Decompiling the ElectrumPro Stealware

Electrum is a popular Bitcoin wallet, distributed on and spesmilo/electrum.

A few weeks ago, scammers bought the electrum dot com domain and started using it to distribute a modified, malicious version of Electrum called ElectrumPro that steals its users' bitcoins.

The Electrum team published a guide to decompiling the ElectrumPro binary on Windows to prove that it is indeed stealing from users:

This document describes how to decompile the “Electrum Pro” Windows binaries, and how to verify that they indeed contain bitcoin-stealing malware. We previously warned users against “Electrum Pro”, but we did not have formal evidence at that time.

The scammers seem to have invested a big sum to acquire the domain, which was previously used by someone in the US to sell energy drinks and food. The change happened on the 23rd of March 2018 according to whois data:

Registry Domain ID: 24034_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2018-03-23T21:33:29Z
Creation Date: 1996-05-15T04:00:00Z
Registry Expiry Date: 2023-05-16T04:00:00Z
Registrar:, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: 480-624-2505

As a reminder the only official website for the Electrum wallet is
