Bitcoin Forum
Author Topic: Electrum hacked. Unauthorized transfer. 2.9.3  (Read 295 times)
inspectaclueso (OP)
December 06, 2018, 01:34:16 AM
 #1

Today I went to make a BTC payment via Electrum version 2.9.3.  The wallet is the standard type and password protected.

After launching Electrum I noticed it said it was Synchronizing in the lower left corner.  I left it for several minutes, came back and it was still synchronizing.  I attempted to send the transfer however after clicking send and entering my password I received an error.  Unfortunately, I do not recall the error as it did not make sense to me at the time.

I decided to search if there was a new version of Electrum.  I downloaded 3.2.3 from electrum.org and installed.

Version 3.2.3 installed fine and after launching I discovered my balance was 0.  In my history is a transfer made a couple of hours earlier that I did not make and it transferred my entire remaining balance.  Fortunately, I did not have a lot of funds in my wallet.

https://ibb.co/g6nBph0

Full disclosure, my seed was stored in a text file on a networked drive.  However, my wallet was password protected.

The destination address appears to be bc1qh2elrf0zg0np0fj6pzme9xn4w8l00kwv4zxss2 however I can't seem to search that on any of the blockchain sites.

I know that I should not have stored my seed digitally but how is this breach likely to have occurred and how best to prevent it happening again?

Thanks
jackg
December 06, 2018, 01:47:22 AM
 #2

https://btc.com/bc1qh2elrf0zg0np0fj6pzme9xn4w8l00kwv4zxss2 - block explorer can be found here.

I'm guessing you potentially either:
1. Inputted the wrong thing and forgot to check (I always click preview before sending transactions - mainly because I like the delay of having to click three buttons in order to make a mistake and not just one).
2. A trojan or virus decided to change the address stored in your clipboard or the address you entered into electrum (I check the first and last three characters after the 1 or 3 at the start just to be safe).
3. Electrum 2.9.3 is known for having a vulnerability with its JSON RPC, this could be part of that.


My old wallet seed was kept on a text file on my laptop and it was very happy there. Good ole seed.txt Grin.
I then just learnt my seed but now I have a new segwit one and I'm trying...
jackg
December 06, 2018, 03:01:21 AM
 #3

Quote
3. Electrum 2.9.3 is known for having a vulnerability with its JSON RPC, this could be part of that.

Quote
I'm sure it's not the reason since the pinned thread on this section/child-board mentions only wallets without password protection being at risk, unless the hacker/thief also knows OP's wallet password.

I thought they could use JSON RPC to fill in the tab with send data too?

And if it’s a password that’s easy to guess then they could still get into it.

pooya87
December 06, 2018, 03:28:59 AM
 #4

Quote
~
I thought they could use JSON RPC to fill in the tab with send data too?

that is true.

Quote
And if it’s a password that’s easy to guess then they could still get into it.

brute forcing a password through JSON-RPC is a lot harder than doing it by having the encrypted seed/keys and brute forcing them directly. you are basically sending requests, then the wallet tries them and rejects them if it is the wrong password, so it takes longer.

there is code on github and a website created to test this. i won't post the link here but if you are interested in testing it at your own risk you can find it.

inspectaclueso (OP)
December 06, 2018, 04:01:54 AM
Last edit: December 06, 2018, 08:37:12 PM by inspectaclueso
 #5

Thanks for the replies.

It is likely that the funds had already been taken BEFORE I tried to do a transfer.  I just didn't notice as Electrum was saying syncing where your balance is shown.  I do not recall if the transfer in question was shown in the transaction history as it was unlabeled.

What is odd is that when I tried to make the transfer Electrum didn't say 'insufficient funds' it seemed normal until it threw up the error.

I copied and pasted the address so #2 is a possibility I guess but I can't replicate that behavior.

#3 also seems unlikely as I thought you had to have an infringing webpage open at the time you have Electrum open?  I could have misunderstood the vulnerability.

That my PC has been compromised seems the most likely but I've not observed any other strange or unusual activity and then I'm not sure how they bypassed the password unless they used brute force?

I am grateful I didn't have much in the wallet but I'm trying to use this as a learning opportunity and definitely don't want it to happen again.
Abdussamad
December 06, 2018, 12:38:29 PM
 #6

Did the hack happen after you updated electrum or before? If it happened after then check your browser history to find out the real URL you downloaded electrum from. You may have downloaded a malware version.
inspectaclueso (OP)
December 06, 2018, 07:08:40 PM
 #7

Quote
Did the hack happen after you updated electrum or before? If it happened after then check your browser history to find out the real URL you downloaded electrum from. You may have downloaded a malware version.


I only noticed it after installing the latest version which I downloaded from electrum.org

However, going by the time the rogue transaction took place it seems to have happened either just before I tried to use 2.9.3 or maybe when I first launched it.  I've done an online virus scan on the 2.9.3 file and it seems legit.
jackg
December 06, 2018, 08:41:40 PM
 #8

Can you not try to hash it or check the signature?

Some free software like 7zip will be able to generate an sha256 hash of the data stream in the application.
bob123
December 07, 2018, 01:11:58 PM
 #9

Quote
I've done an online virus scan on the 2.9.3 file and it seems legit.

Virus scans are worthless. They only check for signatures and maybe some behavior analysis.

Anyone who has invested more than a few hours into reading how AVs work knows how to code malware which will not be recognized as such by an AV.


Do what jackg said and check the signature of the file. If it is a valid file, either your system is compromised or you were on a malicious website which made use of the known electrum vulnerability (of old versions).
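
Added example, not part of the thread and not Electrum's own tooling: the two checks suggested in posts #8 and #9, a SHA-256 of the download and a detached-signature check that also confirms which key signed. `PINNED_FPR` and `SAMPLE_STATUS` are constructed placeholders; the function names are hypothetical, and `verify_download` assumes `gpg` is installed with the release key already imported.

```python
import hashlib
import subprocess

# Placeholder fingerprint (constructed); use the release key's real one,
# obtained from a source other than the download page itself.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify` output.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer\n"
    "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2018-12-06 1544054400 0 4 0 1 8 00 "
    + PINNED_FPR + "\n"
)


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large installer is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def valid_signers(status_text):
    """Primary-key fingerprints with a valid signature; empty set on any bad one."""
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            return set()  # tampered file, or an expired/revoked signing key
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The 10th argument is the primary key fingerprint; it is optional.
            signers.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return signers


def verify_download(file_path, sig_path, pinned=PINNED_FPR):
    """True only if the pinned key made a valid detached signature."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    # The exit code is ignored on purpose: it is non-zero when an extra
    # signature comes from a key that is not in the keyring.
    return pinned.upper() in valid_signers(proc.stdout)
```

A matching SHA-256 only shows the file equals whatever the published digest describes; the signature check is what ties the file to a specific key, which is why the fingerprint is compared rather than trusting a "Good signature" line from any key.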

Lucius
December 08, 2018, 11:33:02 AM
 #10

Quote
Full disclosure, my seed was stored in a text file on a networked drive.  However, my wallet was password protected.
I know that I should not have stored my seed digitally but how is this breach likely to have occurred and how best to prevent it happening again?
Thanks

It seems to me that this is the main cause why you lost your coins, seed is all that's needed for someone to access your coins. In your case probably your PC was infected with some type of RAT. The fact that you did not see any balance in your old 2.9.3 wallet since such old wallets have known problems with sync, only delayed the actual moment when you found out that your balance is 0, and this is after update to latest version.

How to prevent such a thing from happening again? You have to start thinking and acting in another way, you are your own bank and you need best possible protection. A few tips for the start :

- format your hard drive (make backup of important things) and install clean OS.
- start using top security software (antivirus, firewall, antimalware).
- regularly update your OS with critical and security updates.
- stop using desktop/online wallets and switch to a hardware wallet.
- pay attention to what you download from internet.


Quote
Virus scans are worthless. They only check for signatures and maybe some behavior analysis.
Anyone who has invested more than a few hours into reading how AVs work knows how to code malware which will not be recognized as such by an AV.

I agree with your statement, but only if AV is not updated with the latest definitions and if such AV does not use behavioral analysis. In case something is suspicious good AV will put such file in quarantine or delete it. I personally tested a few fake Electrum wallets, every attempt to download them is stopped even before download actually began.

According to your statement AV is actually useless, if it takes only few hours to code malware which would infect any computer, then almost every device which would come into contact with such malware should be infected regardless of the protection it possesses.

jackg
December 08, 2018, 12:27:12 PM
 #11

Quote
Virus scans are worthless. They only check for signatures and maybe some behavior analysis.
Anyone who has invested more than a few hours into reading how AVs work knows how to code malware which will not be recognized as such by an AV.

Quote
I agree with your statement, but only if AV is not updated with the latest definitions and if such AV does not use behavioral analysis. In case something is suspicious good AV will put such file in quarantine or delete it. I personally tested a few fake Electrum wallets, every attempt to download them is stopped even before download actually began.

According to your statement AV is actually useless, if it takes only few hours to code malware which would infect any computer, then almost every device which would come into contact with such malware should be infected regardless of the protection it possesses.

If it’s a new virus, there’s a chance it’ll be able to get past the av but the chance is small...
In actuality, regular electrum should get blocked by antiviruses other than the fact that it has a signature from ThomasV. Heuristic algorithms make up a part of the software in order to find the wallet file (or at least that’s what my av tells me anyway). After a signature failure generally comes an inspection of the code, it can be run in its own quarantined VM by your av if it’s powerful enough...

Regardless of signature, sometimes my av won’t let me install new electrum software unless there have been at least 5 installs and it has been going for longer than 30 days (I actually like that feature).

Hardware is probably what he’s got also. A small daily amount in his wallet that got stolen gives that away...
bob123
December 09, 2018, 02:54:19 PM
 #12

Quote
If it’s a new virus, there’s a chance it’ll be able to get past the av but the chance is small...

This fully depends on the quality of the code.

There are multiple approaches to have malware function harmless when being analyzed (in a sandbox, VM, by AV etc.. ), but functioning harmful when being executed on a real system.

There are also multiple approaches to have malware being regarded as some harmless program by AV's (e.g. using a packer will only reveal the real functionality when being run, not in a static code analysis).


If anyone is up to pay for it, I will gladly demonstrate it by creating some kind of software which will harm your machine while not being detected by any kind of AV.
I would of course not recommend to run such a software on main system.

cellard
December 15, 2018, 03:02:32 AM
 #13

It seems it hasn't been mentioned if OP is using Windows or Linux. I think that he is using Windows and I think he is using his wallet in an offline computer (he has the coins in there). I would consider these coins compromised by default.

In order to properly use Electrum (or any Bitcoin wallet) you should generate the wallet in a clean offline computer, then install Electrum in a separate online computer. When you want to transact you send the raw tx into the online wallet and broadcast it. This way the private keys never touch the internet. Only way to go about things.