Bitcoin Forum
1921  Bitcoin / Electrum / Re: Be careful when copy-pasting a Bitcoin address on: April 18, 2020, 02:32:26 PM
How many characters can we say are safe if we verify them?

IMO this depends on the amount you are transferring.
For like 5$, checking just a few chars should be enough. The worst case is you lose 5$.

If you however transfer multiple thousands of $, I'd check at least 8 chars.
Generating a vanity address with 8 given chars costs around 1k$. And an attacker can't know whether you are checking the first or the last 8. Or if you maybe split it into 4 from the beginning and 4 at the end.

So, with 8 chars you should be on the safe side.



Do such viruses affect QR scanning?

Probably not.
But malware can still change QR codes to either change the address or the amount.

This exact type of malware, which replaces your clipboard content with a similar-looking address, probably won't do that.
But whether THIS malware does it, shouldn't be your concern.


1922  Bitcoin / Bitcoin Technical Support / Re: Is it dangerous to load other people's wallet files in the Bitcoin client? on: April 18, 2020, 02:10:21 PM
Most importantly, you said that it is impossible to integrate malicious or virus code into the wallet.dat file,

No, he didn't say that.
What he actually said was:

Whilst there are currently no known vulnerabilities that allow for code execution within the wallet.dat file, I wouldn't trust it too much.

And this actually is the only correct answer to that question.
Currently, there are no known vulnerabilities. This does NOT mean that there are no vulnerabilities. This just means that there is no vulnerability publicly known.
Every software has bugs, and bitcoin core most probably too. Whether someone can inject malicious code to be executed cannot be answered with a definite yes or no.

If you are opening a lot of wallet files from different (not trustworthy) people, what you in fact should be doing is to sandbox the application you are opening them with (in this case: bitcoin core).
1923  Bitcoin / Hardware wallets / Re: Trezor Passphrase Security - What If My 24 Words Got Out? on: April 17, 2020, 07:03:33 PM
Isn't the whole article based on the assumption of the user getting the Hardware wallet robbed, but with the seed not leaked?

If someone is able to gain access to a trezor, he can extract the seed within a few minutes, given that he has the necessary knowledge/hardware on how to accomplish that.

The thing with the trezor hardware wallets is that the security heavily relies on the password.

There are some hardware projects already which automatically glitch the trezor at the right time to extract the seed (and the pin). This roughly takes 2-5 minutes.


@OP
It depends on your password. More on the amount of characters than on the complexity. With 20-30 chars, you are definitely fine. 5-8 would be pretty risky.
1924  Bitcoin / Wallet software / Re: JAXX liberty WALLET on: March 26, 2020, 03:48:39 PM
You should consider no longer using jaxx.

There is a vulnerability in jaxx which allows anyone with a few seconds of access to your computer with your user's privileges to extract the seed of your wallet.
The developers are aware of the vulnerability but refuse to fix it, because "security relies on your device". This is partially true, but a completely retarded statement to make. Especially in the crypto scene.
This wallet offers the same level of security as storing your seed and private keys on a text file on your desktop called "privatekey.txt".

Just stop using jaxx. If you want to use a lightweight wallet, switch to electrum or wasabi.
Both are way more secure than jaxx.
1925  Other / Beginners & Help / Re: Saving your private key in your email is a lethal move on: March 26, 2020, 03:44:33 PM
How can someone hack or brute that?

That's actually not as hard as you might think it is.

While it indeed could be quite frustrating to break into this from a different location, the easiest approach would be to compromise your mobile phone.
You wouldn't notice the notification. The verification would be given within a split second and the 6 digit code would be sent to the attacker.
The whole security in this kind of attack relies on your mobile phone security.


And that's just one attack vector, and definitely not the only one.
1926  Bitcoin / Bitcoin Technical Support / Re: How can I double spend an unconfirmed Bitcoin transaction? on: March 26, 2020, 03:37:17 PM
First, if you try to double spend transaction to scam others.. you won't succeed. If you have to ask such basic questions, you are definitely not able to achieve that.

But if it really is for educational purpose.. what you actually want to do in such a scenario is to broadcast the lower fee (to be replaced) transaction at the same time as your higher fee (replacing) transaction.
However, you would use several nodes spread across the world for that. I.e. this means that you would use a single node to broadcast your low fee tx and multiple other nodes (which are not connected with each other) to broadcast the replacing transaction.
With that setup, you would be able to get more nodes to have your 2nd (replacing) transaction in their mempool. Then it is mostly luck which miner does find a block. Either one with your first or with your second transaction.

That's the race attack shortly described. There are a few more ways to double spend, but that is probably one of the easiest.
1927  Bitcoin / Bitcoin Technical Support / Re: The trouble! I need some help / Advice!!! on: March 26, 2020, 03:26:41 PM
Are non-custodial wallets slower to get things done than online wallets?

For instance, if you want to make transactions?

I might imagine that they could be slower?

And if so, slower by how much?


The "speed" of your transaction is not determined by the type of wallet you are using.
Generating, signing and broadcasting a transaction takes (roughly) the same time on every wallet. And that's all a wallet can influence.
The time it takes for your transaction to be confirmed can always vary and depends on the current amount of transactions waiting to be confirmed, your transaction fee and a bit of luck when the next block is going to be mined. Regardless of the wallet you are using.

As Lucius has pointed out, being your own bank is the whole point of bitcoin. To not rely on any 3rd party.
1928  Bitcoin / Bitcoin Technical Support / Re: Wrong Phrase ,unable to decrypt ? Even I have phrase and password on: March 26, 2020, 03:20:23 PM
As others already mentioned, this website is made to scam people.

You should in fact never trust any website which requires you to enter your mnemonic code on the website.
Stay with trusted and recommended wallets and always verify signatures when downloading them.

Besides the fact that the download might contain malware, all it does with the seed is to send it towards the server as seen in the screenshot below.




Whenever downloading or creating wallets, only use trusted and recommended sites from the community. When in doubt, feel free to ask in this forum.
1929  Bitcoin / Electrum / Re: Fraudulent transaction along with the correct one(Ledger Nano S + Electrum) on: February 19, 2020, 01:27:30 PM
Actually it is very well imaginable that your OS is compromised.

Nothing stops malware from generating transactions and sending them to your ledger for you to accept/verify them.
A locktime of 1 could mean that the person creating the malware/transaction simply just wanted to have the tx to be confirmed as fast as possible (i.e. can be confirmed in the next block) without checking the current block etc.

The safety which comes from using a hardware wallet is, that the transaction details shown to you on the HW screen can not be manipulated and that you actively have to confirm the transactions by pressing a button.
But if your OS is compromised, he definitely can just create transactions and send them to your HW wallet in hope for you to accept them. Waiting until one is created by electrum seems a not too dumb move which might have caught some people off-guard.


And honestly I'd sooner think that your OS is compromised than that this is a bug from electrum and/or ledger.
1930  Bitcoin / Hardware wallets / Re: Security Vulnerability: Ledger Nano X and Ledger Nano S on: February 19, 2020, 01:15:33 PM
Wait, if you open the email, there is no issue right? Its only if you download or click on something in the email right?
Correct.

This might be the case with this email, but is not always true.

There are ways to infect a device by simply opening an email. Of course this requires some conditions to be fulfilled, but nonetheless it is possible.
The very least you could do is to gather information about the target opening the email (e.g. IP address, browser used, OS, etc..). At least if you are not opening the email in plain text mode.

Oh, and btw.. A few years ago there was a bug in Symantec's virus scanner.
It was enough to just receive a malicious email.
Usually the AV checks each incoming mail/attachment in a sandboxed environment. However, there was a bug which allowed an attacker to run code directly with root/administrator privileges on the victim's computer.
You wouldn't even need to open the mail, simply receiving it was sufficient.


Usually, opening mails is fine to not get compromised. But it depends a lot on the mail client / browser / whatever you are using to open it.
1931  Bitcoin / Wallet software / Re: importing seed to another wallet on: February 19, 2020, 12:59:38 PM
Is there a specific reason you decided to use a web wallet (you said "web based", did you mean "browser based" ?) instead of your computer to create the seed ?
There is literally not a single advantage over using traditional (reputable) desktop or mobile wallets to create the seed.

Anyway.. it depends on what "kind of seed" has been generated. If it follows a BIP, you can always recover it in other wallets which support that.
However, if you used some unknown shady wallet, this does not have to be the case.

I'd suggest to not use a web wallet or the seed generated by it (same applies to a browser based wallet).
Just download a desktop/mobile wallet and use that.
With desktop/mobile wallets the security relies on your device security. Same applies to web wallets, but they additionally have more attack vectors and are way less secure in general.
1932  Bitcoin / Development & Technical Discussion / Re: ECDSA as a shared secret key generator on: February 19, 2020, 12:50:47 PM
I'm not aware of any implementations being used in practice though. Something related was suggested in the form of ECDH addresses a while back:

Actually that is being used.
That's how the PayNym feature of the mobile wallet Samourai works.

1. Bob publishes a "watching address"
2. Alice creates a notification message (transaction) to the watching address of Bob containing 80 bytes of data which is the basis for the ECDH key exchange.
3. The shared secret between both of them is used to derive new addresses for single use.

That's useful if you for example want to provide a (publicly available) donation address without anyone being able to see how much donations you already received.
1933  Bitcoin / Development & Technical Discussion / Re: Mining IP Addresses on: February 19, 2020, 12:42:56 PM
This question could be understood in 2 ways:

1) Whether there is information about the IP addresses of each individual miner working on solving the puzzle or
2) Whether there is information about the IP addresses of those who publish new mined blocks (i.e. solo miner and mining pools)


If it is 1), then you'll only be able to find out their ip addresses if they were sloppy when setting up their network (i.e. not caring about security). You shouldn't be able to find out their IP.
Regarding 2), this information could be retrieved without much hassle. But it fully depends on how they broadcast their blocks. If they broadcast it via the TOR network, you won't find out their clearnet IP. Same applies to if they are using some sort of obfuscation (e.g. VPN / Proxy) to broadcast the blocks.
1934  Bitcoin / Bitcoin Technical Support / Re: Will these bitcoind settings hamper my solo miner chances? on: February 19, 2020, 12:31:18 PM
That's why I've said (rephrased): You can never encourage the majority of the miners to solo mine, it needs a protocol change that prohibits pooling to make it happen.

You can't change the protocol (I guess you are talking about the bitcoin protocol?) in such a way.
There is literally no way for the rest of the network to see whether a block has been mined by a solo miner or by a mining pool other than the optional field in the block including the name of the miner/pool.

Actually you first had to properly define a pool. If I have 2 miners connected, that obviously wouldn't count as a pool?
And if I have multiple hundreds of miners - eventually even spread across the world - would you count that as a pool already?

There is no proper way to distinguish between someone who owns a lot of mining rigs and a pool.
I mean.. you could theoretically set a maximum H/s limit per entity.. but since there is no control whatsoever, a single person could create multiple identities.


So in summary.. there simply is no way to ban mining pools.
1935  Bitcoin / Electrum / Re: Electrum online or offline? on: January 03, 2020, 05:01:20 PM
2. I know it recommends storing Electrum on another device not connecting on-line...But until I'm able to get another device to put in on, is it still ok to use going on and off line?

Offline storage (a.k.a. cold storage) is definitely more secure.
However, you were using an exchange as your 'wallet', which isn't even a real wallet because you don't have access to the private key. You just have some balance on a website and they promise you that you own that much BTC.

With a desktop wallet (on an online computer), it already is way more secure than using an exchange. There are less attack vectors compared to an 'exchange wallet'.
If your PC is compromised, both of them would be compromised. But you don't need to rely on their security anymore to have your coins secured. That's the big advantage.

So.. the answer is yes. It is 'still ok'. In fact it is better than storing your coins on an exchange.
1936  Bitcoin / Hardware wallets / Re: What happens if my Wi-Fi Internet stops working during a transaction? on: January 03, 2020, 04:56:36 PM
At worst, your transaction won't be broadcast, because it's corrupted. But rebroadcasting / recreating a transaction is a trivial task, so you don't need to worry about it.

OP is worried about not receiving his coins when someone else sends a transaction to his address.

@OP
As pointed out already, that is not an issue.
Your wallet does not store any coins. It only stores the private keys which are necessary to send the BTC associated to your public keys.

Whenever someone sends you some BTC, he is 'transferring ownership' of them to your public key. This is being recorded in the blockchain.
And once you want to access/send them, you need to sign a new transaction using the corresponding private key.
Your wallet does not have to be online at all when receiving coins.
1937  Economy / Web Wallets / Re: Huge unspendable balance in blockchain wallet on: January 03, 2020, 04:19:34 PM
Since you already know how to fix it, you should now proceed to make sure that this won't happen again.

The most important thing is.. Stop using a web wallet.
Switch to a real wallet which gives you full control (not blockchain.com) and which is more secure than the least secure type of wallets (web wallets).
With 5+ BTC, you should definitely invest ~90$ to get a hardware wallet. That's way more secure than a web wallet or a desktop wallet.

And with electrum as the interface to manage your coins, you will always see how many inputs you have and what it will cost to consolidate/spend them.
That's the best advice I can give to you regarding this.

And if you don't want to invest anything and don't want to buy a hardware wallet, at least use a desktop wallet (e.g. electrum).
It is more secure than a web wallet and will give you full control over your funds. Such an issue won't happen with electrum.
1938  Other / Beginners & Help / Re: So how exactly will the halving of bitcoin block reward benefit bitcoin. on: January 03, 2020, 03:58:57 PM
Well, if people do not invest in altcoins this time, they may also not invest in bitcoins too as they know that after the bull run there will be a big long bear market.

There is something you are missing.. The majority of altcoins (if not all) are worthless and just made to get rich relatively quick.
Bitcoin on the other hand has a value and actually is useful. No one invented it to get rich quick.

Just because people don't invest into shitcoins altcoins, this doesn't mean that they won't invest into bitcoin - a coin with an actual purpose.

While it is true that most 'investors' just want to get rich with bitcoin, there are still some people who actually believe in the future of it. As a store of value and as a currency without any limitations.

IMO people are way too much focused on the BTC/$ value instead of the actual technology and improvements being done.
1939  Bitcoin / Electrum / Re: How to avoid Electrum Hack? on: January 03, 2020, 03:40:50 PM
One more thing: perhaps you might encounter popups to update electrum, and that's how the hack happened a few days back.

Please stop calling it a 'hack'.
There was no hack at all.

There was a (low severity) vulnerability which allowed the electrum server to send a custom message to the client. That's all.
This was just a plain simple phishing attack.

And the majority of people who fell for it, would have also fallen for a (badly written) phishing email.



Someone from the server sent these popups somehow.

The server always could send messages back to the client in case something happened (e.g. broadcasting transaction failed).
The vulnerability allowed the server to send any custom message, which resulted in the phishing message spread by a lot of malicious servers.


@OP
Only download electrum from the official site and verify the signature. This keeps you safe from malicious versions not signed by the developer of electrum.
Then, if you keep your PC clean, you are fine.
1940  Bitcoin / Development & Technical Discussion / Re: Let's deploy free open-source crypto-exchange in 15 minutes on: December 28, 2019, 05:02:18 PM
Anyone who truly wants to run an exchange shouldn't touch those open source 'exchanges' at all.

Even if we assume that the author did not include an intentional vulnerability which wouldn't be found by a code review (which we shouldn't assume at all),
how would you think you'd handle occurring issues ? Outdated software, new vulnerabilities, etc.. ?

People who have the bankroll and want to run an exchange, get a customized software built for them for several 10k / 100k $.
People who don't have any clue at all, use free open source software. Then they either get hacked or lose funds because of other unforeseen issues.


Just look at the Issues on github.
One person doesn't know how to add a new currency.. but obviously believes he is capable of running an exchange.
Another person can't even get the software to run.. and even worse.. then another one suggests that he give the user running the service root permissions.


People using such open source software to get an exchange running are asking to lose money. Either by the developer through built in vulnerabilities or through other script kiddies.