrum.  It's a great desktop wallet, and is worth the extra security steps to make sure you're using it safely.  Otherwise, hardware wallets are a great alternative.

Never heard yet that they are also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes and deep scan on kaspersky might find some suspicious activity in your PC. Also, I recommend you to use IObit advance uninstaller to fully remove all traces from your PC including Regedit before you install the legit Electrum wallet.

I'm late but I just got tricked into the fake, 4.0.0 version in a hurry and the moment I knew it was fake when it asked for my 2FA when I launched it. So I didn't give it to them.

Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes and I didn't find any new or suspicious files or any extra running processes or msconfig service/startup entries so now I'm wondering if it had any persistent elements to it as I don't think so but I'm curious about others. Did it also target other wallets?

hey OP, pooya87 made a very good point about verifying your downloads. It could have helped prevent what happened to you. This is a good site that covers it. Link. Sorry for what happened to you.

Thank you for all the info good people.

I think I am going to go with a format C: and reinstall just to be on the safe side.

Goodness knows what could have been done by me running a malicious .exe on my machine.

Serious stupidity on my part but very cleverly implemented by the hackers, they really tricked me good but have to say, I'm astounded Electrum left themselves open to this type of vulnerability. I mean the hackers actually manage to block initial outgoing transactions in order to fool you into thinking you need an update.

Bastards.

Some say that it's just enough to remove fake version, and then install original from official site, but I would not feel safe to do only that. A safer option would be to format the disc and install fresh OS, and if you do not want to do it be sure to delete all traces of fake Electrum, and to do that go just paste %appdata%\Electrum in your C:/ and delete Electrum folder.

Good AV would probably stop you to even download such fake file, so consider some better option than you have now, or even better invest in hardware wallet.

The idea to put a few bucks onto the wallet and wait for a couple of days is not bad at all.

The only thing I'd do would be a thorough scan. I don't know if you ran the AV scan from an installed Bitdefender or from a bootable DVD/USB. I would download 1-2 reputed "recovery" antivirus images (at least one different from Bitdefender), burn them, boot and scan from them. May be a bit of overkill, but if you want to be 100% sure, this is a possible direction.

I feel you man, I was a victim of this today and I loss my money as well, luckily that was only BTC0.0075.

This is what happen to me which I posted in this thread https://bitcointalksearch.org/topic/m.49936408

This is electrum related topic so it must be on Development & Technical Discussion > Wallet software > Electrum .

As they suggested, just download to the main site and don't go with any other websites which isn't owned by electrum and you're going to be fine with what you are downloading especially with desktop wallets like electrum.

Downloading from the official website is a must because then security will be guaranteed, there are currently many services that provide this.
So please note that there are a lot of phishing sites and that our assets are not guaranteed.