new malicious forks: electrum-wallet/electrum and electrum-project/electrum #4953

Open
SomberNight opened this Issue Dec 21, 2018 · 4 comments

Comments

@SomberNight
Member

SomberNight commented Dec 21, 2018

There is a new malware being distributed that disguises itself as the "real" Electrum.
See https://github.com/electrum-wallet/electrum/releases

  • note the text "Sources and executables are signed by ThomasV. GPG Key ID : 0x6185FDBFC15DDD19"
    but the real key for ThomasV is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
  • note that the binaries are hosted at git-cdn.org, e.g. https://git-cdn.org/electrum-3.4.1-setup.exe
  • note that GitHub displays a green Verified badge on the release, as it is on a legit commit signed by me...
    "This commit was signed with a verified signature"
  • the binaries are almost surely based on modified source however
  • I could not yet decompile their binaries using the previous method since that method does not work on newer pyinstaller it seems
  • note that their windows binaries are signed by "PRO SOFTS"
    GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
    serial number: 158fd7d2fb6e69e775abee6e
    (signer name for legit Windows signer is "Electrum Technologies GmbH")
  • hash of one of the binaries for future reference
    $ sha256sum electrum-3.4.1.exe
    6b327b099ef195ff63a0f2c15e339f3e39ec96d0f2a03d6a3b9357773d4e4602  electrum-3.4.1.exe

  • their binaries use our crash reporter endpoints most likely; and issue #4952 was probably created by those
  • the "full list of included changes" they enumerate for their 3.4.1 release is simply our release notes for 3.2.3
    # Release 3.2.3 - (September 3, 2018)

@ecdsa @EagleTM

EDIT: GitHub promptly took down that repository. Thanks for that!
Archived at https://archive.fo/Fb2lZ
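The indicators listed in the comment above can be turned into a pre-install check. The following is an added example, not code from the issue or from the Electrum project: it encodes the rule that a PGP key ID must be a suffix of the trusted fingerprint, compares the Windows signer name, checks the download host, and compares the file hash against an allow-list. The trusted fingerprint and signer name are the ones the comment states; the allowed-host set and the known-good hash set are this example's own assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Values the issue states (ThomasV's real fingerprint, the legit Windows signer).
TRUSTED_FINGERPRINT = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"
TRUSTED_WIN_SIGNER = "Electrum Technologies GmbH"
# Assumption for this example: hosts a release may legitimately be fetched from.
ALLOWED_HOSTS = {"download.electrum.org", "electrum.org", "github.com"}


def normalize_hex_id(value: str) -> str:
    """Drop an optional 0x prefix and internal spaces, upper-case the hex digits."""
    v = value.strip().replace(" ", "")
    if v[:2].lower() == "0x":
        v = v[2:]
    return v.upper()


def key_id_matches_fingerprint(claimed_key_id: str, fingerprint: str) -> bool:
    """A PGP short ID is the last 8 hex digits of the fingerprint, a long ID the
    last 16. A claimed ID that is not such a suffix cannot name the trusted key."""
    kid = normalize_hex_id(claimed_key_id)
    fpr = normalize_hex_id(fingerprint)
    return len(kid) in (8, 16, 40) and fpr.endswith(kid)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def release_red_flags(claimed_key_id: str, download_url: str, win_signer: str,
                      file_bytes: bytes, known_good_sha256: set) -> list:
    """Return the list of red flags raised by a release; empty means nothing found."""
    flags = []
    if not key_id_matches_fingerprint(claimed_key_id, TRUSTED_FINGERPRINT):
        flags.append("gpg-key-id-mismatch")
    host = urlparse(download_url).hostname or ""
    if host not in ALLOWED_HOSTS:
        flags.append("unexpected-download-host:" + host)
    if win_signer != TRUSTED_WIN_SIGNER:
        flags.append("unexpected-authenticode-signer:" + win_signer)
    if sha256_hex(file_bytes) not in known_good_sha256:
        flags.append("sha256-not-in-known-good-list")
    return flags
```

An empty result only means the four checks passed; the hash allow-list must itself come from a source you already trust, such as a GPG-verified release page.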

@EagleTM

Contributor

EagleTM commented Dec 21, 2018

Good to see GitHub reacted so fast. They used to take quite some time in the past.

@SomberNight

Member

SomberNight commented Dec 21, 2018

I am no longer sure it was GitHub that took down the repo, as a few minutes later I also noticed that the website where the binaries were hosted was down. Either GitHub took down the repo and the attacker, noticing that, took down the website; or the attacker was following the conversation on IRC and took down both himself.

@SomberNight SomberNight changed the title new malicious fork: electrum-wallet/electrum new malicious forks: electrum-wallet/electrum and electrum-project/electrum Dec 26, 2018

@SomberNight

Member

SomberNight commented Dec 26, 2018

@SomberNight SomberNight reopened this Dec 26, 2018

@upag


upag commented Dec 27, 2018

So, if I understand the comments above: I tried to send a transaction and got a message that I could not send BTC until upgrading to Electrum 3.4.1. I was directed to a URL at GitHub and downloaded the upgrade, and immediately lost all of my bitcoin; my wallet has been synchronizing for hours. I can see the bitcoin that was transferred into an unknown wallet. Have I just lost all of my bitcoin?
