Slashdot Mirror


Users Report Losing Bitcoin in Clever Hack of Electrum Wallets (zdnet.com)

A hacker -- or potentially a group of hackers -- has made over 200 Bitcoin (circa $750,000 at today's exchange) using a clever attack on the infrastructure of the Electrum Bitcoin wallet over the last week. From a report: The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository. The attack began last week on Friday, December 21, and appears to have been temporarily stopped earlier today after GitHub admins took down the hacker's GitHub repository. Admins of the Electrum wallet expect a new attack to soon get underway, with either a new GitHub repo or a link to another download location altogether. This is because the vulnerability at the heart of this attack has remained unpatched, although Electrum wallet admins have taken steps to mitigate its usability for the attacker.

72 comments

  1. And that's why you verify with GPG sig by Anonymous Coward · · Score: 1

    such program's installer before installing it.
    This assumes you have used the same GPG key in the past for previous versions. If you downloaded it NOW for the 1st time AND the hackers managed to substitute the GPG key mentioned/linked on the official website, then there's nothing more you can do.
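
An added example, not part of the comment above or of Electrum's code: a check that accepts an installer only when `gpg --status-fd 1 --verify` reports a valid signature from a key fingerprint recorded during an earlier release, which is the condition the comment relies on. The fingerprints, the `verdict` and `status_for` names and the sample status lines are constructed for illustration.

```python
import re

# Constructed 40-hex fingerprints (hypothetical, not any project's real key).
PINNED_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"  # saved when an earlier release was verified
OTHER_FPR = "0F0E0D0C0B0A09080706050403020100FFEEDDCC"   # key fetched together with today's download
PINNED = {PINNED_FPR}

STATUS = re.compile(r"^\[GNUPG:\] (\S+) ?(.*)$")
FAILURES = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def verdict(status_text, pinned):
    """Decide from gpg's machine-readable status lines whether to trust a file.

    Returns (ok, reason). A signature that gpg calls good is still rejected
    unless the signing key (or its primary key) is one we pinned earlier.
    """
    signers, failed = set(), None
    for line in status_text.splitlines():
        m = STATUS.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), m.group(2).split()
        if keyword in FAILURES:
            failed = keyword
        elif keyword == "VALIDSIG" and args:
            signers.add(args[0].upper())       # fingerprint of the signing (sub)key
            if len(args) >= 10:
                signers.add(args[9].upper())   # primary key fingerprint, when present
    if failed:
        return False, "signature check failed: " + failed
    if not signers:
        return False, "no valid signature"
    if signers & pinned:
        return True, "valid signature from pinned key"
    return False, "valid signature from unpinned key"


def status_for(fpr):
    """Constructed status output for a good signature made by key `fpr`."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG %s Example Signer <signer@example.invalid>" % fpr[-16:],
        "[GNUPG:] VALIDSIG %s 2018-12-20 1545300000 0 4 0 1 8 00 %s" % (fpr, fpr),
    ])


# Constructed status output for a file that does not match its signature.
TAMPERED = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG %s Example Signer" % PINNED_FPR[-16:]

if __name__ == "__main__":
    for name, text in [("pinned key", status_for(PINNED_FPR)),
                       ("substituted key", status_for(OTHER_FPR)),
                       ("tampered file", TAMPERED),
                       ("unsigned", "")]:
        print(name, "->", verdict(text, PINNED))
```

The "substituted key" case is the one the comment warns about: gpg itself reports a good signature, and only the pinned fingerprint distinguishes it from the real release.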

  2. Haha by Anonymous Coward · · Score: 0

    CRYPTO IS THE FUTURE!!!

  3. LOL ... love these stories ... by Anonymous Coward · · Score: 1, Insightful

    The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository.

    You know, after so much hype and bullshit around cryptocurrencies, this shit just makes me laugh.

    You wanted to play in an unregulated financial industry, this is what you get. It's the wild west of scams and idiots, and I have no sympathy for any of them.

    Boo fucking hoo, more cryptocurrency fools have lost their money.

    1. Re:LOL ... love these stories ... by MikeDataLink · · Score: 2, Interesting

      The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository.

      You know, after so much hype and bullshit around cryptocurrencies, this shit just makes me laugh.

      You wanted to play in an unregulated financial industry, this is what you get. It's the wild west of scams and idiots, and I have no sympathy for any of them.

      Boo fucking hoo, more cryptocurrency fools have lost their money.

      You know people said the same thing when physical currency was introduced. Same exact arguments, physical currency was just stolen by people with bigger muscles and weapons instead of hacking skills.

      --
      Mike @ The Geek Pub. Let's Make Stuff!
    2. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 2, Insightful

      Then keep playing with it. Personally I'll stick with my bank, my stock broker, and my credit card company. Literally millions of dollars have flowed thru these institutions directly by me and not a single penny has been misplaced over decades. I'll stick with what works for me. And exactly what happened when law enforcement was notified of the hack? Anything? I know if someone robbed me of cash I'd call the police and they would at least try to look for the thief.

    3. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      You know, after so much hype and bullshit around currency, this shit just makes me laugh.

      You wanted to play in a conceptual trading industry, this is what you get. It's the wild west of scams and idiots, and I have no sympathy for any of them.

      Boo fucking hoo, more currency fools have lost their arbitrary value.

    4. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      You can't speak logic to these folks. They just can't get their head around such a new idea that requires evolutionary steps we've for the most part forgotten about.

    5. Re:LOL ... love these stories ... by nukenerd · · Score: 1, Informative

      You know people said the same thing when physical currency was introduced. ... physical currency was just stolen by people with bigger muscles and weapons instead of hacking skills.

      Citation for what was said then? Physical money (coins) replaced bartered physical objects (sacks of corn, chunks of metal) so the possibility of stealing was not new at the time when coins were introduced.

      Fortunately, there is a physical limit to what the "bigger muscled" guys can steal from me because I don't carry all the money I own on me all the time. Typically I might have only about 0.01% of it, so that's all they could take - the rest is buried in a secret place in my garden (LoL). OTOH your entire wealth in digital form can be stolen all in one go.

    6. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 1

      You can't use logic with crypto supporters to make them realize that if/when crypto goes through the evolutionary steps you are talking about that it will end up subject to rules and laws that take away 99.9% of the original touted advantages of crypto.

    7. Re: LOL ... love these stories ... by DFurno2003 · · Score: 0

      "people said the same thing when physical currency was introduced. Same exact arguments,"

      Citation badly needed

    8. Re:LOL ... love these stories ... by war4peace · · Score: 0

      Literally millions of dollars have flowed thru these institutions directly by me and not a single penny has been misplaced over decades.

      That's because proper safeguarding instruments had been implemented decades before your time. Currency was insecure for hundreds of years before today's times, and still is as far as cash is concerned.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    9. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      You know people said the same thing when physical currency was introduced

      Now there's some grade A fucking bullshit ... humans have been using coins since before the Romans.

      You're just spouting bullshit and you know it.

    10. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      You know people said the same thing when physical currency was introduced.

      You have reliable records of opinions from ancient Egypt?!?! Why the hell haven't you published your discoveries? I would sure love to read about them. I mean, you do realize that physical currency has a VERY long history, right?

    11. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      You have one. Go look for it!

    12. Re:LOL ... love these stories ... by ArchieBunker · · Score: 2

      Half the time the police steal from you. Get pulled over and have a few thousand dollars on you? It's assumed to be drug money and confiscated under civil forfeiture. You'll get it back eventually after getting a lawyer involved.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    13. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 1, Insightful

      Where are the proper safeguarding instruments for various crypto faux-currency?

      There are none which makes the 99% of crypto nerds who collectively own 1% of crypto faux-coins (the 99% belonging to the Chinese government) incredibly fucking naive. When my bank is robbed I personally lose nothing. When a waiter steals my credit card info I lose nothing. When my crypto faux-coin wallet is ripped off I get wiped out with no recourse.

      Which is the smart way to go and which is dumb?

      Crypto faux-currency serves no real world purpose or role.

    14. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      If she filed a report, care to share it? All reports are public record after all.

      Not saying I don't believe you, but I don't believe you. Mostly because if the police acted that way, one could sue the police department and demand a jury. And with evidence handed to them, that's going to be a hell of a lot of explaining to do and once the press catches wind there's going to be a lot of heads on the chopping block.

    15. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      Yea I think this is all FUD. The cops had video evidence but told you they couldn't do anything? Sounds like a nice lawsuit to me.

    16. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      The OP lives in Florida. A repubtard shit hole.

    17. Re:LOL ... love these stories ... by dissy · · Score: 2

      Fortunately, there is a physical limit to what the "bigger muscled" guys can steal from me because I don't carry all the money I own on me all the time. Typically I might have only about 0.01% of it, so that's all they could take - the rest is buried in a secret place in my garden (LoL). OTOH your entire wealth in digital form can be stolen all in one go.

      What's ironic is bitcoin was designed to be used the same way, but for some reason few seem to do so.

      Bitcoin wallets are free, and transferring small amounts into a new one to have with you or for specific purchases is trivial. Similar to only carrying a small amount of cash with you.

      What is far worse however is many people don't even keep *one* wallet let alone multiples.
      They entrust that task to online sites like exchanges to manage their wallet for them.

      It would be akin to not carrying any cash, but instead having Bob hold your cash and follow you around all day in case you need him to take money or hand some out on your behalf.
      The thing is, you don't really know Bob.
      For some people they wake up one day and Bob has disappeared.
      Or one day Bob says he got beaten up and your money was stolen.

      It's quite silly sounding to even have a Bob that does this, but that seems to be the norm.

    18. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      You know people said the same thing when physical currency was introduced. Same exact arguments, physical currency was just stolen by people with bigger muscles and weapons instead of hacking skills.

      Not exactly the same situation because cash is regulated but not crypto currency.

    19. Re:LOL ... love these stories ... by Dunbal · · Score: 1

      Physical currency is backed by governments, laws, courts, police forces and, as a last resort, an army.

      --
      Seven puppies were harmed during the making of this post.
    20. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      Where in Florida? I said mayor. If you live in Miami or any other high population area then everything I said is true. You live in obamaville and suffer the consequences of your dumb voting. And I -knew- you were an irrational leftist from your whining about crime and cops being too busy to wrap a case handed to them on a silver platter. Exact same thing happened to my buddy who got pistol whipped and robbed in San Francisco. Attacker was on video a few blocks away at a gas station using his card. Cops did nothing. Obamaville shithole.

      Please stay in your own leftist shithole city, do not leave and bring your stupid votes to my area where the cops aggressively pursue arrests especially when someone hands it to them on a silver platter with video and names. That shit does not happen in nice places where the cops are supported and appreciated by the citizenry and not seen as enforcers of fascism by socialist morons.

    21. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      What city? Leftist controlled shithole?

      Name the city and provide a case # or stfu.

    22. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      ... half the time?

    23. Re:LOL ... love these stories ... by Anonymous Coward · · Score: 0

      Just curious ... are the perps (your wife's co-workers and your sister-in-law) all white? That would explain how they skated.

    24. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      Evidence the card was used, yes... but their lawyer would say "Their co-worker gave them permission to use the card, then changed her mind." giving reasonable doubt.

      It's their three person word vs. the single victim word, so more evidence on the side of innocent, so probably a not guilty verdict, so not worth the cops time.

      Now, if there was video of them snatching the card from the victim's purse as well...

    25. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      You're joking right? She said I could borrow her car indefinitely, officer. Then she changed her mind. I have witnesses. I can keep the car, right?

    26. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      What came before physical currency that was immune to theft. I must have slept through that history class.

    27. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      The police are unlikely to bother to follow up on coworkers stealing from each other as that can be handled at the workplace. I suspect if they were people not known to your wife it would have been handled differently.

    28. Re: LOL ... love these stories ... by Anonymous Coward · · Score: 0

      Given that, crypto currency is backed by software, consensus, and as a last resort, an army of soldiers of Fortune.

    29. Re: LOL ... love these stories ... by Dunbal · · Score: 1

      I don't think you understand what the word "backed" means.

      Software as a series of instructions followed by computers, does not "back" anything any more than a cookbook backs food. Consensus can "back" something, but since the majority of people don't own or want bitcoin (evidenced by its spectacular failure), consensus doesn't back bitcoin at all. And soldiers of fortune, quite by definition, back the highest bidder.

      On the other hand the US laws are very real, the police forces are constantly and actively seeking law breakers and cushy little economic crimes like money laundering, fraud and tax evasion where they might be able to do a little civil asset forfeiture and benefit directly tend to draw a lot more attention than those crimes where officers won't gain much more than a pat on the back and a "job well done" and shot for their efforts; so they are always looking. Courts are constantly processing new criminals. The US Army (and other more subtle branches of the US government) are all over the world, acting as the long arm of the US government. And finally, as the Kim Dotcom and more recently the Huawei thing clearly demonstrates, both of them cases where the US government had no jurisdiction and no legal right to do what it did and yet convinced other countries to arrest individuals even though no local laws had been broken: the law is whatever the US government decides it to be.

      Sure. Tell me about how impressed I should be with blockchain...

      --
      Seven puppies were harmed during the making of this post.
  4. Greater fool theory by Anonymous Coward · · Score: 1

    It is worth only what the next fool thinks it is.

    Also - "circa" - this is no eurotrash website, msmash. Please keep that lingo appropriate.

    1. Re:Greater fool theory by Anonymous Coward · · Score: 0

      The zdnet article already goes "circa". Just like it goes "group of hackers, hacking, with hacks". msmash just really likes the meaningless clickbait. The "circa" is really the only thing vaguely honest about the whole thing, because bitcoin roller coaster.

  5. Don't worry, your coins are safe with us hahahahah by Anonymous Coward · · Score: 0

    Don't worry, your coins are safe with us hahahahah

  6. Package Manager by jwymanm · · Score: 1

    Glad I just rely on package management to update. Though I know that's not entirely safe all the time also but it is a hell of a lot safer.

    1. Re:Package Manager by Anonymous Coward · · Score: 0

      Yeah, this attack doesn't seem clever so much as relying on end user stupidity.

  7. Re: good by Anonymous Coward · · Score: 0, Troll

    Yup it's time for the bitcoin stories to die

    This was the tech version of a pyramid scheme. Time for it to be banned

  8. Re:good by MikeDataLink · · Score: 1

    if it can't be used as safe currency then maybe graphic card and ram prices can return to normal

    Uh dude. They did. In fact, ebay is flooded with graphics cards below market value as miners are abandoning ship.

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  9. Re:black people by Anonymous Coward · · Score: 0

    fried chicken and waffles

  10. Re: good by Anonymous Coward · · Score: 0

    But it uses blockchain technology!

  11. And it's ... by Anonymous Coward · · Score: 0

    Gone

  12. Re: good by Anonymous Coward · · Score: 0

    Because I want a card someone previously mined with?

  13. Re: good by Impy the Impiuos Imp · · Score: 1

    Speaking of which, can't these coins be tracked and if someone tries to cash them out, there's your thief?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  14. any benefit to e-wallets? by Anonymous Coward · · Score: 0

    Is there any reason to use E-wallets? (can you keep bitcoin files on your own computer?) the only time I ever see anything about e-wallets is when it's used to steal from someone

    1. Re:any benefit to e-wallets? by Pascoea · · Score: 1

      It's the same reason as everything else "in the cloud": ease and convenience. I can choose to set something up on my computer, make sure it's accessible when I need it, make sure it's backed up, maintain it, etc. etc. Or I can trust someone else to do it for me, usually for a small fee. The problem is that the cryptocurrency sector is, by design, shady. You don't know who you are dealing with.

  15. Re: good by Anonymous Coward · · Score: 0

    many miners undervolt so a lot of miner cards are gonna be ok to game with

  16. Re: good by sacrilicious · · Score: 2, Funny

    Burn them! Burn all crypto-currency users!

    And I'm also afraid of the internet, let's burn that too.

    --
    - First they ignore you, then they laugh at you, then ???, then profit.
  17. Blockchain Security!!! by sdinfoserv · · Score: 0

    Any other blockchain evangelists want to pontificate how secure the technology is?
    If nothing else, why can't the coins be tracked to the new wallet (they are) and recouped? Oh, ya, it's unregulated and not back by a government.. to bad.

    1. Re:Blockchain Security!!! by Anonymous Coward · · Score: 0

      One might even go as far as to say "too bad."

  18. Re: good by Anonymous Coward · · Score: 0

    yeah, but that'd mean getting the government involved to uncover the IP addresses of those wallets, and seeing these are mostly used for illegal purchases, most users effected were probably involved in less than legal dealings and would rather not risk exposing themselves.

  19. This is why unsigned code is bad. by dgatwood · · Score: 1

    I’m not saying Apple’s strict walled garden is a good approach, because the inability to trust new certs actually can make this sort of attack easier by causing third-party app stores to be unsigned until installation, but there is something to be said about ensuring that any app that was code signed by a different cert loses access to app data.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  20. Distributed Ledger by Anonymous Coward · · Score: 0

    If it's a distributed ledger, why can't the stolen coins be tracked and recalled? Or at least tracked? I always thought blockchain a big thing was to be able to trace every transaction ever in an untamperable fashion.

    1. Re:Distributed Ledger by Anonymous Coward · · Score: 0

      So if someone is allowed to do this edit who? What happens if they abuse this position? Will cause distrust if done. I believe ethereum has done this at least once.

    2. Re: Distributed Ledger by Anonymous Coward · · Score: 0

      In which case, it is a currency without any concept of policing, recovery, theft prevention or insurance. A solid new world.

    3. Re:Distributed Ledger by Anonymous Coward · · Score: 0

      how can you "recall" a transaction if it is supposed to be an "untamperable fashion". Bitcoin is traceable as is every transaction. But it requires the end user to reveal their identity through mistakes or transactions and requires them to be in a country where you can actually do something about it. Bitcoin absolutely sucks balls from a consumer protection perspective and the criminal is well protected (except from their own mistakes)

    4. Re: Distributed Ledger by Anonymous Coward · · Score: 0

      Well some level of those can be applied at market level. Also no insurance theft :P
      Governments can not leverage the system to impose sanctions or just take people's money when they feel like it.

  21. Bullshit detector missing? by Anonymous Coward · · Score: 0

    Are some people criminally stupid? How do you go to some location and download *something*, don't ask questions even when large amounts of money are at stake? That sets off at least a yellow alert surely?!?

    * picard facepalm *

  22. ignore this by doug141 · · Score: 1

    posting to fix a fat finger mod mistake.

  23. Re: good by Anonymous Coward · · Score: 0

    Does it have STDs? If it's in working condition why wouldn't you want it?

    Seriously - is there a real risk of some failed miner putting malware in the graphics card?

  24. Re: good by Anonymous Coward · · Score: 0

    Affected.

  25. Re: good by Anonymous Coward · · Score: 0

    My favorite explanation of bitcoin is from Twitter: Imagine if keeping your car idling 24-7 produced solved Sudokus you could trade for heroin.

  26. Great Timing by Anonymous Coward · · Score: 0

    Good thing they waited until now to steal the Bitcoins. Such wealth!

  27. Re: good by Anonymous Coward · · Score: 0

    There is significant risk of the card having been overclocked and overheated to near death, so that you will pay a lot of money for a used card that may or may not live for a few more months

  28. Miner Miner Forty-Niner by Anonymous Coward · · Score: 0

    krypto kurrency.
    1849. Live the dream. Again. Make 'merka Greedy Again.

  29. shithole by Anonymous Coward · · Score: 0

    The whole COUNTRY is a shithole, as evidenced by your comments. "obamaville" this, "leftist" that. like that dumbass in the white house, you can't see the forest for the trees. you deserve the shithole you live in. god bless !merka