2,399 LTC stolen seconds after Electrum-ltc was installed #176
Comments
Do you still have this file by any chance? If so, could you post its full name (assuming you didn't rename it), its exact size in bytes and, if you know how to compute it, a hash? |
The standalone executable that you have is the official one (hashes match), so I don't think this is what caused your issue. (This file is built deterministically, so anybody can verify that it corresponds to the code in this repo by using the official build scripts.) What does seem suspect to me is the error message that you got from the installer right after you entered your seed, the one about "not being able to connect to the server". Did you verify the signature of the installer before running it? Did you notice anything strange when you ran this file? Did it actually start an installer, or did it start the Electrum wizard directly? |
This sounds like you might have some malware that was proxying your connection and packet sniffing. |
To Pooler,
|
@danbel79 you obviously know your way around PCs. From my profile can you please make contact with me as there are some issues regarding your plight that I would like to discuss. |
@danbel79 after the Windows 10 install did you install any antivirus software? |
To Fiat2LTC, |
@danbel79 published an article about your lost coins https://cryptodisrupt.com/how-did-litecoin-owner-lose-350000-worth-of-coins/ @pooler maybe software developers should put a fixed limit of say $10K on software wallets unless 2FA is included and a total maximum of $100K. Who really needs to walk around with a wallet with more than $10K in it? |
Hi @danbel79 and @Fiat2LTC - Litecoin Cash dev here. Firstly, I just want to say how horrible this sounds, and I really empathise with your plight - we are planning on shortly releasing our own electrum fork (thanks to @pooler for his great work) so will be watching the development of this issue closely. I'll keep this short as it's kind of OT and I don't want to mess up this ticket or get in the way of any potential resolution. Just to say that I think the characterisation of our fork as a known scam is a little unfair and might muddy the water a bit. The specific issue you are referring to (extra .jar files) was reported by a single reddit user, and was never able to be reproduced by any of us in the dev team, or any of our community members. I suspect that may be a red herring. Nevertheless, there were people out there trying to take advantage of the confusion and releasing malware wallets - we have taken every precaution possible to warn about these on our twitter and website, and our advice remains to check the checksums of any downloads with those on our website, and only use official software linked from there. @danbel79 if by any chance you still have your original (Litecoin Cash) download file hanging around, perhaps you could provide or check the checksums, just to confirm what we are dealing with. |
@l0x have you thought about limits on the wallet you are developing? I know individuals have to take responsibility for their own actions but as a developer I would feel really bad if someone lost a small fortune by using some of my code. |
@pieman64 It's something we've thought about, though don't necessarily think is the best way forward. Not wanting to muddle this thread with O.T. discussion, I won't say much more on the matter here, but have made an issue on our tracker (litecoincash-project/litecoincash#14) if you would like to discuss further. |
I'm afraid not, but it may depend on how exactly it was stolen.
This kind of information is not stored in the blockchain, so one would have to actively monitor the network to find out from what IP a transaction was initially broadcast. There certainly are entities doing this kind of monitoring, but I'm not aware of public services providing IP data for Litecoin transactions. Also consider that the transactions may well have been broadcast from your own computer.
I am the only person maintaining Electrum-LTC.
Electrum is an SPV wallet. Communication with the Litecoin network happens via Electrum servers. To these servers the client sends its wallet addresses (to obtain transactions and balance information) and newly created transactions (so that they can be broadcast). There are several public servers, but one can also set up and use a private server. Some servers log IPs and/or activity, some don't. All these servers are independent and are not centrally controlled or monitored.
From the moment malware gained access to your computer, anything could have happened. Software running in the background could have used the Electrum API to move your coins, or maybe a keylogger simply harvested your seed and sent it to a remote server for further processing. By the way, let me note that the timestamp displayed by Electrum for a confirmed transaction is that of the block in which the transaction was included. This is usually within a minute of when a block is actually found, and of course any included transactions must have been broadcast before that.
No.
I don't think this was caused by a bug, but the code is freely available for anyone to review.
I am sorry for your loss, but to be honest I don't think there is much that can be done at this point to get your coins back. Forensic analysis may help reconstruct what happened, but unless whoever is behind this made a serious blunder the chances of identifying them seem very slim. |
@l0x and @pooler |
When I followed the transactions through the blockchain explorer briefly, whoever stole it sent hundreds of transactions in 110/120 ltc increments to hundreds of different addresses but they seem to potentially go back into the same wallet at the very end - potentially an exchange wallet. I suggest you follow a few of these 110/120 transactions as far as you can go, and if it's all one exchange then the authorities can potentially subpoena the exchange for the identity of who took them. |
@pooler |
@danbel79 have you contacted Bitfinex and Binance? |
@pieman64 |
@danbel79, no need to apologize. I'm sorry that there's not much I can do to help, but I'm glad that your investigation is progressing. |
Crypto Disrupt has posted a further article regarding the stolen coins. |
@davilez I agree wallet developers need to do a LOT more to protect coin holders but adding a banner about the phishing site is only part of the answer. For some people a web browser search will bring up the fake site and they will never get to see the banner on the real site. Even MEW had problems this week with the DNS attack. That's why I think a hard limit should be set for all digital wallets as most of them have lost funds at some point. |
I've already reported the malicious website to the registrar and the hosting provider, as well as to search engines. The registrar responded that it is not their place to determine if the website is engaging in illegal activities, and suggested contacting law enforcement. No response from the hosting provider so far.
A notice on the website would be ineffective, as has already been remarked, and in particular it wouldn't have prevented what happened to danbel79. Moreover, keep in mind that the official website can be hacked too (in fact, it has already happened in the past, due to an attacker exploiting a vulnerability in the virtualization software used by the hosting provider), so downloading from there is not a sufficient guarantee of safety. This is why it is so important to verify digital signatures. If you're going to trust your money to an application, verifying the authenticity of the application should be a rather important step of the process. I agree that most people probably don't understand signatures, but this doesn't change the fact that it's the only way to ensure that a file comes from a trusted source. Developers have been trying to educate users on this point for quite some time. |
Yeah but one major problem here is that if they are already on the wrong website, via search engine, DNS hack or whatever, the checksums are not a safe bet because they too can be changed to match the malware and otherwise seem legit. Personally I've made a choice to never be in a hurry. If I download a wallet, I try my best to verify the source was legit and check sigs/SHAs and if possible verify those also match any git or other dev sources where it may also be posted publicly AND then I sit on the download for a few days at least before moving forward just to ensure I am safe from bugs (my initial reason) but also any security flaws/vulnerabilities that would almost immediately be reported by the community. Yes, I let others taste the food first to see if it's been poisoned =) I realize this is probably overkill but as a developer myself, I know all too well that the bad guys are often much more motivated than the good guys...or often go completely around the "good" guys via the help of the "dumb" guys that have too much power, i.e. registrars/hosts/indexers/DNS providers using customer service agents that know zero about how this stuff works, not to mention often easily tricked. Most websites can have their DNS hijacked via a simple convincing phone call to a provider or a hacked email account, and this happens more frequently than most people know. Lastly, by simply making things difficult you can protect yourself also because there is always a fresh crop of unsuspecting victims, i.e. low hanging fruit. If you ensure you don't fall into this group, you add some security through obfuscation, i.e. 2FA, requiring multi-sigs, hardware wallets, using a non-production/desktop environment that doesn't get user software installed on it or used for browsing on the internet. |
@pingram3541 how would you feel about a hard cap $10K limit per coin on a software wallet? |
Do not confuse checksums with digital signatures. Checksums can only be used to verify integrity, not authenticity, so basically they only protect you against accidental transmission errors. To produce a valid signature of a modified file, on the other hand, a malicious actor would have to somehow gain access to my private signing key, which needless to say is not stored online. |
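The distinction drawn in the comment above, together with the earlier point that a look-alike site can simply republish checksums that match its own file, as an added example that is neither part of this thread nor Electrum-LTC's own code: Electrum-LTC releases are signed with GPG, and this stand-in uses Go's Ed25519 with constructed seeds and constructed sample bytes to show that a rehosted file passes the checksum check but fails signature verification against a developer key the user pinned out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download page offers: the installer bytes, the SHA-256
// checksum printed on the page, and a detached signature over the bytes.
type Release struct {
	File      []byte
	Checksum  string
	Signature []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is what the developer does: hash and sign the genuine installer.
func Publish(devPriv ed25519.PrivateKey, installer []byte) Release {
	return Release{File: installer, Checksum: sha256Hex(installer), Signature: ed25519.Sign(devPriv, installer)}
}

// Rehost models a look-alike download page: it serves a different file and
// prints that file's own checksum next to it. Whoever runs the page can only
// sign with a key they hold, never with the developer's.
func Rehost(substitute []byte, pagePriv ed25519.PrivateKey) Release {
	return Release{File: substitute, Checksum: sha256Hex(substitute), Signature: ed25519.Sign(pagePriv, substitute)}
}

// ChecksumMatches verifies integrity only: the file equals whatever the page
// says it should be. It says nothing about who published the page.
func ChecksumMatches(r Release) bool { return sha256Hex(r.File) == r.Checksum }

// SignatureValid verifies authenticity against a public key the user pinned
// out of band (e.g. kept from an earlier install); a cloned site cannot change it.
func SignatureValid(r Release, pinnedDevKey ed25519.PublicKey) bool {
	return ed25519.Verify(pinnedDevKey, r.File, r.Signature)
}

// Outcome records both checks for the genuine and the substituted release.
type Outcome struct {
	GenuineChecksumOK, GenuineSignatureOK       bool
	SubstituteChecksumOK, SubstituteSignatureOK bool
}

// Scenario runs both checks over a constructed genuine and substituted release.
// Keys come from fixed, made-up 32-byte seeds so the run is deterministic.
func Scenario() Outcome {
	devPriv := ed25519.NewKeyFromSeed([]byte("electrum-ltc-dev-seed-32-bytes!!"))
	pagePriv := ed25519.NewKeyFromSeed([]byte("look-alike-site-seed-32-bytes!!!"))
	pinned := devPriv.Public().(ed25519.PublicKey)

	genuine := Publish(devPriv, []byte("electrum-ltc-setup.exe (constructed sample bytes)"))
	substitute := Rehost([]byte("electrum-ltc-setup.exe (different constructed bytes)"), pagePriv)

	return Outcome{
		GenuineChecksumOK:     ChecksumMatches(genuine),
		GenuineSignatureOK:    SignatureValid(genuine, pinned),
		SubstituteChecksumOK:  ChecksumMatches(substitute),
		SubstituteSignatureOK: SignatureValid(substitute, pinned),
	}
}

func main() {
	o := Scenario()
	fmt.Printf("genuine:    checksum=%v signature=%v\n", o.GenuineChecksumOK, o.GenuineSignatureOK)
	fmt.Printf("substitute: checksum=%v signature=%v\n", o.SubstituteChecksumOK, o.SubstituteSignatureOK)
}
```

The pinned key is the part that matters: a verification that fetches the key from the same page as the download inherits that page's trustworthiness and proves nothing more than the checksum does.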
Why would you need this? This is also not possible to implement. |
Nah. Not a big fan of restrictions. @pooler - Many people aren't that intimate with the project to recognize the signature links removed from the cloned site or maybe even serve up their own rendition of the key check how-to page and using a similar registered email address, and like Andre says, the only way to know if a key that one is checking with is legit is by meeting the dev in person, again unless they already know what is proper and what isn't, and of course many won't. |
@GrimFandango92 the "$10K hard cap" is to prevent life changing hacks. No offence but your 5 LTC is not on the same scale as 2399 LTC. Software wallets don't need to have more than $10K in them, period. Presently hackers know that some wallets contain millions of dollars and therefore spend a lot of time and resources gaining access to them. Software wallets are not safe, simple as that. With $10K limits hackers would return to hacking fiat accounts. |
Oh, I couldn't agree more. No disrespect taken, and I'll be the first to admit my life is not fundamentally changed by this other than a little more distrust, so I'm not belittling the OP's experience with my comparatively minimal loss. My heart goes out to him - I can only imagine how he must feel; his is just awful. I understand your reasoning and that argument may have its place for other cases of breaches or vulnerabilities within the Electrum-LTC code, but for the purposes of this discussion and for the attack vector used, the argument is academic. The original Dev's code wasn't run, or this wouldn't have happened in the first place. For what little result it's likely to produce, I've reported this to Action Fraud (https://actionfraud.police.uk/) in the slim hopes I can at least contribute to it not happening to anyone else. |
Basic further investigations done. I will chronicle further updates on https://www.reddit.com/r/litecoin/comments/8jfe0e/scam_alert_httpelectrumltcorg_is_a_scam_version/ |
The hacker moved the money using the exchanges Bitfinex and Binance, 100 LTC at a time, to then be changed to BTC. Binance and Bitfinex allow any person to move good amounts of money without anyone checking for money laundering. Poloniex only lets new accounts withdraw 2500 USD a day, but there is a verification process. The page electrumltc.org now redirects to the official website of electrum-ltc, curiously. |
@GrimFandango92 just trying a new URL for your Reddit post as the other one fails. |
You're a star - thanks mate! :) Wow... You're absolutely correct... With that being said, it looks like www.electrumltc.org is CNAMEd to electrumltc.org and electrumltc.org is still pointing to the same IP you mentioned, 111.90.149.13. Yet if visiting from a web browser, it redirects you to www.electrum-ltc.org. While still pointing at their webserver, it seems it has a redirect on Apache; must have done this to take the heat off them when the article broke. Good to hear from you and I'll let you know if I hear anything from my end - just had an automated response today that I'd get a reply back within 28 days - nothing terribly promising. |
@danbel79 Any updates on your attempts to contact the exchanges? |
Upon my last contact from Danbel by PM after tracking down an e-mail for him, he'd gotten responses from both BitFinex and Binance that they were happy to co-operate with Law enforcement but he'd not had much luck from the FBI on this. This was a month ago. I found my experiences of contact with the Exchanges to be similar; BitFinex seemed much friendlier and happy to help, but naturally, they'll only supply information/work with Law Enforcement. My relatively minor loss has resulted in no effort from Action Fraud as of yet; just a generic "We're continuing to look into this." e-mail received today. With that being said, BitFinex were kind enough to elaborate that while most funds had been drained, the accounts in question still containing minor funds had been frozen upon "other reports" (danbel, I presume) of fraud on the account. Not holding my breath and I've come to terms with it as a hard lesson to swallow. Was sorely tempted to pop on my black hat, but I ended up deciding to (in hindsight, perhaps a tad optimistically) leave it in law enforcement's hands and avoid it coming back to bite me in the backside. |
A bit off topic. Where should we report this sort of thing? FBI? Local law enforcement in the place we live? I too got hacked on Poloniex and Polo doesn't share any info with me. |
I noticed that http://www.electrumltc.org////////////////// (the fake site) does not have the secure logo. That is the main difference. I added a bunch of //// so the guy doesn't get a link. I reported it to Google too. |
Google still lists the fake site |
Who is the hosting provider? It seems that the hosting is very defensive in defending the scammer. What is it? |
Interesting... It did get taken down, but sounds like they're at it again. Guess that depends primarily where you live and the extent of the damage. Personal experience was a "couldn't give a damn" attitude from the local police, Action Fraud, BitFinex & Binance. Judging from your question, I'm guessing US, so FBI may be a good shout if it's a substantial amount of money, but others may be better qualified to answer. If your experiences are anything like mine have been this end, law enforcement won't give a rat's ass over small amounts of money. Good luck, and sorry to hear about the misfortunes! |
I did my homework at the time to hand over on a golden platter (not that it got read or made the slightest difference) but details should be above. I contemplated initiating an attack, but probably more trouble than it's worth and it's a shared webhosting platform from an outside glance with a litany of complaints and blacklists for scam websites. |
I also lost my LTC today. I use electrum-ltc 3.1.3.1, but today when I opened it to send money, it showed a message "can't send money, you should download the new 3.3.4 version" and listed download links, so I did this, and when I downloaded it and opened it, I found all my LTC sent to an address immediately. |
Can you help me and give me some advice? |
Word of cold and brutal, yet realistic advice: If you have any other crypto assets, put serious consideration into using a hardware wallet instead, moving forward, and prepare yourself for the likely reality that you'll never see a cent of that again. After over 6 months of fighting, chasing and nagging, my case ended up with Action Fraud sending an automated e-mail that they're not interested in pursuing it, the exchanges refusing to help without a court order, and the police refusing to supply any demands because, and I quote almost word for word, "[Sic] confirm that we are NOT investigating this issue. I cannot complete documentation to suggest otherwise. I feel that if you have funds that prima facie belong to the victim you should return; but this is not a law enforcement issue". In other words, both sides preferring to twiddle their genitals and refusing to assist in any meaningful way. Best you can do is report to the police in your jurisdiction and report to the exchanges that the money got laundered through so they can freeze the accounts in question. From there, all you can do is hope and wait for a miracle. I wish you luck, but the odds are against you. We found first-hand the downsides of immutability and lack of regulation. |
At work at the moment, but I'll do a check of the modus operandi later to see if it matches mine... If it does, you're SOL. When I checked in January, the scam site is still live and various law enforcement agencies have done diddly to stop them. |
Well, your symptoms don't quite match. Checking your browser history, where was the update downloaded from? www.electrumltc.org or www.electrum-ltc.org? The symptoms don't quite match... Am I correct in assuming these are the public keys with your wallet? Lb3cKgPyrc9G1RE7zVUb3JnyF2WuqZ3As7 If so, looks like that tx transferred all of those to the singular LL2fvk9wJbukEC6CsSEsFJjQwr3pWQ5ByQ and there it still sits, with no determinable output from there forward. If your funds have been siphoned to that wallet, the arguably good news is that they don't look to have been transferred to any exchanges (yet), not that it helps your case. How did you find this thread or draw the conclusion you're affected by this? |
the coins I've never seen them before, how can you help me?
On Wed, Jul 10, 2019 at 8:55 PM ashwilly ***@***.***> wrote:
Please let me know if you've found a closure to this issue or I can
suggest for you a way of getting help
--
Danny Sanchez
+17862086934
|
Thanks I will contact ..
Danny
On Wed, Jul 10, 2019 at 9:38 PM ashwilly ***@***.***> wrote:
I never believed in bitcoin retrieval cos I felt and was made to
understand it’s not possible. But sometimes last year I fell for a binary
option scam which promised a higher return and I lost close to $15,000. I
read an article on here as regards a recovery expert and genius so I
reached out and to my surprise I got all bitcoins recovered within 12
hours. you can PM him on ***@***.***, he'd walk you through it,
if it's something possible.
|
Guys, my LTC were on Litecoin Electrum. |
I think the problem is not in the wallet. They stole the LTC on 08/16 and not today. But then how did they do this? I didn't run the LTC wallet for a long time. |
I think you should add two-factor authentication for wallets. |
Wish I would've read this thread 2 days ago. I was transferring my wallet to a new computer so I downloaded what I thought was a legitimate wallet electrum-ltc, and the same night of my download, my litecoins got stolen. Any advice on how to track or possibly get them back? So depressing. |
Hi mate, really sorry to hear that... Hate seeing others hit by this too. Utterly ridiculous this is still going on. I'm going to give you a dose of brutal honesty. Law enforcement were less than useless and opted to fondle themselves rather than give me the time of day or be remotely helpful - I never came right with mine. Crypto is the wild west, sadly. What address were your coins sent to? Was it the same address(es) listed in this thread? If you follow your coins on a blockchain explorer, did you see them siphoned off bit by bit among different exchanges for selling off, as we described above? I personally was able to track my coins to being sold off at two exchanges in particular, and one of them confirmed they flagged it as a fraudulent transaction before they could get sold and froze the funds, but refused to deal with me direct or release to me and wanted a letter from law enforcement, so that's where my luck ended, as they weren't willing to provide a letter to the exchange to confirm I was who I said I was and I was the original owner of the funds as, and I quote, "they weren't investigating it" - like I said, less than useless. A sack of spuds would have been more helpful. What country do you live in, if you don't mind me asking? I'd recommend getting it reported to your local law enforcement authority ASAP first and foremost and getting a case number, just in case you decide to take it further now or down the line. In my case it wasn't worth the time or the effort, but there may be some private routes you can take. Sorry again, and hope you come right... Please do keep us updated. |
Unsure if the OP came right with his in the end; our funds were shifted together. He was lucky enough to have enough funds to justify the FBI getting involved, but after initial chats with him I never touched base with him. Hope he came right. |
I know 100% certain who is behind the scam and I can prove it. I have the real life identity, pictures, address, ... Is there a bounty? |
Electrum-ltc,
Today I found out Two thousand three hundred ninety nine Litecoins were stolen from my wallet on April 12, 2018.
Here is what I did that day:
1- On the morning of April 12, I decided to reset Windows 10 using the recovery option and wipe out all files, which I had already backed up on another drive.
2- After installing Windows, Office, Chrome and Adobe Reader, I then decided to download the Electrum Litecoin wallet from https://electrum-ltc.org/.
3- I downloaded the "Windows installer" version, typed in my seed during the setup and next a message indicating an error popped-up. The message said something about not being able to connect to the server.
4- I tried once again and the same thing happened. I quickly googled for an answer but couldn't find a simple one.
5- I then downloaded the "Standalone Executable" version, typed my seed during the setup and the wallet opened. I don't remember checking the balance, but I do remember deciding to give it a few minutes to update. So, I then went to install other wallets and programs, etc. and totally forgot about the wallet.
6- Then, I restarted my computer after some windows updates or something, got carried away with work, and didn't check my Litecoin wallet.
7- Today, April 17, 2018, I decided to check my wallet and I found out my wallet had been emptied.
8- After trying to figure out how I had been hacked I found out that my wallet was emptied seconds after I installed the wallet on April 12. The hack didn't just stop there, my seed was also used to claim and take my Litecoin Cash.
Because the hack happened exactly at the moment the Electrum Litecoin wallet was installed and seems to have been an automatic process, I suspect the hack came through the wallet downloaded from https://electrum-ltc.org/.
Here are the transaction IDs and screenshots:
69e3611d5bb503e5d32831c5dc2b03caa53f3104ee3073677b816131e812360b
d2bdd3aa1c31102ddd08120e6c4bd6864aabdafb7cb8100feef5ea5ff312f892
I'm posting on this forum hoping someone can help me recover my Litecoins and to alert the community.
Thank you for your attention.