Developers have found that a fake version of a popular Bitcoin Wallet comes equipped with the ability to steal users’ seeds.
On 9 May, the Electrum team published a document on GitHub calling out “Electrum Pro” as “stealware” and “bitcoin-stealing malware.”
According to the developers, the individuals behind Electrum Pro took control of “electrum dot com” and created a website with a slightly different design and logo than the Bitcoin wallet’s actual website, which is located at electrum.org. When called out as scammers, those managing Electrum Pro responded on Reddit by saying their website is a fork of the Electrum project. They went on to state that their work aims to help “improve the user experience.”
Electrum’s developers have long suspected that these copycats were up to no good, but they had no “formal evidence” of any wrongdoing, so all they could do was warn users to be careful.
That changed when they decided to do a public security audit of one of Electrum Pro’s Windows binaries.
The developers downloaded the binary from Electrum Pro’s website, uncompressed the zip, unpacked the binary, decompiled it and had a look at the output. Something immediately stood out for them. As they wrote on GitHub:
In this binary, a few extra lines have been added by the scammers: A thread is started that sends an HTTP POST request to their website, and its payload is the user’s seed. This demonstrates that “Electrum Pro” is bitcoin-stealing malware.
For their analysis, Electrum’s developers looked at just one of Electrum Pro’s Windows binaries. They confirmed that the .dmg file for Mac users contains the same modifications as the file they examined and believes the other binaries available for PC could be dangerous. As for the Linux packages, they found them to be relatively harmless “presumably because the scammers did not want to have these changes in plain sight.”
Electrum’s developers concluded by recommending that users download their software only from official sources and check the GPG signatures.
News of this discovery follows several months after a cybercrime gang based in Ukraine made as much as $50 million after tricking Bitcoin investors into handing over the login credentials for their online wallets.