Topic: Fraudulent transaction along with the correct one (Ledger Nano S + Electrum) - page 2. (Read 510 times)

newbie
Activity: 15
Merit: 3
> > These "pages" seem to be Electrum servers (you can see them in your own server list probably).
> > When I downloaded Electrum I didn't check the PGP signature initially.
> > After the incident, I looked into my browser history (the link was correct), accessed the link from history, downloaded the installer again and checked the signature, which verified.
> > It's possible my initial install was corrupted, not very probable though.
>
> What is weird is that I personally have never been alerted by MB (using the premium version) regarding the Electrum servers, which may just be a coincidence, even though I have the servers set to automatic.
>
> I must admit I've never heard of change path attacks, and it will be really weird if this is the case here, because that supposedly should be fixed. If I understand correctly, in this case, the attacker actually initiates a transaction that does not allow him access to the funds, but by changing the path hides the funds and then requests a ransom for info on where the coins are located.
>
> I cannot technically say how this can be done, but there may be a possibility that some of the servers you mentioned may still be guilty of this, although this is just one of the options.
>
> I see you've taken the right steps in trying to find where the coins ended up, and I really hope you can find them. I would only advise others to be careful until it is revealed exactly what happened in this case.


I'm hoping more that it's a bug instead of a change path attack (which indeed is supposed to be fixed, so at the very least it's not exactly the same attack), but given that the Ledger is supposed to NOT show only transactions towards the change addresses, I have some hope albeit small.

Thanks for your input.

legendary
Activity: 3234
Merit: 5637
> These "pages" seem to be Electrum servers (you can see them in your own server list probably).
> When I downloaded Electrum I didn't check the PGP signature initially.
> After the incident, I looked into my browser history (the link was correct), accessed the link from history, downloaded the installer again and checked the signature, which verified.
> It's possible my initial install was corrupted, not very probable though.

What is weird is that I personally have never been alerted by MB (using the premium version) regarding the Electrum servers, which may just be a coincidence, even though I have the servers set to automatic.

I must admit I've never heard of change path attacks, and it will be really weird if this is the case here, because that supposedly should be fixed. If I understand correctly, in this case, the attacker actually initiates a transaction that does not allow him access to the funds, but by changing the path hides the funds and then requests a ransom for info on where the coins are located.

I cannot technically say how this can be done, but there may be a possibility that some of the servers you mentioned may still be guilty of this, although this is just one of the options.

I see you've taken the right steps in trying to find where the coins ended up, and I really hope you can find them. I would only advise others to be careful until it is revealed exactly what happened in this case.
newbie
Activity: 15
Merit: 3
> > Thanks for your reply.
> > Indeed, I searched my PC trying to find traces of the address string and I didn't get anything, thus either a script injected it and then deleted itself, or it was derived by Ledger somehow with a wrong derivation path.
>
> The hardware wallet should be safe to use even on an infected computer, but it's just an assumption based on what we know, which certainly doesn't mean that some clever hacker didn't find a way to circumvent the protection that the Nano S should provide.
>
> Now that you have shown us both transactions, I can see that these are really large amounts and that you may be the victim of a very targeted attack, so you have to wonder who all knew that you owned such a significant amount of BTC.
>
> On the other hand, when I look at the first legitimate transaction, I notice that the second transaction had a fee of only 200 satoshi, compared to the first one that had a 5x higher fee. Hackers in such cases usually place a maximum fee to get confirmations as soon as possible. Considering this, it is possible that this is some kind of bug in Ledger or in Electrum, and that the coins are still in your wallet, but in an address that you can't see for some reason.
>
> I can confirm that both of the pages you cited are really blocked by MB, one because it contains an exploit and the other because of phishing. If MB is blocking those sites, do you visit them, or does this happen when you surf on some other site which maybe tries to redirect you to those sites?
>
> Can you confirm that you downloaded Electrum from the official site https://electrum.org/#home, and did you maybe verify the GPG signatures of the downloaded files before installing?

Hi,

These "pages" seem to be Electrum servers (you can see them in your own server list probably).
When I downloaded Electrum I didn't check the PGP signature initially.
After the incident, I looked into my browser history (the link was correct), accessed the link from history, downloaded again the installer and checked the signature which verified.
It's possible my initial install was corrupted, not very probable though.
Also, I'm running an algo on an offline machine right now with the seed to derive possible addresses.
Parameters: m/bip'[0,44,48,49,84]/0'/account'[0-100]/visibility[0,1]/index[0-5000]
Will also test indexes up to 50k on 49 afterwards (based on this github.com/LedgerHQ/ledger-app-btc/pull/90).
If you have any other ideas where to look for, shoot.

Also, it is indeed possible that it was a targeted attack, but unfortunately this doesn't get me any further in understanding how it was done.

Thanks
legendary
Activity: 3234
Merit: 5637
> Thanks for your reply.
> Indeed, I searched my PC trying to find traces of the address string and I didn't get anything, thus either a script injected it and then deleted itself, or it was derived by Ledger somehow with a wrong derivation path.

The hardware wallet should be safe to use even on an infected computer, but it's just an assumption based on what we know, which certainly doesn't mean that some clever hacker didn't find a way to circumvent the protection that the Nano S should provide.

Now that you have shown us both transactions, I can see that these are really large amounts and that you may be the victim of a very targeted attack, so you have to wonder who all knew that you owned such a significant amount of BTC.

On the other hand, when I look at the first legitimate transaction, I notice that the second transaction had a fee of only 200 satoshi, compared to the first one that had a 5x higher fee. Hackers in such cases usually place a maximum fee to get confirmations as soon as possible. Considering this, it is possible that this is some kind of bug in Ledger or in Electrum, and that the coins are still in your wallet, but in an address that you can't see for some reason.

I can confirm that both of the pages you cited are really blocked by MB, one because it contains an exploit and the other because of phishing. If MB is blocking those sites, do you visit them, or does this happen when you surf on some other site which maybe tries to redirect you to those sites?

Can you confirm that you downloaded Electrum from the official site https://electrum.org/#home, and did you maybe verify the GPG signatures of the downloaded files before installing?
newbie
Activity: 15
Merit: 3
> That is indeed a puzzle... I've honestly never seen anything like this. I would hazard a guess that it was a bug... as the UTXO generated is still unspent and given the current price of BTC, I would expect it would have been moved/sold by now if it was 'stolen'.
>
> Quite how you can "accidentally" sign a second transaction is a complete mystery and it seems it would be incredibly difficult to replicate the issue. I've certainly not experienced anything similar.
>
> If Ledger support are unable to assist, I doubt anyone here will be. Have you tried raising an issue on the Electrum GitHub? https://github.com/spesmilo/electrum/issues

Yes, I'm banging my head against the wall for two weeks now and still can't figure out what happened (bug or exploit?) or at least how...
Didn't raise an issue on GitHub, will do.
Thanks for your reply
HCP
legendary
Activity: 2086
Merit: 4314
That is indeed a puzzle... I've honestly never seen anything like this. I would hazard a guess that it was a bug... as the UTXO generated is still unspent and given the current price of BTC, I would expect it would have been moved/sold by now if it was 'stolen'.

Quite how you can "accidentally" sign a second transaction is a complete mystery and it seems it would be incredibly difficult to replicate the issue. I've certainly not experienced anything similar.

If Ledger support are unable to assist, I doubt anyone here will be. Have you tried raising an issue on the Electrum GitHub? https://github.com/spesmilo/electrum/issues
newbie
Activity: 15
Merit: 3
> Did you also create this transaction today?: https://www.blockchain.com/btc/tx/362b50e056ec340a8be9204885a9c8c65d333c494d8b3f791faff7d8eeb8c255
>
> It appears that another lot of UTXOs from that address: 34Y6nb5SRxAGkozUpyKa59Qq7f87acC98s (along with UTXOs from other addresses) were consolidated into 39ycTMCUiC7yqABzR1sdaTbUhsGFi7cQ2Z. If you didn't execute this transaction, it's likely that your seed has indeed been compromised.

Yes, that was me, I moved everything before posting the transaction IDs, seed still safe...
HCP
legendary
Activity: 2086
Merit: 4314
Did you also create this transaction today?: https://www.blockchain.com/btc/tx/362b50e056ec340a8be9204885a9c8c65d333c494d8b3f791faff7d8eeb8c255

It appears that another lot of UTXOs from that address: 34Y6nb5SRxAGkozUpyKa59Qq7f87acC98s (along with UTXOs from other addresses) were consolidated into 39ycTMCUiC7yqABzR1sdaTbUhsGFi7cQ2Z. If you didn't execute this transaction, it's likely that your seed has indeed been compromised.
newbie
Activity: 15
Merit: 3
> I have to admit that this is the first time I've ever heard of a case like this, and it's really weird this happened to you. I see that you are not a beginner and that you understand the basics of how a hardware wallet works, so I will not doubt that everything you wrote is true.
>
> Assuming you have legitimate software (Electrum, firmware in the Nano S and legit Windows 10) I would personally assume it was some sophisticated malware that somehow bypassed the protection Ledger had and added another transaction. Another possibility is that it's some kind of internal bug that is a combination of some incredibly strange circumstances that occurred during your legitimate transaction. Still, the question remains, where did this new address come from if it wasn't some malware?
>
> I understand your privacy concerns, but it would still be advisable to post the IDs of both transactions; there are members who can conclude something from the transactions. Are you using any kind of antivirus protection, have you tried scanning your computer for possible virus/malware?
>
> I used the Nano S in combination with Electrum a few days ago, and the transaction went pretty normally.


Thanks for your reply.
Indeed, I searched my PC trying to find traces of the address string and I didn't get anything, thus either a script injected it and then deleted itself, or it was derived by Ledger somehow with a wrong derivation path.

I've tried recreating the bug the same day with a different Ledger which had the keys on a much smaller account and didn't manage to recreate the behavior.

As for security, only Avast and the Windows firewall at the time when the incident happened.
Downloaded Malwarebytes after it happened and ran a scan - only some PUPs, but the realtime protection detected 2 things afterwards: malicious site "exs[dot]ignorelist[dot]com" pointing to electrum-3.3.8.exe and qualified as an exploit, and "endthefed[dot]onthewifi[dot]com" pointing to electrum-3.3.8.exe qualified as "Phishing", so this might be a lead even if I don't see what a server can do to cause this.


Greatly appreciate any help or ideas.
Thanks
legendary
Activity: 3234
Merit: 5637
I have to admit that this is the first time I've ever heard of a case like this, and it's really weird this happened to you. I see that you are not a beginner and that you understand the basics of how a hardware wallet works, so I will not doubt that everything you wrote is true.

Assuming you have legitimate software (Electrum, firmware in the Nano S and legit Windows 10) I would personally assume it was some sophisticated malware that somehow bypassed the protection Ledger had and added another transaction. Another possibility is that it's some kind of internal bug that is a combination of some incredibly strange circumstances that occurred during your legitimate transaction. Still, the question remains, where did this new address come from if it wasn't some malware?

I understand your privacy concerns, but it would still be advisable to post the IDs of both transactions; there are members who can conclude something from the transactions. Are you using any kind of antivirus protection, have you tried scanning your computer for possible virus/malware?

I used the Nano S in combination with Electrum a few days ago, and the transaction went pretty normally.
newbie
Activity: 15
Merit: 3
Hi guys,

I posted this topic 2 weeks ago in the Ledger subreddit and created a support ticket with Ledger, but they came back to me saying that they can't find an issue/replicate my problem, so I'm trying again here.
If someone would be able to replicate this bug I would be extremely grateful, as I'm at a loss here...

So, I used Electrum wallet (installed as described here: https://support.ledger.com/hc/en-us/articles/115005161925) with Ledger Nano S.
Electrum: version 3.3.8
Ledger Nano S firmware: 1.6.0
Bitcoin app 1.3.16.
OS: Windows 10 Pro 1903

I created a transaction and pressed "Send". The details of the transaction appeared on my ledger device, I checked them and then validated the transaction (first screen was Output #1 or #2, correct amount, correct destination, "Validate", then second screen with the correct fees and "Accept").

The transaction was sent correctly (2 outputs - one recipient one change).

The problem: At the same time with the correct transaction, another transaction got generated - my biggest UTXO was sent in full towards an address not controlled by me (the address had no transactions in it and the coins didn't move since).

Please note that there are still other bitcoins in my wallet which weren't moved, so I doubt my seed was compromised (both on the subwallet which contained the "stolen" UTXO and other wallets derived from the same seed).

Things I noticed: one weird thing about the second transaction is that the LockTime was 1 instead of a block number close to the one when the transaction gets broadcast, so I think it got created through the console?
Would it be possible somehow to inject a second transaction while I was on my Ledger checking the details of the original one? Or modify the script hash so that one validation sends two transactions?
It is possible for my operating system to be compromised, but even then I still can't understand how I got to accept this...
I'm at a complete loss... Help?
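The observations in this post (a locktime of 1 where Electrum normally writes the current block height, a whole UTXO swept to a single output with no change, a fee far below the legitimate transaction's) are all visible in the raw transaction bytes, and checking them is cheap. The block below is an added example, not code from this thread or from Electrum: a parser for the serialized transaction format (legacy and segwit framing) plus a `flag_anomalies` function whose thresholds (locktime within 100 blocks of the tip, at least 1 sat/byte) are my own assumptions. The sample transaction is constructed for the example, with an unsigned input (empty scriptSig) and placeholder txid and script hash bytes to keep the hex short; it is not either of the transactions discussed in the thread.

```python
"""Raw Bitcoin transaction parser plus forensic sanity checks (added example)."""


def read_varint(buf, pos):
    """Bitcoin CompactSize integer; returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def parse_tx(raw):
    """Parse a serialized transaction into version, inputs, outputs, locktime and size."""
    version = int.from_bytes(raw[0:4], "little")
    pos = 4
    segwit = raw[pos] == 0x00 and raw[pos + 1] == 0x01  # marker + flag bytes
    if segwit:
        pos += 2
    n_in, pos = read_varint(raw, pos)
    inputs = []
    for _ in range(n_in):
        txid = raw[pos:pos + 32][::-1].hex()  # stored little-endian, displayed big-endian
        vout = int.from_bytes(raw[pos + 32:pos + 36], "little")
        pos += 36
        slen, pos = read_varint(raw, pos)
        script_sig = raw[pos:pos + slen].hex()
        pos += slen
        sequence = int.from_bytes(raw[pos:pos + 4], "little")
        pos += 4
        inputs.append({"txid": txid, "vout": vout, "script_sig": script_sig, "sequence": sequence})
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        pos += 8
        slen, pos = read_varint(raw, pos)
        outputs.append({"value": value, "script_pubkey": raw[pos:pos + slen].hex()})
        pos += slen
    if segwit:  # one witness stack per input; skipped, not needed for these checks
        for _ in range(n_in):
            n_items, pos = read_varint(raw, pos)
            for _ in range(n_items):
                ilen, pos = read_varint(raw, pos)
                pos += ilen
    locktime = int.from_bytes(raw[pos:pos + 4], "little")
    pos += 4
    if pos != len(raw):
        raise ValueError("trailing bytes after locktime")
    return {"version": version, "inputs": inputs, "outputs": outputs,
            "locktime": locktime, "size": len(raw)}


def flag_anomalies(tx, tip_height, input_values=None, max_lag=100, min_sat_per_byte=1.0):
    """Warnings for the signs discussed in the thread. tip_height is the chain height
    when the transaction was built; input_values (satoshis of the spent outputs, in
    input order) are not part of the raw bytes and enable the fee check when supplied.
    Electrum sets locktime to the tip height, or slightly below it, as anti fee-sniping,
    so a locktime far from the tip means the transaction was not built the usual way."""
    warnings = []
    lt = tx["locktime"]
    if lt >= 500_000_000:
        warnings.append(f"locktime {lt} is a unix timestamp, not a block height")
    elif not (tip_height - max_lag <= lt <= tip_height):
        warnings.append(f"locktime {lt} is not near tip height {tip_height}")
    if len(tx["outputs"]) == 1:
        warnings.append("single output: entire input amount sent to one destination, no change")
    if input_values is not None:
        fee = sum(input_values) - sum(o["value"] for o in tx["outputs"])
        if fee < 0:
            warnings.append("outputs exceed inputs: invalid transaction")
        elif fee / tx["size"] < min_sat_per_byte:
            warnings.append(f"fee {fee} sat over {tx['size']} bytes is below {min_sat_per_byte} sat/byte")
    return warnings


# Constructed sample: one input, one output, locktime 1 (placeholder txid and hash bytes)
SAMPLE_TX_HEX = (
    "01000000"                                                       # version 1
    "01" + "11" * 32 + "00000000" + "00" + "fdffffff" +              # 1 input: prev txid, vout 0, empty scriptSig, sequence
    "01" + "80f0fa0200000000" + "19" + "76a914" + "22" * 20 + "88ac" +  # 1 output: 0.5 BTC to a P2PKH script
    "01000000"                                                       # locktime = 1
)
SAMPLE_INPUT_VALUES = [50_000_200]  # constructed: the spent output held 0.5 BTC + 200 sat


def check_sample(tip_height=600_000):
    """Parse the sample and run the checks; returns (parsed_tx, warnings)."""
    tx = parse_tx(bytes.fromhex(SAMPLE_TX_HEX))
    return tx, flag_anomalies(tx, tip_height, SAMPLE_INPUT_VALUES)


if __name__ == "__main__":
    tx, warnings = check_sample()
    print(f"locktime={tx['locktime']} inputs={len(tx['inputs'])} outputs={len(tx['outputs'])} size={tx['size']}")
    for w in warnings:
        print("WARNING:", w)
```

On the sample, the 200 sat fee over 85 bytes passes the 1 sat/byte floor, so only the locktime and the missing change output are reported; a signed transaction is larger, which lowers the rate further. Running these checks over the PSBT or raw hex before the hardware wallet is asked to sign is where they pay off, since the device screen shows amounts and destinations but not locktime.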