mpufatzis (OP)
|
|
August 24, 2020, 06:09:35 PM |
|
I'm just wondering if someone downloaded the fake version and tried to use it with his hardware wallet. Is someone here who did it accidentally (or on purpose) to tell us if his hardware wallet protected (or not) his coins?
|
|
|
|
o_e_l_e_o
In memoriam
Legendary
Offline
Activity: 2268
Merit: 18746
|
|
August 24, 2020, 07:26:11 PM |
|
Is someone here who did it accidentally (or on purpose) to tell us if his hardware wallet protected (or not) his coins?
The hardware wallet will indeed protect your coins. All the fake version of Electrum does is attempt to generate, sign, and broadcast a transaction which sends the entire contents of your wallet to the attacker's address. If you are using Electrum as an interface for a hardware wallet, then that transaction cannot be signed without you manually approving it on the hardware wallet. Provided you don't just blindly accept everything the hardware device displays and actually pay attention to what it is doing, then you can reject the transaction which will prevent it from being signed and broadcast.
|
|
|
|
BitMaxz
Legendary
Offline
Activity: 3430
Merit: 3168
|
|
August 24, 2020, 08:46:14 PM |
|
Provided you don't just blindly accept everything the hardware device displays and actually pay attention to what it is doing, then you can reject the transaction which will prevent it from being signed and broadcast.
I agree with this bold part because if you do not check it carefully it will end up sending to an unknown address. So always make sure to check the transaction and the hardware wallet carefully before you sign the transaction, and I suggest that if you have the fake Electrum wallet installed, it is much better to uninstall it, clean the PC/laptop, and install the original Electrum to keep your wallet safe.
|
|
|
|
sheenshane
Legendary
Offline
Activity: 2506
Merit: 1232
|
|
August 24, 2020, 10:07:35 PM |
|
Is someone here who did it accidentally (or on purpose) to tell us if his hardware wallet protected (or not) his coins? The hardware wallet will indeed protect your coins.
I tend to agree with this, and this was explained on the blog of the Trezor wallet: "Fight Phishing with Trezor". But usually, as I have heard, the clone wallet or phishing wallet, like installing a fake version of Electrum, didn't have any malware infection in your device, but the problem is the revised code. When you make a transaction it will automatically send to their Bitcoin address, and that is the reason for losing your funds. In this case, to avoid that, study how to verify the authenticity every time you have to download and install any version of the wallet. Learn the PGP stuff.
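An added example for the "learn the PGP stuff" advice above; it is not part of the post and not Electrum's own tooling. `gpg --verify` exits 0 for a good signature from any key in the keyring, so the check below pins one fingerprint and reads gpg's machine-readable status lines. `PINNED_FPR` is a placeholder and the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a placeholder, not a real key: replace it with
# the release signing key fingerprint obtained from a source you trust.
PINNED_FPR="0000000000000000000000000000000000000000"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if some VALIDSIG line
# names $1 as the primary-key fingerprint and no signature is reported as bad
# or as made by a revoked key.
status_matches_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, the last field the primary key
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release FILE SIG: run gpg on a downloaded installer and its detached
# signature, then apply the pinned-fingerprint check instead of trusting the
# exit code of gpg alone.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | status_matches_pinned "$PINNED_FPR"
}

# Constructed sample of gpg status output (not captured from a real run).
# $1 is the fingerprint the sample reports as the signer.
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG ${1#????????????????????????} Constructed Signer" \
        "[GNUPG:] VALIDSIG $1 2020-08-24 1598292575 0 4 0 1 8 00 $1"
}
```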
|
|
|
|
NotATether
Legendary
Offline
Activity: 1778
Merit: 7372
|
|
August 24, 2020, 11:46:35 PM |
|
So always make sure to check the transaction and the hardware wallet carefully before you sign the transaction, and I suggest that if you have the fake Electrum wallet installed, it is much better to uninstall it, clean the PC/laptop, and install the original Electrum to keep your wallet safe.
If the fake Electrum clients indeed only generate one large transaction, then uninstalling the fake client should be enough. I haven't seen any reports of the fake clients changing OS settings or running trojans, trying to install other malware or similar behavior. If those things were done then it would certainly require an operating system reinstall, and you'd skip the uninstall because in that case it's not guaranteed the uninstaller will be honest and clean up itself. It could leave a backdoor behind.
|
|
|
|
pooya87
Legendary
Offline
Activity: 3626
Merit: 11029
|
|
August 25, 2020, 03:25:01 AM |
|
let's just say that it is a lot harder to steal your coins if you were using a hardware wallet but it is in no way impossible. one way is what was mentioned (blindly accept everything) but there are sometimes exploits in these hardware wallets that the attacker could take advantage of and steal your coins. for instance recently there was a bug that involved the way they sign SegWit transactions and compute fees which could end up spending your entire balance by sending it to an arbitrary address.
|
|
|
|
ranochigo
Legendary
Offline
Activity: 3038
Merit: 4420
|
|
August 25, 2020, 03:30:13 AM |
|
But usually, as I have heard, the clone wallet or phishing wallet, like installing a fake version of Electrum, didn't have any malware infection in your device, but the problem is the revised code. When you make a transaction it will automatically send to their Bitcoin address, and that is the reason for losing your funds.
In this case, to avoid that, study how to verify the authenticity every time you have to download and install any version of the wallet. Learn the PGP stuff.
Hardware wallets work by only protecting your private keys. They don't protect against phishing attacks that mislead you into sending to a different address. It's possible for malware to be included with the fake Electrum software to change the Bitcoin addresses that you see on webpages and key in. If the fake Electrum software only changes the addresses that your transaction is being sent to, the hardware wallet displays the transaction details and you should be able to see for yourself and decide if it's correct. If you don't sign the wrong transaction, you won't lose the funds.
|
|
|
|
Abdussamad
Legendary
Offline
Activity: 3682
Merit: 1580
|
|
August 25, 2020, 05:52:52 AM |
|
the change address is not verified by some hardware wallets so you could still lose money. ledger doesn't verify it for example.
|
|
|
|
NeuroticFish
Legendary
Offline
Activity: 3850
Merit: 6585
|
|
August 25, 2020, 07:43:37 AM |
|
the change address is not verified by some hardware wallets so you could still lose money. ledger doesn't verify it for example.
Maybe I'm wrong since I cannot check now, but why doesn't Electrum "report" then the change address like another output in pay to many? Electrum knows the user has Ledger and can easily handle that.
|
|
|
|
Lucius
Legendary
Offline
Activity: 3416
Merit: 6149
|
|
August 25, 2020, 10:51:45 AM |
|
the change address is not verified by some hardware wallets so you could still lose money. ledger doesn't verify it for example.
I am almost certain that this was the case before, the user had to confirm both addresses before confirming the transaction. But Ledger has completely removed this feature in Ledger Live (it is not possible to see the change address at all) most likely because of those (including me) who played with those addresses in the Chrome Bitcoin App - and those addresses used to be far below the gap limit and Ledger didn't detect them at all (meaning not even the coins that were on them).
The only way to check the change address in Electrum as UI for Ledger would be to click on the Preview button where the change address is displayed - and then go to the console and type ismine("YOUR_ADDRESS_HERE")
|
|
|
|
Coin-Keeper
|
|
August 25, 2020, 05:25:55 PM Last edit: August 26, 2020, 08:33:43 PM by Coin-Keeper |
|
Call me old fashioned but I like to keep it simple if I can. One suggestion for the many of us that ONLY use BTC; make sure to use bitcoin-only firmware if your hardware wallet offers it. Almost all of the time software crap happens because firmware coders are attempting to use every coin out there, when many users only have BTC. Any Trezor I have that contains only BTC is loaded with bitcoin-only firmware, which was verified using trezorctl and signatures.
|
|
|
|
Abdussamad
Legendary
Offline
Activity: 3682
Merit: 1580
|
|
August 26, 2020, 05:13:57 AM |
|
the change address is not verified by some hardware wallets so you could still lose money. ledger doesn't verify it for example.
I am almost certain that this was the case before, the user had to confirm both addresses before confirming the transaction. But Ledger has completely removed this feature in Ledger Live (it is not possible to see the change address at all) most likely because of those (including me) who played with those addresses in the Chrome Bitcoin App - and those addresses used to be far below the gap limit and Ledger didn't detect them at all (meaning not even the coins that were on them). Only way to check change address in Electrum as UI for Ledger would be to click on Preview button where change address is displayed - and then go to console/type ismine("YOUR_ADDRESS_HERE")
yeah but the thread is about malware versions of electrum. you can't trust what they report.
|
|
|
|
Pmalek
Legendary
Offline
Activity: 2940
Merit: 7550
|
|
August 31, 2020, 10:11:04 PM |
|
But usually, as I have heard, the clone wallet or phishing wallet, like installing a fake version of Electrum, didn't have any malware infection in your device, but the problem is the revised code.
The hackers are probably not interested in attaching easy to detect malware with their fake Electrum wallets. The majority of users have some sort of anti-virus software installed. As time passes, the fake wallets would be recognized as malware and that is not something they want. They want a similar code to the original Electrum, with one difference: Your coins get sent to an address controlled by them.
|
|
|
|
|
|
|
DaveF
Legendary
Offline
Activity: 3654
Merit: 6669
|
|
August 31, 2020, 10:39:16 PM |
|
If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week. It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.
-Dave
|
|
|
|
sheenshane
Legendary
Offline
Activity: 2506
Merit: 1232
|
|
August 31, 2020, 10:59:01 PM |
|
But usually, as I have heard, the clone wallet or phishing wallet, like installing a fake version of Electrum, didn't have any malware infection in your device, but the problem is the revised code. The hackers are probably not interested in attaching easy to detect malware with their fake Electrum wallets. The majority of users have some sort of anti-virus software installed. As the time passes, the fake wallets would be recognized as malware and that is not something they want. They want a similar code to the original Electrum, with one difference: Your coins get sent to an address controlled by them.
Just wonder how the attacker connects into the server of Electrum and increases the chances that a possible victim will connect to the attacker, and the attacker is able to manipulate the wallet and send it to their own wallet. And they called it a Sybil attack, how genius the attackers are these days, because they had the ability to hack like this no matter how many times they had an update. Just like what happened to this recent victim, the attacker stole 1400 Bitcoin from Electrum installing an old version of the wallet.
|
|
|
|
BitMaxz
Legendary
Offline
Activity: 3430
Merit: 3168
|
|
August 31, 2020, 11:45:53 PM |
|
If someone could point me in the direction of the fake version I will try it with a coldcard and a laptop I have to wipe over the coming week. It's an older gen1 coldcard so it will not be an ideal test since that hardware is no longer current / supported but still something to try.
-Dave
Why not install an old version of Electrum below Electrum 3.3 and connect it to any infected server. It will ask to update the Electrum to Electrum 4.0. Click the link and it will lead you to fake Electrum 4.0, but I think most of the links right now are dead. So I don't think you can find the Electrum 4.0 right away; just keep changing the server until you find a live one.
|
|
|
|
HCP
Legendary
Offline
Activity: 2086
Merit: 4361
<insert witty quote here>
|
|
September 01, 2020, 10:46:02 PM |
|
Why not install an old version of Electrum below Electrum 3.3 and connect it to any infected server. It will ask to update the Electrum to Electrum 4.0.
You only receive the "update" message when you attempt to send a transaction... So, it could get quite expensive and you could end up wasting a bit of BTC in transaction fees trying to find an infected "bad" server (they're not "infected", they're just "bad")
|
|
|
|
DaveF
Legendary
Offline
Activity: 3654
Merit: 6669
|
|
September 02, 2020, 12:31:02 AM |
|
Why not install an old version of Electrum below Electrum 3.3 and connect it to any infected server. It will ask to update the Electrum to Electrum 4.0.
You only receive the "update" message when you attempt to send a transaction... So, it could get quite expensive and you could end up wasting a bit of BTC in transaction fees trying to find an infected "bad" server (they're not "infected", they're just "bad")
And that explains why I have opened and closed Electrum about 20 times, rebooted, and still never got the update message. Guess I'll have to hunt it down another way. Geez, how tough is it to get robbed around here :-)
-Dave
|
|
|
|
nc50lc
Legendary
Offline
Activity: 2590
Merit: 6372
Self-proclaimed Genius
|
|
September 02, 2020, 03:16:49 AM |
|
Guess I'll have to hunt it down another way. Geez, how tough is it to get robbed around here :-)
Some Google search results for "Electrum download" look suspiciously like the malware version, especially those from random sources like 'softonic' and 'softpedia'. (If not, they come with a virus.)
|
|
|
|
|
|