**** WARNING **** Fake Electrum binaries in the wild at electrum-wallet.com

[GiGa#]

Like in 2015, someone just cloned the electrum.org website into electrum-wallet.com and distributes bad binaries.  

So far I found a few changes in their version of the installwizard.py file

Someone this morning got robbed with 45 Bitcoins from this trojan - ouch!!!   https://bitcointalk.org/index.php?topic=2059967.msg20555125#msg20555125

[1714669154]

1714669154

[1714669154]

1714669154

[OmegaStarScream]

Googling for Electrum wallet or simply Electrum should give you the original legit site. I'm really curious to know how people fall for this honestly and how they even find these sites and what makes things even weirder is the software version, the original is 2.9.1 while the one on that site is 2.7.12 so not to be rude or anything but people should really use their brains sometimes.

[kolloh]

It looks like they also provide a fake signature for verifying the binaries as it differs from the one on the legit site.

You definitely need to be careful and do more research before simply downloading a wallet from a random site. Hopefully this fake site can get taken offline quickly so that no others are fooled.

[Coin-Keeper]

Its just so easy to verify GPG signatures and we have a script already made for the purpose in this forum.  Still, this is another reason why I love my Trezors.

[Coin-Keeper]

Gi-Ga# - OP,

Thanks for taking the time to post this thread as a warning.  I fear that by the time someone comes here to find out what happened it will be too late.  Still, thanks for trying.

[jhenfelipe]

That's why I rather type the URL myself (if you know it) rather than googling it. Also, it is recommended to have an Anti Virus with web protection, that will surely detect a malicious website (I have malwarebytes here in my end). Let's be extra careful and responsible to all our actions.

[Coin-Keeper]

True, but nothing holds a candle to a full GPG verification of Thomas' signature, which he places on every official release.

[kolloh]

True, but nothing holds a candle to a full GPG verification of Thomas' signature, which he places on every official release.

Yeah, but that doesn't help people if they aren't on the right website or don't have ThomasV's signature since the fake websites also publish fake GPG signatures.

[Coin-Keeper]

True, but nothing holds a candle to a full GPG verification of Thomas' signature, which he places on every official release.

Yeah, but that doesn't help people if they aren't on the right website or don't have ThomasV's signature since the fake websites also publish fake GPG signatures.

If THEY don't have Thomas' GPG public key on their keyring they are not verifying anything!  Any fake signatures are beyond worthless if compared with Thomas' actual fingerprint verified key.  This is basic stuff.

Another sub standard to GPG solution would be to verify Electrum's site certificate number in the url before downloading any files.  In the case of electrum dot org the correct and ONLY actual fingerprint would reflect the following sha256:  D0:9E:C1:85:9C:CF:85:4A:42:C1:48:38:8D:33:43:0C:4F:23:77:A3:BB:F3:DE:92:51:9F:0E:6F:E8:63:DE:C6

If you don't see this fingerprint while logged into what you assume is Electrum you are NOT on the official site.  A middle man cannot replicate this fingerprint without PWNing the private key and that is unlikely.  Still GPG is somewhat better and the final acid test.

[Bitcoinsummoner]

That site is fake the real website for electrum is electrum.org this is the correct site..

If you use this site expect that you can be scam so better to check the url everytime before you download because you can be reach if you don't check it carefully.
Look at the bitmixer there are many fake promoted in search engine. .

[kolloh]

True, but nothing holds a candle to a full GPG verification of Thomas' signature, which he places on every official release.

Yeah, but that doesn't help people if they aren't on the right website or don't have ThomasV's signature since the fake websites also publish fake GPG signatures.

If THEY don't have Thomas' GPG public key on their keyring they are not verifying anything!  Any fake signatures are beyond worthless if compared with Thomas' actual fingerprint verified key.  This is basic stuff.

Another sub standard to GPG solution would be to verify Electrum's site certificate number in the url before downloading any files.  In the case of electrum dot org the correct and ONLY actual fingerprint would reflect the following sha256:  D0:9E:C1:85:9C:CF:85:4A:42:C1:48:38:8D:33:43:0C:4F:23:77:A3:BB:F3:DE:92:51:9F:0E:6F:E8:63:DE:C6

If you don't see this fingerprint while logged into what you assume is Electrum you are NOT on the official site.  A middle man cannot replicate this fingerprint without PWNing the private key and that is unlikely.  Still GPG is somewhat better and the final acid test.

My point was that someone downloading Electrum for the first time and accidentally going to a fake website is not going to know any of this. They likely do not know that the developer is ThomasV and they have no idea which certificate number is valid or which URL is valid. Of course that information will help people knowledgeable about Electrum or previous users, but I'd imagine that new users would be the most susceptible to fake websites such this.

[noormcs5]

I expected stealing it this hard fork time, but not a stealing seems to be where I thought it was going to be I thought a lot of my life website for promise easy transition for people's Bitcoin while it's at the Bitcoin cash and the reality of that easy transition would be able to be going into somebody else's wallet. Instead it seems to be a software attack.