Malware (and other avenues of losing money)

Dimecoin (when used as intended) is non-custodial money. With fiat in a bank (custody), the bank is responsible for safe-guarding it. With dimecoins, the user is responsible for safe-guarding it.

Electrum-Dime is non-custodial wallet software, meaning the software installed on the user’s computer has complete and exclusive control over all funds. For example, no developers or third-parties can access/move/see your coins.

However, this model makes dimecoin users prime targets of malware: compromising the user’s computer can lead to stealing all their dimecoins.

Attack Scenarios

Malicious Clone

i.e. downloading (clone of) Electrum-Dime from unofficial source

Attackers often clone our website and host it on lookalike fake domains. They then pay for Google ads to advertise their fake domains.

The official Electrum-Dime project does not pay for Google ads.

When users search “electrum-dime” on Google, they see the malicious ads, click them, go to the lookalike website, download malicious clones of Electrum-Dime, and run it. When running the malware, “Electrum-Dime” seemingly opens and the user enters their password to open their wallet file. At that point, the software broadcasts a transaction sending all money out, and/or uploads the seed words to a remote server.

  • Signs of Compromise: if you see a transaction in your wallet history that you do not recognise, AND that transaction moves all your coins AND your wallet balance is now zero (shown in bottom left corner), then you might have downloaded malware that stole your coins.

  • Defense: users should only download Electrum from official sources (and verify GPG signatures).

Clipboard Hijacker

A clipboard hijacker a simple external program (virus) that monitors the user’s clipboard: every time the clipboard changes, it checks if it is a dimecoin address, and if so, replaces it with another dimecoin address that belongs to the attacker.

The idea is that usually a dimecoin address being copied means the user is going to paste it to a wallet right away and send money there.

  • Signs of Compromise: if you copy a dimecoin address and then paste it to a text editor, a different address gets pasted.

  • Defense: users should preview (and confirm details of) any transaction they sign before signing it.

Compromised PC

i.e. having other malware present on computer that accesses wallet file or RAM and steals your seed words

When using a “standard wallet” in Electrum-Dime on a PC, any (sufficiently privileged) other program on that same PC might get access to the wallet file and try to steal the seed words. More advanced attacks might dump the main memory (RAM) and find the seed words or private keys or the wallet password (given the right timing).

Posing as Support

i.e. posing as “support” on forums, Telegram, Discord, etc (social engineering)

If you post on telegram/discord/reddit/bitcointalk/etc, attackers might reply or send a private message claiming to be “Electrum-Dime Support” or “Customer Service”. They might then ask you to download a new version of Electrum-Dime and give you a link, or ask for your seed words. They may also directly ask for money to process your issue faster.

There is no paid customer service. These are scams. Be vigilant.

Any support provided is always in public and you will never be messaged first!

Backup Accessed by Flatmate/etc

The seed/private keys should not be stored digitally, but instead preferably on paper. Paper cannot be hacked.

Be mindful of where you keep your backups (written down seed words). E.g. a roommate might find a piece of paper and move your coins.

Taking a photo of your seed, and especially uploading that photo to cloud storage, is asking for trouble. So is generating/entering the seed in a public place.

Planted Wallet File

An attacker might copy their wallet file onto the victim’s computer. The next time the victim runs Electrum-Dime, it is the attacker’s wallet that gets opened. If the victim does not notice and generates an address to receive on, any incoming funds will go to the attacker’s wallet.

This attack can even be done before Electrum-Dime is installed at all. The attacker places their wallet file where Electrum-Dime would expect to find it, and leave it there for months/years until the user downloads Electrum-Dime.

  • Defense: use password-protected encrypted wallet files and be suspicious if you were not required to enter the password to open the wallet.

Defense, Best Practices

In increasing order of complexity:

  • only download Electrum-Dime from the official website

  • password-protect wallet files (using built-in methods)

  • verify GPG signatures (of the downloaded Electrum-Dime executable, before running it for the first time)

  • don’t use hot wallets for holding large quantities of dimecoin

    • use 2fa, or multisig wallets (across different computers or phones)

    • use hardware devices to sign (such as Trezor)(coming soon)

    • use cold storage / offline-signing setup

  • double-check recipient addresses and amounts using a second/trusted source, before signing. check the address:

    • on the screen of each multisig cosigner

    • on the screen of the hardware signer

    • on the screen of the offline signer computer

Help! My Coins Have Been Stolen!

Dimecoin transactions are irreversible, so in case of theft, there is unfortunately nothing the developers (or anyone) can do to recover the money.

If you know how the attack worked, you are welcome to tell the developers. It is useful for us to know about the type and number of attacks, to try to prevent or mitigate future attacks. If the stolen amount is substantial enough, consider reporting the theft to the police.

If you think what happened might have resulted from a bug (and not malware), we ask you open a bug report.

Can I Keep Using the Wallet?

If your coins got stolen, you must not keep using your existing wallet (the same seed words). If you send more coins into your wallet, those too will likely get stolen.

  • You should wipe/format your computer and do a fresh re-install of the OS.

  • Then you can download Electrum-Dime again (from the official website this time!).

  • Then you need to create a new wallet, as in, generate a new seed.

My Anti-Virus has Flagged Electrum-Dime as Malware!

See the relevant FAQ section.