Allow me to bump this topic with a link to my topic in Press: [2022-09-13] Man arrested for laundering millions from malicious Electrum update. I couldn't find back this topic earlier.
I'm curious if any of the recovered funds will ever make their way to the victims. Even if the victims file a claim, their wallet was compromised so you can never be sure they're the real victims.
Topic: There has been an increased number of "fake" electrums out there, be careful. (Read 1941 times)
September 17, 2022, 03:40:19 AM
February 08, 2019, 04:41:55 AM
I just wanted to ask....how do I remove or check what's been compromised on my MAC?
The only thing that would be compromised here are your private keys.
if your funds are still accessible you should be fine.
To be sure just create a new wallet and transfer any remaining funds to it.
February 08, 2019, 04:20:37 AM
Hi all,
This is my first post.
I believe I downloaded the recent fake Electrum on Github after seeing an update for 3.4.1.
Back in December/Jan, I tried to install in on iMac, and it was giving me warnings when I tried to run it.
However, then I left it for a while, and only today I heard about the fake Electrum.
I just wanted to ask....how do I remove or check what's been compromised on my MAC?
Thanks!
sc
This is my first post.
I believe I downloaded the recent fake Electrum on Github after seeing an update for 3.4.1.
Back in December/Jan, I tried to install in on iMac, and it was giving me warnings when I tried to run it.
However, then I left it for a while, and only today I heard about the fake Electrum.
I just wanted to ask....how do I remove or check what's been compromised on my MAC?
Thanks!
sc
January 01, 2019, 12:30:40 AM
I have no affiliation with Electrum developers!
I can't understand why you are so worked up about a comparison though, even if it was a bad one.
I can't understand why you are so worked up about a comparison though, even if it was a bad one.
December 31, 2018, 07:08:45 PM
Just out of curiosity what was the intended use for it in Electrum?
AFAIK this is the way the servers communicate with the clients that connect to them. For example when you send a transaction with low fee you receive a message telling you why your transaction was rejected with a "low fee" message, or if you broadcast a message with wrong signature,... you'll receive another message, and so on.
The problem is that these messages (which are normally bitcoind responds) could be anything instead of being hard coded in the client and being predefined.
As kano stated the feature is not like the old alert system in core that required keys before alert messages could be sent to the network.
Of course the core alerts required a key (which also was compromised at some point prior to the system's retirement) while Electrum messages can be sent by anyone. And I do realize that it wasn't a good example but there is a good similarity there, which is why I mentioned it in first place.
For starters both cases are following a similar not-predefined message structure which the sender decides what to send. So the message could display anything including a link.
And your argument is also hiding the facts.
The 'compromise' in security was not certainly know, and was not due to the secure method they used, but certainly assumed to be correct when MtGox was taken control by 'authorities' in Japan.
The assumption was that since Mark also had a key, the key was probably in the possession of 'the authorities'
Your example given is pointless at best, since there's really no comparison.
... are you gonna give up this pointless argument that anyone with any understanding of security would not argue? or continue digging your own grave with it?
December 30, 2018, 10:01:29 AM
Just out of curiosity what was the intended use for it in Electrum?
AFAIK this is the way the servers communicate with the clients that connect to them. For example when you send a transaction with low fee you receive a message telling you why your transaction was rejected with a "low fee" message, or if you broadcast a message with wrong signature,... you'll receive another message, and so on.
The problem is that these messages (which are normally bitcoind responds) could be anything instead of being hard coded in the client and being predefined.
As kano stated the feature is not like the old alert system in core that required keys before alert messages could be sent to the network.
Of course the core alerts required a key (which also was compromised at some point prior to the system's retirement) while Electrum messages can be sent by anyone. And I do realize that it wasn't a good example but there is a good similarity there, which is why I mentioned it in first place.
For starters both cases are following a similar not-predefined message structure which the sender decides what to send. So the message could display anything including a link.
December 30, 2018, 08:44:13 AM
This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
it has never been hard and it will never be hard only if you know what you are doing!
in this case it is a very simple matter of understanding what PGP means and how it works. so even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
The message appeared on the legit wallet but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text and not verifying that software suffered losses. So the real electrum didn't steal from them. It was the fake software that people went out of their way to download and use.
Indeed the Official Electrum displayed an update notice and link, to a verified github, that when installed, meant you lost your Bitcoins
... and literally millions of dollars of Bitcoins have been lost due to people trusting that messages posted by the official Electrum wallet would be valid ...
have to agree with kano on this one this is a serious flaw in the official software that allowed attackers to perform this.
The fact is there was no protection on for users to stop the messages being shown all be it in a somewhat official looking manner.
As kano stated the feature is not like the old alert system in core that required keys before alert messages could be sent to the network.
Just out of curiosity what was the intended use for it in Electrum?
December 30, 2018, 07:57:35 AM
This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
it has never been hard and it will never be hard only if you know what you are doing!
in this case it is a very simple matter of understanding what PGP means and how it works. so even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
The message appeared on the legit wallet but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text and not verifying that software suffered losses. So the real electrum didn't steal from them. It was the fake software that people went out of their way to download and use.
Indeed the Official Electrum displayed an update notice and link, to a verified github, that when installed, meant you lost your Bitcoins
... and literally millions of dollars of Bitcoins have been lost due to people trusting that messages posted by the official Electrum wallet would be valid ...
December 30, 2018, 07:42:56 AM
This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
it has never been hard and it will never be hard only if you know what you are doing!
in this case it is a very simple matter of understanding what PGP means and how it works. so even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
The message appeared on the legit wallet but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text and not verifying that software suffered losses. So the real electrum didn't steal from them. It was the fake software that people went out of their way to download and use.
December 30, 2018, 03:14:34 AM
This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
it has never been hard and it will never be hard only if you know what you are doing!
in this case it is a very simple matter of understanding what PGP means and how it works. so even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
December 30, 2018, 03:13:07 AM
They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.
This IS what this attacker was using! The feature to send a warning message from the server.
The only way it can be prevented is if the servers can only send predefined messages. For example they can send a "code number" like sending 1 means you need to update, sending 2 means there is a fork going on,... so that it is not arbitrary.
December 29, 2018, 11:31:35 PM
This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
it has never been hard and it will never be hard only if you know what you are doing!
in this case it is a very simple matter of understanding what PGP means and how it works. so even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
December 29, 2018, 05:45:17 PM
This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore. These types of disasters can destroy crypto if left unchecked.
What's going to be next? Online wallets safer than software wallets?
What's going to be next? Online wallets safer than software wallets?
December 29, 2018, 10:12:16 AM
That isn't by default though? if you use their chrome app, (which most people do i'm pretty sure) you obviously won't use electrum servers? and instead use their centralized servers?
What do you mean by 'by default'? By default, the user uses software from Ledger (Ledger Live) - in this case the Ledger's servers are used. But if user connects HW wallet (Ledger, Trezor, Keepkey) to Electrum then transactions go through Electrum servers. December 29, 2018, 09:41:45 AM
So what you're saying is that Ledger Nano is paired with electrum/using the same servers? 
.
Do you have any sources on that? i find that hard to believe.
<..>. Do you have any sources on that? i find that hard to believe.
That isn't by default though? if you use their chrome app, (which most people do i'm pretty sure) you obviously won't use electrum servers? and instead use their centralized servers?
December 29, 2018, 09:12:58 AM
So what you're saying is that Ledger Nano is paired with electrum/using the same servers? .
Do you have any sources on that? i find that hard to believe.
. Do you have any sources on that? i find that hard to believe.
December 29, 2018, 07:35:17 AM
I believe (someone should correct me if i'm wrong, since i am far from an expert on hardware wallets.) all transactions made on a Ledger Nano S are done through their own servers, which are owned by no one but the corporation behind Ledger Nano S, so chances that this will happen on their devices/chrome app seems rather slim.
(They'd have to be the ones sabotaging their own servers, which wouldn't make any sense..?)
. Do you have any sources on that? i find that hard to believe.
Everything source i find points towards Ledger Nano S having specific servers ran only by the company behind the nano S.
I don't think any of the popular hardware wallets connect to Electrum servers?
December 29, 2018, 05:25:20 AM
They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.
This IS what this attacker was using! The feature to send a warning message from the server.
The only way it can be prevented is if the servers can only send predefined messages. For example they can send a "code number" like sending 1 means you need to update, sending 2 means there is a fork going on,... so that it is not arbitrary.
December 29, 2018, 03:55:00 AM
I believe (someone should correct me if i'm wrong, since i am far from an expert on hardware wallets.) all transactions made on a Ledger Nano S are done through their own servers, which are owned by no one but the corporation behind Ledger Nano S, so chances that this will happen on their devices/chrome app seems rather slim.
(They'd have to be the ones sabotaging their own servers, which wouldn't make any sense..?)
December 29, 2018, 03:01:18 AM
You not going to stop social engineered attacks like this with messages on a forum. They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.
They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.
They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.
No, they shouldn't, things like that can also be a security risk, and it also gives more power to developers, which isn't a good thing. This would require all Electrum clients to connect to some trusted server that can relay messages, and this would be against Electrum's philosophy of decentralization.
They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.
I guess you don't understand how Electrum works. There are no official servers, anyone can run a server. The hacker has spawned many servers to make as many people as possible to connect to them. The problem here is that malicious servers could display a popup when people sent transactions. This was a flaw in the software, it wasn't clear that that was just an error message that came from a server, and attackers had the ability to write arbitrary text there.
Jump to: