Electrum Mass Phishing Attacks: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Revision as of 12:57, 1 May 2023

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Electrum

Electrum was a highly popular wallet software for bitcoin. Since Electrum operates in a decentralized manner, anyone can set up a node. If a user connects to a node and tries to make a transaction, the node may report an error, typically a string which is passed through from the bitcoind software. To assist with usability, formatted text is allowed as output.

Users of the Electrum wallet came under an elaborate phishing attack. Malicious operators set up a large number of Electrum nodes across a diverse range of IP addresses. When users would connect to these nodes and attempt to send a transaction, they would receive back an error message that informed them of the need to upgrade their Electrum wallet to "v3.4.1", which had an "important security update" that "provides a fix for a transaction deserialization vulnerability". The update was available from the open source "electrum-project" GitHub repository, which bore a striking resemblance to the official Electrum GitHub repository.

The message was grammatically correct and the link went to a legitimate Github repository on the Github website. Users who failed to carefully check the exact URL of the Github repository or carefully review the repository ownership would have been convinced they were installing a legitimate update to their Electrum wallet. It appears that the update made the private key of any wallets available to the attackers, who could then spend freely from their new-found coins.

Overall, approximately $800,000 USD worth of bitcoin was successfully taken from wallet users. There is no evidence that any of these funds were ever recovered.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23]

About Electrum

"Securing Bitcoin payments since 2011, Electrum is one of the most popular Bitcoin wallets. Electrum is fast, secure and easy to use. It suits the needs of a wide spectrum of users." "Electrum verifies that your transactions are in the Bitcoin blockchain. Because Bitcoin is not about trust, It is about freedom and independence." "Sign transactions from a computer that is always offline. Broadcast them from a machine that does not have your keys" "Be safe from malware. Use two-factor authentication by Electrum and Trustedcoin."

"Electrum is free software. Released under the MIT License. Anyone can run an Electrum server. No single entity controls the network." "Electrum has various user interfaces. It can be used on mobile, desktop or with the command line interface." "Electrum supports hardware wallets: Ledger, Trezor, Keepkey" "Split the permission to spend your bitcoins between several wallets."

"Electrum is a light client, which means it must connect to the blockchain through a server, which by default is chosen from a list of public Electrum servers. Anyone can operate such a public server and some users will be randomly connected to it."

"You can specify a specific server to connect to, but by default, it connects to a random peer. There are no "authorized servers". By design, they cannot interfere with bitcoin transactions made by clients except: 1) lie about account balances and 2) not relay a valid transaction to the rest of the network. The problem here is its messaging capability that communicates directly with its connected clients. There is no authenticity of any messages created by any stratum servers - only what the manager of that server wants to say."

"Electrum, a wallet service like Blockchain.com, has been plagued with several phishing attacks. The issues have dated back to 2018, with accounts confirming that hackers had stolen almost $1 million in cryptocurrencies from users."

"The hacker setup a whole bunch of malicious servers. If someone's Electrum Wallet connected to one of those servers, and tried to send a BTC transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL."

The attack was picked up by Reddit user u/normal_rc, who posted that "the hacker setup a whole bunch of malicious servers."

"If someone's Electrum wallet connected to one of those servers, and tried to send a BTC (bitcoin) transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL," u/normal_rc wrote.

"There is an ongoing phishing attack against Electrum users. Our official website is https://electrum.org Do not download Electrum from any other source."

"At the time of reports, the wallet address linked with the scam reportedly held 243 BTC. Since then, over 500 BTC tokens have moved in and out of it. The wallet is also empty."

"Technically speaking, even though the term 'hacked' is broad, what happened was an attacker utilized the server response/messaging capability to phish users (it was more convincing because rich text was allowed to display in the electrum client). The message provided a link to "upgrade electrum", but was actually installing a malicious clone."

"I fell for this.. I was in a hurry and half paying attention (I know) but I didn't even think about getting phished at first since it was a pop up in the real Electrum. I should have known better though." "When you download the fake client they must get your seed/password somehow. I wiped Electrum files then restored the wallet from seed and put a very small amount in there and let it sit. They just emptied the wallet again about 30 [minutes] ago."

"Perhaps. But the fact that the official client sent me to a phishing website is absurd. The client itself told me to go to electrumpal and update. I sent a not insubstantial amount of money to some rando without my knowledge."

"It has just happened to me, and while I understand that any software can have security holes, the Electrum website barely mentions this problem. They could have used the broadcasting message to let all users know about this problem and urge them to update. It might have saved me $270. If the next security issue is also going to be swept under the rug like this, I rather migrate to another client."

"There is no "broadcast message" functionality. The exploit is that when the user broadcasts a transaction to the connected server, the server can send back an error message. And we actually did use this functionality to warn users; but this only works if you happen to connect to an honest server."

Gregory Maxwell said "In Bitcoin Core we have been fairly aggressive about not displaying human readable text sourced from the network (peers, transactions, or blocks) to users specifically because of the potential for this kind of attack. I have previously recommended everyone else do the same, and I would continue to recommend it here."

"The attack on wallet users began on Friday last week, December 21, and appears to have been halted after GitHub admins acted, according to Electrum developers."

"The client (since 3.3.3) only displays error messages from a hardcoded-in-client set. The server still sends arbitrary messages (see referenced links as to why) and then the client matches them with a long list of regexes, to one of the hardcoded error messages (or "unknown error")." "3.3.4 also catches errors for other lower risk methods."

"The bitcoin market appears to have been spooked by reports last night the Electrum cryptocurrency wallet has had almost 250 bitcoin, worth almost $1 million, stolen—however, movements on the cryptocurrency market are famously hard to explain. What caused today's sudden rebound was not immediately clear."

"Even after the news broke, Electrum continued to suffer several security issues. There was a distributed denial of service (DDoS) attack that had significant similarities to the 2018 phishing scam as it also misled victims using fake software updates."

"And years later people are still being [a]ffected by this bug to the tune of millions of dollars. This is insane, and you should be liable for the damages here. Rendering arbitrary HTML on an error update page for a financial tool is not OK. I'll be sending this to my local authorities."

"ADVICE: Ignore any "update" notifications in Electrum. I'm not 100% certain, but if you never downloaded the "update", your wallet & funds should be ok."
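The two behaviours contrasted in the quotes above, the pre-fix client rendering whatever string the server returned as rich text, and the 3.3.3+ behaviour of matching the untrusted string against a list of regexes and showing only a hardcoded client-side message (or "unknown error"), written out as a small Python illustration. This is an added example, not Electrum's own code: the regex list, the fixed messages, the suspicious-content check, and both sample server strings (including the placeholder URL) are constructed for this example.

```python
import re

# Constructed sample of the kind of rich-text "error" a malicious server could
# return on transaction broadcast. The URL is a placeholder, not a real site.
MALICIOUS_SERVER_ERROR = (
    "<b>Important security update</b><br>"
    "Please upgrade your Electrum wallet to v3.4.1. "
    '<a href="https://example.invalid/electrum-project">Download here</a>'
)

# Constructed sample of an ordinary bitcoind-style rejection string.
GENUINE_SERVER_ERROR = (
    "the transaction was rejected by network rules.\n\n"
    "min relay fee not met, 100 < 200\n"
)


def vulnerable_display(server_error: str) -> str:
    """Pre-fix pattern: the server's string is handed to a rich-text widget
    unchanged, so any markup or link chosen by the server gets rendered."""
    return server_error


# Allowlist: each regex over the *untrusted* string selects a fixed message
# owned by the client. These patterns and messages are this example's own
# (assumed), not Electrum's actual list.
ERROR_PATTERNS = [
    (re.compile(r"min relay fee not met", re.I), "Transaction fee is below the minimum relay fee."),
    (re.compile(r"insufficient fee", re.I), "Transaction fee is too low."),
    (re.compile(r"missing inputs", re.I), "Transaction inputs are missing or already spent."),
    (re.compile(r"\bdust\b", re.I), "Transaction contains a dust output."),
    (re.compile(r"non-final", re.I), "Transaction is not final yet."),
]
UNKNOWN_ERROR = "Unknown error from server."


def hardened_display(server_error: str) -> str:
    """Post-fix pattern: never show the server's words. Map the untrusted
    text to one of the hardcoded messages via the regex allowlist, and fall
    back to a generic message when nothing matches."""
    for pattern, message in ERROR_PATTERNS:
        if pattern.search(server_error):
            return message
    return UNKNOWN_ERROR


# Detection aid: flag server responses carrying markup or links, which a
# legitimate bitcoind rejection string never needs. A bare "<" followed by a
# space (as in "100 < 200") is not treated as a tag.
_MARKUP_OR_LINK = re.compile(r"<[A-Za-z/!][^>]*>|https?://", re.I)


def looks_suspicious(server_error: str) -> bool:
    """True when the raw server string contains HTML-like tags or a URL."""
    return _MARKUP_OR_LINK.search(server_error) is not None


if __name__ == "__main__":
    for label, err in (("malicious", MALICIOUS_SERVER_ERROR), ("genuine", GENUINE_SERVER_ERROR)):
        print(f"[{label}] vulnerable -> {vulnerable_display(err)!r}")
        print(f"[{label}] hardened   -> {hardened_display(err)!r}")
        print(f"[{label}] suspicious -> {looks_suspicious(err)}")
```

The point of the allowlist design is that the server's text never reaches the display path at all: the only strings a user can ever see are the ones compiled into the client, so a server that controls the error field gains no ability to put its own wording, markup or links in front of the user. The `looks_suspicious` check is the kind of thing a client or a server-list maintainer could log to spot servers that are abusing the error channel.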

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Electrum Mass Phishing Attacks

Date: December 27th, 2018 12:22:28 AM MST
Event: Main Event
Description: Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $937,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Always bookmark the official links of every service which you use. Never download an update from any other location, even if prompted within the software. If you suspect that the official website of a service has changed, check with friends or post online to see if the link is moved.

Whenever you complete a wallet upgrade or install a new wallet software, always try the new setup first with a smaller wallet and amount. It is recommended to keep the vast majority of funds fully offline in a cold storage wallet with no keys ever stored online.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. British Financial Watchdog Sounds Warning on Phony Blockchain.com Website - InsideBitcoins.com (Dec 11, 2022)
  2. Electrum Bitcoin Wallet (Jun 7, 2022)
  3. Flathub—An app store and build service for Linux (Jul 7, 2022)
  4. Electrum Reviews and Pricing 2022 (Jul 7, 2022)
  5. Electrum - Free download and software reviews - CNET Download (Jul 7, 2022)
  6. Bitcoin User Losses $16.2 Million in BTC After Using an Old Electrum Wallet - TheCoinsPost (Jul 7, 2022)
  7. Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside... : CryptoCurrency (Jul 7, 2022)
  8. Address: 14MVEf1X4Qmrpxx6oASqzYzJQZUwwG7Fb5 | Blockchain Explorer (Jul 7, 2022)
  9. Address: 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj | Blockchain Explorer (Jul 7, 2022)
  10. Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside... : CryptoCurrency (Jul 7, 2022)
  11. Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside... : CryptoCurrency (Jul 7, 2022)
  12. UPDATE: Bitcoin, Ripple (XRP), And Ethereum Rebound In Fast-Moving Market (Jul 7, 2022)
  13. @ElectrumWallet Twitter (Jul 7, 2022)
  14. when broadcasting transaction, error message from server is displayed as is · Issue #4968 · spesmilo/electrum · GitHub (Jul 7, 2022)
  15. Electrum Wallet Hacked, 200 BTC Stolen over Christmas (Jul 7, 2022)
  16. Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside... : CryptoCurrency (Jul 7, 2022)
  17. stolen bitcoin from Electrum · Issue #5452 · spesmilo/electrum · GitHub (Jul 7, 2022)
  18. network: catch untrusted exceptions from server in public methods · spesmilo/electrum@38ab7ee · GitHub (Jul 7, 2022)
  19. @RichardHeartWin Twitter (Jul 7, 2022)
  20. Phishing Attack on Electrum Wallet Nets Hacker Almost $1 Million in Hours: Report (Jul 7, 2022)
  21. Hackers Steal 250 BTC from Electrum Bitcoin Wallets | Finance Magnates (Jul 7, 2022)
  22. https://user-images.githubusercontent.com/29142493/50359293-8780b500-055c-11e9-8cfd-83b342edeffb.png (Jul 7, 2022)
  23. MY ELECTRUM JUST GOT HACKED : Electrum (Jul 7, 2022)