Bug #16421

Electrum Phishing Attack - Upstream Fix Committed

Added by tailshark 7 months ago. Updated 9 days ago.


As part of this ticket, reintroduce the test case i.e. revert f092b0d6f268a12550283e3a510f0455055ca1d9.

Initial report:

I was using Tails (newest version) and stumbled over this a few hours ago.

When broadcasting a Bitcoin transaction it would come back telling me to manually upgrade Electrum with a link. I thought this was suspicious as the response was rich text and my hygiene (cyber or otherwise) is amazing.

Did a little digging and this:

Bottom line: Attacker electrum nodes in the wild are able to send custom responses to Electrum <v3.3.3. Tails looks like it's at v3.1.3 at present. Electrum devs responded with a counter-move. They started upgrading Electrum nodes to authorize your transaction but shout at you for using an older version.

Current user experience: At this time every Electrum transaction on Tails shouts at me. It's either the phishing response trying to bait me into installing the backdoored Electrum (and the transaction fails) OR it's a legitimate Electrum node that authorizes the transaction but tells me I'm on a vulnerable version.

At this time it looks like the attack requires user participation to manually go and install stuff from the attacker site(s). I'm not sure how many Tails users this would actually pwn since Tails users are here for a reason. But at the very least it might freak people out. I checked all the doors & hatchets myself when seeing the phishing response for the first time.

Thought I would share before you get a ticket like this one:

"I'm lose ~12 BTC ~ $42k, from an UPDATE SHOW ME ON 3.3.3 OFFICIAL !!!! my family going to dead #5064"

Related issues

Related to Tails - Bug #16564: Consider shipping Electrum as an AppImage Resolved 03/15/2019
Related to Tails - Feature #16565: Mention Electrum updates on the doc/known issues page Resolved 03/16/2019
Blocks Tails - Bug #16969: "Electrum starts" test step is broken on Buster Confirmed

Associated revisions

Revision f092b0d6 (diff)
Added by intrigeri 9 days ago

Test suite: remove totally broken Electrum scenario (refs: #16421)

Given Electrum is broken in Tails currently, this scenario gives us zero
valuable information but its constant failure has a cost. Let's bring it
back once we have a working Electrum again.


#1 Updated by mercedes508 7 months ago

  • Assignee set to intrigeri
  • Type of work changed from Code to Research

Already received a report about this issue. Not sure what we can do from a Tails perspective as said here

#2 Updated by intrigeri 7 months ago

  • Assignee changed from intrigeri to s7r

Dear s7r, can you please triage this?

#3 Updated by s7r 7 months ago

  • Status changed from New to Confirmed
  • Priority changed from Normal to Elevated
  • Type of work changed from Research to Wait

This is confirmed.

Some important notes:

- There is no vulnerability in the application itself. Nothing can be exploited. The only bug is that the arbitrary error message sent by the malicious server is displayed as rich text by Qt.

- Because of how Electrum server peer discovery works, there is nothing that can stop the Sybil attack or filter the servers. There's no authoritative directory which assigns flags or reputations to servers. Any client using auto-connect or a random server has an N% chance of running into a malicious server, where N = the % of malicious servers in the server pool.

- It is a phishing attack. If the users use a trusted server, or an honest server, they are unaffected. If the users use a malicious server, get the error but don't follow up and don't install Electrum from untrusted sources, and just simply switch servers, they remain unaffected.

- The fix upstream in 3.3.3 ONLY renders error messages as plain text instead of rich text, and doesn't allow arbitrary messages but strict error codes.

- In Tails it's not trivial to install something from other sources, so I aim to think Tails users are OK.

At the moment, the network of Electrum servers is sybil-ed with malicious peers, there are so so many.

ElectrumX (the Electrum server implementation) 1.9.3 was tagged which:

a) filters and identifies most malicious peers (servers) and does not further broadcast them to clients;

b) uses the same "bug" to display a WARNING that the users should upgrade, even though the transaction was successfully sent.

This was done because users simply don't upgrade in the wild, and remain vulnerable to the phishing scam.

Electrum's Debian package maintainer had some problems that did not allow him to work on Debian, and when I last discussed I understood that work will be resumed in mid-February, which is soon. It's going to be tight with the Buster freeze, but let's see what happens.

This is what we are waiting for in order to close all Electrum tickets. There is nothing much we can do in Tails, except display a notification on the website, or maybe even in Tails itself, that all Electrum users will either:

a) get a phishing message that will advise them to install a backdoored Electrum from an untrusted source, message that should be ignored.

b) get a warning message that the transaction was sent, but the version of Electrum used is vulnerable. This will be fixed in another release.

c) provide some trusted onion Electrum servers so that they don't have to go through many servers until they find one that broadcasts their transaction, since the Electrum server pool is heavily sybiled at this moment.

Comments from more people needed here, to see what's the best way here.
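
The behaviour change described in comment #3 (plain text only, fixed error codes instead of arbitrary server text), sketched as an added example; it is not Electrum's code and not part of this ticket. The numeric codes, the message table and the sample responses are constructed for illustration.

```python
import html
import json
import re

# Hypothetical client-side table: the wording shown to the user lives in the
# client and is selected by a numeric code. The codes are assumptions.
KNOWN_ERRORS = {
    1: "The server rejected the transaction.",
    2: "The server could not process the request.",
}
GENERIC = "The server returned an error. Try another server."
# Markup or links inside a server error are worth logging as suspicious.
SUSPICIOUS = re.compile(r"<[a-zA-Z/][^>]*>|https?://|www\.", re.IGNORECASE)

# Constructed sample responses to a broadcast request.
PHISH = json.dumps({"id": 7, "error": {"code": 1, "message":
    "<b>Update required</b> <a href='https://update.example.invalid/'>here</a>"}})
HONEST = json.dumps({"id": 8, "error": {"code": 1, "message": "rejected"}})


def render_unsafe(response: str) -> str:
    """'Before' behaviour: server text is handed to a rich-text widget as is."""
    return json.loads(response)["error"]["message"]


def render_safe(response: str) -> tuple[str, bool]:
    """Return (text to show as plain text, whether the server text looked suspicious)."""
    try:
        error = json.loads(response).get("error") or {}
    except (ValueError, AttributeError):
        return GENERIC, True  # not JSON, or not a JSON object
    if not isinstance(error, dict):
        return GENERIC, True
    message = error.get("message")
    suspicious = isinstance(message, str) and bool(SUSPICIOUS.search(message))
    code = error.get("code")
    # Only the integer code selects the wording; server text is never displayed.
    text = KNOWN_ERRORS.get(code, GENERIC) if type(code) is int else GENERIC
    # Escaping is defence in depth in case a widget auto-detects rich text.
    return html.escape(text), suspicious


if __name__ == "__main__":
    for sample in (PHISH, HONEST, "not json"):
        print(render_safe(sample))
```

A client built this way also drops the upgrade warning that patched servers send through the same error channel, so the prompt to upgrade has to reach users some other way.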

#4 Updated by tailshark 7 months ago

@s7r - Sounds good. I was going to ask who maintains bringing Electrum security fixes to the Debian mainline. I had some concerns this might sit in rotation until June~ or whenever Buster releases.

#5 Updated by sajolida 5 months ago

  • Related to Feature #16565: Mention Electrum updates on the doc/known issues page added

#6 Updated by sajolida 5 months ago

  • Related to Bug #16564: Consider shipping Electrum as an AppImage added

#7 Updated by sajolida 5 months ago

  • Related to Feature #16565: Mention Electrum updates on the doc/known issues page added

#8 Updated by sajolida 5 months ago

  • Related to deleted (Feature #16565: Mention Electrum updates on the doc/known issues page)

#9 Updated by mercedes508 5 months ago


#10 Updated by intrigeri 5 months ago

  • QA Check set to Info Needed
  • Type of work changed from Wait to Communicate

Provided guidance on the thread (, we'll decide how to proceed once s7r has answered the questions we have :)

#11 Updated by intrigeri 5 months ago

  • Target version set to Tails_3.14

#12 Updated by CyrilBrulebois 3 months ago

  • Target version changed from Tails_3.14 to Tails_3.15

#13 Updated by intrigeri 3 months ago

  • QA Check deleted (Info Needed)

#14 Updated by CyrilBrulebois about 1 month ago

  • Target version changed from Tails_3.15 to Tails_3.16

#15 Updated by intrigeri 9 days ago

  • Blocks Bug #16969: "Electrum starts" test step is broken on Buster added

#16 Updated by intrigeri 9 days ago

  • Status changed from Confirmed to In Progress

#17 Updated by intrigeri 9 days ago

  • Description updated (diff)
  • Status changed from In Progress to Confirmed
