Board: Electrum
Re: Fraudulent transaction along with the correct one (Ledger Nano S + Electrum)
by Electrum_LedgerNS_Issue on 10/02/2020, 15:24:29 UTC
I have to admit that this is the first time I've ever heard of a case like this, and it's really weird this happened to you. I see that you are not a beginner and that you understand the basics on which a hardware wallet works, so I will not doubt that everything you wrote is true.

Assuming you have legitimate software (Electrum, firmware in Nano S and legit Windows 10) I would personally assume it was some sophisticated malware that somehow bypassed the protection Ledger had and added another transaction. Another possibility is that it's some kind of internal bug that is a combination of some incredibly strange circumstances that occurred during your legitimate transaction. Still, the question remains, where did this new address come from if it wasn't some malware?

I understand your privacy concerns, but it would still be advisable to post the IDs of both transactions; there are members who can conclude something from the transactions. Are you using any kind of antivirus protection? Have you tried scanning your computer for possible viruses/malware?

I used the Nano S in combination with Electrum a few days ago, and the transaction went pretty normally.


Thanks for your reply.
Indeed, I searched my PC trying to find traces of the address string and didn't find anything, so either a script injected it and then deleted itself, or it was somehow derived by the Ledger with a wrong derivation path.

I've tried recreating the bug the same day with a different Ledger which had the keys on a much smaller account and didn't manage to recreate the behavior.

As for security, only Avast and the Windows firewall at the time the incident happened.
I downloaded Malwarebytes after it happened and ran a scan: only some PUPs, but the real-time protection detected 2 things afterwards. A malicious site, "exs[dot]ignorelist[dot]com", pointing to electrum-3.3.8.exe and qualified as an exploit, and "endthefed[dot]onthewifi[dot]com", pointing to electrum-3.3.8.exe and qualified as "Phishing". So this might be a lead, even if I don't see what a server can do to cause this.


Greatly appreciate any help or ideas.
Thanks