How to find real Electrum?

[zetzetzet]

Hi, guys!
I have a question, first of all to developer @ThomasV

I'm using now Electrum 3.0, software asked me to update.
Because of huge amount of fakes, I'm afraid to do this.

How can I verify, that https://electrum.org/#download is good and real electrum, not fake?
Developers, could you in second source, post MD5 / SHA-1 of real Electrum? Here on BTtalk or in oficial twitter?

Is this real Electrum https://www.virustotal.com/#/file/09e877b25a518eba9c4b2b874f4af980f577764065e841e9066c15d7e802610a/detection
Why it's detected by AVs as trojan?

[1713567295]

1713567295

[1713567295]

1713567295

[Lucius]

If you are on Windows check this thread with tutorial to verify signature : https://bitcointalk.org/index.php?topic=5105901.0

In general you should be safe if you download from official site, and if you verify signature. Nothing more then this can not be done, and if you follow all steps you should be good.

Regarding virustotal detection, it is in most cases false detection by some minor av engines, and I think this is also such case. There is few threads where this issue is explain in more details.

You should update to latest version, because developers fix problem with bad servers displaying links to fake wallets, but take your time and triple check every step to be sure that you have legit version.

[mindrust]

Can't you just use a pruned bitcoin core wallet instead? It is not a download and go solution like electrum but once you set it up you can use it like the way you use electrum.

Whatever you do, don't click those pop-ups.

[zetzetzet]

Lucius, yeah, just seen that thread.

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?

[TryNinja]

Lucius, yeah, just seen that thread.

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?

Just verify the signatures.

Electrum is commonly acussed as a trojan by a few random AV’s. But that’s just a false-positive. It happens all the time.

Here is Electrum’s “official” explanation:

"Anti-virus" software uses shitty heuristics to detect malware. PyInstaller is a convenient tool to package python apps. We use PyInstaller. Malware authors use PyInstaller. Everything that uses PyInstaller is detected as malware.

Anti-virus software have (and always had) false positives, and some of them tag Electrum as malware. This is out of our control. This does not mean that Electrum is or contains malware.

The Windows binaries are signed using the native Windows signing scheme by an entity named Electrum Technologies GmbH. They are also signed using GPG by @ecdsa (ThomasV). The GPG key fingerprint is 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6.

If you trust the developers of the project, you can verify the GPG signature, and ignore any anti-virus warnings.

If you don't trust the developers with not backdooring the binaries, you can (1) build binaries yourself; or (2) you can run from source. Some of the binaries are built reproducibly, so you can also check that those match.

More: https://github.com/spesmilo/electrum/issues/3198#issuecomment-458949319

[elda34b]

ThomasV, could you, please, write here in sticky thread MD5 / SHA-1 / signature of real Electrum 3.3.3 ?

You can already verify the sig. If you still don't trust it, you can build it from scratch as explained on the GitHub page. I'm not sure if Thomas would reply because he already gave his GPG fingerprint.

[zetzetzet]

yes, I know about sig https://bitcointalk.org/index.php?topic=5105901.0
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phshing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
In will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter. Really more secure.
Because I don't know till now, where is real electrum.

[progamegamegame]

Пoмoгитe ПOЖAЛУЙCTA,тoлькo чтo cдeлaл oтпpaвкy биткoйнoв чepeз микcep,нaжaл oтпpaвить выcвeтилocь oкнo гдe былo нaпиcaнo oбнoвитe вepcию и пoдoбнoe,ccылoк нa cкaчивaния вepcий нe былo,я нaжaл oк .Я нaжимaл oтпpaвить биткoйн нa aдpec,пocлe чeгo oкнo нaжaл oк,нaчaл oбнoвлять вepcию,cмoтpю a пepeвoд yжe пoшёл,пocлe чeгo нaчaл cмoтpeть тpaнзaкцию пepeвoдa,oтпpaвкa yжe пpoизoшлa a вoт нa aдpec yкaзaнный мнoю дo cиx пop нe пpишли биткoйны пpoшлo yжe 3 чaca и нe oднoй пoдтвepждeннoй тpaнзaкции пoмoгитe пoжaлyйcтa мyжики,я нe пoймy мeня oбoкpaли или кaк?Я пo ccылкaм нe кaким нe пepexoдил,пpocтo вcплылo oкнo мaлeнькoe и я нaжaл oк и вcё!



Help PLEASE, just made sending bitcoins through a mixer, clicked send a window appeared where update was written and so on, there were no versions download links, I clicked ok. I clicked send bitcoin to the address, after which the window clicked ok, I started updating version , I look and the translation has already gone, after which I started watching the transfer transaction, sending has already taken place, but bitcoins have not yet arrived at the address I have already received 3 hours and not one confirmed transaction please help the guys, I don’t understand me or what? I didn’t follow the links by any means, a small window popped up and I clicked ok and that's it!

[CJR]

electrum.org file is not safe! it contains a trojan!


I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version Im exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?

https://imgbbb.com/image/tyI0r

[mindrust]

Пoмoгитe ПOЖAЛУЙCTA,тoлькo чтo cдeлaл oтпpaвкy биткoйнoв чepeз микcep,нaжaл oтпpaвить выcвeтилocь oкнo гдe былo нaпиcaнo oбнoвитe вepcию и пoдoбнoe,ccылoк нa cкaчивaния вepcий нe былo,я нaжaл oк .Я нaжимaл oтпpaвить биткoйн нa aдpec,пocлe чeгo oкнo нaжaл oк,нaчaл oбнoвлять вepcию,cмoтpю a пepeвoд yжe пoшёл,пocлe чeгo нaчaл cмoтpeть тpaнзaкцию пepeвoдa,oтпpaвкa yжe пpoизoшлa a вoт нa aдpec yкaзaнный мнoю дo cиx пop нe пpишли биткoйны пpoшлo yжe 3 чaca и нe oднoй пoдтвepждeннoй тpaнзaкции пoмoгитe пoжaлyйcтa мyжики,я нe пoймy мeня oбoкpaли или кaк?Я пo ccылкaм нe кaким нe пepexoдил,пpocтo вcплылo oкнo мaлeнькoe и я нaжaл oк и вcё!



Help PLEASE, just made sending bitcoins through a mixer, clicked send a window appeared where update was written and so on, there were no versions download links, I clicked ok. I clicked send bitcoin to the address, after which the window clicked ok, I started updating version , I look and the translation has already gone, after which I started watching the transfer transaction, sending has already taken place, but bitcoins have not yet arrived at the address I have already received 3 hours and not one confirmed transaction please help the guys, I don’t understand me or what? I didn’t follow the links by any means, a small window popped up and I clicked ok and that's it!

If you send it as a RBF enabled transaction, you can try to send it again by paying a higher fee with different outputs but if you haven't done it before you'll probably fail to do it before your first transaction gets a confirmation. (I did it before long time ago but if I had to do it again, I wouldn't make it in time probably) You are racing with seconds right now.

You better google "child pays for the parent" and "replace by fee" right away.

This post here explains it quite well:
https://bitcoin.stackexchange.com/questions/49723/replace-by-fee-vs-child-pays-for-parent

electrum.org file is not safe! it contains a trojan!


I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version Im exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?

Do not click anything. Delete that shit and never download it again. (don't delete your wallet files) Use only the core wallet.

Also fuck electrum. Just stop using that malware.

I am (was) also an electrum user but seeing these people getting scammed like this finished it for me.

[HCP]

electrum.org file is not safe! it contains a trojan!

I received the same error on my electrum wallet 3.3.2, but instead of downloading from the link, I went to download the new .exe installer for windows on electrum.org website.

As soon as I downloaded it, windows defender showed me an error of a trojan on the file.

Not sure what to do, if I leave the previous version Im exposed to phishing, but if I download the new version from the electrum.org website I get a trojan warning message from windows defender.

Any updates on this?

It is a false positive... For some reason (shitty heuristics), a number of antivirus applications detect programs that use PyInstaller as having trojans... I think it is because a number of viruses/malware apps use PyInstaller... so the antivirus incorrectly marks ALL apps that use it as being trojans

If you downloaded from https://electrum.org/#download and follow the instructions here: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/

And the digital signature checks out OK, you can be confident that you have a legitimate copy of Electrum and that it is safe. Ignore Windows Defender, it is a shit antivirus.

[rokkyroad]

This is serious shit!

Is there no way to warn users before they install the hacked wallet? If the hacker can still infect older wallet versions then devs should have no trouble sending out a general warning via all servers.
People are still losing money and its total bullshit.

[TryNinja]

This is serious shit!

Is there no way to warn users before they install the hacked wallet? If the hacker can still infect older wallet versions then devs should have no trouble sending out a general warning via all servers.
People are still losing money and its total bullshit.

There is nothing infected. It’s an vulnerability that lets the servers send customized messages to Electrum wallets connected to it.

The devs are already using the same vulnerability to warn the users on the affected versions.

[Abdussamad]

yes, I know about sig https://bitcointalk.org/index.php?topic=5105901.0
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phshing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
In will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter. Really more secure.
Because I don't know till now, where is real electrum.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature. It'll serve you well in the future.

electrum.org is the correct site btw.

[zetzetzet]

yes, I know about sig https://bitcointalk.org/index.php?topic=5105901.0
But I want to check file (hash of exe).

ThomasV, today I have found 3 more threads about "hacked" electrum and phshing. Could you, please, post everywhere (here in pinned thread, in twitter) MD5 / SHA-1 / signature of real Electrum 3.3.3 ? not only sig, but also MD5 / SHA-1 of files.
In will be secure, to check this info in 2 sources (download on official website and check hashes of .exe's here and in twitter. Really more secure.
Because I don't know till now, where is real electrum.

Electrum doesn't publish hashes because even fake websites can publish hashes. Digital signatures OTOH cannot be faked. So take the time to learn to verify the digital signature. It'll serve you well in the future.

electrum.org is the correct site btw.

But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consist of million threads, where people complain about electrum wallet phishing

[Abdussamad]

But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consist of million threads, where people complain about electrum wallet phishing

This would be a pointless exercise. Do you even know how people end up installing fake electrum versions? Most of them google electrum and follow a link in an ad to the fake electrum site. Others are falling prey to the phishing messages in old electrum versions. Non of these people frequent this or any other community forum. If they did they would know better and would only download from electrum.org.

Now consider what happens when people who have fallen prey to fake versions come here and complain. They never visited this forum before but when they need help they seek it out. What are we to tell them? Would it serve any purpose to ask them whether they verified the hashes? The fake sites have hashes for the fake versions so there is no point in verifying hashes. As HCP pointed out hashes alone do not let you authenticate the source of the software. A digital signature of the maintainer is required for that.

Why are you and other users so resistant to learning how to verify digital signatures? It only takes a few minutes to learn how to do this. Here's a guide if you're interested.

[bob123]

But developers can post hashes of files here on bitcointalk. Or in twitter. In second source. It's 99.9% secure!
Why not to do this?
This section consist of million threads, where people complain about electrum wallet phishing

There is no need for this bullshit.

Just VERIFY THE SIGNATURE.

There is absolutely NO reason for checking the hashes. All files are signed by TomasV's PGP key.
Signatures should always be MORE TRUSTED than hashes compared with hashes posted on a website / forum.

There are quite a few tutorials available on how to get the PGP key and how to verify the signature.
If you want to be sure that you got the original electrum (and not a fake / malicious version), verify the signature or build it yourself from source.

[TryNinja]

The fake sites have hashes for the fake versions so there is no point in verifying hashes

The fake sites have signatures for the fake versions so there is no point in verifying signatures

Which is exactly why you use a well known PGP key[1] (pre-setted up) with a trusted fingerprint. You don’t donwload a raneom PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

[TryNinja]

Which is exactly why you use a well known PGP key[1] (pre-setted up) with a trusted fingerprint. You don’t donwload a raneom PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

what is this? Where did you have this link?

Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.

[TryNinja]

Which is exactly why you use a well known PGP key[1] (pre-setted up) with a trusted fingerprint. You don’t donwload a raneom PGP key from the website you are downloading the unknown software and use it to verify a signature.

Are you even reading what you are saying?

where is well known PGP key?

[1] https://pgp.mit.edu/pks/lookup?op=vindex&search=0x2BD5824B7F9470E6

what is this? Where did you have this link?

Go to Electrum’s real GitHub repo.

Look for it: https://github.com/spesmilo/electrum/blob/master/pubkeys/ThomasV.asc

It’s the same as the link above.

why not from electrum.org? You said just download electrum from electrum.org but why i have to download a file from github.com? Bad servers ask users download fake electrum update from github.com too

If you knew the answer, then why are you askig for my source for ThomasV key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.

Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.

Why can’t you just do your own goddam research to confirm that what I’m saying is true?