my electrum wallet (NEW VERSION) has been hacked

[gentlemand]

The Bitcoin codebase is still so young right now and comparable to the early internet. Devs will learn from these mistakes and carry on. I hope no more people loose money to this exploit.

This has absolutely nothing to do with Bitcoin's code. The moment they started to introduce 'consumer protection measures' into the code itself is the moment it's abandoned by the people who develop it.

[1714944302]

1714944302

[1714944302]

1714944302

[1714944302]

1714944302

[veleten]

sad for your loss, but whenever you receive an email or message from any "bank" or in this case wallet
make sure you check ten times if its legit
in 99% cases its a scam
I got countless fishing messages from fake blockchain, coinbase and other wallets to develop immunity to this sort of scam
unfortunately, too many users learn the hard way and lose all of their money, at least all you lost was 0.04 btc which is painful but not the end of the world

[gentlemand]

sad for your loss, but whenever you receive an email or message from any "bank" or in this case wallet
make sure you check ten times if its legit
in 99% cases its a scam

This is an in wallet message which most would pay far more attention to than some random email which would guarantee an insta ignore. I can imagine many people would've unthinkingly followed its instructions.

It still sucks but it's more understandable that more would fall for this.

[ranman09]

It still sucks but it's more understandable that more would fall for this.

Agreed even if I were presented by this message out of nowhere when I am doing a natural thing for me of sending funds. I would fall for this trap. Just wondered, he said he downloaded from electrum.org? Isn't that the true website? Or is it already hacked?

I hope developers do something about this. Not all people have the time to read such discussions like this. They just do what they been doing ever since. It's been 10 years of bitcoin so I guess more got the habit of using it and have the habit in mind to always update software for better performance.

[jackg]

It still sucks but it's more understandable that more would fall for this.

Agreed even if I were presented by this message out of nowhere when I am doing a natural thing for me of sending funds. I would fall for this trap. Just wondered, he said he downloaded from electrum.org? Isn't that the true website? Or is it already hacked?

I hope developers do something about this. Not all people have the time to read such discussions like this. They just do what they been doing ever since. It's been 10 years of bitcoin so I guess more got the habit of using it and have the habit in mind to always update software for better performance.

Don’t update software as soon as it’s released. I have a 30 day cooling off period for example.
The cooling off period isn’t great but it means if something is wrong, it’s probably been spotted. This potentially means I should also start verifying signatures to be more secure or at least the sha checksum.

[veleten]

sad for your loss, but whenever you receive an email or message from any "bank" or in this case wallet
make sure you check ten times if its legit
in 99% cases its a scam

This is an in wallet message which most would pay far more attention to than some random email which would guarantee an insta ignore. I can imagine many people would've unthinkingly followed its instructions.

It still sucks but it's more understandable that more would fall for this.

yes, I agree when you receive such a message in the wallet itself it adds credibility
but I would go to the official site and check the news and download there
in any case , Electrum just lost many potential users due to this strange security lapse

[stomachgrowls]

sad for your loss, but whenever you receive an email or message from any "bank" or in this case wallet
make sure you check ten times if its legit
in 99% cases its a scam

This is an in wallet message which most would pay far more attention to than some random email which would guarantee an insta ignore. I can imagine many people would've unthinkingly followed its instructions.

It still sucks but it's more understandable that more would fall for this.

yes, I agree when you receive such a message in the wallet itself it adds credibility
but I would go to the official site and check the news and download there
in any case , Electrum just lost many potential users due to this strange security lapse

You cant say such thing because even im on the situation i would be most likely to believe since most of us do know
the reputation of Electrum so if its on wallet message then high chance it would really get attention.You would only
realize that you loss money if such news pop-out or people already starting to lose money.

[bL4nkcode]

Obviously, hardware wallet can prevent this to happen if ever people have them, even though they can afford to buy it but due to some reason in which they prioritized, they didn't and they lost this much.

It might try and send it to a different address with a hardware wallet still and people would have to pay attention to the receiving address located on the hardware screen, which could still lead to a loss of funds since so many don't pay attention to that.

But that's not the case here.

And everyone who has hardware wallet should and make it a practice to double check the address for confirmation that shows in the screen before sending.

yes, I agree when you receive such a message in the wallet itself it adds credibility
but I would go to the official site and check the news and download there
in any case , Electrum just lost many potential users due to this strange security lapse

Well, yeah every time there's an update I always go to the official website and download the software. But regarding to notification, I never received any or pop up in my computer that there's an update etc. even before this hack happens. It only notifies me when I sent and received funds.

[ranman09]

It still sucks but it's more understandable that more would fall for this.

Agreed even if I were presented by this message out of nowhere when I am doing a natural thing for me of sending funds. I would fall for this trap. Just wondered, he said he downloaded from electrum.org? Isn't that the true website? Or is it already hacked?

I hope developers do something about this. Not all people have the time to read such discussions like this. They just do what they been doing ever since. It's been 10 years of bitcoin so I guess more got the habit of using it and have the habit in mind to always update software for better performance.

Don’t update software as soon as it’s released. I have a 30 day cooling off period for example.
The cooling off period isn’t great but it means if something is wrong, it’s probably been spotted. This potentially means I should also start verifying signatures to be more secure or at least the sha checksum.

That's a great suggestion. But I hope that becomes one of the general knowledge for software updates.

[bL4nkcode]

There's an update of electrum wallet of a fixed 3.3.2 and now it's from their official twitter and should be downloaded only from its official source https://electrum.org/#download

[BitcoinGirl.Club]

looks like he already scammed 15 BTC, sad brother, but there is nothing that will help you now

https://www.reddit.com/r/CryptoCurrency/comments/a9yji3/electrum_wallet_hacked_200_btc_stolen_so_far/

It's getting on for a 250 BTC haul now.

When it comes to updates I usually wait a few weeks just to be sure. I'd never use a computer-based wallet all the same.

All the Bitcoins are ending to this address: 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj
I feel sorry for OP and all those people who are victim of this scammer. Hopefully karma follows him/her.

I am glad that I have seen this topic before making the same mistake like OP or I would lose my coins too.

Good luck everyone. Please keep your coins safe.

[veleten]

looks like he already scammed 15 BTC, sad brother, but there is nothing that will help you now

https://www.reddit.com/r/CryptoCurrency/comments/a9yji3/electrum_wallet_hacked_200_btc_stolen_so_far/

It's getting on for a 250 BTC haul now.

When it comes to updates I usually wait a few weeks just to be sure. I'd never use a computer-based wallet all the same.

All the Bitcoins are ending to this address: 1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj
I feel sorry for OP and all those people who are victim of this scammer. Hopefully karma follows him/her.

I am glad that I have seen this topic before making the same mistake like OP or I would lose my coins too.

Good luck everyone. Please keep your coins safe.

checked my Electrum, doesn't seem to have any messages, guess it depends on a system you are running it on 
Electrum updated the wallet but they made it version 3.3.2 compared to 3.2.2 , I have no idea why would they not change the last digit as well , like 3.3.0 or 3.3.1 ?

1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj
more than 1 mil dollars amassed so far on this wallet, crazy to think that they managed to scam this amount of money

[jackg]

@veleten, I think it depends on the server you're connected to? Or maybe it's a firewall thing or something. I think electrum works by sending the error message from the server and thus a link can be sent too.

There are a few trusted peers among the network which I normally connect to, a few forum members here host a node also.

Also, those are version numbers, it's likely 3.3.0 and 3.3.1 are non stable releases and used as milestones in the production process. They are probably on GitHub but I wouldn't recommend using them as the word unstable should carry some power.

[Lucius]

checked my Electrum, doesn't seem to have any messages, guess it depends on a system you are running it on 
Electrum updated the wallet but they made it version 3.3.2 compared to 3.2.2 , I have no idea why would they not change the last digit as well , like 3.3.0 or 3.3.1 ?

1MkM9Q6xo5AHZkLv2sTGLYb3zVreE6wBkj
more than 1 mil dollars amassed so far on this wallet, crazy to think that they managed to scam this amount of money

You will only see that message if you try to send transaction and if you are connected to bad server which is used by hacker. I send few transaction with Ledger Nano S+Electrum and there is no any pop message about updating.

Electrum did not release a new version, they only change way how that message is display - so there is no direct clickable link in message, and now users can only copy/paste bad link. Last version of Electrum is from 2018-12-21 and number of version is 3.3.2.

https://download.electrum.org/

[BitcoinGirl.Club]

<snip>

<snip>

This whole thing is making me paranoid. Honestly speaking since I have seen this hacking news I am not opening my Electrum. I am waiting for the cool down period that jackg said on other thread.

[jackg]

<snip>

<snip>

This whole thing is making me paranoid. Honestly speaking since I have seen this hacking news I am not opening my Electrum. I am waiting for the cool down period that jackg said on other thread.

My suggested 30 days is probably a pessimistic one, 14 or something is potentially fine to have enough people to have tested it. I make the time longer so I don't have to fight my antivirus too...

That being said, as long as there's no major vulnerability. It's safe to use an old version, or would be in other cases, if you're trigger happy then it's not based on the current vulnerability. I'm not even sure what they could possibly do to fix the vulnerability which is my concern unless an error code is just sent but that'll have to be tested for an index out of range error and would mean less backwards compatibility. (An alternative, probably better approach is to use thomasV's Bitcoin address and the signed message beneath and then it'll be obvious for people using an old version if it's not there and newer versions could verify the signature on receiving the message).

[HCP]

... I'm not even sure what they could possibly do to fix the vulnerability which is my concern unless an error code is just sent but that'll have to be tested for an index out of range error and would mean less backwards compatibility.

The problem with attempting to "properly fix" this issue... is that all the Electrum Servers would need to be updated so that they returned something meaningful for the client to parse.

Someone posted a link in another thread about the Electron Cash "hack" that they implemented in the client... which, while effective, is not really a "proper fix".

Also, it isn't really a vulnerability in the typical sense of the word. There isn't a direct security vulnerability with an immediate threat to the user. It doesn't auto-download any malware, the user's wallet/seed/keys are not at risk etc... unless the user manually downloads the malicious client and executes it.

(An alternative, probably better approach is to use thomasV's Bitcoin address and the signed message beneath and then it'll be obvious for people using an old version if it's not there and newer versions could verify the signature on receiving the message).

How would you sign the message without the private key? You'd need the Electrum server code to have access to that to be able to sign the message...

[Lucius]

This whole thing is making me paranoid. Honestly speaking since I have seen this hacking news I am not opening my Electrum. I am waiting for the cool down period that jackg said on other thread.

It makes no sense to exaggerate in this situation, you can open your Electrum and receive/send transaction without fear that your wallet will be compromised. As HCP say, you can only be affected by this threat if you download fake wallet, and only thing you need to do is close that popup window if it appears on your screen.

[jackg]

How would you sign the message without the private key? You'd need the Electrum server code to have access to that to be able to sign the message...

The idea being that a lot of the error coded and error messages I get at least are not specific to the issue so the text could previously be signed by thomasv to determine their authority. I don't think there's ever a full fix without larger exact evaluations of the issues.