Bitcoin Forum

Bitcoin => Electrum => Topic started by: BugBasher82 on February 27, 2019, 12:11:16 AM



Title: Electrum Phishing
Post by: BugBasher82 on February 27, 2019, 12:11:16 AM
Hi All,

So I fell foul of the Electrum phishing scam (it had been a while since I used it and I'm not on form atm, don't say it  :'( ) and downloaded and installed "version 4.0.0", and to no surprise within a jiffy lost about £100 in BTC (all that was in the wallet) when trying to send it.
I've come to terms with my stupidity now and have consigned that wallet to the grave. I have removed Electrum from my laptop (Add/Remove Programs) and deleted all files with electrum in the name I can find to try and be sure. I've run a Bitdefender scan of the whole computer which has turned up nothing, but I still feel a little worried I might have left something nasty on my machine.
I'm also a bit nervous about installing and setting up a new Electrum wallet (from the correct .org site!) just because like anyone I don't want to chuck my money away.

Any advice would be welcome.

Thanks


Title: Re: Electrum Phishing
Post by: FinneysTrueVision on February 27, 2019, 01:13:34 AM
I would buy a hardware wallet. They're not that expensive.


Title: Re: Electrum Phishing
Post by: wiik on February 27, 2019, 03:20:49 AM
Simply deleting/uninstalling is not an assurance. I would recommend a fresh install of the OS and wiping everything on that drive, or just use another PC for crypto purposes. I mean buying a new PC for a specific purpose, like in your case, cryptocurrency. Scammers/hackers have a lot of ways to deceive users. Make sure to install antivirus/anti-malware software. Feel bad for your loss, that's quite a big amount of money. Well, that would be a charge for experience. Sometimes we learn the hard way. Take extra care next time folks.


Title: Re: Electrum Phishing
Post by: dothebeats on February 27, 2019, 03:30:22 AM
Always check the domain and just make sure you are getting it from the correct repository (electrum.org). The phishing incident has been going on for a while now and the Electrum team has already done things to negate the said issue, so you'll be golden for a reinstall. However, if you are still afraid of any unwanted malware that the phishing software has left on your machine, a fresh install would be nice, though not really necessary as most antivirus software will see if something's wrong with your machine. Just run a deep scan of your PC if you're really that paranoid and you'll be fine.


Title: Re: Electrum Phishing
Post by: jseverson on February 27, 2019, 03:30:37 AM
There shouldn't be any risks at all in installing a fresh one from the correct site:

https://electrum.org/#home

If it makes you feel better, transfer a small amount and let it sit for a while. AFAIK though, there's still a vulnerability where attackers can send you erroneous notices asking you to update, linking to phishing websites. I don't know if that issue has been fixed, but it shouldn't be too dangerous if you know about it.

Also, here's a way to check if your Electrum copy is legit (https://bitcointalk.org/index.php?topic=4183993.0).


Title: Re: Electrum Phishing
Post by: samcrypto on February 27, 2019, 03:37:19 AM
Quote
I would buy a hardware wallet. They're not that expensive.
Always a good choice to store our coins. But I think you have nothing to worry about if you downloaded it from the legit site, so you must double check the link before you click the download button. It's always better to be safe, so do your best on this one; don't trust any link aside from the real one.


Title: Re: Electrum Phishing
Post by: pooya87 on February 27, 2019, 04:19:47 AM
Quote
I've run a Bitdefender scan of the whole computer which has turned up nothing, but I still feel a little worried I might have left something nasty on my machine.
As far as I can tell about the malicious versions that I have seen, they don't install any malware (like viruses or keyloggers, ...) on your computer. It is a simple modification of the code so that it spends your funds automatically as soon as you open the wallet and sends them to the hacker's hardcoded address.
So your Bitdefender or any other AV is never going to detect it.

Quote
I'm also a bit nervous about installing and setting up a new Electrum wallet (from the correct .org site!) just because like anyone I don't want to chuck my money away.

Any advice would be welcome.
Familiarize yourself with digital signatures (PGP) and Web of Trust concepts, and learn how to use them to verify the authenticity of everything you download to install.


Title: Re: Electrum Phishing
Post by: BlackPanda on February 27, 2019, 05:05:45 AM
Quote
I would buy a hardware wallet. They're not that expensive.
Always a good choice to store our coins. But I think you have nothing to worry about if you downloaded it from the legit site, so you must double check the link before you click the download button. It's always better to be safe, so do your best on this one; don't trust any link aside from the real one.
Downloading from the official website is a must because then security will be guaranteed; there are currently many services that provide this.
So please note that there are a lot of phishing sites and that our assets are not guaranteed.


Title: Re: Electrum Phishing
Post by: livingfree on February 27, 2019, 05:12:59 AM
This is an Electrum-related topic, so it must be in Development & Technical Discussion > Wallet software > Electrum (https://bitcointalk.org/index.php?board=98.0).

As they suggested, just download from the main site and don't go with any other websites which aren't owned by Electrum, and you're going to be fine with what you are downloading, especially with desktop wallets like Electrum.


Title: Re: Electrum Phishing
Post by: Botnake on February 27, 2019, 05:19:34 AM
Quote
~snip~
I feel you man, I was a victim of this today and I lost my money as well; luckily it was only BTC0.0075.

This is what happened to me, which I posted in this thread https://bitcointalk.org/index.php?topic=5113056.msg49936408#msg49936408


Quote
Just today I was a victim of this one; the same address above is where my BTC went.
You can check my address - https://www.blockchain.com/btc/address/158BpFWP32CU1wv54Rm2NqKGosFLvZbacd


I was transacting today using my Electrum desktop wallet (electrum-3.3.2) but I could not proceed because it prompted that I should update and go to this site - https://www.myelectrum.org, and since the message was shown in the app that I was using without a problem, I trusted it.

Next, I downloaded the " Windows Installer (signature) "; it showed a file name ( electrum-4.0.0-setup.exe ) and then I installed it.

Afterwards I opened the Electrum app, then proceeded to transact. I actually entered the right address, but when I sent it, it did not prompt for the password like the old one did, so I was thinking it could be because of the new update... then I checked the blockchain and to my dismay I did not see my transaction, which was supposed to be instant.

So, I checked the history in my electrum app and saw that I sent it to the address " bc1qhsrl6ywvwx44zycz2tylpexza4xvtqkv6d903q " as you can see in the blockchain explorer link.



This is real, I hope everyone would read this so they will see this as a warning, they have to be careful, luckily I did not transact a higher amount.

So guys, what should I do now? Do I have to uninstall the new one I installed and then just install the old one? What if it prompts again that I cannot transact?


Thanks, I just read your comment and I guess I would not reformat my PC anymore, I had already run my antivirus and no detection of any malware.
Quote
though not really necessary as most antivirus software will see if something's wrong with your machine


Title: Re: Electrum Phishing
Post by: NeuroticFish on February 27, 2019, 10:03:35 AM
Quote
Any advice would be welcome.

The idea to put a few bucks onto the wallet and wait for a couple of days is not bad at all.

The only thing I'd do would be a thorough scan. I don't know if you ran the AV scan from an installed Bitdefender or from a bootable DVD/USB. I would download 1-2 reputed "recovery" antivirus images (at least one different from Bitdefender), burn them, boot and scan from them. It may be a bit of overkill, but if you want to be 100% sure, this is a possible direction.


Title: Re: Electrum Phishing
Post by: Lucius on February 27, 2019, 11:24:35 AM
Quote
Any advice would be welcome.
Thanks

Some say that it's enough just to remove the fake version and then install the original from the official site, but I would not feel safe doing only that. A safer option would be to format the disk and install a fresh OS, and if you do not want to do that, be sure to delete all traces of the fake Electrum; to do that, just paste %appdata%\Electrum into your C:/ and delete the Electrum folder.

A good AV would probably stop you from even downloading such a fake file, so consider a better option than you have now, or even better, invest in a hardware wallet.


Title: Re: Electrum Phishing
Post by: BugBasher82 on February 27, 2019, 12:00:33 PM
Thank you for all the info good people.

I think I am going to go with a format C: and reinstall just to be on the safe side.

Goodness knows what could have been done by me running a malicious .exe on my machine.

Serious stupidity on my part but very cleverly implemented by the hackers; they really tricked me good, but I have to say, I'm astounded Electrum left themselves open to this type of vulnerability. I mean the hackers actually managed to block initial outgoing transactions in order to fool you into thinking you need an update.

Bastards.


Title: Re: Electrum Phishing
Post by: whotookmycrypto on March 07, 2019, 12:31:07 PM
Quote
Familiarize yourself with digital signatures (PGP) and Web of Trust concepts, and learn how to use them to verify the authenticity of everything you download to install.

hey OP, pooya87 made a very good point about verifying your downloads. It could have helped prevent what happened to you. This is a good site that covers it. Link (https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/). Sorry for what happened to you.


Title: Re: Electrum Phishing
Post by: bathrobehero on March 07, 2019, 09:14:51 PM
I'm late, but I just got tricked into the fake 4.0.0 version in a hurry, and I knew it was fake the moment it asked for my 2FA when I launched it. So I didn't give it to them.

Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes and I didn't find any new or suspicious files or any extra running processes or msconfig service/startup entries so now I'm wondering if it had any persistent elements to it as I don't think so but I'm curious about others. Did it also target other wallets?
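The check described above (look for anything created or modified in the last 20 minutes after removing the suspect installer) can be scripted. The following is an added example written for this thread, not code from any poster or from the Electrum project; it scans the locations a Windows installer usually touches (the profile, %APPDATA% where the %appdata%\Electrum folder Lucius mentions lives, %LOCALAPPDATA% and %TEMP%) and falls back to the home directory and /tmp elsewhere. The default roots are an assumption; pass your own paths on the command line.

```python
"""Triage helper: list files created or modified within the last N minutes.

Added example for this thread (not from any poster, not Electrum's code).
It automates the manual "what was written recently?" check that is a sensible
first step after running a suspect installer.
"""
import os
import sys
import tempfile
import time
from pathlib import Path


def default_roots():
    """Assumed starting points; on non-Windows hosts fall back to home and /tmp."""
    env = os.environ
    if os.name == "nt":
        candidates = [env.get("USERPROFILE"), env.get("APPDATA"),
                      env.get("LOCALAPPDATA"), env.get("TEMP")]
    else:
        candidates = [str(Path.home()), "/tmp"]
    return [c for c in candidates if c and os.path.isdir(c)]


def recent_files(roots, minutes, now=None):
    """Return [(path, age_seconds)] for files whose mtime or ctime falls in the window.

    st_ctime is the creation time on Windows and the inode-change time elsewhere,
    so taking the newer of the two catches both freshly dropped files and files
    whose modification time was reset to look old.
    """
    now = time.time() if now is None else now
    cutoff = now - minutes * 60
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _err: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path, follow_symlinks=False)
                except OSError:
                    continue  # vanished or unreadable: skip rather than abort the scan
                newest = max(st.st_mtime, st.st_ctime)
                if newest >= cutoff:
                    hits.append((path, int(now - newest)))
    hits.sort(key=lambda hit: hit[1])  # newest first
    return hits


def self_check():
    """Drop one fresh file in a scratch directory and confirm the window logic.

    The file name is constructed for the check; it is not a real installer.
    """
    with tempfile.TemporaryDirectory() as scratch:
        sample = Path(scratch) / "suspect-setup.exe"
        sample.write_bytes(b"placeholder")
        found_now = [p for p, _ in recent_files([scratch], minutes=5)]
        # Pretend the scan runs an hour later: the five-minute window has closed.
        found_later = recent_files([scratch], minutes=5, now=time.time() + 3600)
    return str(sample) in found_now and found_later == []


if __name__ == "__main__":
    window = int(sys.argv[1]) if len(sys.argv) > 1 else 20
    roots = sys.argv[2:] or default_roots()
    for path, age in recent_files(roots, window):
        print(f"{age:6d}s  {path}")
```

Run it as `python triage_recent.py 20` right after the uninstall; anything it lists that you did not create yourself deserves a look, and an empty list is evidence, not proof, since a dropped file can sit outside the scanned roots.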


Title: Re: Electrum Phishing
Post by: BitMaxz on March 07, 2019, 09:42:08 PM
Quote
Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes and I didn't find any new or suspicious files or any extra running processes or msconfig service/startup entries so now I'm wondering if it had any persistent elements to it as I don't think so but I'm curious about others. Did it also target other wallets?

Never heard yet that they also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes, and a deep scan with Kaspersky might find some suspicious activity on your PC. Also, I recommend you use IObit Advanced Uninstaller (https://www.iobit.com/en/advanceduninstaller.php) to fully remove all traces from your PC, including Regedit, before you install the legit Electrum wallet.


Title: Re: Electrum Phishing
Post by: DireWolfM14 on March 07, 2019, 09:49:27 PM
I have a hard time trusting third party virus and malware removers when it comes to crypto wallets.  A scammer can take measures to mitigate the chances of their malware being found, or you could get false positives.

To be on the safe side, I would reinstall the OS.  That's likely overkill, but my financial security deserves overkill.

@OP and bathrobehero, learn to use PGP and verify the signature when you download Electrum.  It's a great desktop wallet, and is worth the extra security steps to make sure you're using it safely.  Otherwise, hardware wallets are a great alternative.
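pooya87 and DireWolfM14 both point to verifying the PGP signature of the download, and whotookmycrypto linked a Windows walkthrough. The script below is an added example written for this thread, not Electrum's code and not from any poster. It wraps `gpg --status-fd 1 --verify` and accepts the installer only if gpg reports VALIDSIG for the fingerprint you obtained out of band (from electrum.org, never from the download page or an in-app notice). That last part is the point: a bare "Good signature" line means only that some key you imported signed the file, and an attacker's key you imported by mistake produces it just as well. The fingerprint constant is a placeholder, and the sample status lines are constructed to exercise the parser; the file and signature paths are assumptions.

```python
"""Verify a downloaded Electrum installer against its detached PGP signature.

Added example (not from the Electrum project or from anyone in the thread).
"""
import hashlib
import subprocess
import sys

# PLACEHOLDER (assumption): replace with the release signer's real fingerprint,
# copied from the official site, not from this script or any download page.
EXPECTED_FINGERPRINT = "0" * 40

# gpg status keywords after which the download must be rejected outright
FAIL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def normalize_fpr(fpr):
    """Strip spaces and upper-case so '0000 0000 ...' and '00000000...' compare equal."""
    return fpr.replace(" ", "").upper()


def parse_gpg_status(status_lines, expected_fingerprint):
    """Decide from `gpg --status-fd` lines whether the signature is acceptable.

    Returns (ok, reason). ok is True only for a VALIDSIG whose signing-key or
    primary-key fingerprint equals expected_fingerprint; GOODSIG alone is not enough.
    """
    expected = normalize_fpr(expected_fingerprint)
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FAIL_KEYWORDS:
            return False, keyword
        if keyword == "VALIDSIG" and len(parts) >= 3:
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> [<primary-fpr>]
            signing_key = parts[2].upper()
            primary_key = parts[11].upper() if len(parts) >= 12 else signing_key
            if expected in (signing_key, primary_key):
                return True, "VALIDSIG"
            return False, "UNEXPECTED_KEY"
    return False, "NO_VALIDSIG"  # no usable signature line at all


def sha256_file(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large installers stay off the heap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(installer, signature, expected_fingerprint=EXPECTED_FINGERPRINT,
                    published_sha256=None):
    """Run gpg on the detached signature; optionally also compare a published hash."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, installer],
        capture_output=True, text=True, check=False,
    )
    ok, reason = parse_gpg_status(proc.stdout.splitlines(), expected_fingerprint)
    if ok and published_sha256 and sha256_file(installer) != published_sha256.strip().lower():
        return False, "SHA256_MISMATCH"
    return ok, reason


# Constructed sample status output (not real gpg output) used to exercise the parser.
ZERO_FPR = "0" * 40
OTHER_FPR = "F" * 40
SAMPLE_STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG " + ZERO_FPR[-16:] + " Placeholder Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG " + ZERO_FPR + " 2019-02-27 1551225600 0 4 0 1 8 00 " + ZERO_FPR,
]
SAMPLE_STATUS_OTHER_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG " + OTHER_FPR[-16:] + " Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG " + OTHER_FPR + " 2019-02-27 1551225600 0 4 0 1 8 00 " + OTHER_FPR,
]
SAMPLE_STATUS_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG " + ZERO_FPR[-16:] + " Placeholder Signer"]


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: verify_electrum.py <installer> <installer.asc> [published-sha256]")
        sys.exit(2)
    published = sys.argv[3] if len(sys.argv) > 3 else None
    ok, why = verify_download(sys.argv[1], sys.argv[2], published_sha256=published)
    print(("OK: " if ok else "REJECT: ") + why)
    sys.exit(0 if ok else 1)
```

The signer's key still has to be imported into your keyring once (from a keyserver or the key file the site publishes), and the fingerprint you paste into the constant should be one you confirmed from more than one source; the script then turns the manual "does the fingerprint match?" step into a hard failure instead of a line you might skim past.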


Title: Re: Electrum Phishing
Post by: bathrobehero on March 07, 2019, 10:04:58 PM
@DireWolfM14 Yep, the payload could be encrypted or otherwise hidden, so scanners are never 100% reliable, we know that. I got used to verifying my download sources but I'd never seen an Electrum broadcast message, so it took my guard down. And after seeing how many people got fooled by it, in many waves and for how long since the first, I'm feeling pretty annoyed with how the Electrum dev team is handling it.

I moved my funds to an offline computer and will be formatting this PC.

It's just that people tend to become lazy with security until they get caught. Didn't lose anything but easily could have. Anyway, thank you for your help.


Title: Re: Electrum Phishing
Post by: Botnake on March 08, 2019, 02:26:10 AM
Quote
Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes and I didn't find any new or suspicious files or any extra running processes or msconfig service/startup entries so now I'm wondering if it had any persistent elements to it as I don't think so but I'm curious about others. Did it also target other wallets?

Quote
Never heard yet that they also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes, and a deep scan with Kaspersky might find some suspicious activity on your PC. Also, I recommend you use IObit Advanced Uninstaller (https://www.iobit.com/en/advanceduninstaller.php) to fully remove all traces from your PC, including Regedit, before you install the legit Electrum wallet.
So far my other wallets are safe; I was able to do a successful transaction with a small amount after I got phished.
I don't need to reinstall my OS as I believe my antivirus would detect if there are some traces left; hopefully I'll be safe, and I would regret it if my funds were stolen again since I don't follow others' suggestion to have my PC fresh.


Title: Re: Electrum Phishing
Post by: Pmalek on March 08, 2019, 09:17:55 AM
Quote
I don't need to reinstall my OS as I believe my antivirus would detect if there are some traces left; hopefully I'll be safe, and I would regret it if my funds were stolen again since I don't follow others' suggestion to have my PC fresh.
I wouldn't risk it if I were you. If you have a lot of assets worth protecting on that PC, just reinstall it to be perfectly safe. If you had fake software installed, who knows what else it could have done to your system that your AV hasn't yet picked up!


Title: Re: Electrum Phishing
Post by: Rayser on March 08, 2019, 02:21:54 PM
I would recommend format your HD and install a new Linux.


Title: Re: Electrum Phishing
Post by: stomachgrowls on March 08, 2019, 04:09:06 PM
Quote
Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes and I didn't find any new or suspicious files or any extra running processes or msconfig service/startup entries so now I'm wondering if it had any persistent elements to it as I don't think so but I'm curious about others. Did it also target other wallets?

Never heard yet that they also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes, and a deep scan with Kaspersky might find some suspicious activity on your PC. Also, I recommend you use IObit Advanced Uninstaller (https://www.iobit.com/en/advanceduninstaller.php) to fully remove all traces from your PC, including Regedit, before you install the legit Electrum wallet.
So far my other wallets are safe; I was able to do a successful transaction with a small amount after I got phished.
I don't need to reinstall my OS as I believe my antivirus would detect if there are some traces left; hopefully I'll be safe, and I would regret it if my funds were stolen again since I don't follow others' suggestion to have my PC fresh.
Just take an observation, but if things go well then there's no need to reinstall a fresh OS, which is really a hassle to do when wiping out your 3rd party programs that are commonly used.
There are some files that can't really be removed or detected by some AV; that's why I'm a little bit paranoid when I experience malware attacks, which I always have doubts about.


Title: Re: Electrum Phishing
Post by: HCP on March 08, 2019, 09:16:39 PM
Quote
I don't need to reinstall my OS as I believe my antivirus would detect if there are some traces left,
Given that your antivirus failed to actually inform you about the malware wallet in the first place, resulting in monetary loss, are you sure that your faith in your antivirus is correctly warranted? ???

It has been stated multiple times that antivirus/malware software are generally only good at detecting known threats that have identified signatures. There are certain things they cannot really protect you from... like a piece of software that contains "normal" functionality (ie. software sends/receives "data" over the internet) but abuse/use this functionality in a malicious manner (ie. software sends "wallet seed/private key" information over the internet).

Chances are simply deleting the wallet will be "OK", as it seems like the malware wallet, in this instance, was only used to immediately send out a transaction emptying the wallet and/or sending the users seed to the attackers... it doesn't look like it installed any additional malware... BUT if you want to be completely certain the threat is gone... reformat your PC and reinstall the OS.


Title: Re: Electrum Phishing
Post by: bathrobehero on March 08, 2019, 09:55:01 PM
Let me be honest here, I was (gullible enough to get) hacked a couple of times over the years crypto became my hobby. I've dealt with well over 200 different wallets over the years and probably two dozen different miner programs (still have most of them), and it took a while before I got slapped with a dose of reality and lost many coins. Then I started using Sandboxie and quickly learned that it has to be used with custom settings (default settings are no good at all; they still have read rights to everything important, like wallet.dat or browser user data) and then moved over to using multiple separate PCs.

You always think it won't be you and when you do lose some coins you tighten up your security and given time you start to feel safer than you actually are as you drop your previous security routines. At least most people do.

As I, and many others have said before, antivirus software doesn't help at all. Malware can be sophisticated enough to fly under it (encryption) or disable it or have its payload trigger without it detecting it. Just don't ever fully trust them on an important machine. Just think about how many times you trusted something with "false positives". Great malware mostly doesn't even give false positives.


Anyway, I'm 90% sure the phishing wallet had no persistent parts and that my PC was fine, but after I safely moved my coins to an offline machine I reinstalled it completely. Why risk that 10%? It's not a 10% tax, it's 0 or 100%.
It's a hassle, it takes days to get everything back to the way it was, and it is a pain in the ass to deal with many transactions through a separate machine, but it sure beats even just having to worry about one day waking up emptied.

And you can always store some coins in a hot wallet. Risk and reward, or in this case risk versus lack of annoyance. Don't be lazy people.


Title: Re: Electrum Phishing
Post by: pooya87 on March 09, 2019, 03:39:18 AM
Quote
Given that your antivirus failed to actually inform you about the malware wallet in the first place,

Why does "malware" keep coming up here? There is NO malware to be detected, at least not in the alternate (fake) Electrums that I have seen so far. It is simply an addition of a couple of lines of code that spends your coins to a specific hardcoded address. That is not malware; that is simple wallet functionality, like the functionality of the real wallet!
As soon as you enter your password, so that the fake wallet has access to the decrypted keys, it runs simple code which looks like this:
Code:
TakeAllSpendableCoins();
CreateNewTransactionInBackground(SendTo(Hardcoded_Address_Of_Attacker));
Sign();
Broadcast();
You can't detect this with an antivirus! If your AV detected this, then it should have also warned you every time you opened your real Electrum!


Title: Re: Electrum Phishing
Post by: HCP on March 09, 2019, 10:25:25 AM
Quote
Why does "malware" keep coming up here? There is NO malware to be detected, at least not in the alternate (fake) Electrums that I have seen so far.

Most likely because it is technically malware aka "malicious software"... as it does "Bad Things"™ that are not authorised/wanted by the user. It is software disguised to look like an Electrum wallet that sends out all your coins and/or your wallet seed/private keys/wallet file.


Quote
You can't detect this with an antivirus! If your AV detected this, then it should have also warned you every time you opened your real Electrum!
You'll note that is pretty much what I said...
Quote
It has been stated multiple times that antivirus/malware software are generally only good at detecting known threats that have identified signatures. There are certain things they cannot really protect you from... like a piece of software that contains "normal" functionality (ie. software sends/receives "data" over the internet) but abuse/use this functionality in a malicious manner (ie. software sends "wallet seed/private key" information over the internet).


Title: Re: Electrum Phishing
Post by: whotookmycrypto on March 10, 2019, 05:03:49 AM
Quote
Hi All,

So I fell foul of the Electrum phishing scam (it had been a while since I used it and I'm not on form atm, don't say it  :'( ) and downloaded and installed "version 4.0.0", and to no surprise within a jiffy lost about £100 in BTC (all that was in the wallet) when trying to send it.
I've come to terms with my stupidity now and have consigned that wallet to the grave. I have removed Electrum from my laptop (Add/Remove Programs) and deleted all files with electrum in the name I can find to try and be sure. I've run a Bitdefender scan of the whole computer which has turned up nothing, but I still feel a little worried I might have left something nasty on my machine.
I'm also a bit nervous about installing and setting up a new Electrum wallet (from the correct .org site!) just because like anyone I don't want to chuck my money away.

Any advice would be welcome.

Thanks

Hey BugBasher82, we wrote about a method that could help you avoid such scams in the future.

https://bitcointalk.org/index.php?topic=5118417.0

Sorry for your loss, and I hope this helps you.