Bitcoin Forum
Topic: Electrum Wallet sends btc to another address without withdrawal from my side
simel (OP)
September 20, 2019, 11:11:00 AM
Merited by LoyceV (2), hugeblack (1)
 #1

Hi everyone,

I got a problem regarding my electrum wallet.
I have used this wallet for 2 years now on my Mac. There were no problems until the last update of the wallet. I updated the version from 2.3.7 (I think it was this one) to 4.0.

Now the problems start. I had a wallet value of 0.048 btc. I wanted to do a transaction of like 0.02 btc, which sent ALL my btc to another wallet address I didn’t type in. (I can post the transaction ID if required.) I believed it was a mistake on my side, so I didn’t do anything at that time.

Now I did deposit another 0.105 btc on this wallet. As soon as the wallet had internet access it opened a transaction with ALL the btc of my wallet to the same wallet address as above. Same with the second deposit of 0.055 btc. Now I have no btc on my wallet and I don’t know where they went.

17N3BYAqgFFQLFMBWtcY975edUmGKkGqur is the address where the btc went.

Walletexplorer says that this address is part of a bigger wallet. But I can’t see anything more to get the btc back.

Would be great if anyone could help in this case. If you need more data like all the transaction IDs, I’ll post it.

Greets simel
Rath_
aka BitCryptex
September 20, 2019, 11:16:35 AM
 #2

Quote
I have used this wallet for 2 years now on my Mac. There were no problems until the last update of the wallet. I updated the version from 2.3.7 (I think it was this one) to 4.0.

You fell for a phishing attack. Unfortunately, you won't be able to get your coins back. You should always download updates from the official website and verify the installation file. The latest version of Electrum is 3.3.8. Versions older than 3.3.4 are vulnerable to this attack.
simel (OP)
September 20, 2019, 11:21:09 AM
 #3

Fuck me...
ok thx for the help. It’s hard to see that amount of money go down the river though...
AB de Royse777
September 20, 2019, 11:33:16 AM
 #4

Quote
I had a wallet value of 0.048 btc.
Quote
Now I did deposit another 0.105 btc on this wallet
Quote
Same with the second deposit of 0.055 btc

So, basically three times you stepped on the same trap. That's very unfortunate. Sorry for your loss. Consider this a very expensive lesson you paid and next time always download Electrum from their official website and do not install it before verifying the signature of the installed file.

logfiles
September 20, 2019, 12:53:42 PM
 #5

Quote
17N3BYAqgFFQLFMBWtcY975edUmGKkGqur is the address where the btc went.

Walletexplorer says that this address is part of a bigger wallet. But I can’t see anything more to get the btc back.

Would be great if anyone could help in this case. If you need more data like all the transaction IDs, I’ll post it.

Greets simel

You surely can't get your BTC back from the thief and sorry about losing such a big amount.

Always ensure to download, update and verify your wallet from the official source.
Sometimes I also check the web for any news updates before I use a wallet, just in case I missed something such as news about domain seizures, phishing attacks etc.

Lucius
September 20, 2019, 02:21:49 PM
 #6

simel, simple question for you - why are you doing something that you are not familiar with?

Version 2.0 was released in 2015, but there is no 2.3.7, just as there is no version 4.0.0. I understand that you were tricked into downloading the new version via the official Electrum app, but when you saw 0 balance after that, why did you deposit more in the same wallet? Hackers played you, no doubt about that - but you should have posted here after that, and you would have saved 0.105 BTC.

You need to remove that wallet from your device, and that includes deleting all Electrum files. On Mac, open Finder -> Go to Folder (Shift+Cmd+G) and type ~/.electrum

simel (OP)
September 20, 2019, 04:59:55 PM
 #7

Like I said, I believed first in a mistake on my side cause the first transaction was transferred with my first try of a transaction and not as soon as I installed the new wallet. Which tricked me into believing in a mistake from my side.. And the other two transactions were shortly after each other.

This is the most sophisticated attack I’ve ever seen. The exploit they used is huge. The pop up comes from a clean app which directs you to a site that looks 100% like the real one. I’m mad right now but it could be worse cause I have another 1 btc on another wallet which I was to transfer to the bad one too.

I’m really not a beginner but I did take it too lightheartedly, that’s for sure. If there are these kinds of exploits around I really have to look out for everything. Expensive lesson for me but that’s life I guess...
o_e_l_e_o
September 20, 2019, 07:27:16 PM
 #8

Quote
I’m mad right now but it could be worse cause I have another 1 btc on another wallet which I was to transfer to the bad one too.

As others have said above, you should only be downloading from the official site and making sure to verify the file's GPG signature before installing.

More generally though, I wouldn't be storing 1 BTC on a software wallet. They are too susceptible to attack. This malicious software you were victim to is just one such attack. There is countless malware out there which could infect your clipboard and change your sending address, attempt to access your mnemonic phrase, or even send your entire wallet file to an attacker. If 1 BTC is a lot of money to you (and it sounds like it is since you called 0.1 BTC an expensive lesson), then you should take some time to learn about storing your coins more securely. If you have an old laptop which you could turn into an airgapped machine, that would be ideal. If not, then maybe look at getting a hardware wallet.
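
Several replies in this thread advise verifying the installer's GPG signature, and a signature check only protects you when it is tied to the signing key you expect. The Python below is an added example, not part of the thread and not Electrum's own code: it reads GnuPG's `--status-fd` records and accepts a file only when a good signature comes from a pinned fingerprint. The fingerprints and the sample status lines are constructed placeholders.

```python
import subprocess

# Placeholder, NOT a real key: substitute the release-signing fingerprint you
# obtained from the wallet project through a channel you already trust.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed, some other key

# Per-signature result keywords in GnuPG's machine-readable --status-fd output.
RESULTS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def pinned_signature_ok(status_text, pinned_fpr):
    """True only if a GOODSIG/VALIDSIG pair names the pinned primary key."""
    pinned = pinned_fpr.replace(" ", "").upper()
    result = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword == "NEWSIG":        # records for the next signature begin
            result = None
        elif keyword in RESULTS:
            result = keyword
        elif keyword == "VALIDSIG" and result == "GOODSIG" and len(parts) >= 3:
            # The last VALIDSIG field is the primary-key fingerprint when
            # present; otherwise use the signing key's own fingerprint.
            primary = parts[11] if len(parts) >= 12 else parts[2]
            if primary.upper() == pinned:
                return True
    return False


def verify_download(sig_path, file_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    # Only the status records decide: gpg can exit non-zero when the file also
    # carries a signature from a key that is not in the local keyring.
    return pinned_signature_ok(proc.stdout, pinned_fpr)


def sample_status(result, fpr):
    """Build constructed status records for one signature (test input only)."""
    return (f"[GNUPG:] NEWSIG\n"
            f"[GNUPG:] {result} {fpr[-16:]} Constructed Signer\n"
            f"[GNUPG:] VALIDSIG {fpr} 2019-09-20 1568970000 0 4 0 1 8 00 {fpr}\n")


GENUINE = sample_status("GOODSIG", PINNED_FPR)
LOOKALIKE = sample_status("GOODSIG", OTHER_FPR)   # valid signature, wrong signer
EXPIRED = sample_status("EXPKEYSIG", PINNED_FPR)  # right key, but expired
MISSING_KEY = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] ERRSIG FEDCBA9876543210 1 8 00 1568970000 9 -\n"
               "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n")

if __name__ == "__main__":
    for name, text in [("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("expired", EXPIRED), ("mixed", MISSING_KEY + GENUINE)]:
        print(name, pinned_signature_ok(text, PINNED_FPR))
```

The `LOOKALIKE` case is the one that matters for a fake installer: gpg reports a good signature for any key in the keyring, so the fingerprint comparison is what ties the file to the real publisher.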
simel (OP)
September 20, 2019, 08:36:27 PM
 #9

If 2500$ is not expensive for you then I don’t know what is ;)
I will prepare better for sure now.
o_e_l_e_o
September 20, 2019, 08:43:15 PM
 #10

Quote
If 2500$ is not expensive for you then I don’t know what is ;)

You never know when dealing with bitcoin. You used to be able to mine 50 BTC with minimal effort. $10 would buy you thousands of BTC. Faucets gave out 5 BTC at a time for free. There are a fair few users who were active during these early years still kicking about. If you own 10,000 BTC, then you probably aren't too concerned about losing 0.1 BTC. Having said that, anyone with this much bitcoin would (I sincerely hope) not be storing it in a software wallet on a live machine, though.
bob123
September 20, 2019, 11:25:47 PM
 #11

Quote
This is the most sophisticated attack I’ve ever seen.

Then you didn't see many attacks.

Quote
The exploit they used is huge.

It wasn't.

They abused a vulnerability which allowed the server to display a message to the client. That's all.
The content of this message could be chosen by the server. But this still isn't a severe vulnerability. Not even a medium (CVSS) one.

OP, I highly recommend you get a hardware wallet if you continue storing BTC.
Storing them on an online machine is risky. Especially if you don't know what you are doing.
A hardware wallet secures you against quite a lot of attack vectors.

Lucius
September 21, 2019, 10:30:21 AM
 #12

Quote
Then you didn't see many attacks.
Quote
But this still isn't a severe vulnerability. Not even a medium (CVSS) one.

What kind of attacks are you talking about, crypto-related or in general? Electrum phishing attack is certainly one of the most devastating for individual users, and it is difficult to estimate at all how many users have lost coins until today. It is also a fact that this attack will continue for a long time; there are very likely a large number of users who have outdated versions.

It is very strange that you think this is not "even medium vulnerability", given how much damage it has caused so far. I wonder what would be in your definition "severe vulnerability" when it comes to desktop wallets?

lightningmelo
September 21, 2019, 10:35:44 AM
Merited by bob123 (1)
 #13

Quote
Then you didn't see many attacks.
But this still isn't a severe vulnerability. Not even a medium (CVSS) one.

What kind of attacks are you talking about, crypto-related or in general? Electrum phishing attack is certainly one of the most devastating for individual users, and it is difficult to estimate at all how many users have lost coins until today. It is also a fact that this attack will continue for a long time; there are very likely a large number of users who have outdated versions.

It is very strange that you think this is not "even medium vulnerability", given how much damage it has caused so far. I wonder what would be in your definition "severe vulnerability" when it comes to desktop wallets?

I get where the OP is coming from. A phishing attack would also never be categorized as "severe" in my book. It sucks, and for the end user it's devastating, but it could be easily mitigated by just making sure you're downloading from electrum.org.

A severe vulnerability could be some flaw in the seed generation process, e.g. using weak RNG, that allowed anyone to just get everyone's private keys.

bob123
September 21, 2019, 02:19:29 PM
 #14

Quote
What kind of attacks are you talking about, crypto-related or in general?

Doesn't really matter, both.

Quote
Electrum phishing attack is certainly one of the most devastating for individual users, and it is difficult to estimate at all how many users have lost coins until today. It is also a fact that this attack will continue for a long time; there are very likely a large number of users who have outdated versions.

I never contested that fact.

Quote
It is very strange that you think this is not "even medium vulnerability", given how much damage it has caused so far. I wonder what would be in your definition "severe vulnerability" when it comes to desktop wallets?

That is not just my opinion, but is being supported by CVSS (Common Vulnerability Scoring System).
The severity of a vulnerability is defined through multiple characteristics.

The base metrics consist of the attack vector, the complexity, privileges required, user interaction required, scope, confidentiality/integrity/availability affected.

According to CVSS, the vulnerability has a score of 2.5 - 3.5, which is defined as a low severity vulnerability.
You can play around with the factors and calculate it yourself: https://www.first.org/cvss/calculator/3.0

The damage caused doesn't matter at all.
Just because people make multiple mistakes in a row, it doesn't mean that this makes the vulnerability more severe.
The majority of people who lost funds through this would have also fallen to a simple phishing email.

The RPC vulnerability for example (found sometime last year) was definitely a high severity vulnerability.
But displaying a message.. that is definitely just a low severity vulnerability.

DireWolfM14
September 21, 2019, 03:30:00 PM
 #15

Despite the vulnerability score of this phishing attack, the severity can't really be calculated by anyone but the victims.  The loss of 0.1 BTC might be a slight irritant to some while it may represent another's annual savings.

One thing the CVSS may not take into account is how trusting people are.  Here's software that they've been using and trusting for years telling them they need an update.  It's not surprising that many fell for it.

Most of us who hang out here on Bitcointalk understand the risks when dealing with crypto and tend to be very diligent when it comes to our own security.  But, those who are only passively involved with crypto may not be as scrutinous.  I think that makes a lot of people who use Electrum vulnerable.

As for the use of Electrum, I use it for just about everything; Desktop wallet, off-line to create or access cold storage, and to interface with my hardware wallets.  When using electrum as a desktop wallet I treat it like I would my actual physical wallet, as in I would never keep more than a few hundred bucks in there.  It is the most vulnerable, and the funds you keep in there suffer from the greatest risk, respectively.

bob123
September 21, 2019, 06:56:09 PM
 #16

Quote
Despite the vulnerability score of this phishing attack, the severity can't really be calculated by anyone but the victims.

If you ask victims about the severity of a vulnerability which caused them a financial loss, they will always say that it is a high severity vulnerability.
They will most likely also blame other people (e.g. developers of Electrum).

The attack itself definitely resulted in a ton of damage to innocent people.
But the vulnerability itself cannot be exploited to steal money/information or to compromise the CIA triad (confidentiality, integrity, availability).
It has been used to distribute phishing messages. The real attack the victims fell for was phishing.

Quote
Here's software that they've been using and trusting for years telling them they need an update.  It's not surprising that many fell for it.

IMO there is a difference between seeing that there is a newer version and downloading it from an unknown website and installing it without verifying the signature.

Quote
The loss of 0.1 BTC might be a slight irritant to some while it may represent another's annual savings.

But particularly those people who lost annual savings did use it (desktop wallet) the wrong way.
The damage wouldn't be too large if they had used it how it is supposed to be used - as mentioned by you:
Quote
When using electrum as a desktop wallet I treat it like I would my actual physical wallet, as in I would never keep more than a few hundred bucks in there.

That's exactly also my point of view.

Saint-loup
September 22, 2019, 11:20:00 PM
Last edit: September 23, 2019, 06:16:10 AM by Saint-loup
 #17

Quote
I’m really not a beginner

WOW It's really sad for Bitcoin to read that. Just a few weeks after the LN hack :-[
It will be very difficult for Bitcoin to be adopted by average people with these kinds of hacks. Beginners are really at risk.

Edit: BTW Simel are you able to share a picture of this phishing message by chance?

Lucius
September 23, 2019, 10:25:49 AM
 #18

Quote
WOW It's really sad for Bitcoin to read that. Just a few weeks after the LN hack :-[
It will be very difficult for Bitcoin to be adopted by average people with these kinds of hacks. Beginners are really at risk.

Edit: BTW Simel are you able to share a picture of this phishing message by chance?

Few weeks you say? This attack has been going on since the end of last year, and there are dozens of threads posted with the same story as OP. The picture is not important, it is just displayed in the old versions of wallets, and it can show you any version of fake Electrum wallet (3.4.1 or 4.0.0).

But if you want to see how it looks, there is one posted by admin in Important Announcements, too bad that many members never visit it.

https://bitcointalk.org/index.php?topic=5090097.0
