Bitcoin Forum

Bitcoin => Electrum => Topic started by: Beerwizzard on May 06, 2019, 04:04:57 PM



Title: Some questions related to Electrum hacks
Post by: Beerwizzard on May 06, 2019, 04:04:57 PM
Hey guys! After the recent issues with Electrum hacks I got worried about my funds and changed the password for my wallet. But the reason I'm creating this thread is that recently we have seen such reports too often. I like Electrum and would like to continue using it, but some questions have to be asked:
1. Quite a lot of money was stolen due to such hacks. Did anyone get any compensation from the devs who allowed such things to happen? I know that the question is naive and everyone probably got nothing, but anyway...
2. Is it safe to use old versions of Electrum? Considering that some errors asking to update the wallet might be malware, is it safe just to stick to one wallet?
3. Has anyone thought about creating an official Telegram channel? I see on the website that they have Twitter, but Twitter is turning into a huge pile of crap while Telegram is becoming more popular each day. It would be nice to get notifications about any changes there.

Thanks in advance.


Title: Re: Some questions related to Electrum hacks
Post by: alaakaazaam on May 06, 2019, 04:16:06 PM
The best way is to keep your old wallet on an isolated PC (or a bootable USB key that you clone several times). Export the master public key (MPK) from this COLD wallet and put it on your PC connected to the internet.

On this connected PC, use any Electrum version you want (older ones may have sync issues since servers started to ban some corrupted versions < 3.3) and import your MPK into it.
Then you have a watch-only wallet, and you're safe ;) no one (not even you) could spend your satoshis / BTC from this connected PC, since only your USB key or isolated PC has the private keys.

This workflow took me some time to set up, but:

- only your cold wallet can sign transactions
- you're still able to see all your history

You can sleep smoothly 8)


Title: Re: Some questions related to Electrum hacks
Post by: NeuroticFish on May 06, 2019, 04:17:03 PM
Hey guys! After the recent issues with Electrum hacks I got worried about my funds and changed the password for my wallet. But the reason I'm creating this thread is that recently we have seen such reports too often. I like Electrum and would like to continue using it, but some questions have to be asked:

Although changing the password is usually a good measure, in the case of these hacks that would not help at all.
And for the other questions, I'd better start with what these "hacks" were about.

Electrum is an SPV wallet. It relies on a number of servers to check/validate/relay transactions, check funds and so on. These servers are maintained by various people around the world; you can make one yourself.
The "hackers" made a number of "bad" servers, which used to send a message to the users connected to them to update Electrum, providing a link to a fake Electrum, which was stealing the funds if run.
The fix is a version of Electrum that doesn't allow such messages to be received anymore.

1. Quite a lot of money was stolen due to such hacks. Did anyone get any compensation from the devs who allowed such things to happen? I know that the question is naive and everyone probably got nothing, but anyway...

Since the users installed the bad software themselves, it's partly their fault too. Also Electrum is free software, you can choose to use it or not. So no, no reimbursements afaik.

2. Is it safe to use old versions of Electrum? Considering that some errors asking to update the wallet might be malware, is it safe just to stick to one wallet?

It's not safe to use old versions of Electrum. Those will show the fake upgrade message. Also, the "good" servers nowadays don't allow old Electrum versions to connect to them.
The users should go to electrum.org, make sure that's the site, download the newest version (3.3.4), check the signature (https://bitcointalk.org/index.php?topic=5130429.0) to make sure it's the correct thing and then install.

3. Has anyone thought about creating an official Telegram channel? I see on the website that they have Twitter, but Twitter is turning into a huge pile of crap while Telegram is becoming more popular each day. It would be nice to get notifications about any changes there.
Thanks in advance.

I don't know about a Telegram channel. But that would need time spent by somebody to keep it alive and clean, I guess. Time spent by somebody for free.
Normally one should simply go to the website every time something is not clear. Also this part of the forum is for Electrum users, ask here and you'll get answers.


Edit: added the hyperlink to the posts explaining about signature checking.
I'd also add that if you want to sleep easier, you should:
1. Keep offline the coins you don't spend for a long time. Safely generated (you can search how to do that) and printed/written-down paper wallets are pretty safe.
2. For the normal spending coins, if the value is big enough to make it worth it, you should consider buying a hardware wallet. You can get one for under $70.
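The signature check recommended above, as an added example that is not code from this thread or from the Electrum project: it pins the expected signing-key fingerprint and decides on gpg's machine-readable status lines rather than on the text a user would skim. It assumes gpg is installed, that the release file and its detached .asc signature sit side by side, and that PINNED_FPR is a placeholder the reader replaces with the real fingerprint taken from electrum.org; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the thread or the Electrum project.
# Idea: trust one pinned signing-key fingerprint, not "any key in my keyring".
# PINNED_FPR is a PLACEHOLDER; replace it with the real Electrum signing-key
# fingerprint taken from electrum.org and confirmed through a second channel.
PINNED_FPR="0000000000000000000000000000000000000000"

# Pure text check over `gpg --status-fd 1` output. Returns 0 only when gpg
# reported GOODSIG, no revoked/expired key, and a VALIDSIG line whose
# signing-key ($3) or primary-key (last field) fingerprint equals the pin.
fingerprint_matches_status() {
    status_text="$1"
    wanted=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s\n' "$status_text" | awk -v want="$wanted" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { if (good && pinned && !bad) exit 0; exit 1 }'
}

# Full check: verify_electrum_download FILE FILE.asc
# Runs gpg with machine-readable status output and applies the pin check.
# Any failure returns 1 and says why; only then is installing refused.
verify_electrum_download() {
    file="$1"
    sig="$2"
    if [ ! -f "$file" ] || [ ! -f "$sig" ]; then
        echo "REJECT: missing download or .asc signature" >&2
        return 1
    fi
    # stderr carries gpg's human-readable report; the decision is taken on
    # the status lines only, so a "good-looking" message cannot fool it.
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    if fingerprint_matches_status "$status" "$PINNED_FPR"; then
        echo "OK: $file is signed by the pinned key"
        return 0
    fi
    echo "REJECT: $file is not signed by the pinned key; do not install it" >&2
    return 1
}
```

A download that verifies against a key you did not pin (a "good" signature from the wrong key) is rejected just like a bad signature, which is the case the fake-update phishing relies on.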


Title: Re: Some questions related to Electrum hacks
Post by: bob123 on May 06, 2019, 07:53:56 PM
1. Quite a lot of money was stolen due to such hacks. Did anyone get any compensation from the devs who allowed such things to happen? I know that the question is naive and everyone probably got nothing, but anyway...

It depends on the point of view.

There were no hacks. There was a (low severity) vulnerability which allowed a malicious server to show a message. Nothing more.

Multiple people have fallen for this (very bad) phishing attempt and downloaded malware. This happens quite often (less often through a message from the Electrum server, more often from some phishing sites).


The devs have nothing to do with it. If you visit any phishing site which has Electrum in its name and download malware... shall they compensate you for this mistake too?

It is the user's responsibility to use their common sense and to not fall for phishing attempts.



2. Is it safe to use old versions of Electrum? Considering that some errors asking to update the wallet might be malware, is it safe just to stick to one wallet?

I'd always try to stay up-to-date.

While a specific version might be safe today, there could be some dangerous vulnerabilities or bugs found tomorrow.

You should always aim for an up-to-date system. You just need to make sure to download Electrum from the original site (https://electrum.org/#home) and from nowhere else. Then you are safe.


Title: Re: Some questions related to Electrum hacks
Post by: pooya87 on May 07, 2019, 03:02:58 AM
3. Has anyone thought about creating an official Telegram channel? I see on the website that they have Twitter, but Twitter is turning into a huge pile of crap while Telegram is becoming more popular each day. It would be nice to get notifications about any changes there.

The thing about security is that YOU should be responsible for it instead of relying on others to notify you. A Telegram channel is the worst thing because it can easily be abused to spread malicious links.

If you are so worried then do these two things:
1. Use cold storage properly (air-gapped computer, verify signatures, ...)
2. Watch the project's GitHub repository (bookmark it, visit regularly and look at the change log and issue list)