Bitcoin Forum

According to a tweet shared on the CZ Binance twitter page, a trader has lost around 1400 BTC due to electrum software updates. Some other users of electrum wallet also complained that the message about update comes directly from the electrum server.
https://i.imgur.com/p4jTTwS.png

https://github.com/spesmilo/electrum/issues/5072#issuecomment-683356052

I doubt Electrum has anything to do with this scam! The person was probably using a compromised wallet .exe file. See what he says,


So I suggest you to change the subject line of your thread as it seems that Electrum itself did such scam!

Anyone holding such amount of BTC should get updates what's going on around. The guy didn't access his wallet since 2017 and installed an old wallet. It's definitely a mistake from his side and electrum has nothing to do with it. They should have checked the website before installing an old wallet.

What happened is probably due to the vulnerability already reported in Electrum versions older than 3.3.4.
In versions older than 3.3.4, servers were able to show any message when broadcasting a transaction. The server could easily trick users by asking them to install an update (actually a malware).

Below is what stated on Electrum official website.

https://i.imgur.com/1zkkLvM.jpg

More details about the issue can be found in the link below.
when broadcasting transaction, error message from server is displayed as is (https://github.com/spesmilo/electrum/issues/4968)

So basically this guy was using a ver old version of Electrum which he would have downloaded from some unofficial source and this made the hackers able to steal his funds from his wallet. This is completely the user's fault since he should have installed the latest version of Electrum and that too from an official source.

So, this is the link to the CZ tweet. https://twitter.com/cz_binance/status/1300060478656274433

I tend to agree and I suspected that this was also might have happened. I almost downloaded a phishing link before that popup on the app of Electrum at this version (3.3.4) but good thing I went to the official website and download the latest version. The warning on the Electrum app will not probably appear if you are currently at version 3.3.4. and the victim has used an old version.

Sad to know that the most who will fall in the trap are those who didn't know how to secure their wallet. Once you have Bitcoin, you should also know technical stuff to secure your assets. If the victim know how to verify GPG signature before downloading app, might the Bitcoin is safe.

A small update isn't gonna cause such a big loss in bitcoin. Every big loss will be caused by a big team or it'll be executed by the team itself. What' has happened with Binance trader too seems to be a planned scam. 1400 BTC is a big volume, and Binance will not ruin its reputation with this volume of funds. The reserve of Binance is much high compared to the value that's been scammed. Electrum has gained trust as a best wallet, but this isn't fair play from electrum.

I hope he didn't put all his eggs in one basket.

If I had 1400 bitcoin in an electrum wallet, I would also have at least 1000 in some other wallet and apart from that a lot of money in fiat, stocks, mutual funds etc.

I doubt the victim is updating his wallet using the official Electrum website which is Electrum.org. The message about update should come directly from the Electrum server but it could happen that the user made the downloading of the latest version from an unofficial site of Electrum, a phishing site most probably.

thread title is misleading, probably bc of the wording used, i think it should be "Because of vulnerability in wallet, user lost 1400 btc" ???

regardless, why would anyone use old software to open their wallet? let alone if there's 16 million dollars worth of btc in the wallet? no one to blame but the user...And he shoulda spread those coins to different addresses, but according to the tx, this person has been hodling those coins in the same address since 2017 :/

CZ is so dumb, "Not your code, not your funds." really now?  ::)

I was finding it hard to believe this case. After all, 1400 BTCs in 2017 had a value between 1,1M$ and 28M$ (back then), and even if the last time he used the wallet was when the value was on the lower range of the two, it does not seem plausible for a trader not to have used the wallet all the way through the ATH (and the 28M$ equivalent) and subsequent fall in price.

He does provide the BTC address of the recipient, bc1qcygs9dl4pqw6atc4yqudrzd76p3r9cp6xp2kny, and it does indeed receive the said amount on the 29/08/2020. What’s more, the recipient’s address is related to fake electrum updates here on this forum:

Trying to take my money (https://bitcointalk.org/index.php?topic=5218655.msg53638793#msg53638793)
 I lost my Bitcoins by fishing attack "update electrum 4" (https://bitcointalk.org/index.php?topic=5267471.0)
 Bitcoin 'successfully' transferred to an invalid bitcoin address  (https://bitcointalk.org/index.php?topic=5182537.msg52383421#msg52383421)
Lost Money? (https://bitcointalk.org/index.php?topic=5216795.msg53579903#msg53579903)
 What to do when i sent bitcoin and receiver states they didn't receive it?  (https://bitcointalk.org/index.php?topic=5253517.msg54566254#msg54566254)

The address is certainly related to fake updates, as the above threads point towards. The only doubt is if @1400BitcoinStolen really suffered this in person, or is piggybacking on some other person’s case, but the TX exist to the scammers address with prior cases of a kind.

It still surprises me how someone can own 1,400 BTC but still fail to secure the Bitcoin stash using a couple of Hardware wallets that don't cost more than 100 quid each  ::)

That was very dumb of him and I guess he had to pay $16 Million tuition fees to just learn that lesson.

This Electrum bug was first published in December 2018, and has been widely publicized and discussed on their website, on GitHub, on this forum, on Reddit, on Twitter, on Medium, on every social media platform imaginable and on every instant messaging service imaginable.

Not only has this user broken the most basic rules (only download from the official site and always verify your download before running it), and not only have they stored 1,400 BTC on a non-airgapped software wallet, but they also haven't kept even the slightest bit up to date or paid the slightest bit of attention to the security of their coins in almost 2 years.

Blaming Electrum for this is moronic. This is like clicking on a random link in an email, downloading the file it leads you to, and then being shocked when your personal data is stolen by malware.

Tell me a person that isn't fool and carries 1400 bitcoins on a non verified electrum wallet. These should be on a cold wallet right now.

Actually no, a "small update" can easily turn out to be a disaster if you don't take care of the security of your millions worth of BTC. I would rather look up the safest way to open a 3-year old wallet worth that much than risk losing it all and crying out loud later. Do you think the scammers only target high-value addresses? Electrum's devs aren't to blame for it. It's just stupidity at its best.

Any news on damages? The rules of the service must specify actions in case of such emergencies. No one is protected from this, but such cases leave an unpleasant imprint on the reliability of storing their assets and savings in cryptocurrency. I hope the investor will be able to return their funds. Good luck!

Not so long ago after binance got hacked, CZ was searching ways to rewind the bitcoin blockchain. He backpedalled after the bitcoin devs explained him how it is an impossible (or damaging, may not really be impossible because eth did it before) thing to pull. This guy is the CEO of the biggest crypto exchange.

So what´s the correct method to update electrum wallet? I might have few of the old ones in my old laptops and when ever i get them working again i was planning to go trough my wallets. But i am afraid of any automatic updates now.

Delete the old one. Re-download it from the official website. Check if it is a valid copy or not by comparing the signatures... Cross your fingers so you won't land on the bugged version.

I really don't feel sorry for this guy at all.
Storing that amount on an online wallet and not checking the signature when installing a wallet is more than just careless. It is extremely stupid.

And blaming anyone except himself just shows how irrational people can be.




There are no automatic updates.
Visit the official website (https://electrum.org (https://electrum.org)) and download the latest version. Then, before installing it, verify the PGP signature. There is a How-to on electrum.org.

Verifying the signature ensures that you are using the version which has been uploaded by the developer and not a malicious one (e.g. from someone who might have hijacked the web server).

moment of silence for that hodler :(


CZ said that Binance already blacklisted the addresses involved, but we all know that it won't help anything.
it can be mixed as well.

so, goodbye 1400 BTC.

1,400 Bitcoin is a huge amount. If you have this kind of bitcoin you can rest the rest of your life. If I lost that amount I don't know if my mind can handle it. How come the owner of this wallet didn't store in much safer storage? How can he have that large amount of bitcoin and didn't know how to secure it? Goodluck to that hodler hopefully he's in the right mind after that disaster.

First of all I don't understand how somebody would hold 1400 BTC since 2017 and not check the balance or install updates. Even if he bought it in 2017 for 1000 dollars and forgot about it it would still be 1.5 million USD spent on Bitcoin. With hardware wallets priced at 100 dollars it's amazing that he did not protect his coins.

From what he wrote it's obvious he had a compromised wallet file and lost it all because he was too lazy to download a legit version from the right site.

Can anyone translate this? I've no idea what they're attempting to say.

If this user has been blissfully unaware since 2017 then I can see how they'd walk straight into this. I expect the person who propagated this will continue to benefit from it as people fire up long untouched Electrum wallets.

If you come back from a long absence you'd better do your homework on the software you stored your coins with. An awful lot can go wrong and be exploited in a year or two, let alone longer.

How come the owner too stupid but yet have 1400btc in his account that untouchable for two years? I guest he must be a billionaire that why he set and forget his bitcoin for a long time now. Maybe that why he so stupid to download the app from unknown resources and not direct official website. It like owner fault that he loses his money and congrats to scammer.. You now a millionaire dude.. 

I'm sure many people have wallets they haven't touched for years. If you're not going to move or sell it why would you? Even then you need to keep abreast of wallet developments.

The old official version directs to this fucked up one so he could have downloaded from the correct source originally and been fooled by this. If you didn't know about it you likely wouldn't question it.

The problem is that not all of the people are technicians/programmers/paranoids. There are just some people that want to invest. A lot. They don't believe that something like that can happen. If I were him, I would just export the private key offline, then I would buy a laptop and make it cold storage. If I were him, I wouldn't put 1400 bitcoins in one address in the first place. Too bad for bitcoin fame. Now anti-cryptos can again mention another scam incident.

The scammer now can rest for his entire life.

We know electrum are not to blame for the attack because they have already stated that wallet older than 3.3.4 are vulnerable to phishing attacks and the problem stated from the person the lost his BTC for installing older version of electrum wallet. However, I dont any electrum user claiming the phishing popup wallet update message was from electrum server.

What he need to change is the part that says "Some other users of electrum wallet also complained that the message about update comes directly from the electrum server."

Could be that sorry but I was wondering also for that long since 2017 that person never accesses his electrum account.
https://i.imgur.com/ZpVsONL.png?1

I'd never say that he's lying to us but kinda weird how it happens. It is because it is not normal to hold that long, keep your funds online and not even bother to check sometimes. It is impossible that it has gone, unless if your account has been hacked or you already forgot the right wallet address you have visited with. Might be ridiculous but can be possible if you have a lot of wallet address and you have miss one of them.

Agree. How can someone who keeps a big amount of Bitcoin never accesses their electrum account since 2017? It seems a bit strange!. Even if you are the long term holder, doesn't mean you only buy Bitcoin and put it on the wallet without check it regularly. Especially, a digital asset, it doesn't make sense if he never checked the Bitcoin. 1,400 BTC isn't a side asset, it is a serious asset and must be threatened in a special way, including active to monitor the price on the market and check the wallet or account where you put it.

I can say that we are still responsible on making our coins to be safe and to think that there would be always wallet upgrades that do happen and if you did just held up your coins for too long
without minding on what are the updates that had been done you would be completely clueless on which one is the right and which one is on the vulnerable side.This malware had been known
last 2018 as far as i remember and its odd for bitcoin holders like this didnt even know on whats happening on crypto world in terms of hack and scams knowing that he do hold up thousands of btc
which means that he do need to know everything on possible hacking ways or exploits and also people do always miss out the basic thing on checking out those warnings or announcements
on the main site itself.

Most electrum users are aware of the said bug and warning from the website itself. Owning 1,400 BTC should make him more careful of updates and bugs from the wallet that he's using.

Is he that a busy person to forget this hefty amount of wealth and download the outdated version carelessly?

This is clearly the user's mistake, to the point of losing 1,400 BTC. For not being careful and careless download Electrum update from
unofficial sources. Therefore it was successfully stolen by hackers, so this incident was not the fault of Electrum. Often lots of people
tricked by hackers with phishing methods, because they did not learn how to secure their own wallets. This incident is a lesson that
always pay attention to the sites we access, do not let us access other unofficial sites.

This vulnerability has been known about for a while now. It's just irresponsible to hold that many Bitcoin in a software wallet and not even bothering to validate the signatures when you do an update.

This is why i rather be in Custodial wallet than in open source cold wallet, because only inexperienced or few people manages it, then split my private keys into different Crypto's into many different wallets, just in case a major critical error or a software happens to that one specific wallet. As the saying goes "Never put all your eggs in one basket" better safe than never.

The ability to send any sum of money without any additional verifications is both strength and weakness of Bitcoin. No one will ever freeze your money, but also no one will ever check if it's truly you who are sending the transaction. With banks you would be contact by their representatives for far smaller sums than this one, and transaction will take a long time to clear, giving you chance to cancel it if it wasn't you.


It's really not like that, an email you can receive message from anyone, so it's expected that some will be malicious, but this Electrum bug made messages from nodes look like they came from the wallet itself.

I doubt that he forget it, probably just letting it sit there for a while, he said he didn't accessed the wallet since 2017, so I have the impression that he knows he had it. But he doesn't have the security hygiene to check everything before downloading the supposedly latest Electrum.

$17 million gone just like that, so sad to hear that these criminals are really milking crypto enthusiast. But I would say that it was clearly a big mistake on his part and no one to blame but himself.

A custodial wallet is worse. There's no guarantee that they won't steal your money. I used to use Coinbase before they mandated KYC and then lost access because I registered under a pseudonym and I couldn't provide an ID with that name. A few weeks ago I received an email from Coinbase saying that anybody who hadn't been KYC'd would lose access to their account forever and any funds still on Coinbase would be forfeited to the user's local government.

1400 Bitcoin equals $ 16 million at the moment. Why could he be so careless? That's the bulk of his wealth, I think if he deposited his money in a reputable exchange he probably wouldn't lose all of his money. This will be a lesson for us in managing our assets. The best way is to use the latest and licensed software.

There are as many as you want, there are dozens (if not hundreds) of cases on this forum that have lost their coins this way - you just need to search the Electrum board or the whole forum by using keywords. There are people who have no idea what is going on, do not read the forums and are not aware of all the vectors of attack that exist - we can freely call them unintelligent investors.

I believe that there are a lot of them who will appear in large numbers with identical stories in the period of the new big pump. The people behind the Electrum phishing scam are actually geniuses who will receive donations for years to come, and that can't be prevented because of the way Electrum works.

One hardware wallet worth $50 or less would probably save the former owner, but in some cases even that doesn’t help because people lose their coins by typing their seeds in fake Ledger or Trezor sites.

This is not the first time that we have heard someone losing their big chunk of bitcoin through this message. The problem is that the guy didn't even bother to check the latest Electrum version and it seems he was really out for 3 years (for whatever reasons it maybe). It's just one days, he decided to check his assets, so we don't know where he is living for the last 3 years that he didn't know what's really going on crypto or at least with Electrum. A lot of options is available for him to store his bitcoins but he didn't. Disheartening to hear this news, unfortunately there's nothing that we can do as it is a foregone conclusion.

Or at least run a wallet on a pruned node.

That's even more careless on his part then. If he was genuinely out for three years, and hadn't been keeping track of bitcoin or Electrum at all, then he has no idea what could have happened to Electrum in that time. It could have been abandoned, been sold by the developers, been bought out by some shady corporation, been turned in to literal malware, and so on. He just blindly downloaded it and opened his wallet without a second thought, when all he knew about the software was that it used to be good three years ago.

It reminds me of someone I saw on Twitter who had a ton of some token and missed the window to exchange them for coins after the token launched their own blockchain, which as with this Electrum bug, was a widely discussed event. If you can't keep even the slightest bit up to date with your investments, then you should probably just put everything in a fiat account and be done with it.

You should have included in your post the actual tweet so readers won't immediately jump to the conclusion that it's Electrum's fault, although I'm not saying that they are not in any way liable. Also, most of the tutorials I've watched and read explicitly advise the use of a hardware wallet when storing huge amounts of bitcoin. This situation just proves it right. I hope they recover all of it. That's 1400 BTC after all.

x-post:

It makes no sense. "Not your code?" Is he suggesting everyone should be writing their own code and their own wallet software? And how exactly is that an argument against Electrum while not also being an argument against custodial wallets like his exchange? Also, it obviously isn't an "official" update. This is complete nonsense.

The address in question has been posted in multiple other scam accusations regarding the same bug, and it did indeed receive a 1,400 BTC transaction as claimed.

While I'm definitely sorry for this person because he has lost a fortune at the same time I cannot believe that a person can hold more than 16 million dollars, avoid checking their coins for three years, not update his wallet during that time and when he decides to do so he update it his wallet not from the official source but from another website and think that everything is going to be OK.

If I had such an enormous amount of bitcoin I will have taken the time and money to buy several hardware wallets and only deposit a fraction of my savings in bitcoin to each one of those wallets, that way if I lost one of those wallets and I lost as well the seed words then my loss will not be as big and I will still retain the majority my capital, so please to all of you learn the lesson, you are your own bank, if you make a mistake no one is going to save you, you need to take care of your coins because if you don't then no one is going to do it for you.

I read this well informed piece. Nice @ avitz for sharing this. And Op has to adjust the title of this thread. He or she is yet to do that

IMO, the title and body isn't approximate on electrum.

Terrible shame, any time you’re having a bad day think of this guy. I’ve seen too many of these type of stories, nobody should be keeping that amount of coins on a platform like Electrum.

Very sad indeed.

And that's too much for him to learn about learning to check the bugs and attending to the warning of software that he use. The lost that he made is just unacceptable on his part and he can't think of his mistake.

If he's a whale, I hope that this isn't that he got and he still have some other "untouched" wallets that has a lot of bitcoins.

This is an unforgettable mistake, one day he can tell this to his grandchildren if time comes. I've seen a lot of this too, but this is huge, 1400 BTC is around $14 million dollars, he can bought 2 mansions from it. Software wallet was never safe, there are really bugs and holes in the security. if he's taking 1400 BTC in a single wallet then he probably more in different wallet, if I got that huge amount of bitcoin I'll just put it in a hardware wallet. How I wish  ;D

Actually no, I disagree that software wallets are unsafe. If you are understand how they work, you can store a million bitcoins. If you are paranoid like me, go buy a useless laptop (worth of 50$) and do it cold storage. You can't get "hacked" this way.

Yep, his grandchildren will be like "GRANDPA WE COULD HAVE A BILLION DOLLARS RIGHT NOW" (oops speculation).

I am always speechless when I read bad experiences like this, because the amount that is missing is not small.
In my country if you have 1400 BTC, including the rich people. Therefore this must be a great loss that will not
be forgotten. Do not let us have to experience events like this first, then be more careful in protecting the Bitcoin
that we have.

You can still install malware on an airgapped software wallet or somebody could clone your hard drive. A hardware wallet can still be hacked if you have physical access to the device but it is not as easy. If you have 1400 BTC your best options would be a hardware wallet, preferably one that can function offline like Coldcard, or an encrypted paper wallet. It's almost no effort and low cost for that additional security.

I don't know how much does a hardware wallet cost but I consider this the best way:

Buy a 50$ laptop and a fresh usb. Download electrum latest version and install it on the cold storaged laptop. Verify the signature of electrum. Create a seed, save it on a paper (and memorise it). Then burn the laptop and/or destroy it. This way you can be 100% sure that the laptop won't "fool you". Save the paper on a book or whatever.

It's not that I consider hardware wallets unsafe, I just like having bitcoins without trusting the hardware company.

I don't get how you can get a malware with the way I mentioned.

I don't think he downloaded the electrium wallet file from the official website, maybe he downloaded a phishing file from another site, one of the members posted something similar here in the forum where he downloaded an electrium wallet and it turned out to be a phishing file and stole all of his bitcoins.
Pay attention to downloading the file only from the official website: https://electrum.org/#download
You should also download the latest updated version only because they have put a warning there:


Basically, it is a mistake to put this large amount in one wallet, he had to put bitcoin in more than one wallet, and it is better to use a hardware wallet such as Trezor or Ledger !!

I find it doubtful why would anyone would have the audacity to store 1400 BTC on a single wallet which is not updated regularly!

If I had been the owner of those Bitcoins, I think I would have stored it proportionally in more than 10 different wallets just to be more safer. Imho.

1400 is not a small value, if I were him I probably would not have saved it in my Electrum wallet, because of security, of course I will definitely take care of the money properly, at least I will break up all the funds using a different wallet, currently I only use blockchain wallets and it was very safe for 5 years after I moved it, it's just that I didn't access it anywhere except at my house, it's a shame to lose 1400 BTC  :'(

This is a trick the hackers have done in the past and are still doing until now, lots of victims on this trick already. If the user just easily follow the link where he will download or update the app and not verifying if the site is legit or not, then hackers could easily steal your bitcoin, I just don't get why the user does not manage the risk effectively, putting 1400 btc in one single wallet is not managing the risk.

note: picture attached already broken.



This one is the biggest amount I've seen so far.  >:(

They say if something smells like shit, the probability is high that you stepped in it.  ::)

I remember when this problem was first mentioned on this forum and the Electrum developer team almost immediately reacted with a patch to solve this issue. It was highlighted on their website and it was posted on Reddit and on this forum and several other Crypto media platforms.

I sometimes wonder if stories like this are not made up to discredit the Crypto currency community. It is easy to fabricate something like this, because it is a known vulnerability and you simply have to transfer coins out of your wallet to a Bitcoin address that you own and then tell people that you were a victim of this scam.  ::)

Being in control of your own wealth, comes with great responsibility. If you cannot follow basic directions, like updating your wallet to the latest version of the software, then you should stick with centralized organizations that charge you to manage and secure your wealth.  ::)  

Electrum is not a platform, it is an open source desktop/mobile wallet "released under the MIT License", and the main reason why people use it is that it is free and fairly easy to use. What most people don't know is that such software is subject to code changes and that anyone with a little understanding of programming can make a fake wallet and distribute it over the Internet.

No matter how secure the crypto wallet was, keeping 1400 BTC inside just one wallet is a stupid move - if I had 10% of it I would divide it into at least 5 different and independent wallets, and thus diminished the risk of losing everything in one bad move.

Wrong move by the owner of the funds, able to owned 1400 btc which is around $16 million but does not know how to secure the funds. If we made sure to diversify our funds when investing to minimize the risk, how can a person allowed himself to store his bitcoin in one address only?

I think putting your money in an exchange is quite safer than in electrum wallet with that amount since with exchange, they have more secured system and if the exchange is hack, I'm sure you will be compensated somehow as long as the exchange is regulated.

Known issue, this was made very public with a lot of sites, including this forum. As with most software, you always want to update to the very latest stable version, and Thomas was really quick to fix the vulnerability and release a patched version. Unfortunate, but yeah, with owning Bitcoin, comes a lot of responsibility. Hard lesson.

Note: Guy didn't seem too depressed... or I'm just not catching the emotion?

That's hideous 'advice'.

Most of the time it's you that gets hacked, not the exchange. Your exchange account will be drained and there's nothing you can do and it's certainly not the exchange's problem.

I also wouldn't want to put an exchange's own insurance to the test if it was hacked, not that many have proper policies anyway.

I don't think the person downloaded his electrum wallet from unofficial source.  Electrum wallet, from time to time were reported being exploited by hackers and this is not the only case that someone lost BTC from electrum wallet upgrade. 

https://cointelegraph.com/news/electrum-faces-another-fake-wallet-attack-users-reported-to-lose-millions-of-dollars

Possibly the same strategy is applied in this case.

---

We must be vigilant in everything we do that involves Bitcoin.   That is why, whenever an upgrade notice appears in Electrum wallet, I always check their main site and see if the upgrade is really needed  or not. 

I also share your belief. The owner specifically said the update came from their server. On less, it is being hijacked. Electrum is very vulnerable and it would be better if the dev of that project could present a lasting solution or better close down. Electrum is not the only DEX wallet but the constant vulnerability of the electrum might be an indication that the project need to be redesign with a full and latest security to prevent bridge 

There are zero reports of an Electrum wallet downloaded from the official source and properly verified resulting in a user losing funds (unless there was other malware on the computer, in which case, that has nothing to do with Electrum). Every one of these cases is because someone has visited a random link, downloaded some unknown software, not verified it, and then installed it.

An Electrum server is not the same thing as the official Electrum site. Anyone in the world can run an Electrum server.

If people are unable to follow very simple instructions which are the first thing you read when you visit electrum.org - "Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures." - then there is nothing else that can be done. This is like blaming the writers of BIP39 for people typing their seed phrases in to random websites.

i thought old versions (which allowed the malicious download messages) no longer worked because updated servers DOS them? i remember the old version became totally unusable back when this bug was patched. i guess the attacker must still be running lots of servers. crazy.... i thought this exploit was long gone.


yeah, it's prudent to spread around your holdings. code bugs and exploits are always possible with any wallet.

the real lessons IMO: 1. always go to the official source and verify that the update is legit before downloading/installing, and 2. keep your private keys offline.

the victim should have used his master pubkey to make a watching-only wallet on his online machine, then used an offline machine to sign transactions. this type of exploit cannot target an airgapped machine. if your watching-only node can't push transactions or is getting spammed with weird messages, that's a warning to look for an update through official channels.

Hardware wallets even the cheapest ones are a little bit more expensive however I agree with you, a person that installed in a computer with no Internet access one of the many different flavours of Linux which he downloaded and verified himself and that installed a wallet like electrum there and verified the wallet as well and then wrote down his seed words in a piece of paper could store a lot of money safely as long as he followed the same steps over and over again.

Hardware wallets are convenient but they are unnecessary for the ones that know how to take the right precautions, but in this particular case it would have helped this person as it is obvious he could not secure his coins properly.

I think the issue here is that the merchant is ignorant from securing his coins. If he doesn't know how to distinguish fake wallets to a real one, it's most likely that he isn't aware from the fact that there are hard wallets that will help him secure his coins. He's probably also afraid to use wallets that is unknown to him.

Ignorance can really bite a person hard.

More likely this is the case, I guess those scammers have found something crucial information on how to get some BTC on ignorant electrum user. we must stay vigilant and we need to spread this incidence so that the other member will be aware and take safety precautions to save their bitcoin if they using an Electrum wallet. However, there are no official statements on how this happened. whatever it is, we need to take the first step to double-check our systems and update some of our anti-viruses.

If you really want to keep all those bitcoins in a single address i agree with you it would be much safer to have them on an exchange that has several security systems to offer in addition to having them on Electrum. The weird thing about this guy is that he doesn't even seem so sad or depressed about losing 1400 bitcoins  :D

Please actually try reading the thread before spamming your signature.

This bug has been known about for years, has been discussed widely by the Electrum development team, has been patched since version 3.3.3 (released in January 2019), and has a banner at the top of the Electrum site warning people about it. What you have written is outright false.

This is terrible advice. Would you give $16 million to a complete stranger to keep safe for you? And let anyone who can guess your password or phish your account steal it all? What about if the exchange goes bankrupt? Or gets hacked? Or exit scams? Or an employee steals for them? Or their security is poor? Or they lock your account? Or stop serving your country? Or get shutdown by government regulations? Or get seized for shady business practices or trading? Or your account is hacked? Or your email is hacked? Or your password is reset?

Exchange are hacked all the time. Even the big "reputable" ones like Coinbase and Binance have been hacked. Storing your coins on them is not safe.

Ignorance, bad advices like this one (https://bitcointalk.org/index.php?topic=5272416.msg55146620#msg55146620), the overall advertising about hardware wallets which makes people think they are fool proof, all did its part.

For big amounts of coins (where "big amount" may depend from person to person) there's only one good solution imho: cold storage (and also this, only if properly used, obviously).

I will be always grateful to satoshi because when I first found out about Bitcoin I realized the most important thing of it all was, guess what, security!
Security for my hardware, for my finances, for my digital life etc.
While studying Bitcoin I had to study several other things that, otherwise, I would have never thought they would even exist in the first place.
Long live bitcoin

CZ must be wrong by saying beware of Electrum's official update because no one will get hack if that is official, probably that was use by hackers to steal the information of the wallet and the user was dumb enough to store 1400 BTC in one wallet only. Lesson learned but the hard way, and hopefully we can learn from this costly mistake of this particular trader, we can't afford to still make mistakes when this has been happening already even before.

Always be careful of "PHISHING" this is a very effective tool of scammers for non educated individual.

It is not the fact that it was stored on a single wallet. That itself is perfectly fine.
The problem were how the wallet was secured (it wasn't) and how careless the person was, not how the funds were spread.




Why do you assume he was a trader?
Not touching the wallet for multiple years doesn't indicate he was actively trading.

Does this person not understand that anyone can run an electrum server, and they could make that server send idiotic messages? Whats next, when he gets a message in the browser to format windows, will he do it too?

I'm technically opposed to the client from showing any server messages, precisely because of these fools. In fact it shouldn't even autoupdate or show update available. This is a horrible windows practice, a system without official repositories.

I'll say more: the windows version of Electrum should be removed. If you cannot bother to learn using a proper os like Linux, you shouldn't be messing with Electrum, let alone moving those quantities of money...

In Linux, you usually don't care if there is a new version of anything. Your distro package maintainers curates the packages (which are also signed), and you will eventually update it using your distro official package manager; instead of going to web pages and risking downloading a fake. Yes, in Linux distros, there is usually an army of people verifying the software they upload into their official repositories, it has been like this for decades. Its one of the reasons (but not the only one) malware is much less common there.

Can you please stop blaming Electrum from user mistakes? And if you handle any non trivial amount of money can you please stop using windows and maybe even spv wallets and run your full node with Core? I mean, 1400₿?, windows? electrum? seriously?

Make sure you also keep your gold ingots and cash under your bed, totally safe, no thief would ever find it...

I believe this is the user's fault and not Electrum's. Why would one keep that much amount of bitcoins in one wallet and not access it since 2017? Why would someone with much coins not get updated about his wallet before moving such coins? Doesn't he know that a lot of updates would have been made in the space of 3 years?
Secondly, pushing the blame on Electrum is unreasonable. His wallet must have been infected with a malware when he was asked to make the update causing him to lose that much amount of bitcoins.

I think that has to be improve on the exchange side, there's no sense of them getting regulated if the government can't enforce them to safeguard our assets, since they are a centralized exchange, they should act like a bank where their depositors accounts are insured up to a maximum amount. I know this will happen in the future as they can't always be not held responsible if our money is hack, it's their platform, not ours, so it's their responsibility.

Cryptocurrencies is to be your own bank, take care of your finances under your custody with adequate check and balance. He has failed to do a normal check for that amount of BTC, Developers has nothing to do with this and why not using hardware wallet for a BTC that is over 1000? This is a bitter lesson

This is so, very, unlucky. Electrum does not have anything to do with this though.

I agree with the rest of your post, except this one line. Most people won't use anything other than Windows or maybe macOS. Given that Windows is spyware, I would suggest no one should be using it at all, but we both know that's never going to happen. If you take the option of a desktop wallet away from these users, they aren't going to go to the effort of installing Linux - instead they will just use a web wallet, which is even worse.

We already have institutions which will hold all your money for you, demand your complete trust, report everything you do to the government. They are called banks. If you want this level of nanny state, then you should go back to fiat. This is exactly the type of nonsense that bitcoin was created to combat. You should not be encouraging it.

And while the coin is on their platform, it's their coin, not yours, so they can do whatever they like with it.

Somebody wake me up, it's 2020 already and we are still repeating these very basic bitcoin management principles! There are tons of guides out there that explain crystal clear how to properly manage a wallet and its keys. Jeez...... ::)

No it is not, this kind hack has been known for a long time, the transactions happened, and some exchanges have blacklisted the address, I know it does not make sense but that is reality for you, I do not have an amount of bitcoin that is anywhere close to that amount and I still check my coins at least once a week to see that everything is fine and I try to keep my wallets updated so something like this does not happen to me.

This just shows the irresponsibility of some investors when it comes to their money and how they do not seem to understand that in this market if you lose your money there is not a bank behind you helping you to get that money back, you are your own bank and that includes securing your coins properly from hacker attacks.

Unfortunately, there is a serious problem with the older version of Electrum wallet. I have heard many people carelessly installed the older version. It has big security vulnerabilities. When you once use it, you are most likely at risk. 1400 BTC is too much. I hope he can restore them.

actually even if you check your addy once a week (or more) by the time you see the problem its done and gone. but i agree with the rest.

the main thing is secure the wallet private key and/or seed when the wallet is created. and when you are prompted to update the wallet (from within the wallet itself or email/news/etc) you need to spend the time to check the official site for the new version to see what updates there are and the reasons for those updates. then at the very least verify the checksum/hash before installing.

five minutes in a search engine would of prevented this.

edit: when a new version of a wallet comes out i usually wait a bit (couple weeks minimum) to see if anyone runs into problems. in my case the core wallet and trezor hardware wallet. i let others test updates.

^ How they lead to that old version if they will go to the official website of the electrum? I don't know if the stole bitcoin will be recovered because as a common scenario, it will be lost forever and it will not recover anymore. If you have a large amount of bitcoin probably it is good if you will directly store on the cold wallet for the safety of your bitcoin. A free installed wallet is good for bitcoin below $200 that you can afford. But a moment like this, it should on the hardware wallet.

Exactly. Retroactively checking if your coins are still safe is pointless.

You should know your coins are secure because you created your wallet(s) securely. I have encrypted paper wallets which I have not checked the balance of since I created them, which for some has been several years. Partly because I do not have the address written down or stored anywhere else for deniability reasons, but mostly because I know I set them up in a secure fashion and I know they are stored securely. Do you visit your bank every week to take a look inside your safe deposit box "just to check"? Of course not.

Further, if you are checking your address(es) repeatedly on a block explorer, then you are compromising your own privacy.

the only caveat to this in cases of critical vulnerabilities being discovered. If that's the case you should either update immediately, or if you really want to wait a few weeks, then do not use the app/software at all until you have updated. You should also turn off auto-updates for this reason, especially when it comes to software which is holding your bitcoin. A couple of lines of malicious code pushed to your device in an auto update and your coins can be gone.

I just updated my Electrum to the latest version, nothing of significant happen. In any case, here is an update: Bitcoin wallet update trick has netted criminals more than $22 million (https://www.zdnet.com/article/bitcoin-wallet-trick-has-netted-criminals-more-than-22-million/).

Do you really expect for something to happen? Of course nothing will happened if we do make update on official website and now they do have that notification that you would
need to make an update.It is on the bottom right when i do make out a transaction then it do requires me to update.This time it is indeed came from Electrum team itself
and i do make out verification first before proceeding.Lots really been fooled out because they do lack on verifying anything first before making some update.
They cant really just make visit and if they would able to do so but its already too late.

A ton of choices is accessible for him to store his bitcoins however he didn't. Demoralizing to hear this news, tragically there's nothing that we can do as it is an inevitable end product. I will at present hold the dominant part my capital, so please to every one of you get familiar with the exercise, you are your own bank, on the off chance that you commit an error nobody will spare you, you have to deal with your coins.

this is why we need to update on thier site or the appstore and google play store only if they have an app and not outside of the external links because that can be a hack and your device is suspected to be infected by a malware .

this happens on the past on other wallet but staffs here already pinned an announcement to warn others . they can also target wallets with big funds because some wallets that have small or funds or no funds at all are not said to be included on the hack .

Each huge misfortune will be brought about by a major group or it'll be executed by the group itself. What' has occurred with Binance dealer too appears to ever be an arranged trick. 1200 BTC is a major volume, and Binance won't ruin its notoriety with this volume of assets. The issue is that the person didn't try to check the most recent Electrum adaptation. I here and there keep thinking about whether stories like this are not made up to dishonor the Crypto money network.

I doubt they'll remove it, and there always will be someone doing unofficial compiles of it making it even worse. So its not like i actually expect the Electrum people to do it, but yes i wish they did put some giant red letters warning people to stop moving money with windows.

Of course you are not going to agree, or the world would already be different. People want to be robbed of their money by using the OS they like playing games with instead of learning something else. And while the user and the os have most of the fault, its always Electrum getting the short end of the stick. They mention Electrum in the headline (or thread topic), but they don't mention the foolish user doing foolish things windows users usually do. Its Electrum, and sometimes Bitcoin, the source of all evil, because with the banks this would never have happened...

See, the naive politically correct logic doesn't really apply here. Stay away from windows if you value your money, and learn using cold wallets already.

The unfortunate trader is probably a less tech savvy dude. And fell prey to scammers. This kind of stories scare mainstream investors or traders away from crypto

The hacked amount of BTC wasn't responsible for the electrum, it is the user's mistake because he downloaded the older version of the electrum, he was holding a huge amount of money so he should be careful about doing such things. He should check the first official website of the electrum if they posted things about it. Do not do something without doing some research about it.
He downloaded a pishing software and it is not any responsibility for the electrum.
 
I wonder how a person who is holding 1400BTC did not secure properly his money, that is a huge amount of money so always be careful when doing such things that may put your money at risk.

I think they have issues with the phishing electrum because today one of the best features of the electrum is the Synchronization of the wallet, recently I have trouble with my wallet because my hard drive got curorruted and one of the best ways to do is re-format and I thought all of my bitcoin store on this wallet will be gone, so I try with the use of the electrum application the transaction becomes smooth because I just used the seed I used before on my computer and right now even I always update my wallet, its already sync without any problem.
It's better to download the electrum wallet to their website to make sure it's safe.

How can someone with 1400 BTC not spend just 0.005 BTC to store it securely in a hardware wallet? Baffles the mind.

maybe he had too much money so he didn't take the time to buy a Hardware wallet which would certainly be safer. 1,400 BTC is a lot of money, but only stored in your Electrum wallet without double security. Somehow he managed to get 1,400 BTC, whether he was a holder from the past or a rich man who kept BTC carelessly.

The Electrum update that is carried out is of course a fake update containing malware which will then take 1,400 BTC in a very easy way.