Bitcoin Forum

Bitcoin => Electrum => Topic started by: silvertrade on May 21, 2018, 03:18:55 PM



Title: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: silvertrade on May 21, 2018, 03:18:55 PM
hello friends just to let the bitcoin community know that to my best knowledge I have figured out that
on 10th may 2018 I lost BTC0.00564505 bitcoin worth $50 at rate $8900 due to a hacking issue and unauthorized transaction
caused inside my electrum-2.9.3-portable version which was encrypted with a 24-digit complex password.

here I want to mention that it is my 3rd created Electrum account for safety reasons where I used a new unique
seed to create my wallet and put a password on it. and that my pc is never shared with anyone, not given
to repairmen and I have an up to date Windows 8.1 platform with Avast antivirus and an up to date router
which cannot easily be hacked. so hope it will be a good notification to record for inquiry.

the transaction id is: https://blockchain.info/tx/af59d8a4cf4a7f0582055b6edf0d0ffecd4072974fc8c2631e3cd3de8d3152a5

it's to be noted that the hacker took all my balance at once causing my account to be turned out to be 0.


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: LoyceV on May 21, 2018, 03:39:28 PM
electrum-2.9.3-portable version
Vulnerabilities in older versions of Electrum have been known since January this year, see Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade (https://bitcointalk.org/index.php?topic=2721388.0).
You may want to move (see left-bottom of this page) this thread to the Electrum (https://bitcointalk.org/index.php?board=98.0) board.


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: achow101 on May 21, 2018, 03:41:01 PM
Electrum versions between 2.6 and 3.0.4 are known to be vulnerable (https://github.com/spesmilo/electrum-docs/blob/master/cve.rst) and you should upgrade immediately.

Unfortunately there is nothing that can be done to recover your Bitcoin.
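
The version range given in the replies above can be checked mechanically against the Electrum builds found on a machine. The following is an added example, not part of the original posts and not Electrum's own code; the function names and the sample file names are assumptions made for illustration, and the range 2.6 to 3.0.4 is treated as inclusive at both ends.

```python
import re

# Vulnerable range as stated in this thread: Electrum 2.6 up to 3.0.4.
# Treating both ends as inclusive is an assumption of this example.
VULN_MIN = (2, 6, 0)
VULN_MAX = (3, 0, 4)

_NUM = r"(\d+\.\d+(?:\.\d+)?)"
_IN_NAME = re.compile(r"electrum[-_ ]v?" + _NUM, re.IGNORECASE)
_BARE = re.compile(r"v?" + _NUM)


def parse_version(text):
    """Return (major, minor, patch) from a file name or bare version, else None."""
    m = _IN_NAME.search(text) or _BARE.fullmatch(text.strip())
    if m is None:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "2.6" compares as 2.6.0
    return tuple(parts)


def is_vulnerable(text):
    """True/False for a recognised version, None when no version was found."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuples of ints compare numerically, so 2.10 sorts after 2.9
    # (a plain string comparison would get that wrong).
    return VULN_MIN <= version <= VULN_MAX


def audit(names):
    """Map each name to 'VULNERABLE', 'ok' or 'unknown'."""
    labels = {True: "VULNERABLE", False: "ok", None: "unknown"}
    return {name: labels[is_vulnerable(name)] for name in names}


# Constructed sample: the first two versions are the ones named in the thread,
# the rest are made-up file names that exercise the range boundaries.
SAMPLE = [
    "electrum-2.9.3-portable.exe",
    "electrum-3.1.3-portable.exe",
    "electrum-3.0.4.exe",
    "Electrum-2.6",
    "electrum-2.5.4.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:32} {verdict}")
```

Names that carry no recognisable version come back as "unknown" rather than "ok", so they are left for a manual check.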


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: silvertrade on May 21, 2018, 04:42:23 PM
hey yes just surfed a bit and found Electrum 2.6 to 3.0.4 was vulnerable by jsonrpc command for 2 years already.
so nothing new, my bad actually, just updated Electrum to 3.1.3 latest version as of today. thanks


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: jackg on May 21, 2018, 05:16:58 PM
electrum-2.9.3-portable version
Vulnerabilities in older versions of Electrum have been known since January this year, see Vulnerability discovered in Electrum 2.6 to 3.0.4: please upgrade (https://bitcointalk.org/index.php?topic=2721388.0).
You may want to move (see left-bottom of this page) this thread to the Electrum (https://bitcointalk.org/index.php?board=98.0) board.

The vulnerability shouldn't be too much of an issue if the Electrum wallet is encrypted. Unless it gets decrypted while the user is on another page/has an established connection with an untrustworthy server.

Unless the payto field gets edited also via jsonrpc calls.

@op, I'd suggest a full virus scan on your computer before putting the new software on in case it's a virus. There's free software like Malwarebytes and free trials of other services like McAfee.


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: posi on May 21, 2018, 06:39:33 PM
Well, like they said, mistake made and lesson learned. I believe the OP was the one who didn't know the issue that Electrum 2.9.3 is facing, because the Electrum wallet owner has announced the wallet to be vulnerable and they advise people to use the updated one.


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: NeuroticFish on May 21, 2018, 06:47:49 PM
@op, I'd suggest a full virus scan on your computer before putting the new software on in case it's a virus. There's free software like Malwarebytes and free trials of other services like McAfee.

I even advise to burn a bootable CD and scan from it. Kaspersky (https://support.kaspersky.com/viruses/krd2018#downloads) or Avira (https://www.avira.com/en/download/product/avira-rescue-system) are 2 pretty good options.
The idea is that the chance the Electrum vulnerability was used is smaller than the chance you have some surprise on your system. Afaik for the vulnerability to be exploited Electrum should have been kept running.
(And yes, I've read that you have Avast on, but no antivirus is perfect).


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: jackg on May 21, 2018, 07:21:36 PM
@op, I'd suggest a full virus scan on your computer before putting the new software on in case it's a virus. There's free software like Malwarebytes and free trials of other services like McAfee.

I even advise to burn a bootable CD and scan from it. Kaspersky (https://support.kaspersky.com/viruses/krd2018#downloads) or Avira (https://www.avira.com/en/download/product/avira-rescue-system) are 2 pretty good options.
The idea is that the chance the Electrum vulnerability was used is smaller than the chance you have some surprise on your system. Afaik for the vulnerability to be exploited Electrum should have been kept running.
(And yes, I've read that you have Avast on, but no antivirus is perfect).

A single AV software on its own is good, but it can be hijacked by the virus in some circumstances, no doubt the thief has tried that to get more money. It also needs for you to be sending a transaction while simultaneously on a website for that call to work if the wallet is password protected. (I'd suggest using preview before the send part and sign and broadcast it so you can verify that anything is acting normally).


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: pooya87 on May 22, 2018, 03:33:56 AM
terrible title because it is wrong. even with the JSONRPC vulnerability it is highly unlikely to lose any coins because first of all you have to have your Electrum wallet open and a malicious website that uses this vulnerability at the same time and that steals your coins. not to mention that the wallet has to have no password for this to work otherwise having the simplest passwords will prevent this.
there is a 99% chance that this is a human error that led to leakage of password or private keys or seed and then loss of funds.


Title: Re: bitcoin is hackable on electrum-2.9.3-portable news may 2018
Post by: audaciousbeing on May 22, 2018, 09:49:19 AM
terrible title because it is wrong. even with the JSONRPC vulnerability it is highly unlikely to lose any coins because first of all you have to have your Electrum wallet open and a malicious website that uses this vulnerability at the same time and that steals your coins. not to mention that the wallet has to have no password for this to work otherwise having the simplest passwords will prevent this.
there is a 99% chance that this is a human error that led to leakage of password or private keys or seed and then loss of funds.

This is just the perfect explanation of what could have happened because by default, the software gives you the option of creating a password before proceeding to launch and even asks you for passwords before showing any sensitive information or transferring funds out of the wallet. If you then choose to ignore the opportunity to keep you safe at the minimum, then it's your fault entirely and no one else's. I am happy for him that he didn't lose more than that amount because the same reception of not upgrading and being out of date would still be the same and there is nothing anybody would be able to do about it.