Fraudulent transaction along with the correct one(Ledger Nano S + Electrum)

[Electrum_LedgerNS_Issue]

Hi guys,

I posted this topic 2 weeks ago in the Ledger subreddit and created a support ticket with Ledger, but they came back to me saying that they can't find an issue/replicate my problem so I'm trying again here.
I someone would be able to replicate this bug I would be extremely grateful, as i'm at a loss here ...

So, I used Electrum wallet (installed as described here: https://support.ledger.com/hc/en-us/articles/115005161925) with Ledger Nano S.
Electrum: version 3.3.8
Ledger Nano S firmware: 1.6.0
Bitcoin app 1.3.16.
OS: Windows 10 Pro 1903

I created a transaction and pressed "Send". The details of the transaction appeared on my ledger device, I checked them and then validated the transaction (first screen was Output #1 or #2, correct amount, correct destination, "Validate", then second screen with the correct fees and "Accept").

The transaction was sent correctly (2 outputs - one recipient one change).

The problem: At the same time with the correct transaction, another transaction got generated - my biggest UTXO was sent in full towards an address not controlled by me (the address had no transactions in it and the coins didn't move since).

Please note that there are still other bitcoins on my wallet which weren't moved so i doubt my seed was compromised (both on the subwallet which contained the "stolen" UTXO and other wallets derived from the same seed).

Things I noticed: one weird thing about the second transaction is that the LockTime was 1 instead of a block number close to the one when the transaction gets broadcasted, so I think it got created through the console ?
Would it be possible somehow to inject a second transaction while I was on my Ledger checking the details of the original one ? Or modify the script hash so that one validation sends two transactions ?
It is possible for my operating system to be compromised, but even then I still can't understand how I got to accept this ...
I'm at a complete loss ... Help ?

[1714145969]

1714145969

[1714145969]

1714145969

[1714145969]

1714145969

[1714145969]

1714145969

[1714145969]

1714145969

[1714145969]

1714145969

[Lucius]

I have to admit that this is the first time I've ever heard of a case like this, and it's really weird this happened to you. I see that you are not a beginner and that you understand the basics on which a hardware wallet works, so I will not doubt that everything you wrote is true.

Assuming you have legitimate software (Electrum, firmware in Nano S and legit Windows 10) I would personally assume it was some sophisticated malware that somehow bypassed the protection Ledger had and added another transaction. Another possibility is that it's some kind of internal bug that is a combination of some incredibly strange circumstances that occurred during your legitimate transaction. Still, the question remains, where did this new address come from if it wasn't some malware?

I understand your privacy concerns, but it would still be advisable to put the ID of both transactions, there are members who can conclude something from the transactions. Are you using any kind of antivirus protection, have you tried scanning your computer for possible virus/malware?

I used the Nano S in combination with Electrum a few days ago, and the transaction went pretty normal.

[Electrum_LedgerNS_Issue]

I have to admit that this is the first time I've ever heard of a case like this, and it's really weird this happened to you. I see that you are not a beginner and that you understand the basics on which a hardware wallet works, so I will not doubt that everything you wrote is true.

Assuming you have legitimate software (Electrum, firmware in Nano S and legit Windows 10) I would personally assume it was some sophisticated malware that somehow bypassed the protection Ledger had and added another transaction. Another possibility is that it's some kind of internal bug that is a combination of some incredibly strange circumstances that occurred during your legitimate transaction. Still, the question remains, where did this new address come from if it wasn't some malware?

I understand your privacy concerns, but it would still be advisable to put the ID of both transactions, there are members who can conclude something from the transactions. Are you using any kind of antivirus protection, have you tried scanning your computer for possible virus/malware?

I used the Nano S in combination with Electrum a few days ago, and the transaction went pretty normal.

Thanks for your reply.
Indeed, I searched my PC trying to find traces of the address string and I didn't get anything, thus either a script injected it then deleted itself either it was derived by Ledger somehow with a wrong derivation path.

I've tried recreating the bug the same day with a different Ledger which had the keys on a much smaller account and didn't manage to recreate the behavior.

As for security, only Avast and the Windows firewall at the time when the incident happened.
Downloaded Malwarebytes after it happened and ran a scan - only some PUPs but the realtime protection detected 2 things afterwards: Malicious site "exs[dot]ignorelist[dot]com pointing to electrum-3.3.8.exe and qualified as an exploit and endthefed[dot]onthewifi[dot]com pointing to electrum-3.3.8.exe qualified as "Phishing", so this might be a lead even if I don't see what a server can do to cause this.


Greatly appreciate any help or ideas.
Thanks

[HCP]

Did you also create this transaction today?: https://www.blockchain.com/btc/tx/362b50e056ec340a8be9204885a9c8c65d333c494d8b3f791faff7d8eeb8c255

It appears that another lot of UTXOs from that address: 34Y6nb5SRxAGkozUpyKa59Qq7f87acC98s (along with UTXOs from other addresses) were consolidated into 39ycTMCUiC7yqABzR1sdaTbUhsGFi7cQ2Z. If you didn't execute this transaction, it's likely that your seed has indeed been compromised.

[Electrum_LedgerNS_Issue]

Did you also create this transaction today?: https://www.blockchain.com/btc/tx/362b50e056ec340a8be9204885a9c8c65d333c494d8b3f791faff7d8eeb8c255

It appears that another lot of UTXOs from that address: 34Y6nb5SRxAGkozUpyKa59Qq7f87acC98s (along with UTXOs from other addresses) were consolidated into 39ycTMCUiC7yqABzR1sdaTbUhsGFi7cQ2Z. If you didn't execute this transaction, it's likely that your seed has indeed been compromised.

Yes that was me, I moved everything before posting the transaction IDs, seed still safe ...

[HCP]

That is indeed a puzzle... I've honestly never seen anything like this. I would hazard a guess that it was a bug... as the UTXO generated is still unspent and given the current price of BTC, I would expect it would have been moved/sold by now if it was 'stolen'.

Quite how you can "accidentally" sign a second transaction is a complete mystery and it seems it would be incredibly difficult to replicate the issue. I've certainly not experienced anything similar.

If Ledger support are unable to assist, I doubt anyone here will be. Have you tried raising an issue on the Electrum github? https://github.com/spesmilo/electrum/issues

[Electrum_LedgerNS_Issue]

That is indeed a puzzle... I've honestly never seen anything like this. I would hazard a guess that it was a bug... as the UTXO generated is still unspent and given the current price of BTC, I would expect it would have been moved/sold by now if it was 'stolen'.

Quite how you can "accidentally" sign a second transaction is a complete mystery and it seems it would be incredibly difficult to replicate the issue. I've certainly not experienced anything similar.

If Ledger support are unable to assist, I doubt anyone here will be. Have you tried raising an issue on the Electrum github? https://github.com/spesmilo/electrum/issues

Yes, I'm banging my head against the wall for two weeks now and can't still figure what happened (bug or exploit ?) or at least how ...
Didn't raise an issue in the github, will do.
Thanks for your reply

[Lucius]

Thanks for your reply.
Indeed, I searched my PC trying to find traces of the address string and I didn't get anything, thus either a script injected it then deleted itself either it was derived by Ledger somehow with a wrong derivation path.

The hardware wallet should be safe to use even on an infected computer, but it's just an assumption based on what we know, which certainly doesn't mean that some clever hacker didn't find a way to circumvent the protection that Nano S should provide.

Now that you have shown us both transactions, I can see that these are really large amounts and that you may be the victim of a very targeted attack, so you have to wonder who all knew that you owned such a significant amount of BTC.

On the other hand, when I look at the first legitimate transaction, I notice that second transaction is had fee of only 200 satoshi, compared to the first one that had a 5x higher fee. Hackers in such cases usually place a maximum fee to get confirmations as soon as possible. Considering this, it is possible that this is some kind of bug in Ledger or in Electrum, and that coins are still in your wallet, but in an address that you can't see for some reason.

I can confirm that both of the pages you cited are really blocked by MB, one because it contains exploit and the other because of phishing. If MB is blocking those sites, do you visit them or this is happening when you surf on some other site which is maybe try to redirect you to that sites?

Can you confirm that you downloaded Electrum from the official site https://electrum.org/#home , and did you maybe verify GPG signatures of downloaded files before installing?

[Electrum_LedgerNS_Issue]

Thanks for your reply.
Indeed, I searched my PC trying to find traces of the address string and I didn't get anything, thus either a script injected it then deleted itself either it was derived by Ledger somehow with a wrong derivation path.

The hardware wallet should be safe to use even on an infected computer, but it's just an assumption based on what we know, which certainly doesn't mean that some clever hacker didn't find a way to circumvent the protection that Nano S should provide.

Now that you have shown us both transactions, I can see that these are really large amounts and that you may be the victim of a very targeted attack, so you have to wonder who all knew that you owned such a significant amount of BTC.

On the other hand, when I look at the first legitimate transaction, I notice that second transaction is had fee of only 200 satoshi, compared to the first one that had a 5x higher fee. Hackers in such cases usually place a maximum fee to get confirmations as soon as possible. Considering this, it is possible that this is some kind of bug in Ledger or in Electrum, and that coins are still in your wallet, but in an address that you can't see for some reason.

I can confirm that both of the pages you cited are really blocked by MB, one because it contains exploit and the other because of phishing. If MB is blocking those sites, do you visit them or this is happening when you surf on some other site which is maybe try to redirect you to that sites?

Can you confirm that you downloaded Electrum from the official site https://electrum.org/#home , and did you maybe verify GPG signatures of downloaded files before installing?

Hi,

These "pages" seem to be Electrum servers (you can see them in your own server list probably).
When I downloaded Electrum I didn't check the PGP signature initially.
After the incident, I looked into my browser history (the link was correct), accessed the link from history, downloaded again the installer and checked the signature which verified.
It's possible my initial install was corrupted, not very probable though.
Also, I'm running an algo on an offline machine right now with the seed to derive possible addresses.
Parameters: m/bip'[0,44,48,49,84]/0'/account'[0-100]/visibility[0,1]/index[0-5000]
Will also test indexes up to 50k on 49 afterwards (based on this github.com/LedgerHQ/ledger-app-btc/pull/90).
If you have any other ideas where to look for, shoot.

Also, it is indeed possible that It was a targeted attack, but unfortunately this doesn't get me any further in understanding how it was done

Thanks

[Lucius]

These "pages" seem to be Electrum servers (you can see them in your own server list probably).
When I downloaded Electrum I didn't check the PGP signature initially.
After the incident, I looked into my browser history (the link was correct), accessed the link from history, downloaded again the installer and checked the signature which verified.
It's possible my initial install was corrupted, not very probable though.

What is weird that I personally have never been alerted by MB (using the premium version) regarding the Electrum servers, which may just be a coincidence, even though I have the servers set to automatic.

I must admit I've never heard of change path attacks, and it will be really weird if this is the case here, because that's supposedly should be fixed. If I understand correctly, in this case, the attacker actually initiates a transaction that does not allow him to access to the funds, but by changing the path hides the funds and then requests a ransom for info where coins are located.

I cannot technically say how this can be done, but there may be a possibility that some of the servers you mentioned may still be guilty of this, although this is just one of the options.

I see you've taken the right steps in trying to find where the coins ended, and I really hope you can find them. I would only advise others to be careful until it is revealed exactly what happened in this case.

[Electrum_LedgerNS_Issue]

These "pages" seem to be Electrum servers (you can see them in your own server list probably).
When I downloaded Electrum I didn't check the PGP signature initially.
After the incident, I looked into my browser history (the link was correct), accessed the link from history, downloaded again the installer and checked the signature which verified.
It's possible my initial install was corrupted, not very probable though.

What is weird that I personally have never been alerted by MB (using the premium version) regarding the Electrum servers, which may just be a coincidence, even though I have the servers set to automatic.

I must admit I've never heard of change path attacks, and it will be really weird if this is the case here, because that's supposedly should be fixed. If I understand correctly, in this case, the attacker actually initiates a transaction that does not allow him to access to the funds, but by changing the path hides the funds and then requests a ransom for info where coins are located.

I cannot technically say how this can be done, but there may be a possibility that some of the servers you mentioned may still be guilty of this, although this is just one of the options.

I see you've taken the right steps in trying to find where the coins ended, and I really hope you can find them. I would only advise others to be careful until it is revealed exactly what happened in this case.

I'm hoping more that it's a bug instead of a change path attack (which indeed is supposed to be fixed, so at the very least it's not exactly the same attack), but given that the Ledger is supposed to NOT show only transactions towards the change addresses, I have some hope albeit small.

Thanks for your input.

[Lucius]

Electrum_LedgerNS_Issue, is there any new information regarding your case? I see that the problematic transaction is still intact/unspent which can be a good sign (if it is not in the classical hack), which means that there is still hope for a solution.

I have something similar in past when I play with change address from Ledger, and one transaction was invisible because Ledger Chrome app was set to not check all addresses. I fix that in Electrum with increasing the gap limit. If only the solution would be so easy in your case...

[Electrum_LedgerNS_Issue]

Electrum_LedgerNS_Issue, is there any new information regarding your case? I see that the problematic transaction is still intact/unspent which can be a good sign (if it is not in the classical hack), which means that there is still hope for a solution.

I have something similar in past when I play with change address from Ledger, and one transaction was invisible because Ledger Chrome app was set to not check all addresses. I fix that in Electrum with increasing the gap limit. If only the solution would be so easy in your case...

Hi Lucius,
Unfortunately nothing new for now. I've generated about 50m addresses from my mnemonic seed by now on the derivation ranges I thought probable, but no luck so far.
I'm pretty much trying to understand what happened at this point, can't do much without knowing what went wrong, generating addresses is a shot in the dark.
I guess I'll need to get the help of a digital forensic and try to find a trace of the receiving address on my machine.

[DireWolfM14]

I have something similar in past when I play with change address from Ledger, and one transaction was invisible because Ledger Chrome app was set to not check all addresses. I fix that in Electrum with increasing the gap limit. If only the solution would be so easy in your case...

This might be the solution here, one can only hope. 

It's disturbing because it seems like this points to a bug with either the Ledger or Electrum.  I don't see anything the OP could have done to cause it, so it's probably not an operator error.  I use a different hardware wallet myself, but I use Electrum, and own a Ledger.  If this an issue with Electrum it may not be limited to one brand of hardware wallet, which is quite concerning.

[Lucius]

This might be the solution here, one can only hope. 

Unfortunately, I just cited one pretty harmless example that was easily fixable because it was my recklessness and ignorance about how Ledger checks all the generated addresses. This of course could be corrected with Electrum gap limit increase, but in the case of OP, something made a transaction which he did not approve, and for which he could not determine whether it was a hack or a change path attack.

The only positive thing about this is the possibility that it is an address that is possibly part of a wallet, but as far as I understand from the description of the attack, finding that address is extremely difficult.

[bob123]

Actually it is very well imaginable that your OS is compromised.

Nothing stops malware from generating transactions and sending them to your ledger for your to accept/verify them.
A locktime of 1 could mean that the person creating the malware/transaction simply just wanted to have the tx to be confirmed as fast as possible (i.e. can be confirmed in the next block) without checking the current block etc.

The safety which comes from using a hardware wallet is, that the transaction details shown to you on the HW screen can not be manipulated and that you actively have to confirm the transactions by pressing a button.
But if your OS is compromised, he definitely can just create transactions and send them to your HW wallet in hope for you to accept them. Waiting until one is created by electrum seems a not too dumb move which might have caught some people off-guard.


And honestly i'd think that your OS is compromised, than that this is a bug from electrum and/or ledger.

[NeuroticFish]

Nothing stops malware from generating transactions and sending them to your ledger for your to accept/verify them.

I'd guess that OP would have seen on his Ledger the new transaction he has to confirm and would have rejected it...
And in such a case this whole topic would have no substance.

[Electrum_LedgerNS_Issue]

Actually it is very well imaginable that your OS is compromised.

Nothing stops malware from generating transactions and sending them to your ledger for your to accept/verify them.
A locktime of 1 could mean that the person creating the malware/transaction simply just wanted to have the tx to be confirmed as fast as possible (i.e. can be confirmed in the next block) without checking the current block etc.

The safety which comes from using a hardware wallet is, that the transaction details shown to you on the HW screen can not be manipulated and that you actively have to confirm the transactions by pressing a button.
But if your OS is compromised, he definitely can just create transactions and send them to your HW wallet in hope for you to accept them. Waiting until one is created by electrum seems a not too dumb move which might have caught some people off-guard.


And honestly i'd think that your OS is compromised, than that this is a bug from electrum and/or ledger.

Thank you for your answers.
Indeed, when I make any transaction I assume my OS is compromised so I check properly the details on my screen.
Even in this case, I did check them properly (the proof being that the first intended transaction was properly sent).
The only way for me to accidentally accept another transaction would be after pressing the "Validate transaction" for the first one, to press "accidentally" a few times the right button without looking at the new transaction details and then validate it by pressing both buttons, which, while not impossible, is very hard to believe ...

I'm still scratching my head on this btw, so if someone at least has other ideas on how it might have happened (even assuming compromised OS etc) please let me know.

[20kevin20]

Have you tried creating a wallet account on Ledger Live to see if the BTC shows up as missing there too? If it's an Electrum bug, it must show up in Ledger Live. I think Magnum Wallet (no need to download it) works as well with the Bitcoin wallet on your Nano S. Suggesting this in order to see whether it's Electrum's fault or there's a serious security risk with the hardware wallet. If the latter is the case, then I gotta put mine away for the time being. 

[Electrum_LedgerNS_Issue]

Have you tried creating a wallet account on Ledger Live to see if the BTC shows up as missing there too? If it's an Electrum bug, it must show up in Ledger Live. I think Magnum Wallet (no need to download it) works as well with the Bitcoin wallet on your Nano S. Suggesting this in order to see whether it's Electrum's fault or there's a serious security risk with the hardware wallet. If the latter is the case, then I gotta put mine away for the time being.  

Hi,
The "false" transaction appears in the Ledger Live as well, even with "Extended account search" (what does this even do precisely ? what derivation paths does it look into ?) and Custom gap limit = 999 ...
Additionally, I generated about 50m addresses from my mnemonic with the most used derivation paths and variable ranges where I thought the coins might be, but didn't manage to find this address ...

I honestly looked a lot into this and I couldn't find anything similar to this described over the internet (well, at least not recently) so I think that the conditions needed to replicate this bug/exploit are very specific, I wouldn't worry about it too much if i was you ... (hell, if you manage to replicate this, you can claim a bounty with Ledger which in most cases will be bigger than the lost amount ...).
When sending the remaining coins to a custodian afterwards, I restored my wallet from the seed to a new Ledger device and used the new one to sign on an offline machine the last transaction which went through properly, so I guess you can do this if you're worried ...