Topic: Unable to use the seed from a wallet file to make any transaction (Read 340 times)

legendary
Activity: 1624
Merit: 2481
But I can't find any information on the internet indicating that Electrum wallet modification malware exists.

I never said that it does exist.. but it would be a possibility.

In case it would exist, it probably wouldn't be that known. A single developer / group of developers could try to spread the malware themselves.
This wouldn't attract attention until a lot of users face that problem/malware.



If there is, someone should try to improve Electrum and prevent this from happening again.

This scenario is not that easy to circumvent.
You'd need to build Electrum to NOT trust the system it is installed on.

And if you can't trust the system you are trying to install the software on.. you shouldn't keep any private/sensitive information or cryptocurrencies on that machine at all..

Preventing injection is definitely possible, but not that necessary.
It is way easier for an attacker to simply gain access to the private keys once you open Electrum. Injecting DLLs into Electrum just to counterfeit the wallet creation process seems to be a bit of an overkill to me.


And as I have already mentioned.. this is just ONE approach to modify the address you see. There are way more.
If Electrum should be secured against each of these.. Thomas would need a few more developers who only focus on security. This isn't feasible (and unnecessary, since you have to trust the host machine when storing private keys; there is no need to try to defend against each possible attack when your own machine is compromised..).



Edit:
To clarify potential misconceptions regarding the safety/security of Electrum:

What I have mentioned above is applicable to EVERY software. This is nothing specific to Electrum (or any other specific application).

The branch which probably suffers the most from injections is the gaming industry.
They have teams of engineers and developers working only on anti-cheat mechanisms. There is no solution or technology which prevents this from happening.
This is a cat-and-mouse game.
full member
Activity: 490
Merit: 102
I have verified the exe I downloaded, so it is basically impossible for me to use an infected client

Well, that's not completely true..

There are several possibilities for how a malicious actor can modify your Electrum wallet even though you have verified the signature beforehand and the .exe itself is the correct one.

These techniques include (and are not limited to) malware which is nested in your system and waits for you to open Electrum.
Once Electrum is opened, it hooks itself into the process and injects DLLs to maliciously modify the creation process of your wallet.

This is just one example of how someone COULD foist an 'infected client' on you without the client itself being infected.


I am not saying that this has happened. But it is definitely not impossible. And also definitely more probable on a Windows machine than on Linux/macOS.

Thank you, I agree with you, that's definitely a possibility.

But I can't find any information on the internet indicating that Electrum wallet modification malware exists. If there is, someone should try to improve Electrum and prevent this from happening again.
legendary
Activity: 1624
Merit: 2481
I have verified the exe I downloaded, so it is basically impossible for me to use an infected client

Well, that's not completely true..

There are several possibilities for how a malicious actor can modify your Electrum wallet even though you have verified the signature beforehand and the .exe itself is the correct one.

These techniques include (and are not limited to) malware which is nested in your system and waits for you to open Electrum.
Once Electrum is opened, it hooks itself into the process and injects DLLs to maliciously modify the creation process of your wallet.

This is just one example of how someone COULD foist an 'infected client' on you without the client itself being infected.


I am not saying that this has happened. But it is definitely not impossible. And also definitely more probable on a Windows machine than on Linux/macOS.
full member
Activity: 490
Merit: 102
Where did you download that portable Electrum?
From electrum.org, double checked from my browsing history.

Do the original wallet's bitcoin addresses start with "3", "1" or "bc1"?
It starts with 1

Do the newly restored wallet's addresses start with the same character?
Yes, all of the addresses start with 1

Also, double check on any blockexplorer if the addresses with balance reflect the same transactions as your "inbound" transactions.
I have only used the address for receiving funds and never tried to send before. Also, the address with funds is the only address I used from that wallet.
There is no weird transaction as far as I am concerned.

Works just fine, definitely not a bug of Electrum Version 3.1.3 Portable.
If there was such a big issue with that version of the client it would already have been known by many, but I am thinking there might be some specific condition of my computer which triggered this problem.
I have verified the exe I downloaded, so it is basically impossible for me to use an infected client; it is also hard to interpret the wallet creation process.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
Yeah, I have accepted the fact that the wallet file has been tampered with, and understand that there is close to zero chance for it to be recovered, just not sure how that happened.

When I create a wallet, I am very careful with the process, and that wallet is not my first, so I am fully aware of the process. So it's either my computer has been compromised or simply human error.
Before showing the white flag, can you tell us some (non-sensitive) information regarding the wallet,
for more efficient deductions:
  • Where did you download that portable Electrum?
  • Do the original wallet's bitcoin addresses start with "3", "1" or "bc1"?
  • Do the newly restored wallet's addresses start with the same character?

Also, double check on any blockexplorer if the addresses with balance reflect the same transactions as your "inbound" transactions.

I'm currently downloading Electrum Portable v3.1.3 to try to reproduce this.
-edit-
Works just fine, definitely not a bug of Electrum Version 3.1.3 Portable.
full member
Activity: 490
Merit: 102
If I open the wallet file in plain text, it shows random characters and numbers, not plain addresses or private key.
If you don't see ANY plain text when you open the wallet file in a text editor... and it's all just random chars, you have full encryption.

However, reading through all the symptoms, I think Abdussamad is correct. If the wallet file is using the same seed etc., but showing different addresses, then it would appear that the wallet file was tampered with somehow.

Yeah, I have accepted the fact that the wallet file has been tampered with, and understand that there is close to zero chance for it to be recovered, just not sure how that happened.

When I create a wallet, I am very careful with the process, and that wallet is not my first, so I am fully aware of the process. So it's either my computer has been compromised or simply human error.
HCP
legendary
Activity: 2086
Merit: 4363
If I open the wallet file in plain text, it shows random characters and numbers, not plain addresses or private key.
If you don't see ANY plain text when you open the wallet file in a text editor... and it's all just random chars, you have full encryption.

However, reading through all the symptoms, I think Abdussamad is correct. If the wallet file is using the same seed etc., but showing different addresses, then it would appear that the wallet file was tampered with somehow.
legendary
Activity: 3710
Merit: 1586
Well you have malware on that PC. It modified the wallet file and replaced the addresses with the malware author's. Your bitcoins are gone and nothing can be done to get them back. The only thing you can do now is to format the hard drive and reinstall the operating system. This is the only way to ensure that the malware doesn't cause you problems in future.

Sorry for your loss.
full member
Activity: 490
Merit: 102
Just to clarify... there are THREE states for an Electrum wallet with regards to encryption and password:

1. Unencrypted - Wallet file is in plain text, private keys are in plain text. No password required for opening or doing "sensitive actions"
2. Password Protected - Wallet file is in plain text, but private keys are encrypted with the password. No password is required for opening, but you need the password when doing "sensitive actions"
3. Fully Encrypted - Wallet file is completely encrypted, private keys are also encrypted. Password is required when opening the wallet... and also when doing "sensitive actions".

This is on a WALLET level... so different wallets can have different levels of password protection/encryption.

I am not sure what type my wallet is; when creating the wallet, I simply input the password following the Electrum instructions, so I am thinking it should be password protected.
When I open the Electrum application, it sometimes pops up an install wizard, telling me to provide the password for a wallet I previously opened.
Not sure if my understanding is correct or not; afaik, opening the wallet in a single session does not require a password, but if I restart my computer, it starts asking me for the password.
If I open the wallet file in plain text, it shows random characters and numbers, not plain addresses or private keys.
HCP
legendary
Activity: 2086
Merit: 4363
Just to clarify... there are THREE states for an Electrum wallet with regards to encryption and password:

1. Unencrypted - Wallet file is in plain text, private keys are in plain text. No password required for opening or doing "sensitive actions"
2. Password Protected - Wallet file is in plain text, but private keys are encrypted with the password. No password is required for opening, but you need the password when doing "sensitive actions"
3. Fully Encrypted - Wallet file is completely encrypted, private keys are also encrypted. Password is required when opening the wallet... and also when doing "sensitive actions".

This is on a WALLET level... so different wallets can have different levels of password protection/encryption.
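The three states HCP lists can be told apart from the wallet file itself without opening Electrum. The script below is an added example (not Electrum's code and not from this thread); it assumes Electrum's storage format, where a fully encrypted wallet is base64 text whose decoded bytes begin with the magic BIE1 (or BIE2 for xpub-encrypted wallets), and an unencrypted bip32 keystore stores its master key as a plain "xprv..." string and its seed as a word list.

```python
import base64
import binascii
import json

# Assumption about Electrum's on-disk format (taken from Electrum's storage
# code, not from this thread): a fully encrypted wallet is base64 text whose
# decoded bytes start with one of these magics; anything else is JSON.
FULL_ENCRYPTION_MAGICS = (b"BIE1", b"BIE2")


def _looks_like_plain_secret(keystore: dict) -> bool:
    """True if the keystore's secrets are readable (state 1: unencrypted)."""
    xprv = keystore.get("xprv") or ""
    seed = keystore.get("seed") or ""
    # A plaintext mainnet master key is Base58 starting with "xprv"; an
    # encrypted one is an opaque base64 blob, so the prefix is gone.
    if xprv.startswith("xprv"):
        return True
    # A plaintext seed is a list of lowercase words; an encrypted seed is not.
    words = seed.split()
    return len(words) >= 12 and all(w.isalpha() and w.islower() for w in words)


def classify_wallet_text(text: str) -> str:
    """Map a wallet file's contents to one of HCP's three states, or 'unknown'."""
    stripped = text.strip()
    # State 3: no plain text at all, just a base64 blob carrying Electrum's magic.
    try:
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        raw = b""
    if raw[:4] in FULL_ENCRYPTION_MAGICS:
        return "fully-encrypted"
    try:
        wallet = json.loads(stripped)
    except json.JSONDecodeError:
        return "unknown"
    keystore = wallet.get("keystore")
    if not isinstance(keystore, dict):
        return "unknown"
    if _looks_like_plain_secret(keystore):
        return "unencrypted"
    # State 2: the JSON is readable, but the keys inside the keystore are not.
    return "password-protected"


# Constructed samples with placeholder key material (not real wallets).
UNENCRYPTED_SAMPLE = json.dumps({
    "seed_version": 17, "seed_type": "standard", "use_encryption": False,
    "keystore": {"type": "bip32", "xprv": "xprvPLACEHOLDER",
                 "xpub": "xpubPLACEHOLDER", "seed": " ".join(["word"] * 12)}})
PROTECTED_SAMPLE = json.dumps({
    "seed_version": 17, "seed_type": "standard", "use_encryption": True,
    "keystore": {"type": "bip32", "xprv": "U2FsdGVkX1PLACEHOLDER==",
                 "xpub": "xpubPLACEHOLDER", "seed": "U2FsdGVkX1PLACEHOLDER=="}})
FULLY_ENCRYPTED_SAMPLE = base64.b64encode(b"BIE1" + b"\x00" * 60).decode()

if __name__ == "__main__":
    for name, sample in [("unencrypted", UNENCRYPTED_SAMPLE),
                         ("protected", PROTECTED_SAMPLE),
                         ("full", FULLY_ENCRYPTED_SAMPLE)]:
        print(name, "->", classify_wallet_text(sample))
```

Run it against a copy of the wallet file (never the live one) to learn which state applies before deciding whether a decryption step, as suggested later in the thread, is needed at all.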
full member
Activity: 490
Merit: 102
You said before that you get asked the password at the very start when opening the old wallet file. Was this always the case or was it possible in the past for you to open the wallet file and view transactions without having to enter a password? The password would only have been required when sending bitcoins.

Opening a previously opened wallet does not require a password; only when I am doing a sensitive action, or when opening another wallet from disk, does Electrum ask me for the password.
legendary
Activity: 3710
Merit: 1586
You said before that you get asked the password at the very start when opening the old wallet file. Was this always the case or was it possible in the past for you to open the wallet file and view transactions without having to enter a password? The password would only have been required when sending bitcoins.
full member
Activity: 490
Merit: 102
Decrypting the file is very easy. Go to wallet > password and enter your password in the first field only and click save. Then go to file > save copy to save a copy of the file somewhere convenient and then open it up in a plain text editor like notepad



Thanks for your tip; upon decrypting the file, the content is just what has been shown on the Electrum client, with the same addresses and the same transaction records, but the wrong keystore.

Some info:
seed_version: 17
seed_type: standard
Keystore type: bip32
legendary
Activity: 3710
Merit: 1586
Decrypting the file is very easy. Go to wallet > password and enter your password in the first field only and click save. Then go to file > save copy to save a copy of the file somewhere convenient and then open it up in a plain text editor like notepad

full member
Activity: 490
Merit: 102
• Someone somehow was able to put malware on my one month old computer, and somehow intervened in the wallet creation process and modified the wallet before I encrypted it.
• Electrum has a bug.

Maybe the seller put something on it?
Was the computer on offer from a corner shop somewhere that sells computers and electronics...
The bug thing is potentially likely.

I just had an idea, can you try going to the console and type "getmasterprivate" and try importing that into a new electrum wallet.

No, it is a custom PC I built, all with brand new components, and using a Windows ISO directly downloaded and installed from Microsoft.

Tried to import the master private key instead, but the result is the same as importing the seed. It shows me a different list of addresses.

Here's the thread you created there. You've since deleted the contents.

Re your electrum problem then it's likely malware that alters the wallet's contents and adds its own address to your wallet file. An example of an altered file is given here. When you open the original wallet do you get asked for the password at the very start or only when you go to spend from the wallet?

Just fyi, according to some Reddit archive search, the post was made by a user named Na297 and I have been using the same username for years. I am not sure what the content was, but I believe it is only a few sentences with no point, unlike my post which describes the details.

Thank you for that GitHub issue, at least someone is experiencing a similar situation to mine; I can't find any on the internet. The only difference I can see is the error code he received is '-1', while mine is '1', not sure if there is any difference.

In his case, the address is gone, and no funds are left in the wallet. But I am not; I still have the balance, just unable to send it. Also, he seems to have the same addresses after restoring it using the seed, while I am having a completely different list of addresses.

I get asked for the password every time I need to use the wallet, be it on startup or showing the seed. The wallet has been encrypted since it was created.

This is what I got from signature verification; it should be fine.

So far, I can think of two ways to identify the current issue.

• Decrypt the problematic wallet file and see what is wrong with the file, and perhaps find the actual private keys for the address.
• Use the 3.1.2 Electrum to generate a new seed, and import that seed to a 3.2.2 Electrum wallet to see if it is giving a wrong list of addresses.

I have done the second method, nothing seems off, all addresses matched perfectly.
I am not sure how I should decrypt the file safely yet.
legendary
Activity: 3710
Merit: 1586
I told you to create one post on a community forum and you went and created 3. 2 here and one on Reddit. You know the same people frequent all community sites? Making multiple posts doesn't help anyone.

I have never created any post on Reddit... Bitcointalk forum is the second community site I have posted on, after StackExchange.


Here's the thread you created there. You've since deleted the contents.

Re your electrum problem then it's likely malware that alters the wallet's contents and adds its own address to your wallet file. An example of an altered file is given here. When you open the original wallet do you get asked for the password at the very start or only when you go to spend from the wallet?
copper member
Activity: 2856
Merit: 3071
• Someone somehow was able to put malware on my one month old computer, and somehow intervened in the wallet creation process and modified the wallet before I encrypted it.
• Electrum has a bug.

Maybe the seller put something on it?
Was the computer on offer from a corner shop somewhere that sells computers and electronics...
The bug thing is potentially likely.

I just had an idea, can you try going to the console and type "getmasterprivate" and try importing that into a new electrum wallet.
full member
Activity: 490
Merit: 102
Not sure what you can see in a decrypted wallet file; for me it is just a bunch of Bitcoin addresses and some keys. If this works, I can simply send you the text and only remove the important private key from the text, no need for encryption.
I am not a pro in this area so forgive me for my ignorance.

Yes you can do that if you want, but then I'm probably quite limited in what I can help with...

Do you have any idea what might be happening from the look of it? I am considering two possibilities:

• Someone somehow was able to put malware on my one month old computer, and somehow intervened in the wallet creation process and modified the wallet before I encrypted it.
• Electrum has a bug.



I will be off for the next few hours, and I appreciate all of your inputs.
copper member
Activity: 2856
Merit: 3071
Not sure what you can see in a decrypted wallet file; for me it is just a bunch of Bitcoin addresses and some keys. If this works, I can simply send you the text and only remove the important private key from the text, no need for encryption.
I am not a pro in this area so forgive me for my ignorance.

Yes you can do that if you want, but then I'm probably quite limited in what I can help with...
full member
Activity: 490
Merit: 102
If I am sending you a wallet file and leave it unencrypted, that means my private key is also at risk, so I am not going to do that. But even if the file is encrypted, can you still get some idea from it? Also, there is no point in giving you free money just to damage your reputation.

Nah. You wouldn't send it decrypted, I'd get you to decrypt it and then use the encrypt function in your electrum wallet to encrypt the wallet with my bitcoin address asymmetrically (then I can use my private key to decrypt it)...

The second bit was my point entirely. If I get access to your wallet, then I cannot be held liable for anything that happens to the coins once it is transmitted, just in case a hacker does get hold of the stuff from your computer.

If you can asymmetrically encrypt a decrypted version of the wallet file with bc1qdj5v2q8p398rdy6sexc0fapk4hcq0p54xz56ez or 1JRmjyGo3kpdXcQeAeTBmGtgkC1AomHKED then I can take a look at it, but make sure you can't decrypt it with the same private key.

If instead you want to decrypt the main wallet file but keep the private keys encrypted (which is honestly what I'd suggest) then still encrypt the wallet file with one of those public keys/addresses...

(the encrypt function is just below the sign function under tools)

Once the wallet file is decrypted, even if the private keys are encrypted, the file should have plain English in it with {} separating individual parts (as far as I can remember).

Not sure what you can see in a decrypted wallet file; for me it is just a bunch of Bitcoin addresses and some keys. If this works, I can simply send you the text and only remove the important private key from the text, no need for encryption.
I am not a pro in this area so forgive me for my ignorance.