Bitcoin Forum
Author Topic: New Electrum vulnerability? Unknown transaction (Fraud, Theft) 4.3.4 AppImage  (Read 271 times)
btcfreak123 (OP)
Newbie
July 14, 2025, 06:09:05 PM
#1

I had a strange issue with a BTC transfer. When I broadcast a (small) transaction from my address/coin (which I marked as "spend" in the coins tab) - at the same time - another transaction was initiated with a very large amount from my other coin address in the same wallet to an unknown address, and the funds were moved 1h later from there to a Binance address.

I am 99% sure I don't have any malware / viruses / keyloggers etc. (all checked multiple times, even rootkit scanners) on my (Debian/Linux) system and also the AppImage I have used many times before and after (!) that "hack" without problems and is originally from Electrum.org and GPG-verified! I also never downloaded or updated (by phishing messages etc.) any other version.

The weird thing is that something just drained my second BTC address but not the other ones in the same wallet (with the same password!)

My fear is that there is a new (unknown) vulnerability in Electrum out there that allows malicious servers to inject code, as in the old JSON-RPC port vulnerability (prior to 3.0.4). Malware on my PC would also have drained all BTC addresses entirely and not just picked a single one, or at least would have repeatedly tried to initiate transactions, but I have used the same Electrum program and wallet and addresses after this attack without issues.

The second transaction was initiated at the same time I have entered my wallet password (to sign my TX) and hit "broadcast".

Has anybody had a similar case?

If it was an "Electrum stealer program" - how do they work exactly and what programs are known/discovered? Is the above-described behaviour typical for such software or for a malicious Electrum server?

goldkingcoiner
Legendary
July 14, 2025, 06:23:23 PM
Last edit: July 14, 2025, 06:34:54 PM by goldkingcoiner
#2

I had a strange issue with a BTC transfer. When I broadcast a (small) transaction from my address/coin (which I marked as "spend" in the coins tab) - at the same time - another transaction was initiated with a very large amount from my other coin address in the same wallet to an unknown address, and the funds were moved 1h later from there to a Binance address.

I am 99% sure I don't have any malware / viruses / keyloggers etc. (all checked multiple times, even rootkit scanners) on my (Debian/Linux) system and also the AppImage I have used many times before and after (!) that "hack" without problems and is originally from Electrum.org and GPG-verified! I also never downloaded or updated (by phishing messages etc.) any other version.

The weird thing is that something just drained my second BTC address but not the other ones in the same wallet (with the same password!)

My fear is that there is a new (unknown) vulnerability in Electrum out there that allows malicious servers to inject code, as in the old JSON-RPC port vulnerability (prior to 3.0.4). Malware on my PC would also have drained all BTC addresses entirely and not just picked a single one, or at least would have repeatedly tried to initiate transactions, but I have used the same Electrum program and wallet and addresses after this attack without issues.

The second transaction was initiated at the same time I have entered my wallet password (to sign my TX) and hit "broadcast".

Has anybody had a similar case?

If it was an "Electrum stealer program" - how do they work exactly and what programs are known/discovered? Is the above-described behaviour typical for such software or for a malicious Electrum server?



Since you scanned for malware/viruses, I am guessing that your device is clean so it's probably nothing to do with that.

But it does sound suspiciously like a private key leak or a malicious server (man-in-the-middle attack).

Check Electrum's log file, if you had logging enabled: ~/.electrum/logs/ or \AppData\Roaming\Electrum\logs (hidden folder)
Was auto-connect to server on?  
Check the tx data on blockchain explorer - were they broadcast from the same IP / node?



BitMaxz
Legendary
July 14, 2025, 10:50:13 PM
#3

I don't think Electrum servers are able to do that, since Electrum only requests data like address history and balances, block headers, UTXOs, etc.
There's no way that they can do or control your wallet.

How exactly did you create your wallet? Did you create your wallet somewhere else? I mean outside the Electrum wallet from that PC/Laptop?

If not, and you created your wallet on the same device, there's a possibility there's something in your PC that you don't know leaks your wallet private keys.

I'd like to know how you installed this Linux and where you downloaded it. Are you sure that you downloaded the Linux OS from a legit source?
Because if you downloaded it from somewhere other than the trusted source, there's a possibility it's already infected with malware. Scanning it with any antivirus won't work; that's why I don't download an OS randomly.

There are lots of free OS mods out there, but all of them are already infected with malware that can't be easily scanned by any antivirus.

If I want to use a wallet on a Linux-based OS, I am more comfortable using Tails, which has built-in Electrum. Electrum already provided a guide for this. If you are interested in the future, check their guide below.

- https://github.com/spesmilo/electrum-docs/blob/master/tails.rst

btcfreak123 (OP)
Newbie
July 15, 2025, 07:13:05 PM
Last edit: July 19, 2025, 05:14:38 PM by hilariousandco
#4


Since you scanned for malware/viruses, I am guessing that your device is clean so it's probably nothing to do with that.

But it does sound suspiciously like a private key leak or a malicious server (man-in-the-middle attack).

Check Electrum's log file, if you had logging enabled: ~/.electrum/logs/ or \AppData\Roaming\Electrum\logs (hidden folder)
Was auto-connect to server on?  
Check the tx data on blockchain explorer - were they broadcast from the same IP / node?


Unfortunately I did not have logging enabled, but yes, it was auto-connected to (several) servers.

Blockchain explorers also show no IP addresses, so how would I check where both TX came from, or whether they were both initiated on my PC/wallet or not? This would already help me. If the second TX was initiated outside my wallet (e.g. by a stolen seed or private key) this would rule out malware on my current system, since I used the same wallet years ago on a Windows system - where I also had only signature-verified Electrum programs installed, but I am not so sure (as on my Linux system now) that I was 99% free of malware. But then again, why would someone with my wallet seed not have drained all the addresses but only one, and coincidentally at the exact same time when I broadcast a TX and never before or after?

B.t.w. I discovered that at the time of the attack - shortly (seconds/minutes) before - 3 files were created in the /.electrum directory:
/.electrum/certs/guichet.centure.cc
/.electrum/certs/blackie.c3-soft.com
/.electrum/certs/btc.aftrek.org

Idk if this is normal (e.g. new servers connected) or could that have been the malicious servers?

I don't think Electrum servers are able to do that, since Electrum only requests data like address history and balances, block headers, UTXOs, etc.
There's no way that they can do or control your wallet.

How exactly did you create your wallet? Did you create your wallet somewhere else? I mean outside the Electrum wallet from that PC/Laptop?

If not, and you created your wallet on the same device, there's a possibility there's something in your PC that you don't know leaks your wallet private keys.

I'd like to know how you installed this Linux and where you downloaded it. Are you sure that you downloaded the Linux OS from a legit source?
Because if you downloaded it from somewhere other than the trusted source, there's a possibility it's already infected with malware. Scanning it with any antivirus won't work; that's why I don't download an OS randomly.

There are lots of free OS mods out there, but all of them are already infected with malware that can't be easily scanned by any antivirus.

If I want to use a wallet on a Linux-based OS, I am more comfortable using Tails, which has built-in Electrum. Electrum already provided a guide for this. If you are interested in the future, check their guide below.

- https://github.com/spesmilo/electrum-docs/blob/master/tails.rst


I have created the wallet on a Windows system years ago - see my post above.

The Debian OS (ISO install file) I have of course downloaded from the original Debian developer site debian.org - also signature-verified.
I now use offline signing with Electrum (cold wallet) and only one wallet per address - so fuck the seed :-) Tails is also a good option, I agree, but only when using it as read-only / non-persistent storage and if you do offline signing, otherwise you still have a hot wallet.

But what really is driving me nuts is that I don't know how the hack worked and why only once at this time and coincidentally with a TX of myself? My old wallet seed and BTC addresses and even the Electrum password never changed in 5 years and any attacker could have stolen much more if he had known the seed/keys/password. I really think it is a combination of a glitch / vulnerability in Electrum together with a malicious server... Any server can send wrong confirmations, tricking you into downloading an update, but I am pretty sure I didn't fall for that. Maybe anything else? There was this JSON-RPC hack, you remember, not so long ago...

B.t.w. I have contacted Binance - where my stolen BTC ended up on one of their addresses - and after proving (with screenshots, videos of wallet opening and wallet/TX history) that I am the owner of the address from which the BTC got stolen, they offered to refund me - but only if I open a Binance account (they will send it to my Binance address)! They said the owner of this Binance BTC address (obviously their customer = the hacker!) agreed to send it back!!! WTF Huh Has anyone had this experience? They don't want to give me his identity nor the type of attack by which the BTCs got removed! This looks very dodgy and supports my theory of a malicious server attack / vulnerability in Electrum which they maybe want to hide... Also I think a criminal/police investigation over several jurisdictions (me, Binance HQ, Binance server locations, TX server locations / mining pool, location of Binance customer) would lead to nothing.
nc50lc
Legendary
July 16, 2025, 05:27:34 AM
#5

B.t.w. I have contacted Binance - where my stolen BTC ended up on one of their addresses - and after proving (with screenshots, videos from wallet opening and wallet/TX history) that I am the owner of the address from which the BTC got stolen, they offered to refund me - but only if I open a Binance account (they will send it to my Binance address)! They said the owner of this Binance BTC address (obviously their customer=the hacker!) agreed to send it back!!! WTF Huh Has anyone had this experience?
This doesn't sound like a reputable customer service; are you certain that you're talking to Binance?

If you can confirm it, then that's one good news already but it's certain that they'll ask for KYC data before returning the funds to you.

Quote from: btcfreak123
Has anyone had this experience? The don't want to give me his identity nor the type of attack how the BTCs got removed! This looks very dodgy and supports my theory of a malicious server attack / vulnerability in Electrum which they maybe want to hide...
Normally, they won't provide you anything about the hacker without the police/authorities' intervention.

For the attack vector, it's impossible for them to know which Electrum/PC vulnerability the hacker utilized to steal your bitcoins.
They aren't the developers of Electrum and auditing the code for unnoticed bugs is hard even for its developer.

Here's the list of vulnerabilities, click each for the affected versions: github.com/spesmilo/electrum/security
(of course, unnoticed/unreported bugs aren't included)

pooya87
Legendary
July 16, 2025, 12:57:59 PM
#6

B.t.w. I discovered that at the time of the attack - shortly (seconds/minutes) before - 3 files were created in the /.electrum directory:
/.electrum/certs/guichet.centure.cc
/.electrum/certs/blackie.c3-soft.com
/.electrum/certs/btc.aftrek.org

Idk if this is normal (e.g. new servers connected) or could that have been the malicious servers?
These are Electrum server certificates that are used to encrypt your communication with them using SSL (somewhat similar to how you communicate with a website using https). All servers must have them and they send it to you so that you can encrypt/decrypt the messages with that server.

There is no known vulnerability that a "malicious" server can exploit to gain access to your keys though.
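The reply above explains that the files in ~/.electrum/certs/ are the SSL certificates of the servers the wallet has talked to. Electrum saves one PEM file per server on first contact and compares it on later connections (trust-on-first-use pinning). The script below is an added example, not Electrum's own code: it shows how a user can check such a pinned file against the certificate a server presents right now, so that a changed server identity shows up as a fingerprint mismatch. The certs directory, the default SSL port 50002 and the sample "certificate" bytes are assumptions or constructed data, not values from the thread.

```python
"""Pinned-certificate check for Electrum servers (added example, not Electrum code).

Electrum keeps one PEM file per server under ~/.electrum/certs/<host>, saved the
first time it connects (trust-on-first-use).  Comparing that pinned file with the
certificate the server presents today tells you whether the server's identity
has changed since the wallet first trusted it.
"""
import base64
import hashlib
import ssl
from pathlib import Path

# Assumed default location of Electrum's pinned certificates on Linux.
CERTS_DIR = Path.home() / ".electrum" / "certs"
# Assumed default Electrum SSL port.
ELECTRUM_SSL_PORT = 50002


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to raw DER bytes."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here only to build constructed samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_pinned(pinned_pem: str, presented_pem: str) -> dict:
    """Compare a pinned PEM with a freshly presented one by DER fingerprint."""
    pinned_fp = fingerprint(pinned_pem)
    presented_fp = fingerprint(presented_pem)
    return {
        "match": pinned_fp == presented_fp,
        "pinned": pinned_fp,
        "presented": presented_fp,
    }


def check_server(host: str, port: int = ELECTRUM_SSL_PORT,
                 certs_dir: Path = CERTS_DIR) -> dict:
    """Fetch the live certificate (needs network) and compare it with the pinned file."""
    pinned_path = certs_dir / host
    if not pinned_path.exists():
        return {"host": host, "match": None, "note": "no pinned certificate for this host"}
    # Electrum servers commonly use self-signed certificates, so there is no CA
    # validation here: the pinned file itself is the trust anchor being checked.
    presented = ssl.get_server_certificate((host, port))
    result = compare_pinned(pinned_path.read_text(), presented)
    result["host"] = host
    return result


# Constructed sample data: two fake "certificates" (not real X.509 structures),
# enough to show how a match and a mismatch are reported.
SAMPLE_PINNED = der_to_pem(b"constructed-server-cert-v1")
SAMPLE_ROTATED = der_to_pem(b"constructed-server-cert-v2")


if __name__ == "__main__":
    print(compare_pinned(SAMPLE_PINNED, SAMPLE_PINNED))   # match: True
    print(compare_pinned(SAMPLE_PINNED, SAMPLE_ROTATED))  # match: False
```

To run it against one of the hosts listed earlier in the thread you would call `check_server("btc.aftrek.org")` on the machine that holds the ~/.electrum/certs directory; a `match` of `False` means the server now presents a different certificate than the one the wallet pinned, which is worth investigating before trusting that server again (a legitimate certificate rotation looks the same, so the mismatch is a prompt, not proof of tampering).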

BitMaxz
Legendary
July 16, 2025, 02:17:59 PM
#7

I have created the wallet on a Windows system years ago - see my post above.


If it was created from Windows, then I guess your wallet was already compromised at that time using Windows. Because it's a rare case that your current Linux is infected if it was newly installed. Linux is considered more secure than the other OS, but it's not completely immune. If you don't randomly access any website with that OS, it should be clean, and I believe someone already has full control of your wallet since you created it from Windows OS.

For now, there's no way to recover those stolen BTC, but maybe since you already contacted Binance and they said they are going to refund stolen funds, it's worth trying.
However, I'm sure Binance will demand some data, including a sign message and your identity.

goldkingcoiner
Legendary
July 16, 2025, 02:26:06 PM
#8

B.t.w. I have contacted Binance - where my stolen BTC ended up on one of their addresses - and after proving (with screenshots, videos of wallet opening and wallet/TX history) that I am the owner of the address from which the BTC got stolen, they offered to refund me - but only if I open a Binance account (they will send it to my Binance address)! They said the owner of this Binance BTC address (obviously their customer = the hacker!) agreed to send it back!!! WTF Huh Has anyone had this experience? They don't want to give me his identity nor the type of attack by which the BTCs got removed! This looks very dodgy and supports my theory of a malicious server attack / vulnerability in Electrum which they maybe want to hide... Also I think a criminal/police investigation over several jurisdictions (me, Binance HQ, Binance server locations, TX server locations / mining pool, location of Binance customer) would lead to nothing.

Gotta be honest, that is the strangest thing I have ever heard of. Maybe the hacker is not actually a hacker and there was some sort of mix-up? Or maybe it was a hacker and he just got scared because he got tracked down to a centralized exchange where his KYC data is known.

And you are right to say something is dodgy, I would investigate further, if I were you and I would not hesitate to get the authorities involved, if you truly think that you caught a really dumb hacker...

Something is definitely fishy here....

But I am glad that you are getting your coins back.



Cricktor
Legendary
July 19, 2025, 04:10:35 PM
#9

Linux is mostly more secure because it's less on the radar of malware writers due to its lower market share than Windows. This is oversimplified for sure, but imagine you're a malware developer: for which platform would you craft your malware, one with a large user base or one with a significantly smaller user base?

@OP: do you mind posting the transactions? I understand that there should be two of them. How did you determine that your presumably stolen funds went to Binance?


~~~
I'm sorry but this sounds like fairy tales and I hardly believe anything of this.

BitBastard
Newbie
July 28, 2025, 06:39:52 PM
#10

Could it be someone physically in your immediate surrounding area, who is capturing your network traffic and modifying packets mid-stream?
pooya87
Legendary
July 30, 2025, 03:06:36 AM
#11

Could it be someone physically in your immediate surrounding area, who is capturing your network traffic and modifying packets mid-stream?
Performing a man-in-the-middle attack is not possible on your communication with Electrum servers because it is encrypted using SSL, somewhat similar to your communication with this very forum, which is encrypted with SSL.

And even if they could, the "packets" don't contain any sensitive information that could lead to any kind of losses. They are all public information (your balance, transactions, addresses, etc., all of which are found on the blockchain already).

btcfreak123 (OP)
Newbie
August 07, 2025, 09:16:05 PM
Last edit: August 08, 2025, 09:48:52 PM by Mr. Big
#12

Hi everybody!

Here is an update on this strange matter:

After Binance support forced me to open and verify an account (via a KYC process incl. ID upload and video conference) in order to get back my stolen BTC but the verification didn't work because of their crappy outsourced KYC service where nobody entered the video conference for hours and after 2 weeks of endless / useless chats with the support team and at least 10 different support agents, fraud specialists, supervisors and managers etc. whom I all insulted and wished the plague upon, I suddenly received the following email:

Subject: FW: Binance Security Fund Recovery - Funds Credited - 2025-07-29 16:16:55 (UTC)
From: Binance <do_not_reply@mgdirectmail.binance.com>
To: <xxxxx@mailfence.com>
Date: Jul 29, 2025, 4:16:57 PM

Binance Security Fund Recovery - Funds Credited

Dear Binancian,

We are pleased to inform you that our Security team has successfully resolved the dispute related to your previously reported transaction.
Upon further investigation, we learned that the transaction was related to potential fraudulent activities and, in the interest of security and user protection, we performed an in-depth security investigation. As a result of this investigation, we have managed to retrieve your funds from the receiver.

We have already distributed the following amount to your Spot Wallet: 0.01702049 BTC. To check the distribution, please follow these steps:

1. Log in to your Binance account.
2. Navigate to Wallets > Spot.
3. Click on "Transaction History"
4. Select the "Distribution" tab to view the credited amount.

Although we have managed to retrieve your funds on this occasion, please be reminded that this is a rare occurrence and it is usually impossible to cancel or return funds once the transaction has been completed. However due to these exceptional circumstances, and as we managed to identify the fraud transaction in a timely manner, we have been able to retrieve your funds.
Please be extra careful and vigilant and always do your own due diligence before sending or receiving funds. See the following general guide on how to avoid common scams: https://academy.binance.com/en/articles/8-common-bitcoin-scams-and-how-to-avoid-them

Your support and cooperation are much appreciated as we strive to maintain the security and integrity of our platform.

Yours sincerely,

Binance


Then - without completing the verification process - all of a sudden I received the BTCs on my Binance account and could transfer it immediately to a new self-hosted wallet! :-)
Strangely enough all the chat history has been deleted by Binance meanwhile!

This is the strangest shit I've ever seen!

For anyone who is interested: my initial BTC address where the funds got stolen is 1Th4E53SNrNLVGn9CgT8h3BJKuAKjqdWv and the funds were moved from the direct attacker's address 1GrvEughk4fqnGsvtaApZ8BtxRTtTWxmLc 1h later to this Binance address: bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h which has a balance of about 1.8 billion USD !

I have my BTCs back (minus fees) so I am somewhat relieved, but I still don't know (and Binance refuses to tell me) how the hell the BTCs got removed from my original address! In my opinion the only realistic possibility is an unknown/undiscovered vulnerability in Electrum (I have contacted the developers b.t.w. but didn't get any reaction - some days ago a new version 4.6.1 got released!) together with a fraudulent Electrum server where obviously a big Binance customer or Binance itself was involved!

Maybe somebody had a similar experience ?

Cheers!



Also, this Binance address has been used for a lot of scams:

https://www.bitcoinwhoswho.com/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h/urlid/14789007

mcdouglasx
Sr. Member
August 07, 2025, 09:42:58 PM
#13

I think it's more likely that there's an information leak than an Electrum vulnerability, since if it is a vulnerability, there would be direct attacks on wallets with more coins, or you'd be left blank.

Perhaps you have a friend, neighbor, or family member with access to your device, since stealing it and sending it to Binance makes no sense to an experienced attacker.

nc50lc
Legendary
August 08, 2025, 04:34:40 AM
Last edit: August 09, 2025, 07:22:23 AM by nc50lc
#14

-snip- and the funds were moved from the direct attacker's address 1GrvEughk4fqnGsvtaApZ8BtxRTtTWxmLc 1h later to this Binance address: bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h which has a balance of about 1.8 billion USD !
That was just Binance consolidating their users' deposits into their "hot wallet".

Also, this Binance address has been used for a lot of scams:
That website's rating is based on user input, so it's not too reliable.

For example: the users wouldn't know if the address belongs to the hacker,
and when the hacker sent it to Binance, they'll think that it belongs to the hacker once Binance consolidates.

To find the reason, you should investigate the device/machine that you're using and audit Electrum's code,
You'll get nowhere following the addresses involved, it ends with finding who owns 1GrvEughk4fqnGsvtaApZ8BtxRTtTWxmLc.
But that's easier said than done.

Alternatively, if you can get the authorities involved, Binance will provide you the information about the hacker's KYC data.
But you'll most likely get a phishing victim's profile instead since most hackers that use Binance use stolen data to pass KYC.

-edit- fix typo

btcfreak123 (OP)
Newbie
August 08, 2025, 12:34:25 PM
Last edit: August 08, 2025, 09:47:59 PM by Mr. Big
#15

I also wonder why only Windows versions of Electrum have a high malware detection rate (Linux=0%) which are all false positives according to Electrum!? This file here I used years ago but is signature verified from electrum.org:

https://www.virustotal.com/gui/file/4afe9fe07318f7ed804ab2ccb6e6b7e65971ffeaad97c612e0d364d05b196f79/detection

...



I think it's more likely that there's an information leak than an Electrum vulnerability, since if it is a vulnerability, there would be direct attacks on wallets with more coins, or you'd be left blank.

Perhaps you have a friend, neighbor, or family member with access to your device, since stealing it and sending it to Binance makes no sense to an experienced attacker.

No, definitely only I had access to this PC with the Electrum wallet and I also think an experienced attacker would have used a self-hosted wallet, independent from crypto exchanges with KYC procedures like Binance. But either the first Binance wallet was also hacked and not owned by the attacker or it was a bug in Electrum together with a malicious server. Everything else I can rule out with 99% certainty (no malware, phishing etc.) and I don't think it was a coincidence that in the same second I entered my Electrum wallet password and hit "broadcast", the "fraudulent" (second) TX (UTXO of these coins marked as "frozen" with right-click) initiated simultaneously next to my TX (marked as "spend" with right-click and coin control). It might also be a bug with the UTXO coin control and coins accidentally got sent to the miners!?
mcdouglasx
Sr. Member
August 08, 2025, 03:29:35 PM
#16

I think it's more likely that there's an information leak than an Electrum vulnerability, since if it is a vulnerability, there would be direct attacks on wallets with more coins, or you'd be left blank.

Perhaps you have a friend, neighbor, or family member with access to your device, since stealing it and sending it to Binance makes no sense to an experienced attacker.

No, definitely only I had access to this PC with the Electrum wallet and I also think an experienced attacker would have used a self-hosted wallet, independent from crypto exchanges with KYC procedures like Binance. But either the first Binance wallet was also hacked and not owned by the attacker or it was a bug in Electrum together with a malicious server. Everything else I can rule out with 99% certainty (no malware, phishing etc.) and I don't think it was a coincidence that in the same second I entered my Electrum wallet password and hit "broadcast", the "fraudulent" (second) TX (UTXO of these coins marked as "frozen" with right-click) initiated simultaneously next to my TX (marked as "spend" with right-click and coin control). It might also be a bug with the UTXO coin control and coins accidentally got sent to the miners!?


I still think it's most likely that your seed or private keys were compromised, either by a third party or some type of malware. You could never be 99% sure you don't have malware on your system. I repeat what I said two years ago: you can't trust antivirus. The threats that antivirus protects against are known ones, but there are still unknown threats that go undetected by antivirus.

As for the malicious server, it could be if you were ever phished to install a supposed update that would be an infected version. It's not as if the malicious server could spend your coins remotely.
Something very strange that could happen is that every time you sign a TX on your infected system, another one is signed, taking advantage of the momentary permissions gap when you execute a TX. But that still means you're compromised.

nc50lc
Legendary
*
Offline Offline

Activity: 2898
Merit: 7565


Self-proclaimed Genius


View Profile
August 09, 2025, 07:44:47 AM
Merited by pooya87 (4)
 #17

Quote from: btcfreak123
I also wonder why only Windows versions of Electrum have a high malware detection rate (Linux=0%) which are all false positives according to Electrum!?
That behavior is not limited to Electrum.
Almost all executables (.exe) that are built with "pyinstaller3" are being mistakenly flagged by some AVs.
And if you notice the virustotal result, those with detection aren't famous AVs but some least-desirable ones, so there's a chance that no one has reported that their result is a false positive.
(yes, a report is all it takes to remove something from an antivirus' detection as long as it's actually not malware)

Quote from: btcfreak123
At least I can confirm that its hash matches electrum installer v3.3.4, so it can't be malware.

picklerickbrah
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
August 29, 2025, 02:55:42 PM
 #18

This sounds like you got incredibly lucky that whoever was able to drain your wallet chose to send it to a Binance account that Binance knew was in use by someone that had been illegally stealing bitcoin and trying to sell it through them. I'm sure you were not the only person they hacked and deposited the stolen coins to the same account.

So they just wait for complainants to show up and claim a blockchain transaction that was fraudulent, then wait a certain amount of time before determining this is probably a legitimate complaint.

I am highly skeptical there is an Electrum vulnerability, though. You wouldn't be the sole person reporting the issue.
