Bitcoin Forum

I have not used this wallet for years, i have alreay forgotten about it on my PC,at some moment i needed to pay some online service , it adviced me to pay via wallet and it showed up , the message occured with error then to uprgrade your old version, of course it is natural after to 2 years. Yes i understand my fault that i should check signatures , download directly from the site and other blablabla. But where is assurance that in new version of software will not happen the same shit. I think that is partly developers fault that we lose our money. I am absoultely lost, it was all my earnings  i accumulated , the sum is really big, the main idea now is to kill somebody who involved

The same thing won't happen again since it has been already fixed (https://github.com/spesmilo/electrum/issues/4968). Before the 3.3.3 update was released, Electrum had never notified users of available updates. You are the one at fault. No wallet is completely secure and bug-free.

who knows about that? 10% user who sitting on this forum? I am not a one ,try use google seach there are thousend victims!

the same thing of course will not happen but the other one can happen easily. The product is raw and they are testing bugs by our money lost

I am aware of that. Still, all of these users are at fault for not using the common sense. If you had looked at your address bar, you would have noticed that you were not on the official website. Everything that involves money should be proceeded with extreme caution. Do you check if you are on the correct website when logging in into your bank account? That's basically the same.

You know deep inside that you should have never left such a really big amount in a desktop wallet. That you should have bought a hardware wallet.

Desktop Wallets in your daily PC are just for a few bucks. Buy a ledger or a trezor and never lose money again.

i always used apple app on my iphone, the thing was that i didn't know that electrum is still installed on my PC and linked to my wallet from the old times

That's not any better either.

Actually, sharing the same seed on two insecure environments will just double risk your funds....

Just buy a hardware wallet, or study good security practices like making an airgapped computer (there are also risks involved if you make a mistake or ignore some security recommendations).

The developers are at fault that you have fallen for a phishing message ?
It is stated on the website (and on this forum and almost everywhere on the internet) that you need to verify the signature to make sure you are using the original software.

I am sorry to say, but only you are at fault. No one else.




So you were storing all of your coins on a wallet shared between your computer and your mobile phone ?

It seems you need to reconsider how you store your coins. Try to acquire knowledge regarding secure storage of sensitive information. This forum is a good place to do so.
If the sum was really big, why did you store it on a computer which is connected to the internet, shared with your mobile phone  ??? Why no hardware- or paper wallet ?




Verifying the signature is common sense if you spend at least half an hour reading about securing funds.




Just read what the website says and follow. Verify the signature and don't click on any link you see. As easy as that.

A message from the electrum server you were connected to told you to update the software.

If you would have checked the link, you would have realized that it lead you to a fake website (or to github without any source code).
This, combined with the fact that you didn't verify the signature, lead to your funds being stolen by malware.




As already mentioned, verify the signature before installing (as stated on the website).




1) It was never very secured if you stored it on an online computer AND your mobile phone.

2) They got stolen once you downloaded and installed malware, electrum is not at fault.

If you used Chrome to download a fake version of Chrome, installed it, opened it, used it for online shopping, and typed all your personal info and credit card details in to it, would it be Google's fault when your credit card gets cloned and used by someone else? If someone phones you up and tells you to transfer all your money to their bank account, and you do it, is it Apple's fault for providing you with a phone? The Electrum website quite clearly states right at the top "Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures." If you ignore their clear instructions and do things they tell you not to do, then you can't hold them liable when things go wrong.

Software wallets, in particular mobile wallets, should never be considered truly safe anyway. If you wanted to protect your coins long term, then you should have invested in a hardware wallet or an airgapped machine.

ok but my credit card has second security stage,limits etc and i never care about it althought never downloaded fake chromes. I just wanted to say people who created electrum should be more responsible for security as bitcoin is not protected at all.  Everything looks very tricky, you open your old version programm, it asks for the upgrade, of course how you can suspicious about that if you are an ordinary user who check your wallet once in 2 years and never sitting on forums. All you write here is true but it works only for very attentive people sitting here

And so do crypto exchanges, where many newbies store their coins. The whole point of bitcoin is to "be your own bank" and not have to rely on a third party to look after your coins for you. You have complete control over your own money, which is very powerful, but yes, also risky if you don't know what you are doing. If you weren't confident in your ability to securely hold your coins yourself, then you should either of spent more time reading and learning, or handed over your coins to someone else to look after on your behalf like you do with fiat and banks.

Bitcoin is far more secure than fiat, provided you use software properly and properly secure your wallets. If you download a program and then ignore instructions and use it incorrectly, I'm afraid the fault is with you, not the developers.

Sorry for your loss, these darn phishers seem to be getting away with a lot of stolen funds D:

If I may,  how much was lost?

The only mistake Electrum developers did was to allow servers to send those messages. But that mistake was realized and rectified in version 3.3.3.
It sucks to lose your money, I am sure. But this is 99% your fault. Nothing anyone says here can change the fact that your funds are gone.
I have been properly using Electrum for a long time and never had any problems. I also use cold storage options for the crypto that is worth saving.

What is the point to talk to someone about something that is supposed to do long time ago? He is not first and certainly not the last person who will lose money in this way, this is unfortunately something that will happen for years to come. As I said before, there are those who open their wallets every one or two years, or in time when BTC price is going up - probably 8 of 10 will download that fake wallet.

There is no doubt that the main culprit in this story is Electrum developers who have not noticed this vulnerability, and in doing so they allowed some bad people to steal large quantities of BTC, and they will do that for years.

So we can say that users are guilty of becoming victims of phisning, and this is true - same as Electrum is guilty for served as the perfect platform for such an attack.

Somehow I fear it's not emphasized enough that people should not keep big amounts of money in hot wallets, wallets that go online, even if that happens very seldom.
Just because all the bad things can happen, no matter whose fault is.

I mean: we (as community) kept telling people that web wallets are not safe enough. But hot wallets can be a problem too.

I don't feel like electrum is responsible for anything.

It is an open source wallet and everyone should use common sense when dealing with sensitive information (what private keys are).
You can't blame electrum for serving as a kind of platform to perform such attacks. You'd have to also make banks responsible for online-banking or check-fraud and the universities of the US for creating email - which is the most common 'platform' for phishing.

Just because someone offers a platform or technology, doesn't mean he is responsible for anything which happens with it.
You don't blame Satoshi for creating bitcoin and the involved crimes (blackmailing, money laundering, etc..), do you ? Or the Gov for their FIAT and the involved crimes (drug dealers and hitmen being paid with FIAT, etc..) ?

You mix things that should not be mixed -  banks, universities or fiat are something completely different then cryptocurrency. How can you say that Electrum developers "is responsible for anything", they develop that software and they did not see that vulnerability which was used for distribution of fake wallet.

Let's put aside ignorance of users, they are the victims of their ignorance, but it all start with exploit in Electrum - saying that all blame is on users is not fair in my opinion.


I agree that there is a problem in fact most of us maybe create public opinion by saying "Do not use web wallets", and most users think desktop wallets are safe option. I am not sure is it more appropriate to direct users to hardware wallets, so far they are safe, but who can guarantee that this will be the case tomorrow or in a year?

There is not a single software without vulnerabilities. Not a single one.

And the vulnerability in electrum has a CVSS score of roughly 3/10.
That is very far away from a sever vulnerability. The severity is low.. at max.

There is absolutely nothing which can happen based on this vulnerability. The user has to make several mistakes in a row (falling to phishing message, downloading from a fake site, not verifying signature, executing malware ..) in order to lose coins.
Those people most likely also would fall for a cheap phishing mail.

IMO absolutely their fault. No one forced them to use electrum. And neither did anyone force them to download malware from a fake site.

Well, cold wallets are safe and nowadays they're not so difficult to set up.
And there's always the option of storing on paper wallets (of course, they have to be properly done, and of course, there were problems there too, mostly because of not-random-enough seeds).
But you are right. Human error is always a factor that has to be properly counted in.

I would agree with you until I have seen this post:


Even after I have read about the dots, still I was trying to clean the screen because I was sure it is something on the screen.

I think this one is the biggest threat from all fake URL's I have seen so far and people should be aware of these.

actually this does not concern wallets at all because technically you should not even care where you download the binaries from because even if you download them from the official website it still is not safe until you cryptographically verify its digital signature.
the only thing that you should ever worry about is acquiring the real public key of the developer. then you could even receive the binaries in your Email from someone and check the signature with that public key. as long as PGP is not broken (which it is not) there is no way to fake this.

those people who got scammed (mentioned in the comment you quoted) got scammed because they never bothered with signature verification ever.

I agree with you and we should do all we can to inform at least Bitcointalk members about this and educate further on how to use PGP encryption and programs like Kleopatra.
As we all know the most used OS is Windows and this is not so easy to verify signatures on this system for beginners or not tech-savvy people.

To be honest, I have never checked signatures until today. Already downloaded Kleopatra (a couple of times) and started the process (with the help of a how-to tutorial) but always gave up halfway.
I am sure, I have failed every time because is just not easy to set up PGP and I wasn't needed it very badly, for example, to secure all my BTC holdings. In such circumstances, I would do it for sure, no matter how time-consuming and complicated it could be.

This is not the first time we have problems with malicious links to wallets on the web and here on Bitcointalk. I think I have seen already all kinds of wallet hacks: changed links in quotes, changed links in ANN and bounty threads, posting links from hacked accounts, malicious updates and pop-ups, fake redirects, counterfeit signatures, etc. You name it - I have seen it.

Still, I haven't heard about signatures check using PGP, until a couple of months ago, when the problems with Mycelium wallet exploded. I am very long and frequently here on the forum and from what I have seen, everybody was always using VirusTotal, as a reference tool, to check the wallets for viruses and verify them. In all wallets reviews posted here, I have never seen a single PGP signature check to be made.

Sometimes viruses were found by VirusTotal in wallets and I have written about this, to warn other members. I just couldn't believe, that some of them tried to defend these wallets, vouched they were clean and all found viruses are only "false-positive" and totally not harmful  ;D. In the beginning, there were no viruses in wallets at all, even false-positives, but somebody started misinformation (on purpose), wrote a couple of posts, articles, answers about false-positive matches on VirusTotal. This way changed the opinion of enough members, to bring chaos and total misinformation about false-positives virus warnings in the scanned wallets. In my opinion, it was made on purpose and we have missed it on our watch.

I think, the best way to handle this is an informational campaign, to let people know about the need for PGP signature check and how to do it correctly. There is actually no other way, to be relatively safe when downloading something online, as to do the PGP signature check every single time. We should talk about this and keep repeating on every occasion, especially in the Beginners and scam sections. If we start to do it, I am sure, members will create a lot of additional content about PGP (tutorials, translations, guides to Kleopatra, etc) and the word will keep spreading further kinda automatically.

Have you seen Abdussamad's (https://bitcointalk.org/index.php?action=profile;u=85981) page of Electrum guides at https://bitcoinelectrum.com/ (https://bitcoinelectrum.com/)? There is one for how to verify Electrum using Kleopatra (link here (https://bitcoinelectrum.com/how-to-verify-your-electrum-download/)) which is pretty straightforward to follow and use. Hopefully it should help you out. Make sure you double check Thomas V's GPG key which appears on that page, to protect yourself in the rare chance that that site is hacked.

There is no way to contact everyone who uses, or intends to use, Electrum - there is no database of users, in-wallet messaging service, or email sign up. The best that can be done is to give clear instructions on the site, which is already done. On the landing page it says to verify the signature, and on the download page there is a box which explains why you should verify signatures, and provides links to various tutorials.

As you say, we can talk about it on the forum, but the majority of threads are ones such as this one - users who have already ignored the instructions, installed malware, lost their coins, and then come to complain. Few users seem to spend any time doing basic due diligence before downloading and install new software.

I agree with you, but I was not talking only about Electrum wallet but rather had in mind a much bigger picture. What I mean is that we should try to inform people (best we could) to develop a habit, to check every signature of the downloaded file using PGP, especially when it goes to programs with sensible data, but not only of course. The best outcome would be when literally every download will be checked. This is exactly, as it was with VirusTotal, at some point, I started to scan almost all URLs, files, downloads which were new or seemed suspicious to me. So far I was never hacked or don't know about it.

I almost fell for this and wasn't aware of how you got notified of Electrum updates.  I got a pop-up to upgrade and proceeded to do so, but my virus protection software said the update had malware on it.  Crazy.  That was like 2 months ago or so.  I assume that's the issue OP had.

Aside from that, Electrum is a great wallet--you just have to be careful about hacking attempts, I guess.  I wouldn't go so far as to blame OP for falling for the trick, as he hadn't used the wallet in some time and had no reason to think he'd get scammed that way. 

And if you ever wonder why the average person won't adopt bitcoin, see the above quote.  Lol.

The average person is not ready yet to take responsibility for their own money.
It is the average person who gets involved into credit card fraud because they entered it into a shady site or in an open wifi.

Verifying signature is a mandatory step which takes less than a minute. And with all the guides available and all the messages telling you to verify it, it is quite sad that people still don't do that.

We definitely can have adoption of bitcoin. But first we need some idiot-proof wallets (e.g. hardware wallets embedded into mobile phones with triple checking of everything).
Hardware wallets can already be used by average persons, if they are capable of reading and double checking the address on the display.
It is just that the riskier wallets (desktop-, mobile- and paper wallets) need more tech savy people who know how to protect digital information and how to verify integrity of data.

I agree that would be ideal, but the chances of 100% of users checking 100% of the time is 0%. People should also always be checking the URL of the page they are entering their details in to, they should be checking the sending address of the email claiming to be from their bank, they should be scanning every file they download for malware, they should be double checking the sending address they just copy pasted, and so forth. Unfortunately, most people don't pay any attention to basic security and safety measures until they have already fallen victim.

It's for these reasons that banks keep implementing more and more security steps you have to go through and hurdles you have to jump to be allowed to spend your own money. People who pay no attention and keep getting scammed make the system worse for the rest of us. As bob123 says, we do have an issue with wallets being too complicated for the average person, whose only tech knowledge is how to post selfies on social media.

well it is a matter of how you value your own security. sometimes we have to endure the complicated process to reach the high security we need. it doesn't come cheap.
with that said i am a windows user and have only verified signature on windows once. i didn't like Kleopatra either. but i did a workaround, i used Ubuntu. download verify Ubuntu signature and now i have that for easy verification each time i download a new software.

it is probably the biggest attempt but certainly not the first. there has been a lot more in the past, i myself have reported at least 10 or 12 malicious repositories on github trying to fool people into thinking they are downloading the "real" electrum from the "real repository"!

from 2016: https://bitcointalk.org/index.php?topic=1588906.0
a good idea to inform others as much as we can, but still the information is already out there, users must look for it themselves.

How did the OP get the error message which had the clickable link to the fake Github page? A few months ago most Electrum server nodes started to crash any clients to prevent this from happening.

When he last used Electrum he had a server list of Electrum nodes, it most likely tried to connect to those nodes. 100% of those nodes were good nodes and one of those should of crashed his client before he accidently found a node which was fake to display the message.

I think this the main reason why people don't use PGP encryption more often or even don't check the signatures because is too complicated.

I wonder if there is no improvement possible?

A very easy to use, super user-friendly PGP software that every not tech-savvy person can operate would be a perfect solution.


As I said before and your words confirm my statement that PGP is not used because is too complicated. It starts with download where people are immediately confused because there is a set of programs and to be honest only Kleopatra is needed but an average person doesn't know about this and download the full package (which only makes the confusion even bigger later on). Every next step is more confusing and I am not wondering that almost nobody is using this if they really don't have to.

I think my computer knowledge is much higher as by an average person but still, I find PGP encryption using Kleopatra not easy to do, especially if one has to do the initial setup on his own and never had any experience with PGP or Kleopatra.

Maybe there are other better and more user-friendly PGP programs and I don't know about it?

If you think about it, it really isn't complicated at all. All you have to do is read the instructions and follow them. The problem is that people are lazy.

The first step mentions you only need Kleopatra so don't even bother installing the rest or if you do, you don't need to use them ever.
Everything else is explained step by step. There are even pictures.

https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

Electrum is fixed phishing pop-up notification completely in version 3.3.4, and any version under that is still vulnerable to such attacks. Users who still have older versions and are not aware of the danger will be the victims of such attacks for a very long time. Unfortunately, there is no way for such users to be contacted, they have a potential threat on their computer and if they go the wrong way with update, they will lost their coins same as OP.

Looks like very easy setup, which is strange because tutorial which I was using back then, was a lot more complicated and required many more steps.

The only difference is, that I was trying to decrypt a message back then and now this is a signature check for Mycelium wallet.

I will try it for sure, thank you very much for the link.