[2018-12-19] Electrum Wallet Attack May Have Stolen As Much as 245 Bitcoin!

[Lucius]

Electrum Wallet Attack May Have Stolen As Much as 245 Bitcoin

A phishing attack on the Electrum wallet network has possibly managed to steal around 245 bitcoins, worth over $880,000 at today’s prices.

Warning of the attack on Thursday, the firm tweeted: “There is an ongoing phishing attack against Electrum users. Our official website is https://electrum.org Do not download Electrum from any other source.”

The bad actor set up the attack by creating multiple fake servers on the Electrum wallet network. As a result, when wallet users that connected to those servers attempted to broadcast a bitcoin transaction, they received an error message providing a malicious link to malware disguised as an updated wallet, the firm explained on its Github page.

https://www.coindesk.com/electrum-wallet-attack-may-have-stolen-as-much-as-245-bitcoin

Now we know it is much more then 245 BTC stolen in this attack which is still in progress, and will probably eventually result with thousands of stolen BTC.

More info and the development of the situation in Electrum board : https://bitcointalk.org/index.php?board=98.0

[1714527114]

1714527114

[1714527114]

1714527114

[1714527114]

1714527114

[1714527114]

1714527114

[1714527114]

1714527114

[1714527114]

1714527114

[erickbarkley29]

this is really terrible! so inhuman. I cannot fathom such criminal minds.  how can they even sleep peacefully knowing that they stole something they did not work hard for? may God deal with them.

[gentlemand]

this is really terrible! so inhuman. I cannot fathom such criminal minds.  how can they even sleep peacefully knowing that they stole something they did not work hard for? may God deal with them.

If something is possible then someone somewhere is going to do it. It only takes one wrong 'un.

People need to account for that and act accordingly.

I may well have fallen for this if I was an Electrum user, but I would never use a PC-based wallet in the first place. I've never really understood why Electrum is rated when many use it on an inherently insecure platform.

[squatter]

I may well have fallen for this if I was an Electrum user, but I would never use a PC-based wallet in the first place. I've never really understood why Electrum is rated when many use it on an inherently insecure platform.

You wouldn't use a PC-based wallet -- what does that mean? The reference client is a PC-based wallet. Are you saying you'd only use a hardware wallet, or a paper wallet (generated on offline PC)?

The most important distinction to make is where your private keys are held -- online or offline. I figure any online desktop wallet is a target for theft, but I don't particularly like hardware wallets either. They have fairly large and untested attack surfaces, multiple theoretical attack vectors, centralized firmware updates, etc. Major vulnerabilities have been found (and quickly patched) as well, just like Electrum.

Electrum can be used such that private keys are kept offline on an airgapped device. That's why I use it. It's also got great UI, is lightweight, Segwit-compatible and can be used in conjunction with your own full node. Lots of selling points!

[gentlemand]

You wouldn't use a PC-based wallet -- what does that mean? The reference client is a PC-based wallet. Are you saying you'd only use a hardware wallet, or a paper wallet (generated on offline PC)?

The most important distinction to make is where your private keys are held -- online or offline. I figure any online desktop wallet is a target for theft, but I don't particularly like hardware wallets either. They have fairly large and untested attack surfaces, multiple theoretical attack vectors, centralized firmware updates, etc. Major vulnerabilities have been found (and quickly patched) as well, just like Electrum.

Electrum can be used such that private keys are kept offline on an airgapped device. That's why I use it. It's also got great UI, is lightweight, Segwit-compatible and can be used in conjunction with your own full node. Lots of selling points!

Paper and hardware indeed. Phones for piddling amounts.

Obviously any wallet is fine on an offline machine. The fact these people got ravaged means they were using it online with a PC.

I'm increasingly less enamoured with hardware wallets too. I think people have been too rapid to embrace them as the ultimate answer when that looks like it's starting to unravel a bit.

[1Referee]

As horrible as it is for those who lost funds in the process, these things need to happen in order to have people wake up and realize that they are a walking target, regardless of what client/software/mobile/desktop they use. I'm glad that I am extremely paranoid by nature, so I always ignore pop ups from whatever piece of software that I have installed.

If there is an update ready, I'll head to the main site, scan the file, sign keys (where possible) and then upgrade.

I love Bitcoin, but it requires so much extra attention and care in terms of security, that I perfectly understand why certain parties aren't digging in yet. This isn't the banking system where you can claim that your funds have been stolen and the odds of being refunded are pretty high. In this case lost is lost.

[Kemarit]

this is really terrible! so inhuman. I cannot fathom such criminal minds.  how can they even sleep peacefully knowing that they stole something they did not work hard for? may God deal with them.

For God's sake they are criminals, they don't f*** care and I'm sure once they encash all Bitcoins they have stolen, they going to party and sleep like a baby.

I myself has been a Electrum user, and I thought that it's really secure but this kind of exploit is really a wake up call for everyone not everyone is vulnerable and those hackers will attack when you least expect it. So far I haven't lost anything though, but nevertheless, I'm sorry for those who have lost their precious Bitcoin and in any case I won't upgrade unless I see some official news from the dev.

[Lucius]

So far I haven't lost anything though, but nevertheless, I'm sorry for those who have lost their precious Bitcoin and in any case I won't upgrade unless I see some official news from the dev.

Electrum make quick fix very fast in a way they change how message is displayed in popup window, so it is not have direct clickable link to fake wallet but it looks like this :



And they do it same day when attack is started, so maybe they save few users who have problem with copy/paste. However the notice was officially published in Electrum site https://electrum.org/#download and version is still the same. So far there is no way to prevent that popup to be displayed if user is connect to fake server, only way is to ignore it and close that window.

[hatshepsut93]

I love Bitcoin, but it requires so much extra attention and care in terms of security, that I perfectly understand why certain parties aren't digging in yet. This isn't the banking system where you can claim that your funds have been stolen and the odds of being refunded are pretty high. In this case lost is lost.

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins. And things will get harder in the future because as adoption growth, hackers will spend more effort on finding ways to steal cryptocurrencies.

[gentlemand]

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins. And things will get harder in the future because as adoption growth, hackers will spend more effort on finding ways to steal cryptocurrencies.

I'm not sure this will be a circle that can ever be fully squared myself. The people looking to steal your crypto will always be sharper and further ahead than their placid suppliers.

If storage is taken care of in that scenario, they head back to phishing and faking addresses to divert coins and grandma doesn't get a bailout again. It's a conundrum indeed.

[BitHodler]

I myself has been a Electrum user, and I thought that it's really secure but this kind of exploit is really a wake up call for everyone not everyone is vulnerable and those hackers will attack when you least expect it. So far I haven't lost anything though, but nevertheless, I'm sorry for those who have lost their precious Bitcoin and in any case I won't upgrade unless I see some official news from the dev.

I was seriously considering to ditch Electrum and stick to Core, but the thing is that I use ChipMixer regularly and I need a light weight client to near instantly import any private key, which is what Electrum does.

If you do that with Core, it will take hours and hours to get the job done. Yes, I could use something else, but there isn't much that I trust enough to expose my private keys to it.

It's not the first time Electrum messed up, and it probably won't be the last one. The good thing is that they patch exploits quickly, but this could have been prevented by simply disabling links from the very beginning....

[cr1776]

I love Bitcoin, but it requires so much extra attention and care in terms of security, that I perfectly understand why certain parties aren't digging in yet. This isn't the banking system where you can claim that your funds have been stolen and the odds of being refunded are pretty high. In this case lost is lost.

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins. And things will get harder in the future because as adoption growth, hackers will spend more effort on finding ways to steal cryptocurrencies.

Perhaps not banks alone per se, but bitcoin financial instruments and entities and by that I mean bitcoin ETFs and similar instruments.  Anyone can go online or call their broker and say "buy $5000 of a bitcoin ETF" and not have to worry about private keys and such.  Of course this is an investment use case vs a transactional use case, but both have a place in the bitcoin ecosystem.

Right now though I wouldn't trust most of the people I know to verify signatures and be sure that they are downloading a legit client for bitcoin (or any other crypto) let along a grandmother.

[dreamhouse]

Hmm I won't use Electrum wallet, it seems too vulnerable.

[figmentofmyass]

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins.

you're right. a lot of people can't be bothered figuring out cold storage. for those with poor security practices, a bookmarked secure web site + password and 2FA can be the best option. that's just the unfortunate reality. the UI can be difficult for technophobes on top of security matters too. i've known people who have fucked up by sending to their "sent" addresses instead of their "receiving" addresses and things like that.

also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.

[gentlemand]

also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.

As banks are closing physical branches and pushing their, quite often totally unwilling, customers into online banking they're becoming far less forgiving of those who fall for online scams. I seem to remember my online banking having some sort of disclaimer about that.

Though this is unfortunate in the extreme I'm sure much more coinage is lost to user gullibility and slackness during login and sending. Bitcoin banks won't address that.

[vit05]

It was such a stupid and yet so profitable mistake. It is becoming increasingly clear that people need to separate spend wallets from pig wallets. And pig wallets need to be rarely accessed. So, if any error occurs, you would lose only a small part of what you own.

[figmentofmyass]

also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.

As banks are closing physical branches and pushing their, quite often totally unwilling, customers into online banking they're becoming far less forgiving of those who fall for online scams. I seem to remember my online banking having some sort of disclaimer about that.

Though this is unfortunate in the extreme I'm sure much more coinage is lost to user gullibility and slackness during login and sending. Bitcoin banks won't address that.

why not? bank applications are walled gardens---i don't see that changing. it's not like you'll login to hsbc and start making bitcoin transactions like it was a bitcoin wallet. you would do p2p transfers among intra-bank customers same as you would today (via account, not bitcoin address). i'm guessing there would be an approved network of merchants (think mastercard or the plus network) and you would interface with them through a touchless banking app. we're talking about a trusted network of verified/approved customers and merchants.

in other words, nobody would be using bitcoin at all. these would all be offchain transactions that only require a bank to manipulate its internal ledger, until and unless they had to periodically settle with other banks.

if you were to withdraw BTC from the banking system (like withdrawing cash at an ATM), obviously you're on your own and the bank won't protect you.

[gentlemand]

why not?

Because numpties respond to phone calls from fake bank fraud departments all the time and told to send their money to other accounts for 'safekeeping,'

Similarly you get man in the middle stuff where the bank details of house sales are sent through a hijacked email and off goes someone's money to a scammer.

You'd think that since it's all on their ledger banks would be able to squash moves like this flat immediately but a lot of the time they don't and tell the customer they're on their own. Crypto totally removes that ability, not that they seem to exercise it at present.

This is how it is in the UK where bank transfers are instant and free. It may well be different in countries with third world banking like the US.

[Kakmakr]

The common response from people on this forum is to check the PGP signature from the official site, before you do any updates, but most people do not even know what it is and how to look for it. They will have to find a way to prevent people from downloading any software from phishing sites, without making it too difficult to spot the phising site from the original <legit> source.

The average user have difficulty with the most basic concepts, so why would they not struggle with complex concepts like this? The developers always over engineer the software and it goes over the heads of most basic users. 

[buwaytress]

Big Electrum user here, and the increased threats we've seen to me is a compliment to Electrum's reach and popularity. I wouldn't say it's more vulnerable than other clients in its class - kind of the same argument that Chrome is more vulnerable than Vivaldi because it's got more attacks on it. But yes, it's going to be really difficult to get normies to use software if their basic behaviours regarding security aren't fixed.

Hell, you could use the toughest hardware or paper wallet, but if you fall for a message telling you to do stuff you're not supposed to...

This is why we are likely to see Bitcoin banks. People can teach their grandmas to use Bitcoin wallets, but it's impossible to teach their grandmas enough cybersecurity to prevent them from losing their coins.

you're right. a lot of people can't be bothered figuring out cold storage. for those with poor security practices, a bookmarked secure web site + password and 2FA can be the best option. that's just the unfortunate reality. the UI can be difficult for technophobes on top of security matters too. i've known people who have fucked up by sending to their "sent" addresses instead of their "receiving" addresses and things like that.

also, think about how many people used mt gox as a wallet back in the day, and how many do the same with coinbase today. as adoption continues, we'll be adding older, less tech-savvy people into the mix. that's one of the reasons i expect to see hsbc and bank of america eventually offering deposit accounts in bitcoin.

Never mind figuring out cold storage, far too many people aren't even willing to do more than remember a username and password - which is the crazy reason why so many people I know just refuse to use a proper wallet where they control their own private keys. They deliberately want to trust someone else, so yeah, Bitcoin banks? With custodian protection and deposit insurance? That idea is just going to appeal to them. Maybe soon people won't even remember what a private key is.