
Topic: Electrum Phishing Attack 2018-2019 – A closer look into the stolen funds.

legendary
Activity: 2408
Merit: 2226
I read the blogs and there is interesting information about the hacked funds. But unfortunately we couldn't identify the hackers due to decentralized exchanges. Very likely even centralized exchanges would not expose the scammer due to their business policies (if there is no pressure from higher government). That's crypto's nature and that's the reason hackers are getting away. That's also the reason why Bitcoin is so popular.
legendary
Activity: 2730
Merit: 7065
Help. I was just scammed by this fake Electrum security update 4.0.0. Where is the sticky/FAQ on how to clean up the mess after it already happened? This was just my second BTC transaction. I'm new.
There is no such sticky as far as I know.
If you clicked on a fake message that was shown to you when you opened your Electrum client and downloaded a wallet from a phishing site chances are that your funds are already gone.

If you want to be 100% sure that it has not left any malware or other traces on your computer you should reinstall your OS and in the future download Electrum manually ONLY from the official site and make sure you verify the signatures before installing anything on your computer.

Everything you need to know is explained on the official Electrum site.
newbie
Activity: 4
Merit: 0
Help. I was just scammed by this fake Electrum security update 4.0.0. Where is the sticky/FAQ on how to clean up the mess after it already happened? This was just my second BTC transaction. I'm new.
newbie
Activity: 49
Merit: 0
Hello,

Clain investigated Electrum wallet attacks and concluded at least two groups of hackers succeeded in stealing 810 BTC and laundering them via decentralised crypto exchanges such as Bisq and MorphToken.

https://blog.clain.io/electrum-phishing-attack/

Interesting reading. Thank you.
legendary
Activity: 2730
Merit: 7065
Also whenever I typed electrum in google, I don't think I ever saw any fake electrum wallet sites under google search on the 1st page... unless you are talking about those google ads where they list electrum wallet at the top, which are most likely fakes?
You don't see them because they get reported and then removed by Google.
Never trust the ad results! Currently there are none for Electrum and lately they are hard to come by even for famous exchanges. In the past googling Electrum or Binance would show you an ad as well. The lack of crypto related ads is probably Google's way of fighting crypto.
legendary
Activity: 3234
Merit: 5637
I can't get any ads to show up for Electrum, so I'm guessing Google might have finally just blocked that as a keyword after receiving so many reports (or maybe the Electrum devs simply purchased the keyword themselves).

There are no fake sites at the top of my search results, even with adblock off, but this does not mean they do not exist; they are probably just being displayed by geolocation. I am not sure if AdWords has this option, but recently there was a thread about fake bitcointalk sites, and using the same keywords a few users got different results.

It is possible that hackers are targeting users from specific countries, or that Google is blocking such ads, but I doubt this option.
HCP
legendary
Activity: 2086
Merit: 4363
How does one get to the fake domain?  You mean by typing electrum in google right?  
That generally seems to be how people end up finding these "fake" domains... personally, I don't ever see them. But I put that down to the adblockers that I use.

There is a reason why people say, don't just rely on whatever is the top result on Google. A lot of the time it'll be a keyword ad... and they don't really moderate what shows up until the sites are reported via their "safe browsing" reporting system.

I can't get any ads to show up for Electrum, so I'm guessing Google might have finally just blocked that as a keyword after receiving so many reports (or maybe the Electrum devs simply purchased the keyword themselves).
legendary
Activity: 3472
Merit: 10611
HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?

That would require the "official site" or electrum.org to be compromised, and just because so far it has never happened it doesn't mean it never will. In other words you should never trust anything, always try to verify. All you have to do is spend enough time figuring out if the PGP public key that you have acquired is the right one or not. Then from that day onward you only have to verify if the downloaded file is signed with the same key or not and whether you want to trust the owner of that key (Thomas V.)
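The check pooya87 describes above, written out as an added example (it is not from this thread and not Electrum's own code): pin the release signer by key fingerprint, not by the name gpg prints next to "Good signature". The fingerprint below is the one electrum.org publishes for ThomasV's key at the time of writing, and the two status-output samples are constructed; confirm the fingerprint through a second channel before relying on it.

```python
import subprocess

# Fingerprint of ThomasV's release-signing key as listed on electrum.org when this
# example was written. Do not take it from a forum post: check it through a second
# channel (the website, a key you already hold, a signed message) before pinning it.
PINNED_FINGERPRINT = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"


def signed_by_pinned_key(status_output, pinned=PINNED_FINGERPRINT):
    """True only if gpg's machine-readable status reports a VALIDSIG from the pinned key.

    status_output is the text gpg writes when run with --status-fd. The human
    readable "Good signature from ..." line is not enough: anyone can generate a
    key with that user id. VALIDSIG carries the full fingerprint of the signing
    (sub)key in its first field and, as its last field, the fingerprint of the
    primary key, so the comparison is made against those.
    """
    pinned = pinned.replace(" ", "").upper()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        sig_fpr = parts[2].upper()
        # The primary-key fingerprint is only present when gpg emits all trailing fields.
        primary_fpr = parts[11].upper() if len(parts) >= 12 else sig_fpr
        if pinned in (sig_fpr, primary_fpr):
            return True
    return False


def verify_release(binary_path, asc_path, pinned=PINNED_FINGERPRINT):
    """Verify a downloaded Electrum binary against its detached .asc and pin the signer.

    The signer's public key must already be imported (gpg --import); that one-time
    step is where the fingerprint has to be checked by hand. gpg's exit code is
    deliberately ignored: it is 0 for a good signature from *any* key in the keyring.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, binary_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False,
    )
    return signed_by_pinned_key(proc.stdout, pinned)


# Constructed samples of --status-fd output (not captured from a real run); the
# dates, timestamps and the second key's fingerprint are made up for the demo.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2019-03-01 1551398400 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# A key whose user id also says "Thomas Voegtlin" but whose fingerprint differs:
# gpg would still print "Good signature" and still exit 0.
SAMPLE_IMPOSTOR = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Thomas Voegtlin
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2019-03-01 1551398400 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

if __name__ == "__main__":
    print("pinned key signed sample:", signed_by_pinned_key(SAMPLE_GOOD))
    print("impostor key signed sample:", signed_by_pinned_key(SAMPLE_IMPOSTOR))
```

One-time setup is `gpg --import` of the key followed by `gpg --fingerprint` compared by eye against the value you pinned; after that, `verify_release("path/to/electrum-setup.exe", "path/to/electrum-setup.exe.asc")` is the per-download check. Parsing `--status-fd` output instead of the human-readable text also keeps the check stable across gpg versions and locales.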
full member
Activity: 1792
Merit: 186
HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?
Not that I'm aware of... most of the "I definitely downloaded from Official site" claims turn out to be incorrect after the user actually views their browser history and sees exactly where they downloaded from. In most instances they simply see an identical site and think it's the official one, but it'll be electrum.net or electrun.org or one of the punycode URLs etc.

The sneakiest one I've seen so far is a fake domain that redirects you to the official site on subsequent visits... so it lets you download the fake, then if you try and go to that URL again, it simply redirects to the official site to make you think you were on the official site all the time... very sneaky.

But even though there hasn't been a hack on the official server that puts fake versions on their download server... I still verify the signature. It takes less than 30 seconds.

Hey HCP... yes, the first statement you make makes a lot of sense. People could think they installed it from the actual site when they did not.

But the fact that there has not been a case of downloading from the legit site... means hackers haven't done that yet.

How does one get to the fake domain? You mean by typing electrum in google, right? Also whenever I typed electrum in google, I don't think I ever saw any fake electrum wallet sites under google search on the 1st page... unless you are talking about those google ads where they list electrum wallet at the top, which are most likely fakes? I think when these electrum issues and fake wallets were happening in early 2018, I don't think I saw a fake wallet site on the 1st page of google. I mean if there were, it had to be maybe 1 or max 2, right? Of course I'm not talking about the ones at the top with google ads. So I'm wondering how do people find these fake electrum wallet sites unless it's always the one at the top?

HCP
legendary
Activity: 2086
Merit: 4363
HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?
Not that I'm aware of... most of the "I definitely downloaded from Official site" claims turn out to be incorrect after the user actually views their browser history and sees exactly where they downloaded from. In most instances they simply see an identical site and think it's the official one, but it'll be electrum.net or electrun.org or one of the punycode URLs etc.

The sneakiest one I've seen so far is a fake domain that redirects you to the official site on subsequent visits... so it lets you download the fake, then if you try and go to that URL again, it simply redirects to the official site to make you think you were on the official site all the time... very sneaky.

But even though there hasn't been a hack on the official server that puts fake versions on their download server... I still verify the signature. It takes less than 30 seconds.
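An added example (not from the thread, not Electrum's code) of the lookalike-domain checks that HCP's post above implies when it names electrum.net, electrun.org and the punycode URLs: decode punycode so the Unicode form is visible, fold letters that render like Latin ones, and compare the registrable label with "electrum" by edit distance. The sample URLs are constructed, the confusables table is a small hand-picked subset of the real Unicode data, and treating electrum.org as the only legitimate host is an assumption of the example.

```python
import unicodedata
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"electrum.org", "www.electrum.org"}  # assumption: the only hosts to trust
OFFICIAL_LABEL = "electrum"

# A small, constructed table of Cyrillic/Greek letters that render like Latin ones.
# Real confusable data (Unicode TR39) is far larger; this is enough for the demo.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
    "\u0501": "d",
}


def host_of(url):
    """Lower-cased hostname of a URL, with punycode (xn--) labels decoded to Unicode."""
    if "//" not in url:
        url = "//" + url  # let urlsplit see a bare 'electrum.org/download' as a host
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw form, it cannot match the official host
    return host


def skeleton(label):
    """Fold a label to a plain-Latin 'skeleton' so visually identical strings compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue  # drop accents (NFKD splits 'é' into 'e' plus a combining mark)
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def levenshtein(a, b):
    """Classic edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """'official', 'lookalike' (close enough to fool a reader) or 'unrelated'."""
    host = host_of(url)
    if host in OFFICIAL_HOSTS:
        return "official"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # The brand appearing anywhere (electrum.net, electrum.org.update.example) is a
    # lookalike; so is a second-level label within two edits of it after folding.
    if OFFICIAL_LABEL in skeleton(host):
        return "lookalike"
    if levenshtein(skeleton(labels[-2]), OFFICIAL_LABEL) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed URLs for the demo. The punycode one is built here from a Cyrillic
# 'с' (U+0441) so that it is a real, correctly encoded IDN label.
HOMOGLYPH_URL = "https://" + "ele\u0441trum.org".encode("idna").decode("ascii") + "/download"
SAMPLE_URLS = [
    "https://electrum.org/#download",
    "https://www.electrum.org/download.html",
    "https://electrun.org/",
    "https://electrum.net/",
    "https://electrum.org.update-4-0-0.example/",
    HOMOGLYPH_URL,
    "https://bitcoin.org/",
]


def scan(urls=SAMPLE_URLS):
    """Verdict per URL; useful over a browser-history export after an incident."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan().items():
        print(f"{verdict:9} {url}  (host shown as: {host_of(url)})")
```

Running `scan()` over a browser-history export is the quickest way to settle the "I definitely downloaded it from the official site" question the post describes; the `host shown as` column makes a homoglyph domain obvious, which the address bar often does not.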
jr. member
Activity: 429
Merit: 7
It is very unlikely that this happens.
But I always check the download link in the bottom left of my browser and the address in the browser's address bar at the top.

If your computer is infected, then it's way more likely that you will be redirected to another site.
This is why you should use a clean computer which you only use for wallet transactions.
full member
Activity: 1792
Merit: 186
...but if they never saw that message ever and it looks legit since it's from the client, most people wouldn't think much of it unless they are very cautious about it, right?
One could also argue that if a piece of software they've been using for a long time suddenly does something they've never seen before (i.e. suddenly pops up an 'Update' message), would that not make you suspicious that something might not be right?

Still, I agree with pooya87... verifying the digital signature is an absolute must... even when I've manually typed in electrum.org and downloaded the .exe from the official site... I'll still grab the .asc and verify the .exe is legit BEFORE I run it.

EVERY. SINGLE. TIME.

HCP, has there been any case reported where someone downloaded electrum from the official site... did not verify the .exe... and then downloaded a fake electrum?
legendary
Activity: 3234
Merit: 5637
I didn't open my electrum for a while because of this issue as i didn't want to risk anything.

To my knowledge you have a Ledger Nano S, so why are you worried about Electrum security so much? You can use Electrum only as a user interface with the Nano S, and if you download it from the official site, you have nothing to worry about - your private keys are safe.

Any fork of Electrum is unsafe in older versions; they all share the same code which hackers exploit. You just need to read what is written on any site you visit, and for example this is the warning on the official Electrum-LTC site:

IMPORTANT NOTICE (February 2019)

Versions of Electrum and Electrum-LTC older than 3.3.3 are vulnerable to a phishing attack, where malicious servers are able to display a message asking users to download a fake version of Electrum. To prevent user exposure, versions older than 3.3 can no longer connect to public servers, and must be upgraded. Do not download software updates from sources other than electrum.org and electrum-ltc.org.
legendary
Activity: 2730
Merit: 7065
Also it's been said that there was a message you need to click on to update. So if you click on that link... what happens? It brings you to a website?
That is exactly the problem. Users click on those messages, which lead them to fake websites where they download fake wallets and use them without verifying whether they are genuine or not, so you should not do that!

We have gotten used to our software informing us that there are new updates and we can simply update by clicking on the displayed buttons but unfortunately that is not the case with Crypto and Electrum.

There are 3 big mistakes all users have made who have lost Bitcoin this way.
1. They clicked on unsafe links
2. They downloaded software from fake websites without noticing it.
3. They used that fake software without verifying the signatures of the downloaded files.
HCP
legendary
Activity: 2086
Merit: 4363
...but if they never saw that message ever and it looks legit since it's from the client, most people wouldn't think much of it unless they are very cautious about it, right?
One could also argue that if a piece of software they've been using for a long time suddenly does something they've never seen before (i.e. suddenly pops up an 'Update' message), would that not make you suspicious that something might not be right?

Still, I agree with pooya87... verifying the digital signature is an absolute must... even when I've manually typed in electrum.org and downloaded the .exe from the official site... I'll still grab the .asc and verify the .exe is legit BEFORE I run it.

EVERY. SINGLE. TIME.
legendary
Activity: 3472
Merit: 10611
The thing is this. If you haven't used Electrum in a long time, you have to agree most people wouldn't have a clue about this, right? I mean if someone used Electrum but hasn't opened it in a long time and just holds their BTC, you can't really fault them for seeing a message there and upgrading it, right? I know a lot of people say it's the person's fault... but if they never saw that message ever and it looks legit since it's from the client, most people wouldn't think much of it unless they are very cautious about it, right?

No, you can't blame people for seeing such messages and trusting them, and even if they download the binaries provided by the fake link. But you can blame them for not verifying the signature of the file they just downloaded, because it is the very first step that they should take before they install anything that is this serious security-wise.
full member
Activity: 1792
Merit: 186
Okay, I did not know it was other Electrum versions as well... I thought it was only the BTC version of it.

The thing is this. If you haven't used Electrum in a long time, you have to agree most people wouldn't have a clue about this, right? I mean if someone used Electrum but hasn't opened it in a long time and just holds their BTC, you can't really fault them for seeing a message there and upgrading it, right? I know a lot of people say it's the person's fault... but if they never saw that message ever and it looks legit since it's from the client, most people wouldn't think much of it unless they are very cautious about it, right?

I didn't open my Electrum for a while because of this issue as I didn't want to risk anything.
legendary
Activity: 3472
Merit: 3217
Does anyone know if this was only done to Electrum users? What about Electrum-LTC?
There are some fake Electrum-LTC version 4.0 releases, the same as Electrum 4.0 for Bitcoin. Not only Electrum for Bitcoin is suffering from this attack, but most of the Electrum forks.

Also I had no idea of this, but there are other Electrum-Dash wallets as well. Did those get hacked as well with the version, or was it only the Electrum with Bitcoin?
Like I said above, not only the original Bitcoin version is suffering, but also the other Electrum forks for altcoins.

Also it's been said that there was a message you need to click on to update. So if you click on that link... what happens? It brings you to a website? Or did it automatically download the program? I assume it goes to a site... then you still have to click on the link itself? What is the site of the link? Was it GitHub or the Electrum site itself but a phishing site? What if you downloaded the program but never opened it? Does anyone know if you are still safe if that was the case? Also didn't these Electrum attacks start happening in late 2017? I remember in early 2018 it was huge, but I thought it started in late 2017? When did those fake Electrum wallets start happening? That was 2017, right? But it was this complicated and tricky hacking that happened in early 2018?

If you click the link you will be redirected to the phishing site where you can download the fake Electrum; sometimes it is a fake Electrum site and sometimes it redirects you to GitHub.

If you just download it and never open it, it won't affect your wallet.

I heard this attack started around 2017.

Forgot to add this: if you want to see a list of fake Electrum sites you can check the thread below, but this is only for the original Electrum.

- ⚠⚠️⚠~Beware on active phishing Electrum websites~⚠⚠️⚠ (Collection list updated)
full member
Activity: 1792
Merit: 186
Does anyone know if this was only done to Electrum users? What about Electrum-LTC?

Also I had no idea of this, but there are other Electrum-Dash wallets as well. Did those get hacked as well with the version, or was it only the Electrum with Bitcoin?

Also it's been said that there was a message you need to click on to update. So if you click on that link... what happens? It brings you to a website? Or did it automatically download the program? I assume it goes to a site... then you still have to click on the link itself? What is the site of the link? Was it GitHub or the Electrum site itself but a phishing site? What if you downloaded the program but never opened it? Does anyone know if you are still safe if that was the case? Also didn't these Electrum attacks start happening in late 2017? I remember in early 2018 it was huge, but I thought it started in late 2017? When did those fake Electrum wallets start happening? That was 2017, right? But it was this complicated and tricky hacking that happened in early 2018?
HCP
legendary
Activity: 2086
Merit: 4363
I understand how Tails uses Linux, but do you mean using Electrum as a portable version on a hard drive with Tails installed on it? Would that work?
Tails actually has a version of Electrum pre-installed... However, I am not sure if it has been updated to Electrum 3.3+ yet though (so you may get sync issues). Having said that, there are ways to manually update it yourself: https://blog.thestever.net/2019/02/26/upgrading-electrum-on-tails-to-3-3-4/
member
Activity: 100
Merit: 33
You cannot call it "hack" because it implies Electrum is at fault when it isn't.

While I do agree that showing server messages and rendering URL links was a design mistake in versions earlier than 3.3.

Electrum cannot police and control fake websites 24/7, or browser/OS exploits (all it takes is some DNS manipulation to make electrum.org resolve to a fake phishing site)...

While not discussed here, the same attacks have been done to people using Electrum forks such as Litecoin's, and the amount stolen is not negligible.

But for most of them it was simple user mistake/ignorance, or social engineering. Do not be surprised if they escalate and combine with DNS manipulation done via malware (probably done already).

Good habits and a secure OS are a must. If you want to make or manipulate a cold wallet, you should boot from a secure live OS (such as Linux Tails OS).


I understand how Tails uses Linux, but do you mean using Electrum as a portable version on a hard drive with Tails installed on it? Would that work?
legendary
Activity: 3472
Merit: 10611
You cannot call it "hack" because it implies Electrum is at fault when it isn't.

Technically Electrum is never at fault no matter what the incident is, because it is open source and released under the MIT license, which means the program is released as is without any guarantees and they are not liable.
But this case was an exploitable bug that existed in the application, and like any other application out there, that is normal.
legendary
Activity: 2030
Merit: 1573
You cannot call it "hack" because it implies Electrum is at fault when it isn't.

While I do agree that showing server messages and rendering URL links was a design mistake in versions earlier than 3.3.

Electrum cannot police and control fake websites 24/7, or browser/OS exploits (all it takes is some DNS manipulation to make electrum.org resolve to a fake phishing site)...

While not discussed here, the same attacks have been done to people using Electrum forks such as Litecoin's, and the amount stolen is not negligible.

But for most of them it was simple user mistake/ignorance, or social engineering. Do not be surprised if they escalate and combine with DNS manipulation done via malware (probably done already).

Good habits and a secure OS are a must. If you want to make or manipulate a cold wallet, you should boot from a secure live OS (such as Linux Tails OS).
legendary
Activity: 2730
Merit: 7065
Can you explain or send me to a link so I can learn more about this and to store my coin. Thanks
Cold storage means that your wallet's private details such as seed/private keys have never been sent or viewed online and have never left the safety of the device, like in the case of hardware wallets. A paper wallet is another good way of storing your keys.

You can read more about that here:
https://en.bitcoin.it/wiki/Cold_storage

Also have a look at this thread:
https://bitcointalksearch.org/topic/cold-storage-best-practices-2865766
newbie
Activity: 14
Merit: 2
I keep everything in a cold storage wallet device where it is safe!

Can you explain or send me to a link so I can learn more about this and to store my coin. Thanks
HCP
legendary
Activity: 2086
Merit: 4363
It doesn't change the fact that it wasn't a "hack" and was "Social Engineering".

If a user did absolutely nothing at all, their funds would be safe. The thieves could not steal any funds using the richtext vulnerability. All they could do was show messages and clickable links. The attack required that the user download a piece of malware, install it and then run it. That could not be done remotely or automatically.

Granted, it was a very clever use of a non-obvious vulnerability... and, by all accounts, quite an effective one. Sure, you're more likely to trust a message in your "official" app... But one of the golden rules of crypto is "don't trust, verify!". So, if a user stopped to ask "Is that the official download repository?" and/or they followed recommended procedure and checked the digital signature of the downloaded file... the attack would fail.

It is a harsh (and expensive) lesson to learn... but the crypto call to arms of "Be your own bank"... also implies "Be your own bank's security department".

I don't blame the users and I don't blame the devs... I blame the "bad people"™
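An added illustration of the mechanism HCP describes above, as example code that is neither Electrum's source nor its actual 3.3 fix: an error string controlled by the server reaches a dialog that renders markup, so a link the server wrote looks like the wallet's own advice. The JSON-RPC reply, the placeholder domain and the generic message are constructed for the demo; the hardened variant shows one way to keep server text out of the UI (fixed client-owned message, raw text escaped and length-capped into the log), not the project's chosen design.

```python
import html
import json
import re

# Fixed, client-owned text: the server gets no say in what the dialog reads.
GENERIC_ERROR = "The server returned an error. Try again later or switch to another server."
LOG_LIMIT = 200  # cap on how much server-supplied text is kept for the log
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
TAG_RE = re.compile(r"<[a-z!/][^>]*>", re.IGNORECASE)


def error_from_response(raw):
    """Pull the 'error' field out of a JSON-RPC style reply; '' if there is none."""
    try:
        error = json.loads(raw).get("error")
    except (ValueError, AttributeError):
        return ""  # not JSON, or JSON that is not an object
    if error is None:
        return ""
    return error if isinstance(error, str) else json.dumps(error)


def render_vulnerable(server_error):
    """Before: the server string is handed to a rich-text dialog unchanged.

    A widget that interprets markup turns any <a href=...> inside it into a
    clickable link, so the dialog reads as if the wallet itself were telling the
    user to go and download an 'update'.
    """
    return server_error


def render_hardened(server_error):
    """After: the dialog shows only client-owned text; the raw string goes to the log."""
    return GENERIC_ERROR


def log_line(server_error):
    """What the log keeps: escaped so it can never be rendered as markup, and capped."""
    return html.escape(server_error[:LOG_LIMIT], quote=True)


def contains_markup(text):
    return bool(TAG_RE.search(text))


def links_in(text):
    """URLs a user could be steered to; useful when writing up an incident."""
    return URL_RE.findall(text)


# Constructed sample of what a malicious server could send as the 'error' of a
# JSON-RPC reply. The domain is a placeholder, not a real phishing site.
MALICIOUS_REPLY = json.dumps({
    "jsonrpc": "2.0", "id": 7, "result": None,
    "error": "Security update required (4.0.0). "
             "<a href=\"https://electrum-update.example/Electrum-4.0.0.exe\">Click here</a> "
             "to download the new version.",
})

if __name__ == "__main__":
    err = error_from_response(MALICIOUS_REPLY)
    print("vulnerable dialog carries clickable markup:", contains_markup(render_vulnerable(err)))
    print("links the user would be steered to:", links_in(err))
    print("hardened dialog:", render_hardened(err))
    print("log entry:", log_line(err))
```

The point of the split between `render_hardened` and `log_line` is that the two audiences differ: the user needs a decision ("the server is broken, pick another"), while the operator investigating later needs the raw text, but in a form that cannot be rendered by whatever views the log.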
legendary
Activity: 2450
Merit: 1472
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed in the app, it's not the user's fault
So, by that logic... Chrome/Firefox/IE have all been "hacked"... which explains all the popups from "Microsoft Support" telling me that my computer has a virus and I need to call 1-800-123-4567 to get help? Or the browser on my phone telling me that I need to install some "RAM cleaner" to make my phone run faster?

It isn't/wasn't a "hack". It is simply "bad people"™ abusing functionality to trick users into doing something they shouldn't... aka "Social Engineering".

They are totally different applications, you are comparing web browsers to wallets, it's nonsense.
It's allowed in web browsers, you can block it if you want.
But imagine you downloaded a specific app, and a message is displayed in the app, you will think it's official, come on, it's not hard to know the differences.


HCP
legendary
Activity: 2086
Merit: 4363
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed in the app, it's not the user's fault
So, by that logic... Chrome/Firefox/IE have all been "hacked"... which explains all the popups from "Microsoft Support" telling me that my computer has a virus and I need to call 1-800-123-4567 to get help? Or the browser on my phone telling me that I need to install some "RAM cleaner" to make my phone run faster?

It isn't/wasn't a "hack". It is simply "bad people"™ abusing functionality to trick users into doing something they shouldn't... aka "Social Engineering".
legendary
Activity: 2730
Merit: 7065
If the message is displayed on app, it's not the user's fault
I agree with this statement. And that is the reason that so many members trusted the messages displayed by their Electrum wallet. Any other software we use on our computers shows notifications about new updates and features and we install these.
Electrum's fault here was that they were not aware that something like that was possible or that it could be abused.
But, they also suggest that users check what they download and verify the signatures and the users who got phished didn't do that.
legendary
Activity: 1666
Merit: 1196
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed in the app, it's not the user's fault

I feel sorry for people who lost coins this way, but it was at least partially their fault for using terrible security practices. Always go to the original source to download updates and verify the release signature -- this is a basic precaution.

If you click on a link simply because a pop-up told you to and then download and run executable applications, you are bound to lose any coins that are stored on your machine.
legendary
Activity: 2450
Merit: 1472
I totally agree that was a hack
You can say it's only a message, but imagine what you can do to any software, or any bank application?
If the message is displayed in the app, it's not the user's fault
legendary
Activity: 3234
Merit: 5637
We can name this problem by any name; some will say it is a hack, others will call it a social engineering attack, but in the end it is only important that there is a large number of ordinary users affected by this attack. Although responsibility is largely shifted to users who have become victims of their own ignorance, part of the responsibility is also on the Electrum developers. They were supposed to detect this vulnerability and fix it before it was used by hackers.

In this example we also see why KYC is important, and why a DEX is in such cases an ideal money laundering machine in combination with Monero. We can call this a perfect crime which still continues; there are too many users with outdated Electrum who are not aware of the dangers.
legendary
Activity: 2730
Merit: 7065
I have thought that electrum is really a safe wallet. I realized now that everything online is hackable.
Electrum itself wasn't hacked. The wallet is not compromised. It is the users who clicked on phishing links and downloaded fake and/or infected wallets.
The biggest problem is that these messages came from the servers within Electrum itself and the users trusted and clicked on the links leading them to the fake wallets. Once that was discovered, Electrum prevented the possibility to send messages in this way.

That is why it is imperative to check the download links for Electrum and verify the signatures of the downloaded apps before using them.
hero member
Activity: 1274
Merit: 519
At least they have sent an alert. However, it's just a sign that no wallet is now 100% secure. There will always be lapses. We have to keep our funds safer in a cold wallet now. I'm using a Ledger Nano or our local wallet to keep everything safe and away from phishing.
sr. member
Activity: 1596
Merit: 335
It's the first time that I have heard about this attack. I was surprised because that's really a huge amount of Bitcoin.
I have thought that electrum is really a safe wallet. I realized now that everything online is hackable. It's a good thing that I have transferred my funds in my hard wallet.
legendary
Activity: 2828
Merit: 1497
^^
Yes. You're correct, when I receive the alert it would be too late in that case. But at least it will allow me to be aware not to send any more coins to it or they would be in jeopardy too. The Bitcoin wallet on my mobile is used for small transactions on the road.
Good advice with having it in cold storage with offline key storage like a USB stick for a lot of bitcoins.
legendary
Activity: 1666
Merit: 1196
I have heard of these Electrum hacks being performed but didn't know it had accumulated to this amount in bitcoin.

They weren't really "hacks." They were social engineering attacks. Attackers were setting up malicious Electrum servers and sending out in-app messages that convinced some people to download a malicious "update" that stole their coins.

I haven't touched my Electrum wallet in over two years and have never left funds on it, being scared to leave any amount of such significance on a wallet I don't have installed on my phone where I can keep an eye on it while not at home and receive a notification in the form of an alert beep when funds are being moved from my Bitcoin wallet.

What good is that alert going to do when a hacker empties out your wallet in one move?

You should use cold storage. Offline key storage allows me to sleep at night.
member
Activity: 210
Merit: 13
I keep everything in a cold storage wallet device where it is safe!
legendary
Activity: 2828
Merit: 1497
I have heard of these Electrum hacks being performed but didn't know it had accumulated to this amount in bitcoin.
I haven't touched my Electrum wallet in over two years and have never left funds on it, being scared to leave any amount of such significance on a wallet I don't have installed on my phone where I can keep an eye on it while not at home and receive a notification in the form of an alert beep when funds are being moved from my Bitcoin wallet.
legendary
Activity: 1666
Merit: 1196
Interesting reading, thanks for posting.

I hope these schemes aren't used as fodder to pass more stringent AML/KYC regulations on crypto-to-crypto exchanges, but they probably will be. I'm not sure how governments will address decentralized exchanges like Bisq, but I think there will be more clamping down on centralized services like MorphToken, who are offering high value exchanges with no account registration. Shapeshift obviously couldn't retain that model for long, ostensibly because of pressure from regulators.
newbie
Activity: 1
Merit: 2
Hello,

Clain investigated Electrum wallet attacks and concluded at least two groups of hackers succeeded in stealing 810 BTC and laundering them via decentralised crypto exchanges such as Bisq and MorphToken.

https://blog.clain.io/electrum-phishing-attack/