Bitcoin Forum
May 07, 2024, 11:02:19 AM
Topic: Electrum Phishing (Read 436 times)
Rayser
March 08, 2019, 02:21:54 PM  #21

I would recommend formatting your HD and installing a new Linux.
stomachgrowls
March 08, 2019, 04:09:06 PM  #22

Removed it, did a malware scan and did a search for all the files that were created/last accessed in the last 20 minutes, and I didn't find any new or suspicious files or any extra running processes or msconfig service/startup entries, so now I'm wondering if it had any persistent elements to it. I don't think so, but I'm curious about others. Did it also target other wallets?

Never heard yet that they also targeted other wallets. If you want to make sure that your PC is safe, scan the whole PC with Malwarebytes, and a deep scan on Kaspersky might find some suspicious activity on your PC. Also, I recommend you use IObit Advanced Uninstaller to fully remove all traces from your PC, including Regedit, before you install the legit Electrum wallet.
So far my other wallets are safe; I was able to do a successful transaction after I got phished with a small amount.
I don't need to reinstall my OS, as I believe my antivirus would detect if there are some traces left. Hopefully I'll be safe, and I would regret it if my funds were stolen again since I didn't follow others' suggestion to have my PC fresh.
Just take an observation, but if things go well then there's no need to re-install a fresh OS, which is really a very hassle thing to do when wiping out your 3rd party programs that are commonly used.
There are some files that can't really be removed nor detected by some AV; that's why I'm a little bit paranoid when I experience malware attacks, which I always have doubts about.
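
A triage script for the checks the quoted post describes (files written recently, running processes, Run-key and Startup-folder entries, leftover Electrum data), added here as an example and not code from this thread. The 20-minute window, the scanned roots and the assumption that Electrum keeps its data in %APPDATA%\Electrum are mine; the script only reports, it changes nothing.

```powershell
# Added example: post-incident triage after removing a suspected fake Electrum install.
# Windows PowerShell 5.1 or later; run elevated so HKLM and every process path are readable.
param(
    [int]$Minutes = 20,                                                   # assumed window, as in the quoted post
    [string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, "$env:SystemRoot\Temp")  # assumed roots
)
$since = (Get-Date).AddMinutes(-$Minutes)

Write-Host "== Files written since $since under $($Roots -join ', ') =="
Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

Write-Host "== Run / RunOnce autostart entries (what msconfig's Startup tab reads) =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Write-Host "-- $k"
        Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

Write-Host "== Startup folder items (per-user and all-users) =="
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

Write-Host "== Running processes whose image lives outside Windows and Program Files =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Path -and
        $_.Path -notlike "$env:SystemRoot\*" -and
        $_.Path -notlike "$env:ProgramFiles\*" -and
        $_.Path -notlike "${env:ProgramFiles(x86)}\*"
    } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize

# Wallet files left behind still hold the seed the fake client captured; they should be
# treated as compromised, not reused, even after a legitimate Electrum is installed.
Write-Host "== Leftover Electrum data =="
$electrumDir = Join-Path $env:APPDATA 'Electrum'   # assumed default data directory
if (Test-Path $electrumDir) {
    Get-ChildItem -Path $electrumDir -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
} else {
    Write-Host "none found at $electrumDir"
}
```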

HCP
March 08, 2019, 09:16:39 PM  #23

I don't need to reinstall my OS as I believe my antivirus would detect if there's some traces left,
Given that your antivirus failed to actually inform you about the malware wallet in the first place, resulting in monetary loss, are you sure that your faith in your antivirus is correctly warranted?

It has been stated multiple times that antivirus/malware software is generally only good at detecting known threats that have identified signatures. There are certain things it cannot really protect you from... like a piece of software that contains "normal" functionality (i.e. software sends/receives "data" over the internet) but abuses this functionality in a malicious manner (i.e. software sends "wallet seed/private key" information over the internet).

Chances are simply deleting the wallet will be "OK", as it seems like the malware wallet, in this instance, was only used to immediately send out a transaction emptying the wallet and/or sending the user's seed to the attackers... it doesn't look like it installed any additional malware... BUT if you want to be completely certain the threat is gone... reformat your PC and reinstall the OS.

bathrobehero
March 08, 2019, 09:55:01 PM  #24

Let me be honest here: I was (gullible enough to get) hacked a couple of times over the years since crypto became my hobby. I've dealt with well over 200 different wallets over the years and probably two dozen different miner softwares (I still have most of them), and it took a while before I got slapped with a dose of reality and lost many coins. Then I started using Sandboxie and quickly learned that it has to be used with custom settings (the default settings are no good at all; they still have read rights to everything important, like wallet.dat or browser user data) and then moved over to using multiple separate PCs.

You always think it won't be you, and when you do lose some coins you tighten up your security, and given time you start to feel safer than you actually are as you drop your previous security routines. At least most people do.

As I, and many others, have said before, antivirus software doesn't help at all. Malware can be sophisticated enough to fly under it (encryption), or disable it, or have its payload trigger without it detecting it. Just don't ever fully trust it on an important machine. Just think about how many times you trusted something with "false positives". Great malware mostly doesn't even give false positives.

Anyway, I'm 90% sure the phishing wallet had no persistent parts and that my PC was fine, but after I safely moved my coins to an offline machine I reinstalled it completely. Why risk that 10%? It's not a 10% tax; it's 0 or 100%.
It's a hassle, it takes days to get everything back to the way it was, and it is a pain in the ass to deal with many transactions through a separate machine, but it sure beats even just having to worry about one day waking up emptied.

And you can always store some coins in a hot wallet. Risk and reward, or in this case risk versus lack of annoyance. Don't be lazy, people.

Not your keys, not your coins!
pooya87
March 09, 2019, 03:39:18 AM  #25

Given that your antivirus failed to actually inform you about the malware wallet in the first place,

Why does "malware" keep coming up here? There is NO malware to be detected, at least not in the alternate (fake) Electrums that I have seen so far. It is simply an addition of a couple of lines of code that spends your coins to a specific hardcoded address. That is not malware; that is simple wallet functionality, like the functionality of the real wallet!
As soon as you enter your password, so that the fake wallet has access to the decrypted keys, it runs a simple piece of code which looks like this:
Code:
TakeAllSpendableCoins();
CreateNewTransactionInBackground(SendTo(Hardcoded_Address_Of_Attacker));
Sign();
Broadcast();
You can't detect this with an antivirus! If your AV detected this, then it should have also warned you every time you opened your real Electrum!

HCP
March 09, 2019, 10:25:25 AM  #26

why does "malware" keep coming up here? there is NO malware to be detected at least not in the alternate (fake) Electrums that i have seen so far.

Most likely because it is technically malware aka "malicious software"... as it does "Bad Things"™ that are not authorised/wanted by the user. It is software disguised to look like an Electrum wallet that sends out all your coins and/or your wallet seed/private keys/wallet file.


you can't detect this with an antivirus! if your AV detected this then it should have also warned you every time you opened your real electrum!
You'll note that is pretty much what I said...
It has been stated multiple times that antivirus/malware software is generally only good at detecting known threats that have identified signatures. There are certain things it cannot really protect you from... like a piece of software that contains "normal" functionality (i.e. software sends/receives "data" over the internet) but abuses this functionality in a malicious manner (i.e. software sends "wallet seed/private key" information over the internet).

whotookmycrypto
March 10, 2019, 05:03:49 AM  #27

Hi All,

So I fell foul of the Electrum phishing scam (it had been a while since I used it and I'm not on form atm, don't say it) and downloaded and installed "version 4.0.0", and to no surprise within a jiffy lost about £100 in BTC (all that was in the wallet) when trying to send it.
I've come to terms with my stupidity now and have consigned that wallet to the grave. I have removed Electrum from my laptop (Add/Remove Programs) and deleted all files with electrum in the name I can find, to try and be sure. I've run a Bitdefender scan of the whole computer, which has turned up nothing, but I still feel a little worried I might have left something nasty on my machine.
I'm also a bit nervous about installing and setting up a new Electrum wallet (from the correct .org site!) just because, like anyone, I don't want to chuck my money away.

Any advice would be welcome.

Thanks

Hey BugBasher82, we wrote about a method that could help you avoid such scams in the future.

https://bitcointalk.org/index.php?topic=5118417.0

Sorry for your loss, and hope this helps you.
