Bitcoin Forum
Author Topic: Think I've been Phished  (Read 239 times)
Aeonium (OP)
June 27, 2019, 02:39:49 AM
 #1

Think it's too late now, but hoping that someone out here can understand what needs to be done or reported to stop this scam. Am a newbie, had a 2-year-old version of Electrum, opened it up to transfer 0.099 BTC to an exchange wallet, then before the txn completes, a pop-up insists on installation of so-called version 4. It updates and completes the transaction (id# ccc3f772dad44e406441c835872fe1b444bee5498e13b7aa102fd99bc8643c6c) with an address (1MbomqWZxDts164kL9cdcinbhWZ7U6F9m5) that was definitely not mine.
https://blockstream.info/tx/ccc3f772dad44e406441c835872fe1b444bee5498e13b7aa102fd99bc8643c6c
The antivirus lights up saying I have a JTI/Suspect. Uninstalled Electrum, downloaded from the proper .org address, and tried installing it, and still the AV software insists the .exe is infected. I understand I've lost the BTC for good, but is it possible to report the offending transaction details anywhere? Thanks in advance. Will likely never use Electrum again after this.
pooya87
June 27, 2019, 03:00:40 AM
 #2

Sorry for your loss, but this is already an old phishing attack that was using a vulnerability in older versions of Electrum to show users a message directing them to a fake website and telling them to download a fake Electrum version. If you ignore that message, or if you followed the basic security protocols and tried verifying signatures before installing anything, you wouldn't have lost any coins.

As for your AV, most of them are recognizing Electrum as having malware. It is a false positive. If you want to feel safer, then download the source code and compile it yourself after reviewing it.

Aeonium (OP)
June 27, 2019, 08:10:11 PM
 #3

Thank you, learned an expensive lesson. Just wanted to log my loss.
bones261
June 27, 2019, 08:19:14 PM
 #4

You may want to invest in a hardware wallet such as Trezor or Nano. (Don't buy from a second hand vendor.) Even if your system is infected with malware, there are safeguards in place in both wallets to ensure it doesn't change a transaction and send without you having to manually confirm.
Abdussamad
June 27, 2019, 10:25:36 PM
 #5

You can report the transaction to cops in your local area.
Aeonium (OP)
June 27, 2019, 10:52:47 PM
 #6

Was honestly leaning to just using the exchange's wallet from now on. Doubt our local cybercrime division has the time/resources for this, but will try anyway.
bones261
June 27, 2019, 11:04:31 PM
Last edit: June 28, 2019, 12:43:11 AM by bones261
 #7

Quote from: Aeonium on June 27, 2019, 10:52:47 PM
Was honestly leaning to just using the exchange's wallet from now on. Doubt our local cybercrime division has the time/resources for this, but will try anyway.

Too many exchanges have gotten "hacked" or have done exit scams. Plus, there is nothing stopping hackers from trying to access your account through social engineering and making away with your bitcoin. 2FA is nice. But not if a hacker can convince the support team to reset it. Furthermore, an exchange can determine they do not care for your activity and put you through a bunch of KYC/AML red tape to get access to your funds.
Aeonium (OP)
June 28, 2019, 04:01:22 AM
 #8

Agree with your points, will look up the hardware wallets.
Carl_Lundstrom
June 28, 2019, 02:08:36 PM
 #9

Quote from: Aeonium on June 27, 2019, 02:39:49 AM
Think it's too late now, but hoping that someone out here can understand what needs to be done or reported to stop this scam. Am a newbie, had a 2-year-old version of Electrum, opened it up to transfer 0.099 BTC to an exchange wallet, then before the txn completes, a pop-up insists on installation of so-called version 4. It updates and completes the transaction (id# ccc3f772dad44e406441c835872fe1b444bee5498e13b7aa102fd99bc8643c6c) with an address (1MbomqWZxDts164kL9cdcinbhWZ7U6F9m5) that was definitely not mine.
https://blockstream.info/tx/ccc3f772dad44e406441c835872fe1b444bee5498e13b7aa102fd99bc8643c6c
The antivirus lights up saying I have a JTI/Suspect. Uninstalled Electrum, downloaded from the proper .org address, and tried installing it, and still the AV software insists the .exe is infected. I understand I've lost the BTC for good, but is it possible to report the offending transaction details anywhere? Thanks in advance. Will likely never use Electrum again after this.

A friend in Sweden got the same. "Upgrade to Electrum 4.0" (and let us steal all your money). electrum.org should maybe have a warning for this, but they have no address where I can contact them...
porkandbeansboy
June 28, 2019, 02:24:43 PM
 #10

OUCH! That sucks! I am planning to look into hardware wallets myself for this exact specific reason. I am very sorry that this happened to you... at least you know to be more vigilant now, am I right? Lol
HCP
June 28, 2019, 09:36:43 PM
 #11

Quote from: Carl_Lundstrom on June 28, 2019, 02:08:36 PM
A friend in Sweden got the same. "Upgrade to Electrum 4.0" (and let us steal all your money). electrum.org should maybe have a warning for this, but they have no address where I can contact them...

The webpage says right at the top:
Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.
The "phishing" link goes to the GitHub issue discussing the problem... and the fact that it was fixed.

The website also has links to github: https://github.com/spesmilo/electrum where you can use the issues register to contact the devs
and also a link to their twitter: https://twitter.com/ElectrumWallet

Failing that, PM ThomasV here:

jerry0
July 10, 2019, 11:35:59 PM
 #12

This is a huge concern for Electrum users. If someone were to open Electrum after not using it for a long time, aren't most people going to be tricked like this? I mean, most people who are not tech savvy would probably just update it, right? More than half of people would probably do this without checking it out first, right? That's what I'm thinking.

Also, when you had that update message, did you click on the link and it updated? Thus it opened your Chrome browser? Or you had to copy and paste it into Chrome to download it? Also, you can reject the update, right? If you reject it, how do you do it? Can you ignore it? Or is there an X to click to close that message?
TryNinja
July 11, 2019, 03:51:10 AM
 #13

Quote from: jerry0 on July 10, 2019, 11:35:59 PM
This is a huge concern for Electrum users. If someone were to open Electrum after not using it for a long time, aren't most people going to be tricked like this? I mean, most people who are not tech savvy would probably just update it, right? More than half of people would probably do this without checking it out first, right? That's what I'm thinking.
That's right. That's why so many people fell for this.

Quote from: jerry0 on July 10, 2019, 11:35:59 PM
Also, when you had that update message, did you click on the link and it updated? Thus it opened your Chrome browser? Or you had to copy and paste it into Chrome to download it? Also, you can reject the update, right? If you reject it, how do you do it? Can you ignore it? Or is there an X to click to close that message?
All this exploit did was show a fake update message. You had to open your browser, go to the URL in the message, download, and then run the executable to get phished. It never downloaded automatically or did anything else.

You could have just ignored the message and moved on. Obviously, they now stop appearing if you update your Electrum (which fixed the exploit), but again, all it did was show a message (which could easily be closed, ignored). That's why it was 80% a social engineering attack.
