Bitcoin Forum

Bitcoin => Electrum => Topic started by: gigabyte76 on January 29, 2019, 11:36:16 AM



Title: Lost all funds after wallet open (v.3.3.3)
Post by: gigabyte76 on January 29, 2019, 11:36:16 AM
Hello,
sorry for my poor English. I have lost all my BTC just after opening Electrum v.3.3.3.
I will try to describe what happened.
I had an old version of Electrum, v. 2.5.2, on my PC with Win 10. So I opened it, but its status was still "Synchronizing".
So I thought I probably had an old version and I looked on the webpage Electrum.org for a new one and downloaded this file: https[Suspicious link removed]
When it started, it was synchronized after maybe 30 seconds and I saw all my funds, but after a while a new outgoing transaction appeared, which sent all my BTC to this address:  1NRzWJZHJbUbKTjYtS1xKmFF1uZq7p6rXD
Transaction ID is:  48d5071da6d8859f69764ca951186de63b719f6067350f3abc7bc4f9566f4f35
But I really did not make any transaction; it was made somehow automatically.
My first idea was that I have malware on my PC, but I have Comodo Internet Security with active realtime protection installed on my PC, which did not find any malware, and I checked it with the ESET online scanner with the same result.
Can someone explain to me what could have happened? There is no chance to get my BTC back, am I right?
Thank you.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: joniboini on January 29, 2019, 11:39:43 AM
Quote from: gigabyte76 on January 29, 2019, 11:36:16 AM
So I thought I probably had an old version and I looked on the webpage Electrum.org for a new one and downloaded this file: https[Suspicious link removed]

Your link is deleted; it seems it was detected as a suspicious link. Are you sure you downloaded the correct one?[1] Have you verified the signature? There's a possibility that you downloaded a malicious app.

Quote from: gigabyte76 on January 29, 2019, 11:36:16 AM
Can someone explain to me what could have happened? There is no chance to get my BTC back, am I right?
Thank you.

1. You downloaded a malicious app, which steals your private key and sends it to the creator. If you really did download Electrum from Thomas, then something like this won't happen.
2. There's a keylogger on your PC, but it looks unlikely considering you never had any problems when you opened your previous wallet (I assume you use it regularly).

Unfortunately, it's not possible to get your BTC back. I'm sorry for your loss.


[1] https://electrum.org/#download


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: gigabyte76 on January 29, 2019, 11:52:25 AM
You are probably right. I did not do the signature check (I am stupid, I know).
I am writing this on the latest Firefox, and I also downloaded Electrum from Firefox. Now, when I download it from MS Edge, it is a slightly smaller file, so I probably had something wrong with Firefox...


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: mocacinno on January 29, 2019, 11:55:00 AM
Quote from: gigabyte76 on January 29, 2019, 11:52:25 AM
You are probably right. I did not do the signature check (I am stupid, I know).
I am writing this on the latest Firefox, and I also downloaded Electrum from Firefox. Now, when I download it from MS Edge, it is a slightly smaller file, so I probably had something wrong with Firefox...

The browser shouldn't matter... Unless you installed malicious plugins in your browser, the downloaded file should be exactly the same.

Like joniboini already said: you should always check the signature of your wallet.

I agree with joniboini's analysis, and i'd say that you either:
  • Downloaded a malicious version of electrum
  • Have an infected PC (a virus scanner isn't a 100% guarantee)
  • Have leaked your recovery seed, xprv or individual private keys
  • Made a transfer yourself, or maybe somebody else with access to your pc made the transfer


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: gigabyte76 on January 29, 2019, 12:18:24 PM
Yes, I know I installed a malicious version of Electrum, but I still do not understand how I can download a different file from Firefox than from MS Edge. When I visit electrum.org from Firefox, it looks the same as on Edge; it has the same SSL certificate.
My only extension on Firefox is an adblocker.
I know it is my fault that I did not check the signature. I am only afraid that I still have some malware on my PC, but that is another problem.
But right now I have downloaded the "clean" wallet from Firefox too; it is weird...
Once again, thank you for your help.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: TryNinja on January 29, 2019, 12:42:59 PM
Quote from: gigabyte76 on January 29, 2019, 12:18:24 PM
Yes, I know I installed a malicious version of Electrum, but I still do not understand how I can download a different file from Firefox than from MS Edge. When I visit electrum.org from Firefox, it looks the same as on Edge; it has the same SSL certificate.
My only extension on Firefox is an adblocker.
I know it is my fault that I did not check the signature. I am only afraid that I still have some malware on my PC, but that is another problem.
But right now I have downloaded the "clean" wallet from Firefox too; it is weird...
Once again, thank you for your help.

Get the download URL of both files and post them here. At least one of them didn't come from electrum.org.

Open your Downloads page in each browser, right-click the file in the download history and there should be an option to copy the URL.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: gigabyte76 on January 29, 2019, 01:15:08 PM
Yes, the fake one comes from e l e c l r u m .org, not from electrum.org.
But when I type e l e c l r u m .org (without spaces, of course), it redirects me to electrum.org, where I can download the clean wallet right now.
Maybe I had some malware and now I am clean, but the redirection is weird...


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: mocacinno on January 29, 2019, 01:17:12 PM
It's all hindsight at the moment; nothing we tell you will help you recover your funds... However... If it were me who had had this problem, I wouldn't just assume my system was clean and install a fresh wallet after something like this happened.

I'd either keep scanning my system until the malware was found and I was 100% sure it was removed, or (even better) I'd scratch my system and completely reinstall the OS. It's bad system hygiene to install any unknown apps, plugins, ... on a system you use for managing your finances.

If you're really serious about crypto, I'd recommend either buying a hardware wallet, starting to use paper wallets that have been created 100% offline, or starting to use an air-gapped machine for signing transactions.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: gigabyte76 on January 29, 2019, 01:37:38 PM
I know, it is only my fault...
Maybe the "original" site was hacked at the time of my download.
But the redirection from the "hackers'" site eleclrum to the original electrum site is still really weird. It redirects me like that on all my PCs, smartphone etc.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: mocacinno on January 29, 2019, 01:44:08 PM
Quote from: gigabyte76 on January 29, 2019, 01:37:38 PM
I know, it is only my fault...

You shouldn't be too hard on yourself, and don't start victim-blaming... Sure, you made a mistake and lost some funds. I hope your losses weren't that big. If it was only a small amount, you should consider it to be a tuition fee. You're not the culprit here, you're the victim. Sure, you should have paid better attention and kept your system clean, but you're only human (like 90% of the other users on this forum); it's fair to say that mistakes will be made by just about anybody from time to time (you just got unlucky).

Quote from: gigabyte76 on January 29, 2019, 01:37:38 PM
Maybe the "original" site was hacked at the time of my download.

Not impossible, but highly unlikely... It would have been reported by a lot of people instead of just one person.


Quote from: gigabyte76 on January 29, 2019, 01:37:38 PM
But the redirection from the "hackers'" site eleclrum to the original electrum site is still really weird. It redirects me like that on all my PCs, smartphone etc.

I fetched the main page from the fake site and opened it in vi; I couldn't see any redirection in the source code... I don't know why your browser keeps redirecting, but I would consider it to be a sign that your system isn't 100% clean, and it might be a good idea to take backups of your important files and scratch the system, then wait a couple of weeks, update your virus scanner on your fresh OS and scan the backups before starting to use them.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: gigabyte76 on January 29, 2019, 02:05:05 PM
You think that my smartphone is not clean too?
I have tried another ISP too (on my cell phone), but still, when I visit eleclrum .org, it redirects me to electrum.org.
If you say that you get no redirection, it is weird...
But let's think about it: you are a hacker trying to steal some BTC, you have a webpage with a similar address; will you redirect this webpage to the legal webpage, or will you try to force people to download the malicious wallet from your webpage?
Or do these two domains have the same owner? I do not think so.

https://www.whois.com/whois/eleclrum.org

https://www.whois.com/whois/electrum.org


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: mocacinno on January 29, 2019, 02:08:45 PM
Well, I didn't open the webpage with a browser... I fetched the main page using curl, then used vi (a text editor) to read the source code... It's always possible I missed the redirect script (the source code is filled with references to electrum.org, so it would be easy to miss a redirect script).

I don't think the two domains are owned by ThomasV; I don't think he has more than one domain dedicated to Electrum (although I'm not sure). Also, the two domains use different registrars... I can honestly say that I have always stuck to one registrar, and I would find it weird if ThomasV had used two.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: TryNinja on January 29, 2019, 02:11:14 PM
Quote from: gigabyte76 on January 29, 2019, 02:05:05 PM
You think that my smartphone is not clean too?
I have tried another ISP too (on my cell phone), but still, when I visit eleclrum .org, it redirects me to electrum.org.
If you say that you get no redirection, it is weird...
But let's think about it: you are a hacker trying to steal some BTC, you have a webpage with a similar address; will you redirect this webpage to the legal webpage, or will you try to force people to download the malicious wallet from your webpage?
Or do these two domains have the same owner? I do not think so.

https://www.whois.com/whois/eleclrum.org

https://www.whois.com/whois/electrum.org

Most times when a hacker does stuff like this and ends up making a victim, he tries to wipe his evidence by deleting the website or something similar. I tried the fake page and it also redirects me to electrum.org; what I think is happening is that after the hacker got your coins, he changed the domain settings to redirect users to electrum.org so they think the fake website isn't where the infected file came from and that they downloaded from the legit website.

Maybe mocacinno doesn't get redirected because his network didn't catch up with the DNS changes of the website.

Also, those domains aren’t connected. The fake one is registered on NameCheap and the legit on Gandi. They are most likely not from the same owner.

Edit: if I go to eleclrum.org from my URL bar, I get redirected. But if I do from google, I don’t.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: gigabyte76 on January 29, 2019, 02:18:44 PM
I have one theory, but will not say it, because I am now the only one with this problem. So maybe later...
But I am 100% sure I have visited electrum.org in time of download, but did not check file signature after.
My funds are gone and we probably are unable to investigate, what exactly, or better how exactly this happened, that is all.
Thanks to all for your time and help.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: Abdussamad on January 29, 2019, 03:02:50 PM
That domain eleclrum dot org does currently 302 temporary redirect to electrum.org.

These fake sites get most of their traffic from ads on search results pages. When you submit an ad in AdWords, Google does some checks to make sure it's all kosher, so it could be an attempt to fool automated checks by Google's bot.



Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: HCP on January 29, 2019, 09:15:19 PM
It's not redirecting for me... I can see the fake eleclrum site... with fake versions available for download.

They actually link to the official site for the signature files tho... so, obviously, if one were to actually check it, it would fail the verification.
https://talkimg.com/images/2023/11/15/zgJa5.png

Hopefully this will act as a cautionary tale for others... ALWAYS verify the file signatures... even if you believe you have downloaded the file from electrum.org. If the OP had done this, they would not have lost their coins. :-\


EDIT: and now it is redirecting to electrum.org... either my DNS provider has just caught up, or they're doing something clever to avoid users figuring out that they downloaded from a malware site... work once, then redirect requests from the same IP? ???
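The signature check that joniboini, mocacinno and HCP keep coming back to is worth showing in code, because the way the fake site was built (trojaned installer, but the .asc linked from the real site) means a plain `gpg --verify` would have printed a BADSIG and stopped the loss. The example below is an added one, not code from Electrum or from anyone in this thread. It parses gpg's machine-readable status lines and applies two rules: the signature must verify, and the VALIDSIG fingerprint must equal a pinned release-key fingerprint, because gpg reports "Good signature" for any key that happens to be in the local keyring. The sample status outputs are constructed, and EXPECTED_FPR is an assumption you must confirm against the fingerprint published on electrum.org before relying on it.

```python
"""Pinned-fingerprint check of a detached GPG signature on a download.

Added example, not part of the original thread or of the Electrum project.
Uses only the standard library; gpg itself is only invoked by verify_download().
"""
import subprocess
from dataclasses import dataclass

# ASSUMPTION: fingerprint of the Electrum release-signing key as published on
# electrum.org. Confirm it out of band before trusting it.
EXPECTED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: str = ""


def evaluate_gpg_status(status_text, expected_fpr=EXPECTED_FPR):
    """Decide from gpg --status-fd output whether the signature is valid AND
    was made by the pinned key. GOODSIG alone is not enough: any imported key
    yields a GOODSIG, so the VALIDSIG fingerprint is what gets compared."""
    expected = expected_fpr.replace(" ", "").upper()
    valid_fprs, bad_sig, missing_key = [], False, False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "VALIDSIG":
            valid_fprs.append(fields[2].upper())   # fields[2] is the signing key fingerprint
        elif tag == "BADSIG":
            bad_sig = True                         # file does not match the signature
        elif tag == "ERRSIG":
            missing_key = True                     # signing key not in keyring, cannot check
    if bad_sig:
        return VerifyResult(False, "signature does not match the file: do not run it")
    if missing_key:
        return VerifyResult(False, "signing key not in keyring: import and re-check the fingerprint")
    if not valid_fprs:
        return VerifyResult(False, "no valid signature found")
    if expected not in valid_fprs:
        return VerifyResult(False, "valid signature, but from an unexpected key", valid_fprs[0])
    return VerifyResult(True, "good signature from the pinned key", expected)


def verify_download(file_path, sig_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a real installer and its .asc and apply the same decision."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    return evaluate_gpg_status(proc.stdout, expected_fpr)


# Constructed status outputs, modelled on the line formats gpg emits.
STATUS_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Electrum release key (constructed uid)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2019-01-20 1547980000 0 4 0 1 10 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
"""
# What the OP would have seen: the .asc is the real one, the .exe is not.
STATUS_TAMPERED = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2BD5824B7F9470E6 Electrum release key (constructed uid)
"""
# A perfectly valid signature from some other key in the keyring.
STATUS_WRONG_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else (constructed uid)
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2019-01-20 1547980000 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
"""

if __name__ == "__main__":
    for name, status in (("good", STATUS_GOOD), ("tampered", STATUS_TAMPERED),
                         ("wrong key", STATUS_WRONG_KEY)):
        print(name, evaluate_gpg_status(status))
```

For a real download, import the release key first, check its fingerprint against the one published on the official site (not against the key itself), then call verify_download("electrum-3.3.3-setup.exe", "electrum-3.3.3-setup.exe.asc"). Only the ok=True result means the installer is the one the developer signed.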


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: elda34b on January 30, 2019, 02:59:59 AM
Quote from: HCP on January 29, 2019, 09:15:19 PM
EDIT: and now it is redirecting to electrum.org... either my DNS provider has just caught up, or they're doing something clever to avoid users figuring out that they downloaded from a malware site... work once, then redirect requests from the same IP? ???

I tried to access it and got redirected too (for the first time). Maybe the DNS provider has caught up, or maybe they decide to stop it to make sure they can scam another one? Who knows. At least we know that whatever happens verifying the signature is important.


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: Abdussamad on February 01, 2019, 07:21:09 PM
So it turns out that it redirects to electrum.org unless you're visiting the site via Google ads. You can test via the following:

Code:
curl -e "https://google.com" -I https://eleclrum.org #no redirect
curl -I https://eleclrum.org #redirect

Electrum dev Sombre night suggested this on irc
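The two curl commands above are the whole test, but the behaviour they reveal (serve the trojan only to visitors arriving from a search engine, bounce everyone else to the real site) is easy to reproduce end to end so that it can be checked without touching the attacker's domain. The following is an added example, not code from the thread or from Electrum: it runs a small local HTTP server that imitates the Referer-conditional 302, then probes it the same way the two curl invocations do, with and without a Google Referer, without following redirects. The server, its port, the page body and the target URL are all constructed here; to probe a real suspect domain you would call detect_cloaking() with that domain's URL instead.

```python
"""Referer-conditional redirect ("cloaking") probe with a local stand-in server.

Added example, not part of the original thread. Standard library only.
"""
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

LEGIT = "https://electrum.org/"   # where the fake site bounces direct visitors


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the typo-squat site: fake download page for visitors
    arriving from Google, 302 to the legitimate site for everyone else."""

    def do_GET(self):
        self.do_HEAD(body=True)

    def do_HEAD(self, body=False):
        referer = self.headers.get("Referer", "")
        if "google." in referer:
            page = b"<html><a href='/electrum-3.3.3-setup.exe'>Download</a></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(page)))
            self.end_headers()
            if body:
                self.wfile.write(page)
        else:
            self.send_response(302)
            self.send_header("Location", LEGIT)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx instead of silently following it
    (the equivalent of curl -I without -L)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, referer=None):
    """HEAD the URL once; return (status code, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    if referer:
        req.add_header("Referer", referer)   # what `curl -e` sets
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:    # a 302 lands here because of NoRedirect
        return err.code, err.headers.get("Location")


def detect_cloaking(url, referer="https://www.google.com/"):
    """Compare a direct visit with a search-engine-referred one. A difference in
    status or redirect target is the cloaking signal Abdussamad described."""
    direct = probe(url)
    via_search = probe(url, referer)
    return {"direct": direct, "via_search": via_search,
            "cloaked": direct != via_search}


def start_server():
    """Start the constructed cloaking site on a free loopback port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    srv, url = start_server()
    try:
        for key, value in detect_cloaking(url).items():
            print(key, value)
    finally:
        srv.shutdown()
        srv.server_close()
```

A practical caveat for real probes: the search engine's Referer is only one of the signals such sites key on, so a site can also vary its answer by User-Agent, by source IP, or by whether it has already served the payload once (the "work once, then redirect" idea HCP raised), which is why the same URL can look clean to one person and malicious to another on the same day.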


Title: Re: Lost all funds after wallet open (v.3.3.3)
Post by: HCP on February 01, 2019, 08:50:40 PM
That is super sneaky... :-\ A pretty effective method for covering your tracks from unsuspecting users.

Also, it isn't just Google ads; any visit originating from Google... I just did a search for eleclrum.org... Google autocorrected to show results for electrum.org and I clicked the "show results for eleclrum.org"... clicked the first link and it didn't redirect.

*I don't see Google ads ;)