Decompiling the ElectrumPro Stealware

Electrum is a popular Bitcoin wallet, distributed on electrum.org and spesmilo/electrum.

A few weeks ago scammers bought the electrum.com domain and started using it to distribute a modified, malicious version of Electrum called ElectrumPro that steals its users' bitcoins.

The Electrum team published a guide to decompiling the ElectrumPro Windows binary to prove that it does indeed steal from users:

This document describes how to decompile the “Electrum Pro” Windows binaries, and how to verify that they indeed contain bitcoin-stealing malware. We previously warned users against “Electrum Pro”, but we did not have formal evidence at that time.

The scammers seem to have invested a significant sum to acquire the domain, which was previously used by someone in the US to sell energy drinks and food. The change of ownership happened on 23 March 2018 according to WHOIS data:

Domain Name: ELECTRUM.COM
Registry Domain ID: 24034_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-03-23T21:33:29Z
Creation Date: 1996-05-15T04:00:00Z
Registry Expiry Date: 2023-05-16T04:00:00Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: 480-624-2505

As a reminder the only official website for the Electrum wallet is electrum.org.

Support us and the authors of this article by donating to the following address:

36cPz3bxFd4Cu6wAnbiuMEFCbicgmcptsL
