Topic: There has been an increased number of "fake" electrums out there, be careful. (Read 2000 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Allow me to bump this topic with a link to my topic in Press: [2022-09-13] Man arrested for laundering millions from malicious Electrum update. I couldn't find this topic earlier.

I'm curious if any of the recovered funds will ever make their way to the victims. Even if the victims file a claim, their wallet was compromised so you can never be sure they're the real victims.
legendary
Activity: 1484
Merit: 1491
I forgot more than you will ever know.
> I just wanted to ask....how do I remove or check what's been compromised on my Mac?

The only thing that would be compromised here are your private keys.

If your funds are still accessible you should be fine.
To be sure just create a new wallet and transfer any remaining funds to it.
newbie
Activity: 5
Merit: 7
Hi all,

This is my first post.

I believe I downloaded the recent fake Electrum on GitHub after seeing an update for 3.4.1.

Back in December/Jan, I tried to install it on iMac, and it was giving me warnings when I tried to run it.

However, then I left it for a while, and only today I heard about the fake Electrum.

I just wanted to ask....how do I remove or check what's been compromised on my Mac?

Thanks!
sc
legendary
Activity: 1040
Merit: 2785
Bitcoin and C♯ Enthusiast
I have no affiliation with Electrum developers!
I can't understand why you are so worked up about a comparison though, even if it was a bad one.
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
>> Just out of curiosity what was the intended use for it in Electrum?
>
> AFAIK this is the way the servers communicate with the clients that connect to them. For example when you send a transaction with a low fee you receive a message telling you why your transaction was rejected with a "low fee" message, or if you broadcast a message with a wrong signature,... you'll receive another message, and so on.
> The problem is that these messages (which are normally bitcoind responses) could be anything instead of being hard coded in the client and being predefined.
>
>> As kano stated the feature is not like the old alert system in core that required keys before alert messages could be sent to the network.
>
> Of course the core alerts required a key (which also was compromised at some point prior to the system's retirement) while Electrum messages can be sent by anyone. And I do realize that it wasn't a good example but there is a good similarity there, which is why I mentioned it in the first place.
> For starters both cases are following a similar not-predefined message structure where the sender decides what to send. So the message could display anything including a link.

So that's your excuse for not doing anything about it when core started dealing with, quite a while ago, their WAY more secure method than yours?

And your argument is also hiding the facts.
The 'compromise' in security was not certainly known, and was not due to the secure method they used, but certainly assumed to be correct when MtGox was taken control of by 'authorities' in Japan.
The assumption was that since Mark also had a key, the key was probably in the possession of 'the authorities'

Your example given is pointless at best, since there's really no comparison.
... are you gonna give up this pointless argument that anyone with any understanding of security would not argue? or continue digging your own grave with it?
legendary
Activity: 1040
Merit: 2785
Bitcoin and C♯ Enthusiast
> Just out of curiosity what was the intended use for it in Electrum?

AFAIK this is the way the servers communicate with the clients that connect to them. For example when you send a transaction with a low fee you receive a message telling you why your transaction was rejected with a "low fee" message, or if you broadcast a message with a wrong signature,... you'll receive another message, and so on.
The problem is that these messages (which are normally bitcoind responses) could be anything instead of being hard coded in the client and being predefined.

> As kano stated the feature is not like the old alert system in core that required keys before alert messages could be sent to the network.

Of course the core alerts required a key (which also was compromised at some point prior to the system's retirement) while Electrum messages can be sent by anyone. And I do realize that it wasn't a good example but there is a good similarity there, which is why I mentioned it in the first place.
For starters both cases are following a similar not-predefined message structure where the sender decides what to send. So the message could display anything including a link.
hero member
Activity: 1220
Merit: 612
OGRaccoon
>>>>> This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
>>>>
>>>> It has never been hard and it will never be hard only if you know what you are doing!
>>>>
>>>> In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
>>>>
>>>> Understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
>>>
>>> It didn't require a fake wallet - it happened with the official PGP signed wallet.
>>
>> The message appeared on the legit wallet but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text and not verifying that software suffered losses. So the real Electrum didn't steal from them. It was the fake software that people went out of their way to download and use.
>
> Yes we all know this - it has been stated a number of times before.
>
> Indeed the Official Electrum displayed an update notice and link, to a verified GitHub, that when installed, meant you lost your Bitcoins
> ... and literally millions of dollars of Bitcoins have been lost due to people trusting that messages posted by the official Electrum wallet would be valid ...

Have to agree with kano on this one, this is a serious flaw in the official software that allowed attackers to perform this.
The fact is there was no protection for users to stop the messages being shown, albeit in a somewhat official-looking manner.

As kano stated the feature is not like the old alert system in core that required keys before alert messages could be sent to the network.

Just out of curiosity what was the intended use for it in Electrum?
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
>>>> This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
>>>
>>> It has never been hard and it will never be hard only if you know what you are doing!
>>>
>>> In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
>>>
>>> Understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
>>
>> It didn't require a fake wallet - it happened with the official PGP signed wallet.
>
> The message appeared on the legit wallet but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text and not verifying that software suffered losses. So the real Electrum didn't steal from them. It was the fake software that people went out of their way to download and use.

Yes we all know this - it has been stated a number of times before.

Indeed the Official Electrum displayed an update notice and link, to a verified GitHub, that when installed, meant you lost your Bitcoins
... and literally millions of dollars of Bitcoins have been lost due to people trusting that messages posted by the official Electrum wallet would be valid ...
legendary
Activity: 3682
Merit: 1580
>>> This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
>>
>> It has never been hard and it will never be hard only if you know what you are doing!
>>
>> In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
>>
>> Understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
>
> It didn't require a fake wallet - it happened with the official PGP signed wallet.

The message appeared on the legit wallet but it was just text. It was harmless. Only people who reacted to it by downloading the software linked in the text and not verifying that software suffered losses. So the real Electrum didn't steal from them. It was the fake software that people went out of their way to download and use.
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
>> This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.
>
> It has never been hard and it will never be hard only if you know what you are doing!
>
> In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!
>
> Understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.

It didn't require a fake wallet - it happened with the official PGP signed wallet.
legendary
Activity: 4592
Merit: 1851
Linux since 1997 RedHat 4
>> They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.
>
> This IS what this attacker was using! The feature to send a warning message from the server.
>
> The only way it can be prevented is if the servers can only send predefined messages. For example they can send a "code number" like sending 1 means you need to update, sending 2 means there is a fork going on,... so that it is not arbitrary.

Yet no one seems to note the blatantly obvious point to notify people about the problem, with a simple message, using this method that has allowed hackers to trick people into losing millions of dollars (as has happened) ...
legendary
Activity: 3472
Merit: 10611
> This latest hack is particularly disturbing and it scared the crap out of me. Hard to trust anything you download anymore.

It has never been hard and it will never be hard only if you know what you are doing!

In this case it is a very simple matter of understanding what PGP means and how it works. So even if you by any chance download a fake wallet, knowing how PGP works you try verifying its signature and when it fails you simply don't trust or install it!

Understanding PGP means knowing how to verify signatures and more importantly understanding the concept of https://en.wikipedia.org/wiki/Web_of_trust so that you don't naively trust any public key you see.
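The check the post above describes, written out as an added example (this is not the poster's script and not part of the Electrum project): verify the detached signature with gpg, then pin the signer's fingerprint. The web-of-trust point is what the pin stands in for: gpg will report "Good signature" for any key you have imported, including a key the attacker published next to a fake release, so the fingerprint has to come from somewhere independent of the download page. It assumes a gpg 2.x binary on PATH; file names and the fingerprint are placeholders you supply.

```shell
#!/bin/sh
# Added example, not the poster's script and not part of Electrum.
# Verifies a release file against its detached OpenPGP signature and then
# pins the signer: the signature must come from the one key whose
# fingerprint you obtained out of band. "Good signature" alone is not
# enough; a fake release can be signed by a fake key that gpg will also
# call good once you have imported it.

# verify_release FILE SIGNATURE EXPECTED_FINGERPRINT
#   returns 0  valid signature from the pinned key
#           1  signature invalid, file tampered, or no VALIDSIG line
#           2  valid signature, but from a different key
verify_release() {
    file=$1
    sig=$2
    # Normalise the fingerprint you copied from a project page or keyserver
    # (usually shown in groups of four, upper or lower case).
    expected=$(printf '%s' "$3" | tr -d ' ' | tr '[:lower:]' '[:upper:]')

    # --status-fd 1 emits machine-readable "[GNUPG:] ..." lines on stdout.
    # Parse those, never the human-readable "Good signature from" text.
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1

    # VALIDSIG: field 3 is the fingerprint of the key that actually signed
    # (possibly a subkey); the last field is the primary key fingerprint.
    # Accept a pin on either, so a published primary fingerprint still works.
    fprs=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; print $NF; exit }')
    [ -n "$fprs" ] || return 1

    for f in $fprs; do
        [ "$f" = "$expected" ] && return 0
    done
    return 2
}
```

Call it as `verify_release <downloaded file> <its .asc> "<fingerprint>"` and refuse to install on anything but exit status 0; a 2 means the archive is genuinely signed, just not by the key you decided to trust, which is exactly the fake-release case.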
legendary
Activity: 1090
Merit: 1000
This latest hack is particularly disturbing and it scared the crap out of me.  Hard to trust anything you download anymore. These types of disasters can destroy crypto if left unchecked.

What's going to be next? Online wallets safer than software wallets?
legendary
Activity: 1848
Merit: 2033
Crypto Swap Exchange
> That isn't by default though? If you use their Chrome app, (which most people do I'm pretty sure) you obviously won't use Electrum servers? and instead use their centralized servers?

What do you mean by 'by default'? By default, the user uses software from Ledger (Ledger Live) - in this case the Ledger's servers are used. But if user connects HW wallet (Ledger, Trezor, Keepkey) to Electrum then transactions go through Electrum servers.
legendary
Activity: 1946
Merit: 1427
>> So what you're saying is that Ledger Nano is paired with electrum/using the same servers? Huh.
>>
>> Do you have any sources on that? I find that hard to believe.
> <..>

That isn't by default though? If you use their Chrome app, (which most people do I'm pretty sure) you obviously won't use Electrum servers? and instead use their centralized servers?
legendary
Activity: 1848
Merit: 2033
Crypto Swap Exchange
> So what you're saying is that Ledger Nano is paired with electrum/using the same servers? Huh.
>
> Do you have any sources on that? I find that hard to believe.

legendary
Activity: 1946
Merit: 1427

>> I believe (someone should correct me if I'm wrong, since I am far from an expert on hardware wallets.) all transactions made on a Ledger Nano S are done through their own servers, which are owned by no one but the corporation behind Ledger Nano S, so chances that this will happen on their devices/chrome app seem rather slim.
>>
>> (They'd have to be the ones sabotaging their own servers, which wouldn't make any sense..?)
>
> No, transactions made on a hardware wallet paired with Electrum are done through Electrum servers.

So what you're saying is that Ledger Nano is paired with electrum/using the same servers? Huh.

Do you have any sources on that? I find that hard to believe.

Every source I find points towards Ledger Nano S having specific servers run only by the company behind the Nano S.

I don't think any of the popular hardware wallets connect to Electrum servers?
legendary
Activity: 1040
Merit: 2785
Bitcoin and C♯ Enthusiast
> They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.

This IS what this attacker was using! The feature to send a warning message from the server.

The only way it can be prevented is if the servers can only send predefined messages. For example they can send a "code number" like sending 1 means you need to update, sending 2 means there is a fork going on,... so that it is not arbitrary.
legendary
Activity: 1848
Merit: 2033
Crypto Swap Exchange

> I believe (someone should correct me if I'm wrong, since I am far from an expert on hardware wallets.) all transactions made on a Ledger Nano S are done through their own servers, which are owned by no one but the corporation behind Ledger Nano S, so chances that this will happen on their devices/chrome app seem rather slim.
>
> (They'd have to be the ones sabotaging their own servers, which wouldn't make any sense..?)

No, transactions made on a hardware wallet paired with Electrum are done through Electrum servers.
legendary
Activity: 3024
Merit: 2148
> You're not going to stop social engineered attacks like this with messages on a forum. They will need to build a warning system or a popup notice into the wallet application to warn people who are not reading forums.
>
> They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.

No, they shouldn't, things like that can also be a security risk, and it also gives more power to developers, which isn't a good thing. This would require all Electrum clients to connect to some trusted server that can relay messages, and this would be against Electrum's philosophy of decentralization.

> They will also have to work on a system for people to validate servers that are owned and operated by the Electrum team. This is the problem when you work through centralized organizations to access your coins.

I guess you don't understand how Electrum works. There are no official servers, anyone can run a server. The hacker has spawned many servers to make as many people as possible connect to them. The problem here is that malicious servers could display a popup when people sent transactions. This was a flaw in the software, it wasn't clear that that was just an error message that came from a server, and attackers had the ability to write arbitrary text there.
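The flaw described in the post above (a server-chosen error string shown to the user as if the wallet were speaking) and the fix proposed earlier in the thread (servers can only select from predefined messages by code) side by side, as an added example. This is not Electrum's code and not any poster's code, and the page does not say what Electrum's own fix was. The server responses are constructed samples, and the bitcoind reject-reason patterns are assumptions about typical wording, not an authoritative list.

```python
"""Added example (not Electrum's code, not any poster's code).

Electrum-style clients ask whichever server they are connected to, over
JSON-RPC, to broadcast a transaction. The server answers with a free-form
error string, normally bitcoind's reject reason, but a server run by an
attacker can put anything there. The thread proposes that the client only
ever show its own predefined messages, selected by a code. Below, the
flawed pattern (render the server's text in a dialog) sits next to that
proposal. All server responses are constructed samples; the reject-reason
patterns are assumptions about bitcoind wording, not an authoritative list.
"""
import html
import json
import re

# Constructed sample responses to blockchain.transaction.broadcast.
HONEST_LOW_FEE = json.dumps({
    "id": 1, "result": None,
    "error": "the transaction was rejected by network rules.\n\nmin relay fee not met",
})
MALICIOUS_UPDATE = json.dumps({
    "id": 1, "result": None,
    "error": 'Your version of Electrum is out of date. Please upgrade from '
             '<a href="https://example.invalid/electrum">here</a>.',
})
HONEST_OK = json.dumps({"id": 1, "result": "0f1e2d" * 10 + "abcd", "error": None})


def vulnerable_popup(response: str) -> str:
    """Flawed pattern: the server's text is shown to the user as received,
    in a dialog that renders rich text. An <a href> becomes a clickable link
    and the wording looks as if the wallet itself is speaking."""
    msg = json.loads(response)
    if msg.get("error") is not None:
        return f"<b>Error</b><br>{msg['error']}"
    return "Transaction sent."


# Client-owned wording, keyed by a small set of codes. The server never
# chooses the text; the client chooses the code.
REJECT_CODES = {
    1: "The server rejected the transaction: the fee is below the relay minimum.",
    2: "The server rejected the transaction: an input is missing or already spent.",
    3: "The server rejected the transaction: a script or signature check failed.",
    0: "The server rejected the transaction. The raw server reply is in the log.",
}

# Assumed bitcoind reject wording; anything unmatched falls through to code 0.
_KNOWN_REASONS = [
    (re.compile(r"min relay fee not met|insufficient fee", re.I), 1),
    (re.compile(r"missingorspent|already spent|txn-already-known", re.I), 2),
    (re.compile(r"script-verify-flag", re.I), 3),
]


def classify(server_error: str) -> int:
    """Map arbitrary server text to one of the predefined codes."""
    for pattern, code in _KNOWN_REASONS:
        if pattern.search(server_error):
            return code
    return 0


def hardened_popup(response: str, log: list) -> str:
    """Proposed pattern: only REJECT_CODES wording ever reaches the dialog.
    The raw server string is kept for debugging, but only in the log, and
    escaped so it cannot carry markup into a log viewer either."""
    msg = json.loads(response)
    err = msg.get("error")
    if err is None:
        return "Transaction sent."
    code = classify(err)
    log.append(f"server error (code {code}): {html.escape(err)}")
    return REJECT_CODES[code]


if __name__ == "__main__":
    log = []
    print("vulnerable:", vulnerable_popup(MALICIOUS_UPDATE))
    print("hardened:  ", hardened_popup(MALICIOUS_UPDATE, log))
    print("log:       ", log[-1])
```

The point of the split is that the dialog text is a closed set chosen by the client, so a malicious server can at most pick a wrong code, never inject a link or a call to action; the unmatched case deliberately degrades to a generic message rather than falling back to the server's own words.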