Bitcoin Forum

Bitcoin => Electrum => Topic started by: zetzetzet on February 06, 2019, 05:39:23 PM



Title: How to find real Electrum?
Post by: zetzetzet on February 06, 2019, 05:39:23 PM
Hi, guys!
I have a question, first of all to developer @ThomasV

I'm using now Electrum 3.0, software asked me to update.
Because of huge amount of fakes, I'm afraid to do this.

How can I verify, that https://electrum.org/#download is good and real electrum, not fake?
Developers, could you in second source, post MD5 / SHA-1 of real Electrum? Here on BTtalk or in official twitter?

Is this real Electrum https://www.virustotal.com/#/file/09e877b25a518eba9c4b2b874f4af980f577764065e841e9066c15d7e802610a/detection
Why it's detected by AVs as trojan?


Title: Re: How to find real Electrum?
Post by: Lucius on February 06, 2019, 05:50:42 PM
If you are on Windows check this thread with tutorial to verify signature : https://bitcointalk.org/index.php?topic=5105901.0

In general you should be safe if you download from official site, and if you verify signature. Nothing more than this can be done, and if you follow all steps you should be good.

Regarding virustotal detection, it is in most cases false detection by some minor av engines, and I think this is also such case. There are a few threads where this issue is explained in more detail.

You should update to latest version, because developers fix problem with bad servers displaying links to fake wallets, but take your time and triple check every step to be sure that you have legit version.


Title: Re: How to find real Electrum?
Post by: mindrust on February 06, 2019, 05:53:10 PM
Can't you just use a pruned bitcoin core wallet instead? It is not a download and go solution like electrum but once you set it up you can use it like the way you use electrum.

Whatever you do, don't click those pop-ups.


Title: Re: How to find real Electrum?
Post by: zetzetzet on February 06, 2019, 05:54:05 PM
Lucius, yeah, just seen that thread.

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?


Title: Re: How to find real Electrum?
Post by: TryNinja on February 06, 2019, 06:52:28 PM
Lucius, yeah, just seen that thread.

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?
Just verify the signatures.

Electrum is commonly accused as a trojan by a few random AV’s. But that’s just a false-positive. It happens all the time.

Here is Electrum’s “official” explanation:
Quote
"Anti-virus" software uses shitty heuristics to detect malware. PyInstaller is a convenient tool to package python apps. We use PyInstaller. Malware authors use PyInstaller. Everything that uses PyInstaller is detected as malware.
Quote
Anti-virus software have (and always had) false positives, and some of them tag Electrum as malware. This is out of our control. This does not mean that Electrum is or contains malware.

The Windows binaries are signed using the native Windows signing scheme by an entity named Electrum Technologies GmbH. They are also signed using GPG by @ecdsa (ThomasV). The GPG key fingerprint is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.

If you trust the developers of the project, you can verify the GPG signature, and ignore any anti-virus warnings.

If you don't trust the developers with not backdooring the binaries, you can (1) build binaries yourself; or (2) you can run from source. Some of the binaries are built reproducibly, so you can also check that those match.
More: https://github.com/spesmilo/electrum/issues/3198#issuecomment-458949319


Title: Re: How to find real Electrum?
Post by: elda34b on February 07, 2019, 06:43:05 AM
ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?

You can already verify the sig. If you still don't trust it, you can build it from scratch as explained on the GitHub page. I'm not sure if Thomas would reply because he already gave his GPG fingerprint.


Title: Re: How to find real Electrum?
Post by: zetzetzet on February 07, 2019, 03:24:51 PM
yes, I know about sig https://bitcointalk.org/index.php?topic=5105901.0
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phishing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
It will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter). Really more secure.
Because I don't know till now, where is real electrum.


Title: Re: How to find real Electrum?
Post by: progamegamegame on February 07, 2019, 04:04:58 PM
Help PLEASE, I just sent bitcoins through a mixer, I clicked send and a window popped up saying update your version and the like, there were no links to download versions, I clicked OK. I clicked to send bitcoin to the address, after which the window appeared, I clicked OK, it started updating the version, I look and the transfer has already gone, after which I started watching the transfer transaction, the sending has already happened but the bitcoins still have not arrived at the address I specified, 3 hours have already passed and not a single confirmed transaction, please help guys, I don't understand, was I robbed or what? I did not follow any links, a small window just popped up and I clicked OK and that's it!



Help PLEASE, just made sending bitcoins through a mixer, clicked send a window appeared where update was written and so on, there were no versions download links, I clicked ok. I clicked send bitcoin to the address, after which the window clicked ok, I started updating version , I look and the translation has already gone, after which I started watching the transfer transaction, sending has already taken place, but bitcoins have not yet arrived at the address I have already received 3 hours and not one confirmed transaction please help the guys, I don’t understand me or what? I didn’t follow the links by any means, a small window popped up and I clicked ok and that's it!


Title: Re: How to find real Electrum?
Post by: CJR on February 07, 2019, 07:14:15 PM
electrum.org file is not safe! it contains a trojan!


I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version I'm exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?

https://imgbbb.com/image/tyI0r


Title: Re: How to find real Electrum?
Post by: mindrust on February 07, 2019, 08:13:10 PM
Help PLEASE, I just sent bitcoins through a mixer, I clicked send and a window popped up saying update your version and the like, there were no links to download versions, I clicked OK. I clicked to send bitcoin to the address, after which the window appeared, I clicked OK, it started updating the version, I look and the transfer has already gone, after which I started watching the transfer transaction, the sending has already happened but the bitcoins still have not arrived at the address I specified, 3 hours have already passed and not a single confirmed transaction, please help guys, I don't understand, was I robbed or what? I did not follow any links, a small window just popped up and I clicked OK and that's it!



Help PLEASE, just made sending bitcoins through a mixer, clicked send a window appeared where update was written and so on, there were no versions download links, I clicked ok. I clicked send bitcoin to the address, after which the window clicked ok, I started updating version , I look and the translation has already gone, after which I started watching the transfer transaction, sending has already taken place, but bitcoins have not yet arrived at the address I have already received 3 hours and not one confirmed transaction please help the guys, I don’t understand me or what? I didn’t follow the links by any means, a small window popped up and I clicked ok and that's it!

If you send it as a RBF enabled transaction, you can try to send it again by paying a higher fee with different outputs but if you haven't done it before you'll probably fail to do it before your first transaction gets a confirmation. (I did it before long time ago but if I had to do it again, I wouldn't make it in time probably) You are racing with seconds right now.

You better google "child pays for the parent" and "replace by fee" right away.

This post here explains it quite well:
https://bitcoin.stackexchange.com/questions/49723/replace-by-fee-vs-child-pays-for-parent

electrum.org file is not safe! it contains a trojan!


I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version I'm exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?

https://imgbbb.com/image/tyI0r


Do not click anything. Delete that shit and never download it again. (don't delete your wallet files) Use only the core wallet.

Also fuck electrum. Just stop using that malware.

I am (was) also an electrum user but seeing these people getting scammed like this finished it for me.


Title: Re: How to find real Electrum?
Post by: HCP on February 07, 2019, 10:27:52 PM
electrum.org file is not safe! it contains a trojan!

I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version I'm exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?

https://imgbbb.com/image/tyI0r
It is a false positive... For some reason (shitty heuristics), a number of antivirus applications detect programs that use PyInstaller as having trojans... I think it is because a number of viruses/malware apps use PyInstaller... so the antivirus incorrectly marks ALL apps that use it as being trojans ::) ::)

If you downloaded from https://electrum.org/#download and follow the instructions here: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/

And the digital signature checks out OK, you can be confident that you have a legitimate copy of Electrum and that it is safe. Ignore Windows Defender, it is a shit antivirus.


Title: Re: How to find real Electrum?
Post by: rokkyroad on February 07, 2019, 11:43:40 PM
This is serious shit!

Is there no way to warn users before they install the hacked wallet? If the hacker can still infect older wallet versions then devs should have no trouble sending out a general warning via all servers.
People are still losing money and it's total bullshit.



Title: Re: How to find real Electrum?
Post by: TryNinja on February 07, 2019, 11:49:21 PM
This is serious shit!

Is there no way to warn users before they install the hacked wallet? If the hacker can still infect older wallet versions then devs should have no trouble sending out a general warning via all servers.
People are still losing money and it's total bullshit.
There is nothing infected. It’s a vulnerability that lets the servers send customized messages to Electrum wallets connected to it.

The devs are already using the same vulnerability to warn the users on the affected versions.


Title: Re: How to find real Electrum?
Post by: Abdussamad on February 08, 2019, 02:51:02 AM
yes, I know about sig https://bitcointalk.org/index.php?topic=5105901.0
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phishing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
It will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter). Really more secure.
Because I don't know till now, where is real electrum.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature (https://bitcoinelectrum.com/how-to-verify-your-electrum-download/). It'll serve you well in the future.

electrum.org is the correct site btw.


Title: Re: How to find real Electrum?
Post by: zetzetzet on February 10, 2019, 05:33:16 PM
yes, I know about sig https://bitcointalk.org/index.php?topic=5105901.0
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phishing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
It will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter). Really more secure.
Because I don't know till now, where is real electrum.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature (https://bitcoinelectrum.com/how-to-verify-your-electrum-download/). It'll serve you well in the future.

electrum.org is the correct site btw.
But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consists of a million threads, where people complain about electrum wallet phishing


Title: Re: How to find real Electrum?
Post by: Abdussamad on February 11, 2019, 09:02:21 AM
But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consists of a million threads, where people complain about electrum wallet phishing

This would be a pointless exercise. Do you even know how people end up installing fake electrum versions? Most of them google electrum and follow a link in an ad to the fake electrum site. Others are falling prey to the phishing messages in old electrum versions. None of these people frequent this or any other community forum. If they did they would know better and would only download from electrum.org.

Now consider what happens when people who have fallen prey to fake versions come here and complain. They never visited this forum before but when they need help they seek it out. What are we to tell them? Would it serve any purpose to ask them whether they verified the hashes? The fake sites have hashes for the fake versions so there is no point in verifying hashes. As HCP pointed out hashes alone do not let you authenticate the source of the software. A digital signature of the maintainer is required for that.

Why are you and other users so resistant to learning how to verify digital signatures? It only takes a few minutes to learn how to do this. Here's (https://bitcoinelectrum.com/how-to-verify-your-electrum-download/) a guide if you're interested.


Title: Re: How to find real Electrum?
Post by: bob123 on February 11, 2019, 01:17:41 PM
But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consists of a million threads, where people complain about electrum wallet phishing

There is no need for this bullshit.

Just VERIFY THE SIGNATURE.

There is absolutely NO reason for checking the hashes. All files are signed by ThomasV's PGP key.
Signatures should always be MORE TRUSTED than hashes compared with hashes posted on a website / forum.

There are quite a few tutorials available on how to get the PGP key and how to verify the signature.
If you want to be sure that you got the original electrum (and not a fake / malicious version), verify the signature or build it yourself from source.


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 03:08:28 PM
The fake sites have hashes for the fake versions so there is no point in verifying hashes

The fake sites have signatures for the fake versions so there is no point in verifying signatures
Which is exactly why you use a well known PGP key[1] (pre-set) with a trusted fingerprint. You don’t download a random PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 03:42:39 PM
Which is exactly why you use a well known PGP key[1] (pre-set) with a trusted fingerprint. You don’t download a random PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

what is this? Where did you have this link?
Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 03:54:02 PM
Which is exactly why you use a well known PGP key[1] (pre-set) with a trusted fingerprint. You don’t download a random PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

what is this? Where did you have this link?
Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.

why not from electrum.org? You said just download electrum from electrum.org but why i have to download a file from github.com? Bad servers ask users download fake electrum update from github.com too

If you knew the answer, then why are you asking for my source for ThomasV key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.

Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.

Why can’t you just do your own goddam research to confirm that what I’m saying is true?


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 04:05:42 PM
If you knew the answer, then why are you asking for my source for ThomasV key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.

Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.

Why can’t you just do your own goddam research to confirm that what I’m saying is true?

how to know that PGP key is real?
The fake sites have signatures for the fake versions so there is no point in verifying signatures

Look, I’m trying to remain patient and explain everything to you. But for this, you will HAVE to read and understand what I’m trying to say to you.

AGAIN: You download ThomasV’s key ONCE from a well known source, like ELECTRUM.ORG, which is real and not a fake website. Then, every time you need to download a new update from any website, you use that trusted key to verify the unknown file (you know the PGP key is trusted because you know for a fact that you downloaded it from the real website).

YOU DON’T DOWNLOAD A NEW KEY EVERY TIME ALONG WITH THE FAKE SOFTWARE FROM THE FAKE WEBSITE.
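
Added example, not part of any post in this thread and not Electrum's own tooling: a shell sketch of the "get the key once, then check every download against it" rule described in the post above, using the fingerprint quoted earlier in the thread. The function names, the constructed status lines and the AAAA... key are assumptions made for illustration; `--status-fd`, `GOODSIG`, `VALIDSIG` and `REVKEYSIG` are GnuPG's documented machine-readable status interface.

```shell
#!/bin/sh
# Added example: accept a download only if its signature was made by ONE
# pinned key. The fingerprint is the one quoted in this thread.
PINNED_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# Weak check, shown for contrast: "some key made a good signature".
# A fake site can sign its fake installer with its own key and pass this.
naive_check() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] GOODSIG '
}

# check_status STATUS_TEXT FINGERPRINT
# STATUS_TEXT is the machine-readable output of `gpg --status-fd`.
# Succeeds only if a VALIDSIG line names the pinned fingerprint (as signing
# key or as primary key, the last field) and no line reports a bad or
# expired signature or an expired or revoked key. VALIDSIG is also printed
# for revoked and expired keys, so those lines must be checked separately.
check_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download FILE SIGFILE
# Uses the keyring you already have: the key was imported once, earlier,
# from a source you trusted then. This script never fetches a key.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_status "$status" "$PINNED_FPR"
}

# --- Constructed status output (dates and the AAAA... key are made up) ---
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2BD5824B7F9470E6 signer (constructed)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2019-01-01 1546300800 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6'

# A fake installer carrying a perfectly valid signature from another key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA someone else (constructed)
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2019-01-01 1546300800 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Right key, but the local keyring knows it as revoked.
SAMPLE_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 2BD5824B7F9470E6 signer (constructed)
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2019-01-01 1546300800 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6'

# Usage: sh verify.sh <installer> <installer.asc>
if [ "$#" -eq 2 ]; then
    if verify_download "$1" "$2"; then
        echo "OK: signed by $PINNED_FPR"
    else
        echo "REJECT: no valid signature from the pinned key" >&2
        exit 1
    fi
fi
```

The second sample is the case argued over in the thread: the signature is "good", so the naive check passes, but the fingerprint is not the pinned one, so the download is rejected.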


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 04:18:27 PM
Look, I’m trying to remain patient and explain everything to you. But for this, you will HAVE to read and understand what I’m trying to say to you.

AGAIN: You download ThomasV’s key ONCE from a well known source, like ELECTRUM.ORG, which is real and not a fake website. Then, every time you need to download a new update from any website, you use that trusted key to verify the unknown file (you know the PGP key is trusted because you know for a fact that you downloaded it from the real website).

YOU DON’T DOWNLOAD A NEW KEY EVERY TIME ALONG WITH THE FAKE SOFTWARE.

Yes I’m trying to remain patient and ask everything to you too
But in case i dont have that key and i go to a fake website?
Then you get scammed. ;)

That’s exactly my point. You SHOULD have ThomasV’s real PGP key before trying to download anything. Then, you verify the file and if the signature is valid, you are safe to use it.

Take some time to get his real PGP key once and every time you download a new update, you can verify it.


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 04:27:31 PM
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 04:43:10 PM
gpg4win has a signature to verify or how to verify gpg4win?
https://www.gpg4win.org/package-integrity.html
how to verify gpg4win?
< insert same link here >

Quote
gpg4win is opensource?
Yes. You can find its source in their download page.


Title: Re: How to find real Electrum?
Post by: TryNinja on February 11, 2019, 04:52:33 PM
how to verify gpg4win?
Wtf dude? I literally just linked you to a page where there are plenty of ways of verifying your gpg4win file. At this point I’m starting to wonder if you’re just trolling me.

Again: https://www.gpg4win.org/package-integrity.html

Quote
how to build gpg4win from source code?
https://github.com/gpg/gpg4win/blob/master/README


Title: Re: How to find real Electrum?
Post by: HCP on February 12, 2019, 05:06:38 AM
i dont know how to build so i give up. I must use prebuild binary file. So to use electrum i have to trust other softwares?
Yes.

Just like the OS that you're running... unless you're compiling your own OS from source code and have personally verified and checked all the code :P

This is a very "chicken and egg" problem... the (less than ideal) "solution" is that unless you have a LOT of technical ability and knowledge... then, at some point, you have to trust something/someone.


Title: Re: How to find real Electrum?
Post by: TryNinja on February 12, 2019, 09:05:20 AM
So you trust virustotal and all anti-virus used by virustotal which are closed-source, but you hesitate to trust open-source software? This is contradictive.

stupid Legendary. I just trust their SHA256

First of all, no one here is obligated to answer or help you, so stop with this “stupid Legendary” thing. Do you not know the word respect?

Second, do whatever you want. ThomasV isn’t publishing hashes of the files any time soon and there is nothing you can do about it. Either stop with this bullshit and verify the signatures yourself, or use any other wallet that publishes hashes. Easy.

Now goodbye. This stupid legendary here already gave you way too much attention; and my patience is over.