
Topic: Electrum Phishing Attack 2018-2019 – A closer look into the stolen funds. (Read 869 times)

legendary
Activity: 2408
Merit: 2226
I read the blogs and there is interesting information about the hacked funds. But unfortunately we couldn't identify the hackers due to decentralized exchanges. Very likely even centralized exchanges would not expose scammers due to their business policies (if there is no pressure from higher government). That's crypto nature and that's the reason how hackers are skipping. Also that's the reason why bitcoin is most popular as well.
legendary
Activity: 2730
Merit: 7065
Help. I was just scammed by this fake Electrum security update 4.0.0. Where is the sticky/FAQ on how to clean up the mess after it already happened? This was just my second BTC transaction. I'm new.
There is no such sticky as far as I know.
If you clicked on a fake message that was shown to you when you opened your Electrum client and downloaded a wallet from a phishing site, chances are that your funds are already gone.

If you want to be 100% sure that it has not left any malware or other traces on your computer you should reinstall your OS and in the future download Electrum manually ONLY from the official site and make sure you verify the signatures before installing anything on your computer.

Everything you need to know is explained on the official Electrum site.
newbie
Activity: 4
Merit: 0
Help. I was just scammed by this fake Electrum security update 4.0.0. Where is the sticky/FAQ on how to clean up the mess after it already happened? This was just my second BTC transaction. I'm new.
newbie
Activity: 49
Merit: 0
Hello,

Clain investigated Electrum wallet attacks and concluded at least two groups of hackers succeeded in stealing 810 BTC and laundering them via decentralised crypto exchanges such as Bisq and MorphToken.

https://blog.clain.io/electrum-phishing-attack/

Interesting reading. Thank you.
legendary
Activity: 2730
Merit: 7065
Also, whenever I typed electrum in Google, I don't think I've ever seen any fake Electrum wallet sites under Google search on the 1st page... unless you are talking about those Google ads where they list Electrum wallet at the top, which are most likely fakes?
You don't see them because they get reported and then removed by Google.
Never trust the AD results! Currently there are none for Electrum and lately they are hard to come by even for famous exchanges. In the past googling Electrum or Binance would show you an ad as well. The lack of crypto related ads is probably Google's way of fighting crypto.
legendary
Activity: 3234
Merit: 5637
I can't get any ads to show up for Electrum, so I'm guessing Google might have finally just blocked that as a keyword after receiving so many reports (or maybe the Electrum devs simply purchased the keyword themselves).

There are no fake sites on top of my search results, also with adblock off, but this does not mean they do not exist; they are probably just being displayed by geolocation. I am not sure if AdWords has this option, but recently there was a thread about fake bitcointalk sites, and by using the same keywords a few users got different results.

It is possible that hackers are targeting users from specific countries, or that Google is blocking such ads, but I doubt this option.
HCP
legendary
Activity: 2086
Merit: 4363
How does one get to the fake domain? You mean by typing electrum in Google, right?
That generally seems to be how people end up finding these "fake" domains... personally, I don't ever see them. But I put that down to the adblockers that I use.

There is a reason why people say, don't just rely on whatever is the top result on Google. A lot of the time it'll be a keyword ad... and they don't really moderate what shows up until the sites are reported via their "safe browsing" reporting system.

I can't get any ads to show up for Electrum, so I'm guessing Google might have finally just blocked that as a keyword after receiving so many reports (or maybe the Electrum devs simply purchased the keyword themselves).
legendary
Activity: 3472
Merit: 10611
HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?

that would require the "official site" or electrum.org to be compromised, and just because so far it has never happened it doesn't mean it never will. in other words you should never trust anything, always try to verify. all you have to do is spend enough time figuring out if the PGP public key that you have acquired is the right one or not. then from that day onward you only have to verify if the downloaded file is signed with the same key or not and whether you want to trust the owner of that key (Thomas V.)
full member
Activity: 1792
Merit: 186
HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?
Not that I'm aware of... most of the "I definitely downloaded from Official site" claims turn out to be incorrect after the user actually views their browser history and sees exactly where they downloaded from. In most instances they simply see an identical site and think it's the official one, but it'll be electrum.net or electrun.org or one of the punycode URLs etc.

The sneakiest one I've seen so far is a fake domain that redirects you to the official site on subsequent visits... so it lets you download the fake, then if you try and go to that URL again, it simply redirects to the official site to make you think you were on the official site all the time... very sneaky.

But even though there hasn't been a hack on the official server that puts fake versions on their download server... I still verify the signature. It takes less than 30 seconds.


Hey HCP... yes, the first statement you made makes a lot of sense. Ppl could think they installed it from the actual site when they did not.

But the fact that there has not been a case of downloading from the legit site... means hackers haven't done that yet.

How does one get to the fake domain? You mean by typing electrum in Google, right? Also, whenever I typed electrum in Google, I don't think I've ever seen any fake Electrum wallet sites under Google search on the 1st page... unless you are talking about those Google ads where they list Electrum wallet at the top, which are most likely fakes? I think when these Electrum issues and fake wallets were happening in early 2018, I don't think I saw a fake wallet site on the 1st page of Google. I mean, if there were, it had to have been maybe 1 or max 2, right? Of course I'm not talking about the ones at the top with Google ads. So I'm wondering how ppl find these fake Electrum wallet sites unless it's always the one at the top?
HCP
legendary
Activity: 2086
Merit: 4363
HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?
Not that I'm aware of... most of the "I definitely downloaded from Official site" claims turn out to be incorrect after the user actually views their browser history and sees exactly where they downloaded from. In most instances they simply see an identical site and think it's the official one, but it'll be electrum.net or electrun.org or one of the punycode URLs etc.

The sneakiest one I've seen so far is a fake domain that redirects you to the official site on subsequent visits... so it lets you download the fake, then if you try and go to that URL again, it simply redirects to the official site to make you think you were on the official site all the time... very sneaky.

But even though there hasn't been a hack on the official server that puts fake versions on their download server... I still verify the signature. It takes less than 30 seconds.
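The lookalike hosts described in the post above (electrum.net, electrun.org, punycode URLs) can be picked out of a browser history mechanically. The Python sketch below is an added example, not part of the original post or of Electrum; the function names, the sample URLs, treating subdomains of the official sites as official, and the two-label shortcut for the registrable domain are assumptions.

```python
from urllib.parse import urlsplit

# Official download sites named in the thread and in the quoted Electrum-LTC notice.
OFFICIAL = ("electrum.org", "electrum-ltc.org")

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character swaps like m -> n."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'punycode', 'lookalike' or 'unrelated' for a download URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return "official"
    labels = host.split(".")
    # IDN homographs show up in history as xn-- labels or as raw non-ASCII text.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "punycode"
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    candidate = ".".join(labels[-2:])
    for o in OFFICIAL:
        same_name_other_tld = candidate.split(".")[0] == o.split(".")[0]
        if o in host or same_name_other_tld or edit_distance(candidate, o) <= 2:
            return "lookalike"
    return "unrelated"

def suspicious_downloads(history):
    """Keep only the history entries that imitate an official site."""
    verdicts = ((url, classify(url)) for url in history)
    return [(u, v) for u, v in verdicts if v in ("punycode", "lookalike")]

# Constructed browser-history sample; the paths and the xn-- label are made up.
SAMPLE_HISTORY = [
    "https://electrum.org/#download",
    "http://electrum.net/constructed/electrum-setup.exe",
    "https://electrun.org/download",
    "https://xn--constructed-label.org/electrum.exe",
    "https://electrum.org.downloads.example/update",
    "https://github.com/",
]

if __name__ == "__main__":
    print(*suspicious_downloads(SAMPLE_HISTORY), sep="\n")
```

A clean result only says the download came from the expected host; it does not replace checking the file against its .asc signature.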
jr. member
Activity: 429
Merit: 7
It is very unlikely that this happens.
But I always check the download link in the bottom left
of my browser and in the browser address on top.

If your computer is infected, then it's way more likely
that you will be redirected to another site.
This is why you should use a clean computer
which you only use for wallet transactions.
full member
Activity: 1792
Merit: 186
...but if they've never seen that message ever and it looks legit since it's from the client, most ppl wouldn't think much of it unless they are very cautious about it, right?
One could also argue that if a piece of software they've been using for a long time suddenly does something they've never seen before (i.e. suddenly pops up an 'Update' message), would that not make you suspicious that something might not be right?

Still, I agree with pooya87... verifying the digital signature is an absolute must... even when I've manually typed in electrum.org and downloaded the .exe from the official site... I'll still grab the .asc and verify the .exe is legit BEFORE I run it.

EVERY. SINGLE. TIME.



HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?
legendary
Activity: 3234
Merit: 5637
I didn't open my Electrum for a while because of this issue as I didn't want to risk anything.

To my knowledge you have a Ledger Nano S, so why are you worried about Electrum security so much? You can use Electrum only as a user interface with the Nano S, and if you download it from the official site, you have nothing to worry about - your private keys are safe.

Any fork of Electrum is unsafe in older versions; they all share the same code which hackers exploit. You just need to read what is written on any site you visit, and for example this is the warning on the official Electrum LTC:

IMPORTANT NOTICE (February 2019)

Versions of Electrum and Electrum-LTC older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. To prevent user exposure, versions older than 3.3 can no longer connect to public servers, and must be upgraded. Do not download software updates from sources other than electrum.org and electrum-ltc.org.
legendary
Activity: 2730
Merit: 7065
Also it's been said that there was a message you need to click on to update. So if you click on that link... what happens? It brings you to a website?
That is exactly the problem. Users click on those messages that lead them to fake websites where they download fake wallets and use them without verifying if they are genuine or not, so you should not do that!

We have gotten used to our software informing us that there are new updates and we can simply update by clicking on the displayed buttons but unfortunately that is not the case with Crypto and Electrum.

There are 3 big mistakes all users have made who have lost Bitcoin this way.
1. They clicked on unsafe links
2. They downloaded software from fake websites without noticing it.
3. They used that fake software without verifying the signatures of the downloaded files.

 
 
HCP
legendary
Activity: 2086
Merit: 4363
...but if they've never seen that message ever and it looks legit since it's from the client, most ppl wouldn't think much of it unless they are very cautious about it, right?
One could also argue that if a piece of software they've been using for a long time suddenly does something they've never seen before (i.e. suddenly pops up an 'Update' message), would that not make you suspicious that something might not be right?

Still, I agree with pooya87... verifying the digital signature is an absolute must... even when I've manually typed in electrum.org and downloaded the .exe from the official site... I'll still grab the .asc and verify the .exe is legit BEFORE I run it.

EVERY. SINGLE. TIME.
legendary
Activity: 3472
Merit: 10611
The thing is this. If you haven't used Electrum in a long time, you have to agree most ppl wouldn't have a clue about this, right? I mean, if someone used Electrum but hasn't opened it in a long time and just holds their BTC, you can't really fault them for seeing a message there and upgrading it, right? I know a lot of ppl say it's the person's fault... but if they've never seen that message ever and it looks legit since it's from the client, most ppl wouldn't think much of it unless they are very cautious about it, right?

no you can't blame people for seeing such messages and trusting it and even if they download the binaries provided by the fake link. but you can blame them for not verifying the signature of the file they just downloaded because it is the very first step that they should do before they install anything that is this serious security-wise.
full member
Activity: 1792
Merit: 186
Okay, I did not know it was other Electrum versions as well... thought it was only the BTC version of it.

The thing is this. If you haven't used Electrum in a long time, you have to agree most ppl wouldn't have a clue about this, right? I mean, if someone used Electrum but hasn't opened it in a long time and just holds their BTC, you can't really fault them for seeing a message there and upgrading it, right? I know a lot of ppl say it's the person's fault... but if they've never seen that message ever and it looks legit since it's from the client, most ppl wouldn't think much of it unless they are very cautious about it, right?

I didn't open my Electrum for a while because of this issue as I didn't want to risk anything.
legendary
Activity: 3472
Merit: 3217
Does anyone know if this was only done to Electrum users? What about Electrum-LTC?
There is a fake Electrum LTC version 4.0, the same as the fake Electrum 4.0 for Bitcoin. Not only Electrum for Bitcoin is suffering from this attack, but most of the Electrum forks.

Also, I had no idea of this but there are other Electrum-Dash wallets as well. Did those get hacked as well with the version or was it only the Electrum with Bitcoin?
Like I said above, not only the original Bitcoin version is suffering, but also other Electrum forks for altcoins.

Also it's been said that there was a message you need to click on to update. So if you click on that link... what happens? It brings you to a website? Or did it automatically download the program? I assume it goes to a site... then you still have to click on the link itself? What is the site of the link? Was it GitHub or the Electrum site itself, but a phishing site? What if you downloaded the program but never opened it? Does anyone know if you are still safe if that was the case? Also, didn't these Electrum attacks start happening in late 2017? I remember in early 2018 it was huge, but I thought it started in late 2017? When did those fake Electrum wallets start happening? That was 2017, right? But it was this complicated and tricky hacking that happened in early 2018?

If you click the link you will be redirected to the phishing site where you can download the fake Electrum; sometimes it is a fake Electrum and sometimes it redirects you to GitHub.

If you just download it and never open it, it won't affect your wallet.

I heard this attack started around 2017.

Forgot to add this: if you want to see a list of fake Electrum sites you can check the thread below, but this is only for the original Electrum.

- ⚠⚠️⚠~Beware on active phishing Electrum websites~⚠⚠️⚠ (Collection list updated)
full member
Activity: 1792
Merit: 186
Does anyone know if this was only done to Electrum users? What about Electrum-LTC?

Also, I had no idea of this but there are other Electrum-Dash wallets as well. Did those get hacked as well with the version or was it only the Electrum with Bitcoin?

Also it's been said that there was a message you need to click on to update. So if you click on that link... what happens? It brings you to a website? Or did it automatically download the program? I assume it goes to a site... then you still have to click on the link itself? What is the site of the link? Was it GitHub or the Electrum site itself, but a phishing site? What if you downloaded the program but never opened it? Does anyone know if you are still safe if that was the case? Also, didn't these Electrum attacks start happening in late 2017? I remember in early 2018 it was huge, but I thought it started in late 2017? When did those fake Electrum wallets start happening? That was 2017, right? But it was this complicated and tricky hacking that happened in early 2018?
HCP
legendary
Activity: 2086
Merit: 4363
I understand how Tails uses Linux, but do you mean using Electrum on a portable version on a hard drive with Tails installed on it, would that work?
Tails actually has a version of Electrum pre-installed... However, I am not sure if it has been updated to Electrum 3.3+ as yet tho (so you may get sync issues). Having said that, there are ways to manually update it yourself: https://blog.thestever.net/2019/02/26/upgrading-electrum-on-tails-to-3-3-4/