This document is a work in progress.
- Electrum (Bitcoin) (Official site: https://electrum.org/)
- Sparrow Wallet (Bitcoin) (Official site: https://www.sparrowwallet.com/)
- Feather Wallet (Monero) (Official site: https://featherwallet.org)
- JoinMarket (Bitcoin) (Official repo: https://github.com/JoinMarket-Org) (*)
Caution: from here on, links in this gist may point to phishing sites.
- On April 27, 2024 the domain
electrum[.]isis registered. - On May 09, 2024 the domain
sparrowwallet[.]netis registered with Gname.com. - On May 11, 2024 the domain
feather-wallet[.]orgis registered with Namesilo. - On June 27, 2024 user
Andyl98adds these sites to the ArchLinux wiki. (The links have since been removed.) - On July 11, 2024 user
welpokin#featheron OFTC first reports the existence offeather-wallet[.]org. - On September 18, 2024 the domains were added to uBlockOrigin's badware list.
- On September 21, 2024 the client status code for
feather-wallet[.]orgwas changed toclientHold. - As of September 21, 2024 the phishing sites for electrum and feather wallet are offline.
- All sites were redesigned from their official sites
- All sites are heavily SEO optimized and rank just below or above their official sites in search rankings. The sites rank highest on DuckDuckGo.
- All sites use hacked forum accounts or other backlinks to boost search results:
- https://web.archive.org/web/20240920192622/https://lowendspirit.com/profile/receivedthanks/geekyhillbilly/ (
sparrowwallet[.]net) - https://www.waivio.com/@prinz007/about (
sparrowwallet[.]net) - https://note.com/sparrowwallet/n/n4f39a40ded78 (
sparrowwallet[.]net) - https://www.waivio.com/@axelalanis119 (
feather-wallet[.]org) - https://web.archive.org/web/20240920193809/https://www.giantbomb.com/profile/daemoncel/ (
feather-wallet[.]org) - https://web.archive.org/web/20240920212932/https://lowendspirit.com/profile/anzepintar (
feather-wallet[.]org) - https://web.archive.org/web/20240920193229/https://s.v2ex.com/member/hdiwhsg/replies (
feather-wallet[.]org,sparrowwallet[.]net,electrum[.]is) - https://web.archive.org/web/20240920194304/https://forums.gentoo.org/viewtopic-t-551822-highlight-liblber.html (
feather-wallet[.]org) - https://web.archive.org/web/20240920213207/https://www.myminifactory.com/it/users/Jonboy5000 (
feather-wallet[.]org) - https://web.archive.org/web/20240920194410/https://www.altcoinstalks.com/index.php?action=profile;u=88753 (
feather-wallet[.]org) - https://web.archive.org/web/20240920195140/https://sites.google.com/view/electrum-bitcoin-wallet/home (
electrum[.]is) - https://web.archive.org/web/20240920195427/https://www.brandsoftheworld.com/logo/electrum-bitcoin-wallet (
electrum[.]is) - https://web.archive.org/web/20240920234052/https://dribbble.com/shots/24158273-Electrum-Bitcoin-Wallet-banner (
electrum[.]is)
- https://web.archive.org/web/20240920192622/https://lowendspirit.com/profile/receivedthanks/geekyhillbilly/ (
- All sites were built using WordPress.
- All sites feature a 'Terms of Service' or 'Impressum' that points to a fake dev e-mail:
- https://web.archive.org/web/20240801075808/https://sparrowwallet.net/terms-of-use/
- https://web.archive.org/web/20240920190838/https://electrum.is/impressum/
- https://web.archive.org/web/20240913184627/https://feather-wallet.org/terms-of-use/ (the fake e-mail was removed in later versions of the site)
- All sites have/had a corresponding fake .onion address:
feather-wallet[.]org-http://featherusyc3og3wf35x2bmvqralsynawxcx2odv63d66y63bjkzroad[.]onion/(linked at the bottom of the site, Onion-Location header)electrum[.]is-http://electrummm63pdlnoi4wcczvs7ruf7fqdp6stfve2dm5odj444a7mrad[.]onion(was online, now offline)sparrowwallet[.]net- (this existed at some point, lost it, no longer listed on the site)
- Some sites point to a fake Telegram channel:
- Earlier versions of
feather-wallet[.]orgpointed to@feather_wallet(not archived) sparrowwallet[.]netpoints to@Sparrow_Wallet- The Telegram channel
@TutorialBTCEnghad a "guide" pointing toelectrum[.]is:
- Earlier versions of
download.feather-wallet[.]orgwas configured to proxy downloads to the real site. Whenever I banned the IP address of the proxy server, it spun up a new instance on Azure Cloud. This continued until I banned all Azure CIDRs. The phishing site now hosts the binaries themselves.- (*) The attacker likely also controls
joinmarket[.]org, registered on May 15, 2024 with Tucows. It was listed on https://slides.com/noaw, which also featured fake presentations pointing tofeather-wallet[.]organdelectrum[.]isbefore the content was deleted. Thejoinmarket[.]orgsite does not appear to host any content at the time of writing. - None of the sites have been shown to serve malicious binaries, however we strongly suspect they are targeting specific users based on geolocation, user agents, etc.
- feather-wallet/feather#198
- https://wiki.archlinux.org/title/User_talk:Tobtoht#Removed_cryptowallet_phishing_links
Extensive discussion on this topic can be found in Feather Wallet's matrix room.