So I gave a Google search of the two servers you've mentioned in the third post of this thread. A Google search of
"exs.ignorelist.com phishing" resulted in
a report from MalwareBytes, and I don't believe it's a coincidence.
Something smells fishy to me here. I've taken a look over all the posts on this thread and, according to #4, the address 34Y6nb5SRxAGkozUpyKa59Qq7f87acC98s, which OP confirmed was one of the addresses he used as an input in one of his transactions, is listed right next to its private key on https://bitkeys.work/?page=725.
I'm confused, to be honest.Edit: apparently the website generates a
random private key for the richest wallets, hoping to collide with the address.. I thought it was one of these "all BTC private keys" websites.
Still, the Google search I've done linked me to the report above. Hence, OP might've downloaded an infected Electrum wallet..
Edit 2: I've done another search for the second server MalwareBytes categorized as a "Phishing". According to
this link I found,
# As of Dec 2018 criminals carry out phishing attacks against vulnerable versions of Electrum asking them to download malware versions of Electrum.
# For abuse desks around the world it is hard to determine whether or not a certain domain name or IP address participates in this scam.
# Perpetrators have also used faked messages with manipulated screenshots to claim legit server domains would take part in sending phishing links, when this is not the case.
# For more information about the issue please see https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/
#
# This is a list of electrum servers scanned for whether they distribute malware links or not
# If you work at an abuse desk and have questions or would like to reproduce these results yourself please get in touch with Electrum Technologies at electrumdev@gmail.com
#
# Fri 21 Feb 00:44:02 CET 2020
#
# Valid servers which are working as expected (no scam):
# There are still some false-positives of scam servers detected as legitimate:
#
0.btc.dev
104.244.222.228
104.248.139.211
109.248.206.13
142.93.6.38
148.251.22.104
157.245.172.236
167.172.226.175
167.172.42.31
178.62.80.20
185.64.116.15
198.27.70.66
213.109.162.82
2AZZARITA.hopto.org
2a01
2a02
2a03
2ex.digitaleveryware.com
52.1.56.181
68.183.188.105
VPS.hsmiths.com
bitcoin.alephnullptr.net
bitcoin.lukechilds.co
blkhub.net
btc.electroncash.dk
btc.groftware.com
btc.litepay.ch
btc.skynetcloud.site
caleb.vegas
crypto.no-ip.eu
currentlane.lovebitco.in
dxm.no-ip.biz
e2.keff.org
ecdsa.net
electrum.aantonop.com
electrum.bitblog.io
electrum.bitkoins.nl
electrum.dnshome.de
electrum.emzy.de
electrum.fedaykin.eu
electrum.hodlister.co
electrum.hsmiths.com
electrum.networkingfanatic.com
electrum.nute.net
electrum.papabyte.com
electrum.poiuty.com
electrum.srvmin.network
electrum.vom-stausee.de
electrum2.hodlister.co
electrum3.hodlister.co
electrum5.hodlister.co
electrumx-core.1209k.com
electrumx.alexridevski.net
electrumx.electricnewyear.net
electrumx.kenrufe.com
electrumx.schulzemic.net
electrumx3.nmdps.net
electrumx50102.aspinall.io
endthefed.onthewifi.com
esx.geekhosters.com
exs.ignorelist.com
fortress.qtornado.com
gall.pro
hodlers.beer
kirsche.emzy.de
ndnd.selfhost.eu
noveltybobble.coinjoined.com
ns3079938.ip-217-182-196.eu
ns3079942.ip-217-182-196.eu
ns3079943.ip-217-182-196.eu
ns3079944.ip-217-182-196.eu
satoshi.fan
shogoth.no-ip.info
thanos.xskyx.net
v22019051929289916.bestsrv.de
xtrum.com
}
#
#
#IP-Addresses of servers in DNS-records identified to be phishing (with number of occurences in first column):
#
10 91.211.88.104
9 91.211.88.115
10 91.211.88.132
10 91.211.88.239
12 91.211.88.249
11 91.211.88.66
12 91.211.89.12
12 91.211.89.37
14 91.211.89.39
12 91.211.89.84
9 91.211.89.85
10 91.211.89.91
#
#
#IP-Addresses of servers in DNS-records which have been shut down (Port 50002 closed) but are still listed in DNS:
#
#
#Scam servers which are sending a phishing URL (under certain conditions):
#The list is reliable with no false-positives:
#Abuse desks: Please block these domains
#
ELEX01.blackpole.online
antumbra.se
arihanc.com
asis.io
aspinall.io
btc.asis.io
btc.smsys.me
cryptohead.de
electrum.antumbra.se
electrum.be
electrum.cutie.ga
electrum.meltingice.net
electrum.online
electrum.poorcoding.com
electrumx.antumbra.se
electrumx.arihanc.com
electrumx.asis.io
electrumx.aspinall.io
electrumx.cryptohead.de
electrumx.electrum.be
electrumx.electrum.online
electrumx.ga
electrumx.luggs.co
electrumx.meltingice.net
electrumx.ml
electrumx.nmdps.net
electrumx.poorcoding.com
electrumx.smsys.me
[Suspicious link removed]
electrumx1.antumbra.se
electrumx1.arihanc.com
electrumx1.asis.io
electrumx1.aspinall.io
electrumx1.cryptohead.de
electrumx1.electrum.be
electrumx1.electrum.online
electrumx1.luggs.co
electrumx1.meltingice.net
electrumx1.nmdps.net
electrumx1.poorcoding.com
electrumx1.smsys.me
electrumx2.antumbra.se
electrumx2.arihanc.com
electrumx2.asis.io
electrumx2.aspinall.io
electrumx2.cryptohead.de
electrumx2.electrum.be
electrumx2.electrum.online
electrumx2.luggs.co
electrumx2.meltingice.net
electrumx2.nmdps.net
electrumx2.poorcoding.com
electrumx2.smsys.me
electrumx3.antumbra.se
electrumx3.arihanc.com
electrumx3.asis.io
electrumx3.aspinall.io
electrumx3.cryptohead.de
electrumx3.electrum.be
electrumx3.electrum.online
electrumx3.luggs.co
electrumx3.meltingice.net
electrumx3.poorcoding.com
electrumx4.antumbra.se
electrumx4.arihanc.com
electrumx4.asis.io
electrumx4.aspinall.io
electrumx4.cryptohead.de
electrumx4.electrum.be
electrumx4.electrum.online
electrumx4.luggs.co
electrumx4.meltingice.net
electrumx4.nmdps.net
electrumx4.poorcoding.com
electrumx5.antumbra.se
electrumx5.arihanc.com
electrumx5.asis.io
electrumx5.aspinall.io
electrumx5.cryptohead.de
electrumx5.electrum.be
electrumx5.electrum.online
electrumx5.luggs.co
electrumx5.meltingice.net
electrumx5.nmdps.net
electrumx5.poorcoding.com
electrumx50102.antumbra.se
electrumx50102.arihanc.com
electrumx50102.asis.io
electrumx50102.cryptohead.de
electrumx50102.electrum.be
electrumx50102.electrum.online
electrumx50102.luggs.co
electrumx50102.meltingice.net
electrumx50102.nmdps.net
electrumx50102.poorcoding.com
electrumx50102.smsys.me
electrumx50105.antumbra.se
electrumx50105.arihanc.com
electrumx50105.asis.io
electrumx50105.aspinall.io
electrumx50105.cryptohead.de
electrumx50105.electrum.be
electrumx50105.electrum.online
electrumx50105.luggs.co
electrumx50105.meltingice.net
electrumx50105.nmdps.net
electrumx50105.poorcoding.com
electrumx50105.smsys.me
electrumx995.antumbra.se
electrumx995.arihanc.com
electrumx995.asis.io
electrumx995.aspinall.io
electrumx995.cryptohead.de
electrumx995.electrum.be
electrumx995.electrum.online
electrumx995.luggs.co
electrumx995.meltingice.net
electrumx995.nmdps.net
electrumx995.poorcoding.com
electrumx995.smsys.me
icarus.tetradrachm.net
luggs.co
meltingice.net
nmdps.net
node.arihanc.com
oneweek.duckdns.org
poorcoding.com
s2.noip.pl
s5.noip.pl
smsys.me
us.electrum.be
In other words, OP has fallen victim to a phishing attack... Press CTRL + F and look for "exs.ignorelist.com" and "endthefed.onthewifi.com", you can find them in the code above. I'm sorry, OP.
Please take measures ASAP to secure all your funds before they'll steal more out of your wallets..
Considering your wallet is compromised, I can assume you might also have other compromised softwares installed on your computer. Therefore, I'd suggest switching the internet off on the computer you've got Electrum on (or plugging out the Ethernet cable), backing up everything important (don't forget to backup the wallet.dat files!!!!) and doing a fresh, SECURE complete wipe out and reinstall of the operating system.
If you connect your computer to the internet again after reinstalling the OS,
please make sure the software you install is legit.
We're talking about very large amounts at stake, so taking appropriate measures against phishing might save you from another disaster. I really wish I could've helped with the recovery of your funds..
Hi,
Thank you for looking into this.
I don't think it's that simple unfortunately - I didn't download a different version than the 3.3.8 which I installed initially from the official website, and besides showing me a message in a previous version of Electrum, a server can't really do much as far as I know ...
Also, dont think the private keys were exposed, as the attacker would've transferred out all the funds, which wasn't the case.
Can't help but think that it's somehow related to the fact that when validating a transaction with multiple outputs you have two "screens" in Ledger but when validating a single output transaction there is only one.