ElectroHunt Part 2: Ukraine Obsession with Crypto Continues

Peter Kacherginsky
May 8 · 15 min read

By Jeremiah O’Connor and Peter Kacherginsky

In Electrohunt Part 1, we outlined the recent phishing and malware campaigns targeting Electrum, the Bitcoin Simple Payment Verification (SPV) wallet. In this part we discuss the continued onslaught by these financially motivated criminals on the Electrum network and its users. We analyze some of the actors and trends we are seeing of late in the criminal cryptosphere, describe the detection methodology we are building, and trace some of the transactions on the Bitcoin blockchain to investigate where the stolen funds are being laundered.

We have observed attacks on the Electrum network originating from the Ukraine/Russia region, where criminals are notorious for targeting the financial sector (cryptocurrency, banks, credit card fraud) to fund further illicit activity. A variety of delivery vectors have been used in the past; recently, attackers have begun a new method of getting users onto malicious servers: launching a DDoS against the network to knock legitimate servers offline so that clients fall back to malicious ones. Multiple actors are currently abusing the Electrum network, the biggest of them operating out of Ukraine. We assess with high confidence that this financially motivated actor is advanced and understands cryptocurrencies and the workings of the Electrum network well enough to manipulate it to their advantage. We estimate this actor has stolen over ~7 million USD worth of BTC since December 2018 (estimate at time of writing).

Financial Actor Using Bulletproof Providers

We are currently tracking many different financially motivated actors abusing different crypto brands via DNS, with the help of DomainTools. One of the most pervasive trends we have been observing of late is phishing combined with malware targeting cryptocurrency SPV wallet software, with Electrum being one of the primary targets. We are observing one particularly large actor (alongside some smaller but successful ones) from the Ukraine/Russia region targeting the Electrum network, registering domains in bulk and rotating through them as a flux network to evade detection. Below are clusters of Electrum phishing sites hosted on multiple Ukrainian netblocks with very little abuse prevention. These rogue infrastructures, sometimes run by the criminals themselves, aid the syndicates' operations. Such bulletproof hosts generally rank poorly among ASNs, with a high ratio of abused domains to IPs. One of the biggest clusters of phishing sites is hosted on ASN 206638, HOSTFORY, UA:

domain,ip,asn
electrumapp.org,91.211.89[.]115,AS206638 HOSTFORY, UA
goelectrum.com,91.211.89[.]113,AS206638 HOSTFORY, UA
myelectrum.org,91.211.89[.]112,AS206638 HOSTFORY, UA
downloadelectrum.org,91.211.89[.]111,AS206638 HOSTFORY, UA
electrumbtc.org,91.211.89[.]110,AS206638 HOSTFORY, UA
btcelectrum.org,91.211.89[.]109,AS206638 HOSTFORY, UA
downloadelectrum.com,91.211.89[.]108,AS206638 HOSTFORY, UA
electrumdownload.com,91.211.89[.]107,AS206638 HOSTFORY, UA
electrumupgrade.org,91.211.89[.]106,AS206638 HOSTFORY, UA
electrumbase.org,91.211.89[.]103,AS206638 HOSTFORY, UA
electrumsafe.org,91.211.89[.]103,AS206638 HOSTFORY, UA
electrumware.org,91.211.89[.]103,AS206638 HOSTFORY, UA
electrumcore.com,91.211.89[.]103,AS206638 HOSTFORY, UA
electrumopen.org,91.211.89[.]103,AS206638 HOSTFORY, UA
electrumdownload.org,91.211.89[.]102,AS206638 HOSTFORY, UA
electrumupdate.com,91.211.89[.]101,AS206638 HOSTFORY, UA
electrumcircle.com,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumapp.com,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumapps.net,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumbit.org,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumgit.com,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumgroup.net,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumsoft.net,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumversion.com,91.211.89[.]100,AS206638 HOSTFORY, UA
electrumreleases.org,91.211.89[.]100,AS206638 HOSTFORY, UA
getelectrum.com,91.211.89[.]100,AS206638 HOSTFORY, UA
electrum.sx,91.211.89[.]100,AS206638 HOSTFORY, UA
electrum.bz,91.211.89[.]100,AS206638 HOSTFORY, UA

These IPs sit in Ukrainian IP space:

Country: Ukraine
Region: Dnipropetrovska Oblast
City: Dnipro
ISP: Pe Brezhnev Daniil

This hosting provider sells dedicated servers with DDoS protection and enforces very little over the content hosted on them, a convenient haven for criminals to operate freely. Its price list also gives a sense of the revenue this group generates and what they are willing to spend on dedicated hosting:

This actor is spreading the campaign across other providers as well, here from 185.200.190[.]204 on AS42533 DCUA-AS, UA, another Ukrainian provider:

domain,ip,cc,timestamp,asn
electrumfix[.]com,185.200.190[.]204,UA,2019-02-12T20:05:56,AS42533 DCUA-AS, UA
electrumbase[.]net,185.200.190[.]204,UA,2019-02-12T20:06:06,AS42533 DCUA-AS, UA
electrumsite[.]com,185.200.190[.]204,UA,2019-02-12T20:03:03,AS42533 DCUA-AS, UA
electrumbuild[.]com,185.200.190[.]204,UA,2019-02-12T04:27:08,AS42533 DCUA-AS, UA
electrumcore[.]net,185.200.190[.]204,UA,2019-02-09T17:01:22,AS42533 DCUA-AS, UA
electrumapps[.]com,185.200.190[.]204,UA,2019-02-07T17:39:44,AS42533 DCUA-AS, UA
electrumbase[.]com,185.200.190[.]204,UA,2019-02-07T17:39:54,AS42533 DCUA-AS, UA
electrumweb[.]net,185.200.190[.]204,UA,2017-11-30T02:49:16Z,AS42533 DCUA-AS, UA
electrumsource[.]org,185.200.190[.]204,UA,2017-11-30T02:49:16Z,AS42533 DCUA-AS, UA

IP location (185.200.190[.]204):

Country: Ukraine
Region: Kyiv
City: Kiev
ISP: Ntx Technologies Ltd
ASN (registered): AS51765 CREANOVA-AS Oy Creanova Hosting Solutions Ltd., FI

Here is a cluster of Electrum phishing sites on the Russian AS29182, THEFIRST-AS, RU, which also uses internationalized domain names (IDNs, shown below in their xn-- punycode form) to make the spoofs look more legitimate:

eilectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
eliectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
ellectrium[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
elliectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum[.]net, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum[.]pro, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eectrum-9hb[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eletrum-45a[.]com, 82.146.37[.]8, AS29182 THEFIRST-AS, RU

Importance of Delivery Vector, History of Abuse

Using DNS visibility tools such as DomainTools we are able to monitor and analyze attacker infrastructure. Here the attackers have copied the content directly from Electrum's page source and serve it under a Let's Encrypt SSL certificate so that the spoofed site shows the browser padlock (a domain-validated certificate proves only control of the phishing domain, so the padlock says nothing about who runs the site):

One of the key parts of any successful phishing campaign is the delivery vector, i.e. how the fraudulent content reaches the victim. Criminal actors targeting cryptocurrencies have used a variety of delivery mechanisms including email, mass malvertising, spoofing inside error messages and, most recently, DDoSing legitimate servers on the Electrum network to push naive users onto malicious ones. The delivery mechanism in this campaign is somewhat novel: a user running legitimate Electrum software connects to an Electrum server run by the attacker; when the user tries to broadcast a transaction, the server replies with an error message that redirects the unwitting user to the phishing site and urges them to download the malicious version. To increase the probability of success, the attackers not only register new domains on different infrastructures (within the same region) at a high rate and flux through them, they also spawn many new servers (sybils) to increase the chance that legitimate clients connect to a rogue server.
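The server-side lure described above, expressed at the protocol level as an added example (this is not code from the post or from the Electrum project): Electrum clients speak newline-delimited JSON-RPC to their server, and a rogue server answers a broadcast request with an error whose text is the lure itself. The scanner below reads captured server responses and flags error messages that carry a URL, HTML or upgrade wording, which a node's genuine rejection reason ("missing inputs" and the like) does not. The response lines are constructed; the domains electrum[.]bz and electrumsecure[.]org are from the campaign list in Appendix A, and the error texts are made up to mirror the behavior the post describes.

```python
import json
import re
from typing import Dict, List

# Constructed sample of newline-delimited JSON-RPC server responses, one
# object per line, as an Electrum client receives them. The lure texts are
# made up to mirror the behaviour described in the post; electrum[.]bz and
# electrumsecure[.]org are domains from the campaign list in Appendix A.
SAMPLE_RESPONSES = "\n".join([
    '{"jsonrpc":"2.0","id":1,"result":["ElectrumX 1.9.5","1.4"]}',
    '{"jsonrpc":"2.0","id":2,"error":{"code":1,"message":'
    '"the transaction was rejected by network rules.\\n\\n'
    'Your Electrum client is outdated. Please upgrade to 4.0.0 at https://electrum.bz"}}',
    '{"jsonrpc":"2.0","id":3,"error":{"code":1,"message":'
    '"the transaction was rejected by network rules.\\n\\nmissing inputs"}}',
    # older protocol versions carried the error as a bare string
    '{"id":4,"error":"<b>Security update required</b> visit electrumsecure.org"}',
    '{"jsonrpc":"2.0","id":5,"result":"0123abcd"}',
])

URL_RE = re.compile(
    r"(?:https?://|www\.)\S+"
    r"|\b[a-z0-9-]+\.(?:org|com|net|bz|la|sx|info|pro|live|tech)\b",
    re.I,
)
HTML_RE = re.compile(r"<[a-z/][^>]*>", re.I)
LURE_RE = re.compile(r"\b(?:upgrade|update|outdated|download|new version|security)\b", re.I)


def error_message(msg: dict) -> str:
    """Return the error text of a JSON-RPC response, or '' if it is not an error.
    Handles both the JSON-RPC 2.0 object form and the older bare-string form."""
    err = msg.get("error")
    if err is None:
        return ""
    if isinstance(err, dict):
        return str(err.get("message", ""))
    return str(err)


def classify_error(text: str) -> List[str]:
    """Reasons an error message looks like a phishing lure rather than a
    node's rejection reason. An empty list means it looks benign."""
    reasons = []
    if URL_RE.search(text):
        reasons.append("url")
    if HTML_RE.search(text):
        reasons.append("html")
    if LURE_RE.search(text):
        reasons.append("update-lure")
    return reasons


def scan_responses(raw: str) -> List[Dict]:
    """Parse newline-delimited JSON-RPC and return one finding per suspicious line."""
    findings = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            # a server that puts non-JSON on the wire is itself worth noting
            findings.append({"line": lineno, "id": None, "reasons": ["not-json"], "text": line[:80]})
            continue
        text = error_message(msg)
        reasons = classify_error(text)
        if reasons:
            findings.append({"line": lineno, "id": msg.get("id"), "reasons": reasons, "text": text[:120]})
    return findings


if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f"line {f['line']} id={f['id']} reasons={','.join(f['reasons'])}: {f['text']!r}")
```

Feed it the raw server side of a captured Electrum session (a proxy log of the TCP stream works) and it reports the two lure responses while passing the genuine "missing inputs" rejection. The client-side counterpart is to treat server-supplied error text as untrusted data, never as rich text or clickable links.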

Electrum has been a target of nation-state actors as well as organized crime groups in the past. We have seen Electrum widely abused before, with different delivery mechanisms, by adversaries in the same Ukraine/Russia region. Electrum was a big target in mass malvertising campaigns in Google Ads:

Google Ads targeting cryptocurrency wallets and exchanges has undergone heavy remediation since late 2017/early 2018, which we helped with, and the overall hygiene of cryptocurrency-related ads is much cleaner. Recently attackers have turned to DDoSing the Electrum network with a massive botnet of over 80K IPs (at time of writing). They point it at the legitimate servers to overload them and force clients onto the malicious nodes, which then advertise an "upgrade to the latest version" and redirect users to the phishing sites, where they download the wallet malware.

Detection mechanisms

We are in the early stages of building out our statistical attack detection capabilities and are experimenting with a suite of algorithms for discovering these fraudulent sites in network traffic. For our training set we built a knowledge base of cryptocurrency wallet and exchange sites and the data associated with them. Extracting signals from labeled network traffic and using Doc2Vec to model features from the legitimate crypto brand sites' DOM, we combine unsupervised and supervised techniques to look for suspicious behavior in network traffic. Testing the model live against the actor networks we monitor, we are getting promising preliminary results and finding many of these domains alive and serving weaponized content at the same time, indicating the actor rotates between the domains they have registered. Here are some results from probing the network on February 18 (the connection errors are domains that did not resolve or did not answer at that moment):

----------------------------------------------------------------
Domain: electrumbase.org
Timestamp: 2019-02-18 21:07:51.625177
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: electrumsafe.org
Timestamp: 2019-02-18 21:07:57.839763
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: electrumware.org
Timestamp: 2019-02-18 21:08:05.534325
Index, Cos Sim (0-1), Document (Brand/Domain)
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: electrumcore.com
Timestamp: 2019-02-18 21:08:12.128769
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: electrumopen.org
Timestamp: 2019-02-18 21:08:18.911233
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
HTTPConnectionPool(host='electrumget.com', port=80): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x1a22296210>, 'Connection to electrumget.com timed out. (connect timeout=10)'))
----------------------------------------------------------------
Domain: electrumdownload.com
Timestamp: 2019-02-18 21:08:35.910781
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: electrumdownload.org
Timestamp: 2019-02-18 21:08:42.666782
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: goelectrum.com
Timestamp: 2019-02-18 21:08:48.912725
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: etelectrum.com
Timestamp: 2019-02-18 21:08:56.183600
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
HTTPConnectionPool(host='electrumupgrade.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x1a22bb7d10>: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known',))
----------------------------------------------------------------
Domain: electrumupdate.com
Timestamp: 2019-02-18 21:09:02.765260
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
HTTPConnectionPool(host='electrumpgrade.com', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x1a22bb7cd0>: Failed to establish a new connection: [Errno 61] Connection refused',))
----------------------------------------------------------------
Domain: electrumdownload.com
Timestamp: 2019-02-18 21:09:09.291047
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
HTTPConnectionPool(host='electrumbtc.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x1a2329ad10>: Failed to establish a new connection: [Errno 51] Network is unreachable',))
----------------------------------------------------------------
Domain: downloadelectrum.org
Timestamp: 2019-02-18 21:09:22.838411
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: downloadelectrum.com
Timestamp: 2019-02-18 21:09:29.267028
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: btcelectrum.org
Timestamp: 2019-02-18 21:09:35.728569
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
Domain: electrumware.org
Timestamp: 2019-02-18 21:09:42.282752
Prediction → Phish, Class → Electrum
----------------------------------------------------------------
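As an added illustration of the classification step behind the log above (this is not the authors' model; it swaps their Doc2Vec embedding for a plain term-frequency vector over DOM tokens, which is enough to show the idea), the script below tokenizes a page's structure (tag names, parent>child pairs, class and id values, link hosts, title words), computes cosine similarity against a per-brand template, and labels a page "Phish" when it is close to a brand template but served from a domain the brand does not own. The three HTML documents are constructed for the example: the template is a stand-in for the real electrum.org page, not its source, and the clone repoints its links at electrumsafe[.]org, a domain from the campaign list above.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from typing import Optional, Tuple

VOID_TAGS = {"br", "img", "meta", "link", "input", "hr"}


class DomTokenizer(HTMLParser):
    """Reduce an HTML document to a bag of structural tokens: tag names,
    parent>child tag pairs, class/id values, link hosts and title words.
    Visible body text is deliberately ignored so that a clone with the
    same markup but different wording still scores as a clone."""

    def __init__(self) -> None:
        super().__init__()
        self.tokens: Counter = Counter()
        self.stack: list = []
        self.in_title = False

    def handle_starttag(self, tag, attrs):
        self.tokens[f"tag:{tag}"] += 1
        if self.stack:
            self.tokens[f"pair:{self.stack[-1]}>{tag}"] += 1
        for name, value in attrs:
            if name in ("class", "id") and value:
                for v in value.split():
                    self.tokens[f"{name}:{v}"] += 1
            elif name == "href" and value and "://" in value:
                host = value.split("://", 1)[1].split("/", 1)[0].lower()
                self.tokens[f"host:{host}"] += 1
        if tag == "title":
            self.in_title = True
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
        if tag in self.stack:  # tolerate sloppy or unclosed markup
            while self.stack and self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.in_title:
            for word in data.lower().split():
                self.tokens[f"title:{word}"] += 1


def dom_vector(html: str) -> Counter:
    parser = DomTokenizer()
    parser.feed(html)
    parser.close()
    return parser.tokens


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


# Constructed stand-in for the brand's download page (not electrum.org's real source).
ELECTRUM_TEMPLATE_HTML = """<html><head><title>Electrum Bitcoin Wallet</title>
<link rel="stylesheet" href="/css/style.css"></head>
<body><div id="header"><a href="https://electrum.org/">Home</a><a href="https://electrum.org/#download">Download</a></div>
<div id="content"><h1>Electrum Bitcoin Wallet</h1>
<div class="download"><a class="btn" href="https://download.electrum.org/3.3.4/electrum-3.3.4-setup.exe">Windows</a>
<a class="btn" href="https://download.electrum.org/3.3.4/electrum-3.3.4.dmg">OSX</a></div></div>
<div id="footer"><a href="https://github.com/spesmilo/electrum">Source</a></div></body></html>"""

# A phishing clone: identical markup, download links repointed at a campaign domain.
CLONE_HTML = (ELECTRUM_TEMPLATE_HTML
              .replace("download.electrum.org/3.3.4", "electrumsafe.org/4.0.0")
              .replace("https://electrum.org/", "https://electrumsafe.org/"))

# An unrelated page that must not be classified as the brand.
UNRELATED_HTML = """<html><head><title>Weather Today</title></head>
<body><table><tr><td>City</td><td>Temp</td></tr><tr><td>Kyiv</td><td>14</td></tr></table>
<p>Forecast</p></body></html>"""

BRAND_TEMPLATES = {"Electrum": dom_vector(ELECTRUM_TEMPLATE_HTML)}
OFFICIAL_DOMAINS = {"Electrum": {"electrum.org", "download.electrum.org"}}


def classify(domain: str, html: str, threshold: float = 0.6) -> Tuple[str, Optional[str], float]:
    """Return (prediction, brand, similarity). 'Phish' means the page looks
    like a brand template but is served from a domain the brand does not own."""
    vec = dom_vector(html)
    best_brand, best_sim = None, 0.0
    for brand, template in BRAND_TEMPLATES.items():
        sim = cosine(vec, template)
        if sim > best_sim:
            best_brand, best_sim = brand, sim
    if best_brand is None or best_sim < threshold:
        return "Benign", None, best_sim
    if domain.lower() in OFFICIAL_DOMAINS[best_brand]:
        return "Legit", best_brand, best_sim
    return "Phish", best_brand, best_sim


def report(domain: str, html: str) -> str:
    prediction, brand, sim = classify(domain, html)
    return f"Domain: {domain}\nCos Sim: {sim:.3f}\nPrediction → {prediction}, Class → {brand}"


if __name__ == "__main__":
    for domain, page in [("electrum.org", ELECTRUM_TEMPLATE_HTML),
                         ("electrumsafe.org", CLONE_HTML),
                         ("example.net", UNRELATED_HTML)]:
        print(report(domain, page))
        print("-" * 32)
```

The clone scores around 0.89 against the template (only the link hosts differ) and the weather page around 0.09. The 0.6 threshold is a guess for this toy and would be tuned on labeled traffic in practice; a phishing kit that copies the brand's markup but rewrites every class and id will score low, which is why a DOM signal is combined with DNS and infrastructure signals rather than used alone.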

Fluxing networks of phishing sites is a common adversarial technique for evading detection and tracking: as soon as one malicious domain is found and reported, a new domain is spun up and ready to rob, sometimes on a different (still bulletproof) infrastructure to make correlation harder.

Blockchain Analysis: Following the Money

Using blockchain analysis tools we were able to trace the money flow of this attacker group. Here we can see that the majority of the transactions (373 at time of writing) went to BitSquare (since renamed Bisq):

At BitSquare the stolen BTC were then converted to the privacy-oriented Monero (XMR):

When engaging in criminal activity it is beneficial not to have your transactions on a public ledger for law enforcement and security professionals to analyze. Privacy coins such as Monero are, on their own, just privacy technology and not malicious, but they can function as another layer of anonymization for criminals to mask the movement of stolen funds, a trend already very common among actors knowledgeable about cryptocurrencies. Analyzing the transaction graph more deeply, we determined several heuristics characteristic of this actor group and uncovered over 150 addresses related to these attacks. Among the common patterns associated with this group:

  1. Interaction with addresses found in the malware executables and through open source intelligence gathering
  2. Use of one-time, disposable sub-wallets to further obfuscate the stolen BTC
  3. Sending to other bech32 (SegWit) addresses in splits of ~2.0 BTC, which we suspect to be some sort of payment to another entity (see the screenshot below with transactions on 4/16)
  4. Similarity among the entities the funds were sent to, such as BitSquare, Bitfinex and other exchanges with limited KYC enforcement, abused by criminals en masse; for lack of a better term, "bulletproof exchanges"

Tracking the stolen funds that went through Bitfinex, we observed they were sent on to MorphToken, a token marketplace for swapping assets similar to ShapeShift. We also see interaction with LocalBitcoins, the "Craigslist of bitcoin", a peer-to-peer exchange that offers financial actors an easier and safer way to cash out, and with Russian darknet markets including Hydra and Wall Street Market:
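The heuristics listed above, as an added example that is not the authors' tooling: a breadth-first walk of a transaction graph from a seed address, here the redirect address bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x from the Campaign #1 malware in Appendix A (heuristic 1), tagging received-once/spent-once addresses as disposable sub-wallets (heuristic 2), setting aside ~2.0 BTC outputs to bech32 addresses as suspected payments to another party rather than actor-controlled change (heuristic 3), and stopping at known exchange deposit addresses (heuristic 4). The ledger excerpt is constructed: every address other than the seed, every txid and amount, and the exchange label are invented for the example. A real run would pull transactions from a node or block explorer and work at the UTXO rather than the address level.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Tx:
    txid: str
    inputs: List[Tuple[str, float]]   # (address, BTC) spent
    outputs: List[Tuple[str, float]]  # (address, BTC) received


# Seed: the redirect address embedded in the Campaign #1 malware (from the post).
SEED = {"bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x"}

# Constructed ledger excerpt. Only the seed address is real; every other
# address, every txid and every amount below is invented for this example.
TXS = [
    Tx("tx01", [("1victimAAAA", 0.7500)], [("bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x", 0.7495)]),
    Tx("tx02", [("1victimBBBB", 3.3000)], [("bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x", 3.2995)]),
    # sweep into a one-time sub-wallet
    Tx("tx03", [("bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x", 4.0490)], [("bc1qsubwalletX", 4.0485)]),
    # ~2.0 BTC to another bech32 address, remainder onward to a fresh sub-wallet
    Tx("tx04", [("bc1qsubwalletX", 4.0485)], [("bc1qpayeeY", 2.0000), ("bc1qsubwalletZ", 2.0480)]),
    Tx("tx05", [("bc1qsubwalletZ", 2.0480)], [("3BitSquareDepositAddr", 2.0475)]),
    # unrelated traffic that also pays bc1qpayeeY and must not be pulled in
    Tx("tx06", [("1unrelatedQ", 1.0000)], [("bc1qpayeeY", 0.5000), ("1unrelatedR", 0.4995)]),
]

# Constructed attribution of a deposit address to an exchange.
KNOWN_ENTITIES: Dict[str, str] = {"3BitSquareDepositAddr": "BitSquare"}


def is_bech32(addr: str) -> bool:
    # Mainnet bech32 (SegWit) addresses carry the "bc1" human-readable part.
    return addr.lower().startswith("bc1")


def build_index(txs: Iterable[Tx]):
    spent_by = defaultdict(list)     # address -> txids spending from it
    received_in = defaultdict(list)  # address -> txids paying it
    for tx in txs:
        for addr, _ in tx.inputs:
            spent_by[addr].append(tx.txid)
        for addr, _ in tx.outputs:
            received_in[addr].append(tx.txid)
    return spent_by, received_in


def trace(txs: List[Tx], seeds: Iterable[str], max_hops: int = 6,
          split_amount: float = 2.0, split_tolerance: float = 0.01) -> dict:
    """Walk forward from the seed addresses and apply the actor heuristics."""
    by_id = {tx.txid: tx for tx in txs}
    spent_by, received_in = build_index(txs)
    related = set(seeds)
    visited = set()
    frontier = deque((addr, 0) for addr in seeds)
    splits, cashouts = [], []

    while frontier:
        addr, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for txid in spent_by.get(addr, []):
            if txid in visited:
                continue
            visited.add(txid)
            for out_addr, value in by_id[txid].outputs:
                if out_addr in KNOWN_ENTITIES:
                    # heuristic 4: funds reached an exchange; stop, it is not the actor's wallet
                    cashouts.append((txid, out_addr, KNOWN_ENTITIES[out_addr], value))
                    continue
                if is_bech32(out_addr) and abs(value - split_amount) <= split_tolerance:
                    # heuristic 3: a ~2.0 BTC bech32 payment, suspected to go to another party
                    splits.append((txid, out_addr, value))
                    continue
                if out_addr not in related:
                    related.add(out_addr)
                    frontier.append((out_addr, hops + 1))

    # heuristic 2: received in exactly one tx and spent in exactly one -> disposable sub-wallet
    disposable = {a for a in related
                  if len(received_in.get(a, [])) == 1 and len(spent_by.get(a, [])) == 1}
    return {"related": related, "disposable": disposable,
            "splits": splits, "cashouts": cashouts}


if __name__ == "__main__":
    result = trace(TXS, SEED)
    print("actor-related addresses:", sorted(result["related"]))
    print("disposable sub-wallets:", sorted(result["disposable"]))
    print("~2.0 BTC bech32 splits:", result["splits"])
    print("cash-out points:", result["cashouts"])
```

On the sample ledger the walk reaches the two sub-wallets and the exchange deposit, records the 2.0 BTC payment without following it (so the unrelated tx06 stays out of the cluster), and tags both sub-wallets as disposable. The 2.0 BTC rule and the one-in/one-out rule are this actor's habits, not general truths about Bitcoin, so on a real chain they need the corroboration the post describes (malware-embedded addresses, OSINT, exchange attribution) before an address is called actor-controlled.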

Rise in Bitcoin Wallet Malware Attacks

We are observing an increasing trend in this type of coin-stealing malware targeting a variety of brands and expect it to become more prevalent. Users who are aware of the nefarious activity on the Electrum network are looking to the next Bitcoin wallet, and those wallets are being targeted by crypto-motivated attackers too. Attackers are beginning to phish other Bitcoin wallet brands including Exodus and Bitcoin Armory. These come from the same Ukraine/Russia region; we have observed an array of phishing attacks on cryptocurrency from the netblock AS48282 MCHOST-AS, RU, in this case the IP 185.251.39[.]110:

Here we can see the domain bitcoinarmory[.]tech on the same IP, targeting another offline wallet, Bitcoin Armory:

Other attack trends to note in this region are the attacks on Trezor wallets outlined in the recent Phishfort article; these were hosted on 91.220.101[.]25, 91.220.101[.]37 and 91.220.101[.]53 on AS34259, HIGHLOAD Systems. We are observing a continued trend of financially motivated attackers in the Ukraine/Russia region targeting all types of cryptocurrency wallets, hardware as well as software.

Conclusion

While tracing this Electrum campaign our detection methods converged on multiple levels. We were able to track the campaigns at the DNS level, at the malware executable level, through open-source intelligence, and through blockchain analysis; by cataloging heuristics specific to this actor group we can trace new wallets as they are created. Intelligence gained from analyzing this group's activity also helped us tune our own detection models and tools to increase traceability and better secure the crypto economy. Stay alert when downloading the latest version of cryptocurrency wallet software. Some of the measures users can take to avoid getting phished or infected with wallet malware:

  • Inspect the URL of the site where you are downloading software or entering credentials
  • Bookmark the URLs of the wallets and exchanges you transact with
  • If downloading from anywhere other than the official site, make sure the source is trusted and that the executable's hash matches the official release; better still, verify the developer's PGP signature on the download, which Electrum publishes for every release

Special thanks for contributions to this article and intelligence to DomainTools, Elliptic, Phishfort, MyCrypto, and other security professionals at wallet companies/exchanges in crypto community that we will keep anonymous, you know who you are ;)

Appendix A — Malware Campaigns

Campaign #1

This campaign relies on sending malicious error messages to older Electrum clients, instructing them to download backdoored versions of the client. Based on the malware analysis, this is the same actor as Campaign #1 outlined in the previous part of the report.

Domains for this campaign:

https://electrum[.]bz
https://electrumproject[.]org
https://electrumsecure[.]org
https://electrum[.]la

The malware is a backdoored build of the Electrum 3.3.3 wallet, distributed under the fake version number 4.0.0. Hashes (MD5):

8324ecf39c1f297d781e735ece4abb81 Electrum-4.0.0.0-release.apk
3ff2d49aee1198454f33efea26f08c0a electrum-4.0.0.dmg
e0cef18af25e66fc7c5734ea89be62ef electrum-4.0.0.exe
788055c6b769a1e515a60f9e851f5b46 electrum-4.0.0-portable.exe
6a48a4b0aecf5eaf9a4d8139a152be59 electrum-4.0.0-setup.exe
4e77091af3c083f97b54355e0d36f92e Electrum-4.0.0.tar.gz

Redirects transactions to the following address:

bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x

Modifications made:

  • Disabled various application warnings
  • Disabled update mechanism
  • Caches application password

The malware has also modified the default node list, removing the majority of nodes and leaving only the following intact:

bitcoin3nqy3db7c[.]onion
electrumxhqdsmlu[.]onion

It has also added the following new nodes:

luggscoqbymhvnkp[.]onion
ndndword5lpb7eex[.]onion
ozahtqwp25chjdjd[.]onion
qtornadoklbgdyww[.]onion
s7clinmo4cazmhul[.]onion
wsw6tua3xl24gsmi264zaep6seppjyrkyucpsmuxnjzyt3f3j6swshad[.]onion
oneweek.duckdns[.]org
electrum.electrumxm[.]com
electrum.elastics[.]info
electrum.esrv[.]one
electrum.ssrv[.]info
electrum.fullhealth[.]net
electrum.tnsfr[.]link
electrum.livex[.]biz
electrum.rollerco[.]xyz
electrum.arcade[.]tel
electrum.bip[.]click
electrum.xs500[.]net
electrum.lightspeed[.]tel
electrum.txid[.]pw

Campaign #2

The backdoored Electrum wallet attempts to upload the base64-encoded private key to the following server:

http://38.128.66[.]3:4285/post/data=[KEY_BASE64]

Campaign domains:

https://www.electrumsecuredownload[.]com

Malware samples:

313562c72732ac7a9ad43571ac7e5856 electrum-3.4.0.exe
e35a2e2c5180c6b63e534cb1c4671552 electrum-3.4.0-portable.exe
068d4ebe8901f00b7df9e885198bbc32 electrum-3.4.0-setup.exe
d9a7365787febee99a1d95ee9aeaad8b electrum-3.4.0-x86_64.AppImage

Campaign #3

Propagates by sending fake error messages through malicious servers. Targets Electron Cash, a BCH fork of Electrum. Unique in its use of sharefile.com to host the downloads.

Standalone executable: https://Electrum.sharefile.com/d-s133ec465886459b8
Windows installer: https://Electrum.sharefile.com/d-sd63f248b96c410d9
Portable version: https://Electrum.sharefile.com/d-s8e5840fd61d46dfa
macOS: https://Electrum.sharefile.com/d-s356f875975c47079

Hashes for the above (MD5):

5768cf5db5ca9fd8c97a42779b1c3601 Electron-Cash-3.3.6.dmg
fee2190475e8d1742a65c5c8a49cc517 Electron-Cash-3.3.6.exe
3b149a9d7ad6f4032f386d2f08968f08 Electron-Cash-3.3.6-portable.exe
0f2b668e71a086ab662ddc25a7486135 Electron-Cash-3.3.6-setup.exe

Campaign #4

A distinct actor that uses malicious nodes to trigger phishing error messages in older Electrum clients. The actor appears to be relatively new and uses several unique techniques, described below.

Phishing site:

http://electrumwalletbtc.hopto[.]org

Malware samples:

21655fdacbfac2b187f0a5f98f39888e electrum-3.3.4-portable.exe
80f570f3026f4a09d5eff3c29858fa63 electrum-3.3.4-setup.exe
77f846b48ad7a625f585c1f126dc2252 electrum-3.3.4-x86_64.tar.xz

The malware is unique in being built from the latest source on the official GitHub repository (HEAD at commit 441da52b at the time). It makes the following modifications to the files:

  • Disables the update UI options
  • Captures the user's seed and forwards it to the C2 URL as HTTP POST parameters {'s': seed, 'se': seedext}

C2 Domain:

http://electrumwalletbtc.hopto[.]org/time.php

Appendix B — Infrastructure

DNS Infrastructures

eiectrum[.]net, 185.222.202[.]108, AS204725 UVL2-ASN, UA
myelecrum[.]info, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrume[.]com, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrume[.]org, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrume[.]info, 185.222.202[.]108, AS204725 UVL2-ASN, UA
btc-electrum[.]com, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrumapp[.]org, 91.211.89[.]115, AS206638 HOSTFORY, UA
electrumbitcoin[.]org, 91.211.89[.]105, AS206638 HOSTFORY, UA
myelectrum[.]org, 91.211.89[.]112, AS206638 HOSTFORY, UA
electrumsecure[.]org, 93.171.158[.]14, AS201094 GMHOST, UA
electrum[.]vc, 93.171.158[.]14, AS201094 GMHOST, UA
electrumapp[.]com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumapps[.]net, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumbit[.]org, 93.171.158[.]14, AS206638 HOSTFORY, UA
electrumgit[.]com, 93.171.158[.]14, AS206638 HOSTFORY, UA
electrumgroup[.]net, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumsoft[.]net, 93.171.158[.]14, AS206638 HOSTFORY, UA
electrumversion[.]com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumreleases[.]org, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrum[.]sx, 91.211.89[.]100, AS206638 HOSTFORY, UA
eilectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
eliectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
ellectrium[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
elliectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum[.]net, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum[.]pro, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eectrum-9hb[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eletrum-45a[.]com, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
electrumapp[.]live, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrumbch[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrumdownloadserver[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrumlite[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrumlitecoin[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrumn[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrumsecuredownload[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrumx[.]org, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrunm[.]org, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
getelectrum[.]live, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST - GLOBALTELEHOST Corp., CA
electrum[.]sx, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumhub[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumnet[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumreleases[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumsafe[.]org, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumstart[.]org, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumware[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrum[.]bz, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumcircle[.]com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumproject[.]org, 93.171.158[.]14, UA, 2019-03-14T01:07:36Z, AS201094 GMHOST, UA
electrumweb[.]net, 185.200.190[.]204, UA, 2017-11-30T02:49:16Z, AS42533 DCUA-AS, UA
electrumsource[.]org, 185.200.190[.]204, UA, 2017-11-30T02:49:16Z, AS42533 DCUA-AS, UA
electrumfix[.]com, 185.200.190[.]204, UA, 2019-02-12T20:05:56, AS42533 DCUA-AS, UA
electrumbase[.]net, 185.200.190[.]204, UA, 2019-02-12T20:06:06, AS42533 DCUA-AS, UA
electrumsite[.]com, 185.200.190[.]204, UA, 2019-02-12T20:03:03, AS42533 DCUA-AS, UA
electrumbuild[.]com, 185.200.190[.]204, UA, 2019-02-12T04:27:08, AS42533 DCUA-AS, UA
electrumcore[.]net, 185.200.190[.]204, UA, 2019-02-09T17:01:22, AS42533 DCUA-AS, UA
electrumapps[.]com, 185.200.190[.]204, UA, 2019-02-07T17:39:44, AS42533 DCUA-AS, UA
electrumbase[.]com, 185.200.190[.]204, UA, 2019-02-07T17:39:54, AS42533 DCUA-AS, UA
www.electrumclient[.]org, 185.200.190[.]204, UA, 2019-02-10T16:34:42, AS42533 DCUA-AS, UA
electrumofficial[.]com, 190.97.167[.]181, PA, 2019-02-07T23:53:20, AS27956 Cyber Cast International, S.A., PA
carderstuff[.]pro, 190.97.167[.]181, PA, 2018-11-01T13:00:55, AS27956 Cyber Cast International, S.A., PA
privatstuff[.]site, 190.97.167[.]181, PA, , AS27956 Cyber Cast International, S.A., PA
privatstuff[.]store, 190.97.167[.]181, PA, , AS27956 Cyber Cast International, S.A., PA
electrumbase[.]org, 91.211.89[.]103, UA, 2019-02-06T20:20:41, AS206638 HOSTFORY, UA
electrumsafe[.]org, 91.211.89[.]103, UA, 2019-02-04T18:35:10, AS206638 HOSTFORY, UA
electrumware[.]org, 91.211.89[.]103, UA, 2019-02-06T20:20:02, AS206638 HOSTFORY, UA
electrumcore[.]com, 91.211.89[.]103, UA, 2019-02-07T02:57:10, AS206638 HOSTFORY, UA
electrumopen[.]org, 91.211.89[.]103, UA, 2019-02-06T20:20:22, AS206638 HOSTFORY, UA
electrumget[.]com, 170.130.175[.]154, DE, 2019-02-07T21:37:16, AS49532 SERVERHUB-NL, DE
electrumdownload[.]com, 91.211.89[.]107, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
electrumdownload[.]org, 91.211.89[.]102, UA, 2019-02-04T18:30:03, AS206638 HOSTFORY, UA
goelectrum[.]com, 91.211.89[.]113, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
getelectrum[.]com, 91.211.89[.]100, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
electrumupgrade[.]org, 91.211.89[.]106, UA, 2019-01-29T19:57:55, AS206638 HOSTFORY, UA
electrumupdate[.]com, 91.211.89[.]101, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
electrumpgrade[.]com, 107.161.23[.]204, US, 2019-01-29T07:00:00, AS3842 RAMNODE - RamNode LLC, US
electrumdownload[.]com, 91.211.89[.]107, UA, 2019-02-10T07:00:00, AS206638 HOSTFORY, UA
electrumbtc[.]org, 91.211.89[.]110, UA, 2019-01-29T19:57:55, AS206638 HOSTFORY, UA
downloadelectrum[.]org, 91.211.89[.]111, UA, 2019-01-29T19:57:55, AS206638 HOSTFORY, UA
downloadelectrum[.]com, 91.211.89[.]108, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
btcelectrum[.]org, 91.211.89[.]109, UA, 2019-01-29T19:57:59, AS206638 HOSTFORY, UA

Interaction with Darknet Market sites

Hydra — hydraruzxpnew4af[.]onion
Wall Street Market — wallstyizjhkrvmj[.]onion

Sample XMR transactions on BitSquare

90321b6890622ea49011c22752011d019d451f61e60fe5b0b73fbf657790f62f
19d39108e709144980564d5c3e9ea193ef3e0f18b9fae19d2afe564bc8490ec4
38da16437b1507db8f48c68131031d1bcda7497d841f3267192b0dcbf8836e57
1af76520fe244174ebe1402e7e7a30182a207e8d02a91b8ed8922ad37299065d
d097233c97361dc09d91d676fcac75356dfef3ee407c525ea697b7f170f61434

Notable addresses

bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x

Written by Peter Kacherginsky: Cryptocurrency, Malware Analysis, Incident Response, Pentesting, BlockThreat.net
