
new malicious forks: electrum-wallet/electrum and electrum-project/electrum #4953

Closed
SomberNight opened this issue Dec 21, 2018 · 6 comments
Labels
phishing 🎣 For phishing websites, fake wallets and stuff like that

Comments

@SomberNight
Member

SomberNight commented Dec 21, 2018

There is new malware being distributed that disguises itself as the "real" Electrum.
See https://github.com/electrum-wallet/electrum/releases

  • note the text "Sources and executables are signed by ThomasV. GPG Key ID : 0x6185FDBFC15DDD19"
    but the real key for ThomasV is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
  • note that the binaries are hosted at git-cdn.org, e.g. https://git-cdn.org/electrum-3.4.1-setup.exe
  • note that GitHub displays a green Verified badge on the release, as it is on a legit commit signed by me...
    "This commit was signed with a verified signature"
  • the binaries are almost surely based on modified source however
  • I could not yet decompile their binaries using the previous method since that method does not work on newer pyinstaller it seems
  • note that their Windows binaries are signed by "PRO SOFTS"
    GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
    serial number: 158fd7d2fb6e69e775abee6e
    (signer name for legit Windows signer is "Electrum Technologies GmbH")
  • hash of one of the binaries for future reference
    $ sha256sum electrum-3.4.1.exe 
    6b327b099ef195ff63a0f2c15e339f3e39ec96d0f2a03d6a3b9357773d4e4602  electrum-3.4.1.exe
    
  • their binaries use our crash reporter endpoints most likely; and issue TypeError: dest_address__() missing 1 required positional argument: 'choice' #4952 was probably created by those
  • the "full list of included changes" they enumerate for their 3.4.1 release is simply our release notes for 3.2.3
    # Release 3.2.3 - (September 3, 2018)

@ecdsa @EagleTM

EDIT: GitHub promptly took down that repository. Thanks for that!
Archived at https://archive.fo/Fb2lZ
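The two indicators in the list above that can be checked mechanically are the key ID the fake release page claims versus ThomasV's real fingerprint, and the SHA-256 of the bad binary. The script below is an added example, not code from the Electrum project or from anyone in this thread: the fingerprint and the hash are the values quoted in the comment, while the function names and the sample release-page sentence are my own constructions.

```python
"""Added example: sanity checks on a release page's provenance claims.

Not Electrum project code. The fingerprint and the bad-binary hash are the
values quoted in the issue; function names and the sample text are mine.
"""
import hashlib
import re

# ThomasV's real signing key fingerprint, as given in the issue.
THOMASV_FINGERPRINT = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# SHA-256 of the malicious electrum-3.4.1.exe recorded in the issue.
KNOWN_BAD_SHA256 = {
    "6b327b099ef195ff63a0f2c15e339f3e39ec96d0f2a03d6a3b9357773d4e4602":
        "electrum-3.4.1.exe from the electrum-wallet/electrum fork",
}

# Constructed sample: the sentence the fake release page showed.
FAKE_RELEASE_TEXT = (
    "Sources and executables are signed by ThomasV. "
    "GPG Key ID : 0x6185FDBFC15DDD19"
)

_KEY_ID_RE = re.compile(r"GPG Key ID\s*:\s*(?:0x)?([0-9A-Fa-f]{8,40})")
_HEX = set("0123456789ABCDEF")


def normalize_key_id(claimed: str) -> str:
    """Upper-case, strip spaces and a leading 0x."""
    s = claimed.replace(" ", "").upper()
    if s.startswith("0X"):
        s = s[2:]
    return s


def key_id_matches_fingerprint(claimed: str, fingerprint: str) -> bool:
    """A short (8 hex) or long (16 hex) OpenPGP key ID is the trailing part
    of the full 40-hex fingerprint, so a claimed ID is consistent with the
    trusted key only if it is a suffix of that fingerprint."""
    cid = normalize_key_id(claimed)
    fp = normalize_key_id(fingerprint)
    if len(cid) not in (8, 16, 40) or not set(cid) <= _HEX:
        return False
    return fp.endswith(cid)


def extract_claimed_key_id(text: str):
    """Pull the key ID a release page claims, or None if there is none."""
    m = _KEY_ID_RE.search(text)
    return normalize_key_id(m.group(1)) if m else None


def check_release_text(text: str, fingerprint: str):
    """Return (claimed_id, consistent) for a release page's signing claim."""
    claimed = extract_claimed_key_id(text)
    if claimed is None:
        return None, False
    return claimed, key_id_matches_fingerprint(claimed, fingerprint)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents, as sha256sum would print it."""
    return hashlib.sha256(data).hexdigest()


def lookup_sha256(digest: str):
    """Label of a known-bad binary, or None if the hash is not on the list."""
    return KNOWN_BAD_SHA256.get(digest.strip().lower())


if __name__ == "__main__":
    claimed, ok = check_release_text(FAKE_RELEASE_TEXT, THOMASV_FINGERPRINT)
    verdict = "consistent with" if ok else "MISMATCH against"
    print(f"claimed key {claimed}: {verdict} trusted fingerprint")
    print(lookup_sha256(
        "6b327b099ef195ff63a0f2c15e339f3e39ec96d0f2a03d6a3b9357773d4e4602"))
```

A suffix match only tells you whether a page is even claiming the right key; because short and long key IDs can be collided, the real check is `gpg --verify` against the full fingerprint obtained out of band, and the hash lookup only catches binaries already known to be bad.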

@SomberNight SomberNight added phishing 🎣 For phishing websites, fake wallets and stuff like that maybe-malware user story which might be a result of malware labels Dec 21, 2018
@EagleTM
Contributor

EagleTM commented Dec 21, 2018

Good to see GitHub reacted so fast. They used to take quite some time in the past.

@SomberNight
Member Author

I am no longer sure it was GitHub that took down the repo, as a few minutes later I had also noticed that the website where the binaries were hosted was also down. Either GitHub took down the repo, the attacker noticed and took down the website; or the attacker was following the conversation on IRC and took down both himself.

@SomberNight SomberNight changed the title new malicious fork: electrum-wallet/electrum new malicious forks: electrum-wallet/electrum and electrum-project/electrum Dec 26, 2018
@SomberNight
Member Author

SomberNight commented Dec 26, 2018

@SomberNight SomberNight reopened this Dec 26, 2018
@upag

upag commented Dec 27, 2018

So if I understand the comments above: I tried to send a transaction and got a message that I could not send BTC until upgrading to Electrum 3.4.1. I was directed to a URL at GitHub and did the download for the upgrade, and immediately lost all of my bitcoin, and my wallet has been synchronizing for hours. I can see the bitcoin that was transferred into an unknown wallet. Have I just lost all of my bitcoin?

@ValdikSS
Contributor

ValdikSS commented Feb 4, 2019

electrum-wallet/electrum now contains only a single initial commit, with a README.md that states that "spesmilo/electrum" is the only Electrum.

@ecdsa ecdsa closed this as completed Feb 4, 2019
@ecdsa
Member

ecdsa commented Feb 4, 2019

closing this issue, the repo has been blocked

@ecdsa ecdsa removed the maybe-malware user story which might be a result of malware label Jun 28, 2019