UNKNOWN

DECEMBER 2018

GLOBAL

ELECTRON CASH

DESCRIPTION OF EVENTS

"Electron Cash is a Bitcoin Cash (BCH) cryptocurrency wallet that was created to protect users’ funds. This Bitcoin Cash wallet offers support only to Bitcoin Cash and it has some of the best security standards for a BCH wallet." "Electron Cash is one of the most used Bitcoin Cash wallets. This open-source project released two different wallets: one for desktop users and another one for smartphone crypto holders. The main characteristic of this wallet is that it only offers support to Bitcoin Cash." "Control your own private keys. Easily back up your wallet with a mnemonic seed phrase. Enjoy high security without downloading the blockchain or running a full node."


"SPV stands for Simplified Payment Verification. It was first described by Satoshi Nakamoto in the original Bitcoin whitepaper. This method allows a wallet to provide strong security without the need for downloading the blockchain or running a full node. SPV lets you validate your own transactions by ensuring they are confirmed in the blockchain. It uses the best header chain with the most cumulative proof of work and the correct hashing difficulty level. Electron Cash relies on a distributed network of servers which handle the heaviest part of blockchain operations. Your private keys sign transactions locally. They are never sent to the servers."


Electron Cash "is a light client, which means it must connect to the blockchain through a server, which by default is chosen from a list of public [ElectrumX] servers. Anyone can operate such a public server and some users will be randomly connected to it."


"You can specify a specific server to connect to, but by default, it connects to a random peer. There are no "authorized servers". By design, they cannot interfere with bitcoin transactions made by clients except: 1) lie about account balances and 2) not relay a valid transaction to the rest of the network. The problem here is its messaging capability that communicates directly with its connected clients. There is no authenticity of any messages created by any stratum servers - only what the manager of that server wants to say."


"The hacker set up a whole bunch of malicious servers. If someone's [Electron Cash] Wallet connected to one of those servers, and tried to send a BTC transaction, they would see an official-looking message telling them to update their [Electron Cash] Wallet, along with a scam URL."


"Same is happening with Electron Cash with malicious ElectrumX servers." "Several Electron Cash nodes were spun up recently and these will output [a convincing] error when you attempt to send a transaction."


"Technically speaking, even though the term 'hacked' is broad, what happened was an attacker utilized the server response/messaging capability to phish users (it was more convincing because rich text was allowed to display in the electrum client). The message provided a link to "upgrade", but was actually installing a malicious clone." "This has nothing to do with SPV scheme, more like social engineering, phishing."


"I fell for this.. I was in a hurry and half paying attention (I know) but I didn't even think about getting phished at first since it was a pop-up in the real electrum. I should have known better though." "When you download the fake client they must get your seed/password somehow. I wiped electrum files then restored the wallet from seed and put a very small amount in there and let it sit. They just emptied the wallet again about 30 [minutes] ago."


"For the curious, the fraudulent client you download from the fake site (real site has no hyphen) steals your privkey and uploads to their server at gbdfcppl dot site. Do not download the fake client!" The change "grabs your private keys and uploads them to the guy's server."


"There is no "broadcast message" functionality. The exploit is that when the user broadcasts a transaction to the connected server, the server can send back an error message. And we actually did use this functionality to warn users; but this only works if you happen to connect to an honest server."


Gregory Maxwell said "In Bitcoin Core we have been fairly aggressive about not displaying human readable text sourced from the network (peers, transactions, or blocks) to users specifically because of the potential for this kind of attack. I have previously recommended everyone else do the same, and I would continue to recommend it here."


"The client (since 3.3.3) only displays error messages from a hardcoded-in-client set. The server still sends arbitrary messages (see referenced links as to why) and then the client matches them with a long list of regexes, to one of the hardcoded error messages (or "unknown error")." "3.3.4 also catches errors for other lower risk methods."


"Fortunately having read the procedure several times I had the presence of mind not to consider downloading v3.4.1 so I'll be sure to select a different server and try again, viewing the list of attacker servers indeed the one I had selected from that list was 'wlseuser12.bitcoinplug.website:50002:s',"


"Half an hour ago I sent out multiple abuse report e-mails to Amazon, Choopa, DigitalOcean, Linode, Lunanode (OVH), Vultr, as well as REG.RU (reg.com), which is the registrar responsible for the malicious electron-cash.org domain. Linode just now replied that they have removed the user from their platform. Amazon finally identified the operator and removed them from their services as well. The remaining cloud providers haven't replied."

Electron Cash is a highly popular wallet software for bitcoin cash. Since Electron Cash operates in a decentralized manner, anyone can set up a node. If a user connects to a node and tries to make a transaction, the node may report an error, typically a string which is passed through from the bitcoind software. To assist with usability, formatted text is allowed as output.
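The pass-through behaviour described in this paragraph, next to the fix quoted earlier (the client matches the untrusted server string against a regex list and displays only a hardcoded message, or "unknown error"), as an added Python example. This is not Electron Cash or Electrum code; the regex table, the messages and the sample server responses are constructed for illustration.

```python
import html
import re

# Constructed allow-list for this example (the real client's table is longer):
# each regex maps an untrusted server string to one fixed, client-authored message.
KNOWN_ERRORS = [
    (r"\bmissing inputs\b",
     "Missing inputs: the transaction spends coins that are unknown or already spent."),
    (r"\binsufficient priority\b|\bmin relay fee not met\b",
     "Insufficient fee: the fee is too low for the network to relay the transaction."),
    (r"\bdust\b",
     "Dust output: one of the outputs is below the dust threshold."),
    (r"\btransaction already in block chain\b",
     "This transaction has already been confirmed."),
]
UNKNOWN_ERROR = "Unknown error from server. Try connecting to a different server."


def render_unsafe(server_error: str) -> str:
    """'Before' behaviour: the raw server string is handed to a rich-text widget,
    so any markup or link chosen by the server operator is shown to the user."""
    return server_error


def render_safe(server_error: str) -> str:
    """'After' behaviour: the untrusted string only selects a message from the
    hardcoded set; none of its bytes are ever displayed."""
    for pattern, client_message in KNOWN_ERRORS:
        if re.search(pattern, server_error, re.IGNORECASE):
            return client_message
    return UNKNOWN_ERROR


def log_sanitized(server_error: str, limit: int = 120) -> str:
    """For debug logs only: escape markup and truncate, so the raw text can be
    inspected later without being interpreted by anything that renders HTML."""
    return html.escape(server_error)[:limit]


if __name__ == "__main__":
    # Constructed sample responses: one genuine bitcoind-style rejection and one
    # operator-controlled message carrying markup and a link.
    samples = [
        "the transaction was rejected by network rules.\n\n66: insufficient priority",
        "<b>Upgrade required.</b> Get the fix <a href='https://example.invalid'>here</a>",
    ]
    for s in samples:
        print("unsafe:", render_unsafe(s))
        print("safe:  ", render_safe(s))
        print("log:   ", log_sanitized(s))
```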


Users of the Electron Cash wallet came under an elaborate phishing attack. Malicious operators set up a large number of Electron Cash nodes across a diverse range of IP addresses. When users would connect to these nodes and attempt to send a transaction, they would receive back an error message that informed them of the need to upgrade their Electron Cash wallet to "v3.4.1", which had an "important security update" that "provides a fix for a transaction deserialization vulnerability". The update was available from a domain similar to that of the official Electron Cash website.


The message was grammatically correct and the link went to a very similar URL. Users who failed to carefully check the exact URL of the link would have been convinced they were installing a legitimate update to their Electron Cash wallet. It appears that the update made the private key of any wallets available to the attackers, who could then spend freely from their new-found coins.


It is unknown how much bitcoin cash was taken. A similar attack at the same time on Electrum netted the attackers almost $1m worth of bitcoin.

HOW COULD THIS HAVE BEEN PREVENTED?

Always bookmark the official links of every service which you use. Never download an update from any other location, even if prompted within the software. If you suspect that the official website of a service has changed, check with friends or post online to see if the link is moved.


Whenever you complete a wallet upgrade or install a new wallet software, always try the new setup first with a smaller wallet and amount. It is recommended to keep the vast majority of funds fully offline in a cold storage wallet with no keys ever stored online.



Sources And Further Reading

British Financial Watchdog Sounds Warning on Phony Blockchain.com Website - InsideBitcoins.com (Dec 11)
Electrum Bitcoin Wallet (Jun 7)
Flathub—An app store and build service for Linux (Jul 7)
Electrum Reviews and Pricing 2022 (Jul 7)
Electrum - Free download and software reviews - CNET Download (Jul 7)
Bitcoin User Losses $16.2 Million in BTC After Using an Old Electrum Wallet - TheCoinsPost (Jul 7)
Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside... : CryptoCurrency (Jul 7)
Address: 14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5 | Blockchain Explorer (Jul 7)
Address: 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj | Blockchain Explorer (Jul 7)
UPDATE: Bitcoin, Ripple (XRP), And Ethereum Rebound In Fast-Moving Market (Jul 7)
@ElectrumWallet Twitter (Jul 7)
when broadcasting transaction, error message from server is displayed as is · Issue #4968 · spesmilo/electrum · GitHub (Jul 7)
Electrum Wallet Hacked, 200 BTC Stolen over Christmas (Jul 7)
stolen bitcoin from Electrum · Issue #5452 · spesmilo/electrum · GitHub (Jul 7)
network: catch untrusted exceptions from server in public methods · spesmilo/electrum@38ab7ee · GitHub (Jul 7)
@RichardHeartWin Twitter (Jul 7)
Phishing Attack on Electrum Wallet Nets Hacker Almost $1 Million in Hours: Report (Jul 7)
Hackers Steal 250 BTC from Electrum Bitcoin Wallets | Finance Magnates (Jul 7)
https://user-images.githubusercontent.com/29142493/50359293-8780b500-055c-11e9-8cfd-83b342edeffb.png (Jul 7)
MY ELECTRUM JUST GOT HACKED : Electrum (Jul 7)
PSA Electron Cash Users (SCAM WARNING): If prompted to update, do not do it : btc (Oct 15)
Wayback Machine (Oct 15)
Electron Cash users: beware the error message phishing scam happening right now! : btc (Oct 15)
https://i.imgur.com/R1C2wz6.png (Oct 15)
Electron Cash (Oct 15)
https://i.imgur.com/EuxuEug.png (Oct 15)
What Is Electron Cash? | UseTheBitcoin (Oct 15)
normal_rc comments on PSA Electron Cash Users (SCAM WARNING): If prompted to update, do not do it (Oct 17)
