Bitcoin Forum
Author Topic: I just had all my bitcoins stolen and I don't understand how it happened  (Read 405 times)
slinkybob (Newbie, Activity: 2, Merit: 1)
July 31, 2019, 06:12:48 AM
Merited by LoyceV (1)
#1

I just lost 0.73 of a bitcoin, about £6k. I was making a small payment (about £50) through Electrum and I got a message saying that I needed to apply a patch before the payment could be sent. The patch seemed to be legit and led directly to the Electrum website. I downloaded Electrum 4.0, and when I started it up all my bitcoins had gone. My balance is now zero. What happened?
Abdussamad (Legendary, Activity: 2310, Merit: 1220)
July 31, 2019, 06:16:03 AM
#2

You installed malware:

https://www.reddit.com/r/Electrum/comments/brvsmv/333_danger_vulnerable_to_phishing_please_always/
slinkybob (Newbie, Activity: 2, Merit: 1)
July 31, 2019, 06:28:10 AM
#3

Thanks... :(
bob123 (Legendary, Activity: 1106, Merit: 1580)
July 31, 2019, 07:44:33 AM
Merited by Foxpup (3)
#4

Quote from: slinkybob
> The patch seemed to be legit and led directly to the electrum website.

Unfortunately not.

The one and only original Electrum site is https://electrum.org/.

The message which was shown to you came from a malicious Electrum server you were connected to.
And it linked to a (faked) GitHub repository with no source code, and only a (malicious) binary available to download.


Unfortunately, you have been a victim of the phishing campaign. Your funds are gone.

Lucius (Legendary, Activity: 1624, Merit: 1413)
July 31, 2019, 09:44:09 AM
#5

slinkybob, it's a shame you didn't register on the forum earlier, or at least read it as a guest; then you would have seen warnings about this attack, which started at the end of last year. We have a dedicated board for Electrum, and there you can see many identical cases posted by victims.

I'm sorry for your loss, and I hope that the hackers will pay one day for their crimes.

crwth (Copper Member, Hero Member, Activity: 1148, Merit: 733)
July 31, 2019, 09:53:44 AM
#6

So he is a victim of a phishing technique — installed malware, etc.

I want to understand more. Is it because his original wallet software was already compromised, or is it something connected with his computer or something else? Do the hackers know that he holds Bitcoin? Somehow, someway, they had access? I'm just worried about anything else that could jeopardize my funds.

Royse777 (Hero Member, Activity: 868, Merit: 1081)
July 31, 2019, 10:09:27 AM
#7

Quote from: crwth
> Is it because his original software of the wallet is already compromised

Since the code is open source, anyone can alter the code and insert something that will open a door to steal your coins. If you download Electrum from any other website than electrum.org then you are risking your coins. That Electrum client can be infected.

So, it is always advised to download the software from the official site, https://electrum.org/#download, and not only this: before installing the file, make sure you have verified the signature: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

If you can successfully verify the downloaded file then you are sure that you have the original version.

o_e_l_e_o (Hero Member, Activity: 770, Merit: 3054)
July 31, 2019, 10:12:39 AM
Merited by Foxpup (4), Jet Cash (2), ETFbitcoin (1)
#8

Electrum versions prior to 3.3.4 had a feature which allowed servers to display a pop up box to connected users to tell them about errors. Some third party hosted a malicious server, and anyone who connected to it (which can happen automatically) would be shown a pop up box advising them their Electrum client was out of date and they needed to update to version 4.0, along with a link to the fake wallet, which many users blindly follow, download, install, and use, without checking or verifying it first.

In this case, OP didn't need to have anything already compromised or anything connected to his computer as you suggest. The hackers don't know who he is, and have no access to his machine. They exploited a (now patched) flaw in older versions of Electrum to trick OP into downloading malware.

You can read more about this flaw here: https://github.com/spesmilo/electrum/issues/4968
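The class of flaw described in this post, as an added illustration in Python. This is not Electrum's code and not its actual fix; it only shows the pattern. A string arriving in a JSON-RPC error from an untrusted server is rendered as rich text with a live link (the vulnerable pattern), beside a handling that maps recognised node reject reasons to wording the wallet itself controls and shows anything else only as escaped, link-stripped, clearly labelled plain text. The JSON replies, the phishing text (with a reserved `.invalid` domain) and the table of reject strings are constructed for the example.

```python
"""Untrusted server text in a wallet UI: vulnerable rendering beside a hardened
one.  Added illustrative example, not Electrum's code or its actual fix.  The
JSON-RPC replies and the reject-string table below are constructed for the demo."""
import html
import json
import re

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)

# Substrings of node reject reasons the wallet is happy to relay, mapped to wording
# the wallet itself controls.  Keys are examples in the style of Bitcoin Core reject
# strings; this table is constructed for the example and is not exhaustive.
KNOWN_REJECTS = {
    "min relay fee not met": "Transaction rejected: fee too low.",
    "insufficient fee": "Transaction rejected: fee too low.",
    "bad-txns-inputs-missingorspent": "Transaction rejected: an input is unknown or already spent.",
    "txn-mempool-conflict": "Transaction rejected: it conflicts with another unconfirmed transaction.",
    "tx-size": "Transaction rejected: transaction too large.",
}
GENERIC = ("The server rejected the transaction. Details are hidden because the "
           "server's text is untrusted.")


def extract_error(reply_json: str) -> str:
    """Pull the human-readable error string out of a JSON-RPC reply, or '' if none."""
    reply = json.loads(reply_json)
    err = reply.get("error")
    if err is None:
        return ""
    if isinstance(err, dict):
        return str(err.get("message", ""))
    return str(err)


def render_unsafe(raw_error: str) -> str:
    """Vulnerable pattern: the server-supplied string goes straight into a rich-text
    widget, so an <a href> the server planted becomes a clickable link that looks
    like it came from the wallet itself."""
    return f"<b>Error:</b> {raw_error}"


def render_safe(raw_error: str, excerpt_len: int = 120) -> str:
    """Hardened pattern: recognised reject reasons are replaced by wallet-controlled
    wording; anything else is HTML-escaped (displays literally, no markup), has URLs
    neutralised so nothing is clickable, is truncated, and is labelled as untrusted."""
    lowered = raw_error.lower()
    for needle, wording in KNOWN_REJECTS.items():
        if needle in lowered:
            return wording
    excerpt = URL_RE.sub("[link removed]", html.escape(raw_error))[:excerpt_len]
    return f"{GENERIC} Raw text (untrusted, not clickable): {excerpt}"


# Constructed replies.  The first imitates the phishing pop-up described in the
# thread; the domain is reserved (.invalid) and does not exist.
PHISHING_REPLY = json.dumps({"jsonrpc": "2.0", "id": 7, "error": {"code": 1, "message": (
    "Your Electrum client is out of date. Install the update: "
    '<a href="https://electrum-update.example.invalid/Electrum-4.0.exe">electrum.org</a>')}})
FEE_REPLY = json.dumps({"jsonrpc": "2.0", "id": 8, "error": {"code": 1, "message":
    "the transaction was rejected by network rules.\n\nmin relay fee not met\n[raw hex omitted]"}})

if __name__ == "__main__":
    for reply in (PHISHING_REPLY, FEE_REPLY):
        msg = extract_error(reply)
        print("UNSAFE:", render_unsafe(msg))
        print("SAFE:  ", render_safe(msg))
        print()
```

The hardened path still answers the objection raised later in the thread (a wallet that says nothing is useless): a fee or double-spend rejection comes through in the wallet's own words, while text the wallet does not recognise is shown only as inert, labelled data that cannot be clicked and is never presented as the wallet's own message.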

UnruffledST (Member, Activity: 235, Merit: 18)
July 31, 2019, 10:48:18 AM
#9

Quote from: o_e_l_e_o
> Electrum versions prior to 3.3.4 had a feature which allowed servers to display a pop up box to connected users to tell them about errors. Some third party hosted a malicious server, and anyone who connected to it (which can happen automatically) would be shown a pop up box advising them their Electrum client was out of date and they needed to update to version 4.0, along with a link to the fake wallet, which many users blindly follow, download, install, and use, without checking or verifying it first.
>
> In this case, OP didn't need to have anything already compromised or anything connected to his computer as you suggest. The hackers don't know who he is, or have any access to his machine. They exploited a (now patched) flaw in older versions of Electrum to trick OP in to downloading malware.
>
> You can read more about this flaw here: https://github.com/spesmilo/electrum/issues/4968

Wow, I legitimately feel bad for the user: he downloads a patch thinking he's doing the right thing, just to find his coins gone. To be honest, this technique would have caught even me off guard if I had been presented with it. I mean, not everyone checks the link before downloading, even more so when it comes from the program itself. Really, man, I hope you are keeping your head up even though you came out with a loss. 8k USD is not a small sum for a lot of people.
bob123 (Legendary, Activity: 1106, Merit: 1580)
July 31, 2019, 12:56:21 PM
#10

Quote from: UnruffledST
> To be honest this technique would have even caught me off guard if presented with it. I mean not everyone usually checks the link before downloading [...]

Well.. then you should reconsider your security measures.

You should never download anything without double-checking the URL.
And additionally, you should never install sensitive software (e.g. wallet software) without verifying the signature.

There are tons of guides available on how to verify the signature. It is even mentioned on electrum.org.

pereira4 (Legendary, Activity: 1568, Merit: 1157)
August 01, 2019, 12:28:18 AM
#11

Even signatures don't guarantee anything, the MIT server where they store them could have been compromised, the people involved could have been compromised... etc

This is why you want to ideally run a full client and validate your own transactions, otherwise you are basically running a webwallet.
TryNinja (Legendary, Activity: 1218, Merit: 1687)
August 01, 2019, 12:40:31 AM
#12

Quote from: pereira4
> Even signatures don't guarantee anything, the MIT server where they store them could have been compromised, the people involved could have been compromised... etc
>
> This is why you want to ideally run a full client and validate your own transactions, otherwise you are basically running a webwallet.

Well, you don't actually need to get a new signature every time a new update is released. Get it now while the MIT server hasn't been compromised and use it for every new update. Also, a full client (node) is just as much a piece of software as any other wallet (such as Electrum). How would you confirm the full client you are running is legit if even the signature server is potentially compromised? At some point you will have to trust something/someone.

ranochigo (Legendary, Activity: 1862, Merit: 1206)
August 01, 2019, 01:32:34 AM
#13

Quote from: pereira4
> Even signatures don't guarantee anything, the MIT server where they store them could have been compromised, the people involved could have been compromised... etc
>
> This is why you want to ideally run a full client and validate your own transactions, otherwise you are basically running a webwallet.

That isn't secure either. Even running a full client isn't enough. Bitcoin Core can be compromised in that scenario too. The problem here isn't with the validation of the transaction. I don't agree with that either. The difference between SPV clients and web wallets is huge; SPV clients still give you full control over your private keys. IMO, SPV clients give their users a balance between convenience and security.

If you want to protect against the scenario that you've described, you have to review and build the client from scratch. This isn't something everyone can do.

crwth (Copper Member, Hero Member, Activity: 1148, Merit: 733)
August 01, 2019, 05:07:41 AM
#14

Quote from: crwth
> Is it because his original software of the wallet is already compromised

Quote from: Royse777
> Since the code is open source, anyone can alter the code and insert something that will open a door to steal your coins. If you download Electrum from any other website than electrum.org then you are risking your coins. That Electrum client can be infected.

Well, then there's no problem with that, but as o_e_l_e_o said, even if you downloaded the legitimate one and it prompts an update or something, it could somehow show a pop-up box saying to update it. Knowing that there is already an update, they are taking advantage of that part, if I understood correctly. It's because hackers are somehow signaling from their Electrum node or something to do that? That must have happened to a lot of users. Sad to say, it's better to be skeptical about these kinds of things.

Royse777 (Hero Member, Activity: 868, Merit: 1081)
August 01, 2019, 01:32:00 PM
#15

Quote from: crwth
> ~snip~
> Well, then there's no problem with that but as o_e_l_e_o said, even if you downloaded the legitimate one and it prompts an update or something, it could somehow show a pop-up box saying to update it,

Since I learnt about the hack involving clicking the update button a few months ago, I never use the auto-update feature. Luckily I have never seen the update pop-up either.

This is what I recommend: if you somehow find yourself in this kind of situation, where Electrum is asking for an update with a pop-up, then just close Electrum entirely and download a fresh copy from their official website. Verify it before installing and start over again. This way, you can be sure that you are using authentic Electrum and also the latest version.

Do not forget to keep your seed safe somewhere else. You need it to restore your wallet if you have not backed up the files in your wallet folder before uninstalling the old version.

o_e_l_e_o (Hero Member, Activity: 770, Merit: 3054)
August 01, 2019, 02:07:00 PM
#16

Quote from: TryNinja
> Well, you don't actually need to get a new signature every time a new update is released. Get it now while the MIT server hasn't been compromised and use it for every new update.

Thomas Voegtlin's GPG key can be found in many places online, and it is impossible for an attacker to compromise them all. If you were really paranoid, you could access it from several sources and compare them.

Quote from: pereira4
> the people involved could have been compromised.

If you are worried about a piece of software such as Electrum becoming compromised, then probably the easiest way to mitigate against this is to pair it with a hardware wallet. Even if you were using the malicious version of Electrum we are talking about in this thread, an attacker wouldn't be able to steal your coins unless you were stupid enough/not paying attention enough to confirm their malicious transaction on your hardware device. The only way to fully mitigate against it is to examine the source code yourself.

erikalui (Legendary, Activity: 1848, Merit: 1056)
August 01, 2019, 03:22:11 PM
#17

Similar case here: https://twitter.com/gage5144/status/1149538691989135362 (They only have 3.3.8 so far, so 4.0 is out of the question for years. That should have been a warning sign: upgrading from 3.3.x directly to 4.)


Quote from: Royse777
> Since I learnt about the hack of clicking the update button few months ago I never use auto update feature. Luckily I have never seen the update pop up as well.
>
> This is what I recommend, if you somehow find yourself in this kind of situation that Electrum is asking for update with a pop up then just close entire Electrum and download a a fresh copy from their official website. Verify it before installing and start over again. This way, you are safe that you are using authentic Electrum and also the latest version.
>
> Do not forget to keep your seeds safe in somewhere else. You need them to restore your wallet if you have not backed up your files in the wallet folder before uninstalling the old version.

But there should be an option to disable the pop-ups, as there have been so many cases where users have lost their money. Last year the same thing happened and they updated their wallet, and now again there has been a new hack since April. Apart from warning, they do nothing.

o_e_l_e_o (Hero Member, Activity: 770, Merit: 3054)
August 01, 2019, 03:36:23 PM
Merited by Foxpup (3), bob123 (2), ETFbitcoin (1)
#18

Quote from: erikalui
> Except warning they do nothing.
They patched the flaw in version 3.3.3, which was released over 6 months ago. There have been 5 new versions since then. The flaw has been widely publicized (including right at the top of the electrum.org landing page), and pretty much everyone who regularly uses these forums, reddit, or reads any crypto media sites would have heard about it. The only people still falling victim to it are those who are using 6 months/6 versions out-of-date software, don't read any crypto sites or news, and don't follow the instructions on how to update and verify Electrum properly. They've done literally everything they could do. There is no way for them to remotely disable all vulnerable clients.

It's like the people who type their seed in to random websites despite constant and repeated warnings to keep your seed confidential and never reveal it to anybody or anything. Sometimes you just can't save people from themselves, regardless of how much you try. It's pretty basic security practices to not follow random links, and especially not to download and install software from random links.

ETFbitcoin (Legendary, Activity: 1848, Merit: 2123)
August 01, 2019, 04:34:38 PM
#19

Quote from: pereira4
> Even signatures don't guarantee anything, the MIT server where they store them could have been compromised, the people involved could have been compromised... etc

The real risks are only when you need to obtain the public key for the first time, and when getting a new one after the old public key has expired.
Besides, AFAIK the public key is also mirrored at GitHub, so you can download and check both of them. It's very unlikely that 2 big services got hacked at the same time.

Quote from: pereira4
> This is why you want to ideally run a full client and validate your own transactions, otherwise you are basically running a webwallet.

To be fair, there's no difference if you download the full node client software from a malicious source.

Validating your own transactions or verifying all transactions/blocks doesn't matter here, since the malicious wallet will steal your private key.

Quote from: erikalui
> But there should be an option to disable the popups as there have been so many cases where users have lost their money.

The pop-up which used to show messages from the server was also used to show whether the transaction was successfully broadcast and whether there were any problems with the transaction (such as the transaction size being too big, fee too low, using an input which is already spent, etc.).
Would you use a wallet which doesn't give any messages at all?
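The signature-verification advice from Royse777 and bob123 earlier in the thread, and the key-sourcing point made in this post and in TryNinja's and o_e_l_e_o's replies, worked through as an added example in Python. This is not the Electrum project's code. It parses gpg's machine-readable output to pull the primary-key fingerprint out of each independently fetched copy of the signer's key, insists that all copies agree and match a pinned value, and then checks the VALIDSIG status record from `gpg --verify` against that pin rather than trusting the words "Good signature", which gpg prints for any key that happens to be in your keyring. The fingerprints, key IDs and gpg output below are constructed test data; the real release signing key's fingerprint is deliberately not reproduced here and should be obtained from several independent sources, as the posts describe.

```python
"""Pin and cross-check the release signer's OpenPGP key, then verify a download
against that pin.  Added illustrative example, not Electrum project code.  All
fingerprints, key IDs and gpg output below are constructed test data."""
import re
import subprocess
from typing import Dict, Optional


def normalize_fpr(fpr: str) -> str:
    """Upper-case and strip the spaces people use when printing fingerprints."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return cleaned


def primary_fingerprint(colon_listing: str) -> Optional[str]:
    """Primary-key fingerprint from gpg's machine-readable listing, e.g. the output of
    `gpg --with-colons --import-options show-only --import signer.asc`.
    The `fpr` record right after `pub` is the primary key; `fpr` records that follow a
    `sub` record belong to subkeys and are skipped."""
    want_primary = False
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            want_primary = True
        elif fields[0] == "sub":
            want_primary = False
        elif fields[0] == "fpr" and want_primary and len(fields) > 9:
            return normalize_fpr(fields[9])
    return None


def cross_check_key(listings: Dict[str, str], pinned: Optional[str] = None) -> str:
    """Every independently fetched copy of the key (web site, code hosting, keyserver,
    a printed copy) must carry the same primary fingerprint, and must equal the
    fingerprint pinned on first use if one is given.  Returns the agreed fingerprint."""
    seen: Dict[str, str] = {}
    for source, listing in listings.items():
        fpr = primary_fingerprint(listing)
        if fpr is None:
            raise ValueError(f"{source}: listing contains no primary key")
        seen[source] = fpr
    distinct = set(seen.values())
    if len(distinct) != 1:
        raise ValueError(f"key sources disagree, do not trust any of them: {seen}")
    (agreed,) = distinct
    if pinned is not None and normalize_fpr(pinned) != agreed:
        raise ValueError(f"fetched key {agreed} does not match pinned {normalize_fpr(pinned)}")
    return agreed


def signed_by_pinned_key(status_output: str, pinned: str) -> bool:
    """Check `gpg --status-fd 1 --verify file.asc file` output.  'Good signature' only
    means *some* key in your keyring signed the file; the VALIDSIG status record names
    the signing-key fingerprint and, as its last field, the primary-key fingerprint,
    and one of those has to be the key you pinned."""
    pinned = normalize_fpr(pinned)
    for line in status_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[:2] == ["[GNUPG:]", "VALIDSIG"]:
            signing = tokens[2].upper()
            primary = tokens[11].upper() if len(tokens) >= 12 else signing
            return pinned in (signing, primary)
    return False  # BADSIG, ERRSIG, NO_PUBKEY, or no signature at all


def verify_download(path: str, sig_path: str, pinned: str) -> bool:
    """Run gpg on a real file and apply the pin check (needs gpg; not run offline)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, path],
                          capture_output=True, text=True, check=False)
    return signed_by_pinned_key(proc.stdout, pinned)


# ---- constructed sample data; these are not anyone's real keys ----
CONSTRUCTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SUBKEY_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
LISTING_SITE = "\n".join([
    "pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:",
    f"fpr:::::::::{CONSTRUCTED_FPR}:",
    "uid:-::::1500000000::0000000000000000000000000000000000000000::Release Signer <signer@example.invalid>::::::::::0:",
    "sub:-:4096:1:0123456789ABCDEF:1500000000::::::s::::::23:",
    f"fpr:::::::::{SUBKEY_FPR}:",
])
LISTING_MIRROR = LISTING_SITE                                        # independent copy that agrees
LISTING_TAMPERED = LISTING_SITE.replace(CONSTRUCTED_FPR, OTHER_FPR)  # copy with a swapped key
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Release Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2019-07-11 1562803200 0 4 0 1 8 00 {CONSTRUCTED_FPR}\n"
)
STATUS_OTHER_KEY = STATUS_GOOD.replace(CONSTRUCTED_FPR, OTHER_FPR).replace(SUBKEY_FPR, OTHER_FPR)

if __name__ == "__main__":
    agreed = cross_check_key({"web site": LISTING_SITE, "repo mirror": LISTING_MIRROR},
                             pinned="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567")
    print("agreed fingerprint:", agreed)
    print("signature from pinned key:", signed_by_pinned_key(STATUS_GOOD, agreed))
    print("signature from other key: ", signed_by_pinned_key(STATUS_OTHER_KEY, agreed))
```

If any source disagrees, the right response is to trust none of them and find out why, not to go with the majority. Once the pin exists, the fetch-and-compare step is only needed again when the signer's key is replaced or expires, which is the point TryNinja and ETFbitcoin make above.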

bob123 (Legendary, Activity: 1106, Merit: 1580)
August 02, 2019, 07:45:22 AM
#20

Quote from: pereira4
> Even signatures don't guarantee anything, the MIT server where they store them could have been compromised, the people involved could have been compromised... etc

You know.. what happens if the internals of Ledger get compromised?
What if the hardware manufacturer of your computer (e.g. Intel / AMD) intentionally builds a backdoor into your computer?

If you really want to go THAT far, the only option is an absolutely offline computer (never went / going online) in a Faraday cage inside a highly secured (talking about physical access) room.

Everything can be compromised. But you have to look at the probabilities.


Quote from: pereira4
> This is why you want to ideally run a full client and validate your own transactions, otherwise you are basically running a webwallet.

What if the GitHub repository of Core gets compromised? ;)

Also.. there are tons of differences between an SPV desktop client and a web wallet security-wise.


ETFbitcoin and I have already discussed this topic about one week ago:

Quote:
> But the web wallet has a lot more points of failure.
> For example, a MitM, compromised server, DNS spoofing, etc.. Those all only apply to web wallets and not to desktop wallets.
>
> On the other hand, there is not a single attack point which could target a desktop wallet, but not a web wallet.

Quote:
> ~snip~
> Don't forget hostile takeover by government, phishing website, malicious browser extension & people in the company went rogue.

