
“Due to false accusations from electrum.org, they have ruined our reputation and brand of Electrum Pro. They managed to trick several news outlets to slander us. We decided to go our separate ways to work on different projects.”

Following the proof released and verified on May 9th, the site hosting the Electrum Pro malware appears to have been voluntarily shut down. A message on the site states that Electrum Pro’s reputation has been ruined by false accusations from electrum.org. The message further states that the domain is up for sale for 25 BTC, and provides a contact email.

Claims of ‘False accusations’ by electrum.org

The Electrum Pro team states that it has been falsely accused by electrum.org. This statement is false, as electrum.org provided proof that can be externally verified. BlockExplorer verified this proof itself in its earlier article, in which the malicious wallet was decompiled and the code that steals keys was shown to exist. The malicious code even goes so far as to hide its network activity in what looks like normal version analytics, meaning that a quick glance over the wallet’s network traffic could miss the theft entirely.

Further verification that the wallet steals seeds was found by Twitter user Gergely Eberhardt, who in a tweet showed the original code found in the Android app version of the malicious wallet.

It would seem that yes, there are false accusations here. But they are not from electrum.org. Instead, they are from the Electrum Pro team itself.


Electrum Publishes Proof “Electrum Pro” is Bitcoin Stealing Malware
Via Twitter yesterday, Electrum promised to publish proof that “Electrum Pro” is bitcoin-stealing malware. This morning they published their proof on GitHub. Members of the community are advising anyone who used this software to move their coins now. BlockExplorer writer Armin Davis independently verified these claims.

ICO Competition With The Highest Prize Ever
This year ICO Engine is hosting an ICO Race on 7 June 2018 at the Palazzo dei Congressi, Lugano. “Each ICO will have a 10-minute pitch in front of a qualified panel of judges who will make their evaluation based on: Solution of the problem, Business and Token sale model, Token Sale terms, Team, Pitch.” They go on to say, “ICOs will be ranked based on the evaluation given by the judges. Prizes are intended as purchase of the company’s tokens at the private sale price.” ICOs can register to be a part of the competition here.

Microsoft is Serious About Blockchain With Major Announcements and PRs
Despite the recent negative statements made by Bill Gates about Bitcoin, Microsoft’s interest in blockchain has been growing. Take this Microsoft Azure press release for example: “Simplifying blockchain app development with Azure Blockchain Workbench”. Microsoft’s Azure team is also now participating in NY Blockchain Week, according to WeTalkCoins.com.

Facebook’s New Blockchain Team Will Be Led by Coinbase Board Member David Marcus
Social media conglomerate Facebook has announced that it is establishing a new blockchain research team, according to BlockExplorer’s David Murray, and it will be led by a member of the Coinbase board of directors: David Marcus.

Image courtesy of Carty Sewill, http://cartyisme.com/


“We now have proof that “Electrum Pro” is bitcoin-stealing malware. The sha256sum of ElectrumPro-4.0.2-Standalone.zip is f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99. This hash can be confirmed independently using http://archive.org .”

On May 8th, @ElectrumWallet sent a tweet indicating that ‘Electrum Pro’ was malware, and that proof of this claim would follow. A few hours later, @ElectrumWallet sent another tweet containing the referenced proof.

“Here is a verifiable proof that “Electrum Pro”, a fake version of @ElectrumWallet, is in fact Bitcoin-stealing malware: [ https://github.com/spesmilo/electrum-docs/blob/master/decompiling_guide.md ]”

Link changed to a direct GitHub link

The Proof

The proof given is a step-by-step guide to decompiling the Python-based binary. It claims that within the binary, at the point where seeds are created, an additional step exists which uploads the seed to electrum(dot)com. The official website for the Electrum wallet is electrum.org, which we can be sure of because the external site bitcoin.org links to it.

In order to verify the claims, I followed the steps outlined. To begin I downloaded the zip file for Electrum Pro, and verified the hash of my file matched the one referenced in the proof:

Mine:   f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99
Theirs: f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99

The files are identical, meaning that I should see the same data further on that is stated in the proof, so long as it is true.

Following the steps, I extracted the zip file (in my case with unzip, rather than 7za), and extracted the pyc files from the .exe inside the zip. Once I had the pyc files, I decompiled them using uncompyle6 and found the following Python 3 code:

The above code is the same as what is shown in the proof provided by @ElectrumWallet. As such, I can externally verify that Electrum Pro contains the lines referenced in the proof.

What does this mean?

It is now proven that Electrum Pro steals wallet seeds on creation, meaning that any coins stored in a wallet created with this tool are accessible to anyone with access to electrum(dot)com. If you mistakenly used this wallet, you should move your coins to a secure wallet as soon as possible.

How to avoid malware like this in future

When installing wallets, verify at every step that what you’re doing is correct. Make sure that URLs are correct, confirm those URLs with external sources where possible, and always verify hashes and signatures. In Electrum’s case, all official binaries are signed with ThomasV’s PGP key. To verify other wallets, you should be able to use the keys and hashes provided on the wallet’s home page. This may seem like a lot of work, but it’s worth it to keep your coins secure.

Verify everything.
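The hash step described above, written out as an added example (not code from the article or from the Electrum project): it streams a downloaded file through SHA-256, accepts the common formats in which a publisher prints a hash, and compares in constant time. The published hash is the one quoted on this page; the sample file written by `write_constructed_sample` is constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Hash published in Electrum's proof for ElectrumPro-4.0.2-Standalone.zip (quoted on this page).
PUBLISHED_SHA256 = "f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hash(text):
    """Extract a SHA-256 from the formats publishers use: bare 'HASH', the sha256sum
    style 'HASH  filename', or 'SHA256 (file) = HASH', in either letter case."""
    for token in text.replace("=", " ").split():
        token = token.lower()
        if len(token) == 64 and all(c in "0123456789abcdef" for c in token):
            return token
    raise ValueError(f"no 64-hex-digit SHA-256 found in: {text!r}")


def verify_download(path, published):
    """True only when the file's SHA-256 equals the published one.
    compare_digest avoids a timing side channel; harmless here, and a good habit."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, normalize_hash(published))


def write_constructed_sample(data=b"abc"):
    """Write constructed bytes to a temporary file and return its path (demo input only)."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample()
    print("sha256 of sample:", sha256_of_file(sample))
    # The constructed sample is not the Electrum Pro zip, so this must report False.
    print("matches published Electrum Pro hash:", verify_download(sample, PUBLISHED_SHA256))
```

A matching hash only proves you hold the same file the publisher hashed; it is the signature check that ties that hash to the developer, so run both.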

Electrum’s developers released a new version of their bitcoin wallet client after a security researcher at Google Project Zero discovered a critical vulnerability that allowed hackers to use malicious websites to steal bitcoins from unencrypted Electrum wallets. If you haven’t already, update to Electrum 3.0.5.

Tavis Ormandy, a white hat hacker who has identified a number of high-profile vulnerabilities in software products, discovered a critical bug in Electrum’s JSON-RPC protocol, which is used to transfer data between clients and servers.

The interface was not secured properly, which made any unencrypted Electrum wallet immediately vulnerable to having its balance drained by thieves if both the wallet and a web browser were open at the same time.
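To make the failure mode concrete, here is an added illustration (not Electrum’s own code) of the two checks a wallet’s localhost JSON-RPC endpoint can apply so that an open browser tab cannot drive it: refuse requests that carry a browser Origin or Referer header, and require a random per-launch credential that only a local process can read. `RPC_USER`, `RPC_PASSWORD` and the sample requests are constructed for this example.

```python
import base64
import hmac
import secrets

# Constructed for this example: a credential generated fresh at each launch, stored only
# where a local process can read it. A script running in a web page has no way to learn it.
RPC_USER = "electrum-rpc"
RPC_PASSWORD = secrets.token_urlsafe(32)


def expected_basic_auth(user=RPC_USER, password=RPC_PASSWORD):
    """The HTTP Basic Authorization header value a legitimate local client must send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authorize_rpc_request(headers, user=RPC_USER, password=RPC_PASSWORD):
    """Return (allowed, reason) for one request arriving on the localhost RPC port.

    1. Browser provenance: a cross-site POST fired by page script carries an Origin header
       (and usually a Referer); the wallet GUI or a local CLI sends neither. Rejecting them
       closes the "wallet and browser open at the same time" hole this article describes.
    2. Credentials: the per-launch secret, compared in constant time. Without it the
       endpoint is reachable by anything that can open a TCP connection to 127.0.0.1.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if "origin" in lowered or "referer" in lowered:
        return False, "request originates from a web page"
    supplied = lowered.get("authorization", "").encode("utf-8")
    expected = expected_basic_auth(user, password).encode("utf-8")
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or wrong RPC credentials"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a local client, an unauthenticated caller, and a page.
    samples = {
        "local client": {"Authorization": expected_basic_auth()},
        "no credentials": {"Content-Type": "application/json"},
        "web page": {"Authorization": expected_basic_auth(),
                     "Origin": "http://some-web-page.example"},
    }
    for label, hdrs in samples.items():
        print(f"{label:15} -> {authorize_rpc_request(hdrs)}")
```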

Here is an example of how the vulnerability can be exploited to steal the wallet seed from a wallet that is either unencrypted or encrypted with a poor password:

However, Ormandy said that users with encrypted wallets also face potential risks.

“I think just scanning for people in the background of a website is really easy, and seems likely someone will try that. Even with encrypted wallets, you can still change options, change destination addresses, deanonymize users via listaddresses and so on,” Ormandy wrote on GitHub.

The vulnerability, which affects wallet versions 2.6 to 3.0.3, was initially reported on Nov. 24, 2017, the same day that Bleeping Computer reported that hackers had been scanning the web for Ethereum wallet clients vulnerable to an insecure JSON-RPC interface. However, Electrum developers apparently did not recognize the gravity of the issue, as it went unaddressed until Ormandy discovered it on Jan. 6.

Apparently, the vulnerability was more than two years old, as the affected code was merged on Nov. 30, 2015. Amazingly, there are no known cases of it being successfully exploited, although this will almost certainly change now that the bug has been revealed.

Electrum quickly released an update, version 3.0.4, which addressed part of the issue but may still be vulnerable to some attacks.

Developers are now urging users to update their wallets to version 3.0.5, although they should probably exercise caution while using the wallet until it is clear that the release is stable.

Notably, the vulnerability also affects Electron Cash — a bitcoin cash-based fork of Electrum — so this wallet’s users should update their software clients to version 3.1.1.

Featured Image from Pixabay