Electrum, one of the most well-known and secure bitcoin wallet application, released a warning with confirmed evidence of a copycat wallet client called “Electrum Pro,” that fraudulently phished a user’s wallet keys to steal funds.
Launched in 2011, Electrum is known for its friendly interface and accessibility alongside using advanced security measures such as multisig authentication and compatibility with hardware wallets, such as Trezor and Ledger. As every great product is often susceptible to duplicates and malicious copycats, however, Electrum was on the receiving end this time.
Electrum Pro, a malware wallet that stole both Electrum’s name and the user’s bitcoins, recently gained popularity as a legitimate product. However, the fame obviously alarmed developers of the original wallet about Pro’s authenticity, leading them to investigate the product’s code. Their suspicions were later confirmed to be true, with Electrum’s team promptly releasing their findings to the public.
We now have proof that "Electrum Pro" is bitcoin-stealing malware. The sha256sum of https://t.co/cCVFExIrNy is f497d2681dc00a7470fef7bcef8228964a2412889cd70b098cb8985aa1573e99. This hash can be confirmed independently using https://t.co/5RT3AeyjXp.
— Electrum (@ElectrumWallet) May 8, 2018
Posted on their website on May 9, 2018, with a link to their GitHub page, Electrum’s developer team released specifics of the malicious code and published a detailed DIY document that encouraged users to confirm the misdoings for themselves.
According to the GitHub post, the malicious code is seen in the lines 223-248 in electrumpro_keystore.py, after which the Pro wallet appears to steal the user’s wallet seed keys and uploads them to the hacker’s servers.
Adding to this, the developers reveal that their investigation has only been done on Pro’s “electrum pro-4.0.2.dmg” macOS binary and “ElectrumPro-4.0.2-Standalone.zip” Windows binary, but warned that “is safe to assume that the other Windows binaries are malicious as well.”
As it stands, in order to trap unsuspecting users, the treacherous team behind Electrum Pro hosted the duping wallet on electrum.com, which easily misled users from the official electrum.org website.
An integral and sensitive part of a bitcoin wallet, seed keys are cryptographic trees that store human-readable words into an algorithmically-converted root private key. By gaining access to the seed keys, anyone can be capable of draining a user’s bitcoin wallet.
Electrum No Stranger to Such Frauds
In the past, scammers have conducted similar attacks to dupe Electrum users, by registering similar-looking domains and providing a similar interface. However, this is by far the most significant instance of a phishing effort, with the malicious product closely replicating the original one.
Unless a user was conversant enough with the original website, Pro’s interface comes close to Electrum’s, with the site claiming to be a “fork” of the latter.
Interestingly, the fraudulent Electrum Pro was reportedly “higher-rated” on Google’s PlayStore, appearing above the original Electrum in a “bitcoin wallet” app search. Upon conducting a Google web search, BTCManager found out similar results. However, Electrum Pro has seemingly exited after its fraud coming to light and doesn’t appear in search results as on the time of writing.
Electrum’s developers claim that only users of the Windows and OS X versions of Electrum Pro are affected, while the Linux version appears to be clean. To ensure such problems do not appear in the future, Electrum is working towards gaining a “verified” status on the Windows Store, with an official app on Mac Store soon to follow.
As a suggestion, BTCManager appeals to its readers to check their versions of Electrum, and immediately shift their bitcoins in case of a fallacy.