Users Report Losing Bitcoin in Clever Hack of Electrum Wallets (zdnet.com)

← Back to Stories (view on slashdot.org)

Users Report Losing Bitcoin in Clever Hack of Electrum Wallets (zdnet.com)

Posted by msmash on Thursday December 27, 2018 @04:01AM from the security-woes dept.

A hacker -- or potentially a group of hackers -- has made over 200 Bitcoin (circa $750,000 at today's exchange) using a clever attack on the infrastructure of the Electrum Bitcoin wallet over the last one week. From a report: The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository. The attack began last week on Friday, December 21, and appears to have been temporarily stopped earlier today after GitHub admins took down the hacker's GitHub repository. Admins of the Electrum wallet expect a new attack to soon get underway, with either a new GitHub repo or a link to another download location altogether. This is because the vulnerability at the heart of this attack has remained unpatched, albeit Electrum wallet admins taking steps to mitigate its usability for the attacker.

19 of 72 comments (clear)

Min score:

Reason:

Sort:

And that's why you verify with GPG sig by Anonymous Coward · 2018-12-27 04:10 · Score: 1

such program's installer before installing it.
This assumes you have used the same GPG key in the past for previous versions. If you downloaded it NOW for the 1st AND the hackers managed to substitute the GPG key mentioned/linked on the official website, then there's nothing more you can do.
LOL ... love these stories ... by Anonymous Coward · 2018-12-27 04:16 · Score: 1, Insightful

The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository.
You know, after so much hype and bullshit around cryptocurrencies, this shit just makes me laugh.
You wanted to play in an unregulated financial industry, this is what you get. It's the wild west of scams and idiots, and I have no sympathy for any of them.
Boo fucking hoo, more cryptocurrency fools have lost their money.
1. Re:LOL ... love these stories ... by MikeDataLink · 2018-12-27 04:36 · Score: 2, Interesting
  
  The attack resulted in legitimate Electrum wallet apps showing a message on users' computers, urging them to download a malicious wallet update from an unauthorized GitHub repository.
  You know, after so much hype and bullshit around cryptocurrencies, this shit just makes me laugh.
  You wanted to play in an unregulated financial industry, this is what you get. It's the wild west of scams and idiots, and I have no sympathy for any of them.
  Boo fucking hoo, more cryptocurrency fools have lost their money.
  You know people said the same thing when physical currency was introduced. Same exact arguments, physical currency was just stolen by people with bigger muscles and weapons instead of hacking skills.
  
  --
  Mike @ The Geek Pub. Let's Make Stuff!
2. Re:LOL ... love these stories ... by Anonymous Coward · 2018-12-27 04:47 · Score: 2, Insightful
  
  Then keep playing with it. Personally I'll stick with my bank, my stock broker, and my credit card company. Literally millions of dollars have flowed thru these institutions directly by me and not a single penny has been misplaced over decades. I'll stick with what works for me. And exactly what happened when law enforcement was notified of the hack? Anything? I know if someone robbed me of cash I'd call the police and they would at least try to look for the thief.
3. Re:LOL ... love these stories ... by nukenerd · 2018-12-27 05:22 · Score: 1, Informative
  
  You know people said the same thing when physical currency was introduced. ... physical currency was just stolen by people with
  bigger muscles and weapons instead of hacking skills.
  Citation for what was said then? Physical money (coins) replaced bartered physical objects (sacks of corn, chunks of metal) so the possibility of stealing was not new at the time when coins were introduced.
  Fortunately, there is a physical limit to what the "bigger muscled" guys can steal from me because I don't carry all the money I own on me all the time. Typically I might have only about 0.01% of it, so that's all they could take - the rest is buried in a secret place in my garden (LoL). OTOH your entire wealth in digital form can be stolen all in one go.
4. Re:LOL ... love these stories ... by Anonymous Coward · 2018-12-27 05:27 · Score: 1
  
  You can't use logic with crypto supporters to make them realize that if/when crypto goes through the evolutionary steps you are talking about that it will end up subject to rules and laws that take away 99.9% of the original touted advantages of crypto.
5. Re:LOL ... love these stories ... by ArchieBunker · 2018-12-27 06:17 · Score: 2
  
  Half the time the police steal from you. Get pulled over and have a few thousand dollars on you? It's assumed to be drug money and confiscated under civil forfeiture. You'll get it back eventually after getting a lawyer involved.
  
  --
  Only the State obtains its revenue by coercion. - Murray Rothbard
6. Re: LOL ... love these stories ... by Anonymous Coward · 2018-12-27 06:20 · Score: 1, Insightful
  
  Where are the proper safeguarding instruments for various crypto faux-currency?
  There are none which makes the 99% of crypto nerds who collectively own 1% of crypto faux-coins (the 99% belonging to the Chinese government) incredibly fucking naive. When my bank is robbed I personally lose nothing. When a waiter steals my credit card info I lose nothing. When my crypto faux-coin wallet is ripped off I get wiped out with no recourse.
  Which is the smart way to go and which is dumb?
  Crypto faux-currency serves no real world purpose or role.
7. Re:LOL ... love these stories ... by dissy · 2018-12-27 08:22 · Score: 2
  
  Fortunately, there is a physical limit to what the "bigger muscled" guys can steal from me because I don't carry all the money I own on me all the time. Typically I might have only about 0.01% of it, so that's all they could take - the rest is buried in a secret place in my garden (LoL). OTOH your entire wealth in digital form can be stolen all in one go.
  What's ironic is bitcoin was designed to be used the same way, but for some reason few seem to do so.
  Bitcoin wallets are free, and transferring small amounts into a new one to have with you or for specific purchases is trivial. Similar to only carrying a small amount of cash with you.
  What is far worse however is many people don't even keep *one* wallet let alone multiples.
  They entrust that task to online sites like exchanges to manage their wallet for them.
  It would be akin to not carrying any cash, but instead having Bob hold your cash and follow you around all day in case you need him to take money or hand some out on your behalf.
  The thing is, you don't really know Bob.
  For some people they wake up one day and Bob has disappeared.
  Or one day Bob says he got beaten up and your money was stolen.
  It's quite silly sounding to even have a Bob that does this, but that seems to be the norm.
8. Re:LOL ... love these stories ... by Dunbal · 2018-12-27 13:05 · Score: 1
  
  Physical currency is backed by governments, laws, courts, police forces and, as a last resort, an army.
  
  --
  Seven puppies were harmed during the making of this post.
9. Re: LOL ... love these stories ... by Dunbal · 2018-12-31 00:16 · Score: 1
  
  I don't think you understand what the word "backed" means.
  Software as a series of instructions followed by computers, does not "back" anything any more than a cookbook backs food. Consensus can "back" something, but since the majority of people don't own or want bitcoin (evidenced by its spectacular failure), consensus doesn't back bitcoin at all. And soldiers of fortune, quite by definition, back the highest bidder.
  On the other hand the US laws are very real, the police forces are constantly and actively seeking law breakers and cushy little economic crimes like money laundering, fraud and tax evasion where they might be able to do a little civil asset forfeiture and benefit directly tend to draw a lot more attention than those crimes where officers won't gain much more than a pat on the back and a "job well done" and shot for their efforts; so they are always looking. Courts are constantly processing new criminals. The US Army (and other more subtle branches of the US government) are all over the world, acting as the long arm of the US government. And finally, as the Kim Dotcom and more recently the Huawei thing clearly demonstrates, both of them cases where the US government had no jurisdiction and no legal right to do what it did and yet convinced other countries to arrest individuals even though no local laws had been broken: the law is whatever the US government decides it to be.
  Sure. Tell me about how impressed I should be with blockchain...
  
  --
  Seven puppies were harmed during the making of this post.
Greater fool theory by Anonymous Coward · 2018-12-27 04:19 · Score: 1

It is worth only what the next fool thinks it is.
Also - "circa" - this is no eurotrash website, msmash. Please keep that lingo appropriate.
Package Manager by jwymanm · 2018-12-27 04:32 · Score: 1

Glad I just rely on package management to update. Though I know that's not entirely safe all the time also but it is a hell of a lot safer.
Re:good by MikeDataLink · 2018-12-27 04:33 · Score: 1

if it cant be used as safe currency then maybe graphic card and ram prices can return to normal
Uh dude. They did. In fact, ebay is flooded with graphics cards below market value as miners are abandoning ship.

--
Mike @ The Geek Pub. Let's Make Stuff!
Re: good by Impy+the+Impiuos+Imp · 2018-12-27 05:41 · Score: 1

Speaking of which, can't these coins be tracked and if someone tries to cash them out, there's your thief?

--
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Re: good by sacrilicious · 2018-12-27 06:12 · Score: 2, Funny

Burn them! Burn all crypto-currency users!
And I'm also afraid of the internet, let's burn that too.

--
- First they ignore you, then they laugh at you, then ???, then profit.
This is why unsigned code is bad. by dgatwood · 2018-12-27 07:03 · Score: 1

I’m not saying Apple’s strict walled garden is a good approach, because the inability to trust new certs actually can make this sort of attack easier by causing third-party app stores to be unsigned until installation, but there is something to be said about ensuring that any app that was code signed by a different cert loses access to app data.

--
Check out my sci-fi/humor trilogy at PatriotsBooks.
Re:any benefit to e-wallets? by Pascoea · 2018-12-27 09:33 · Score: 1

It's the same reason as everything else "in the cloud": ease and convenience. I can choose to set something up on my computer, make sure it's accessible when I need it, make sure it's backed up, maintain it, etc. etc. Or I can trust someone else to do it for me, usually for a small fee. The problem is that the cryptocurrency sector is, by design, shady. You don't know who you are dealing with.
ignore this by doug141 · 2018-12-27 10:58 · Score: 1

posting to fix a fat finger mod mistake.