Bitcoin Forum
Author Topic: I just had all my bitcoins stolen and I don't understand how it happened  (Read 542 times)
HCP
Legendary
Activity: 2086
Merit: 4316
<insert witty quote here>
August 02, 2019, 09:59:41 PM
 #21

Else, I'd urge @theymos and @admins (administration) to please display these things as warnings in the News part (top left of your page under avatar) as it'd actually save many of them and even us if we remain unaware until scammed.
Theymos did... when this was actually "news" Roll Eyes

There was a link to an announcement regarding the Electrum phishing vulnerability posted in the "News" bar at the top of the page. This was all the way back when this first blew up at the end of December 2018... it's now August 2019, this is not "news" anymore.

"Be Your Own Bank (Security Department)"

pereira4
Legendary
Activity: 1610
Merit: 1183
August 02, 2019, 10:58:04 PM
 #22

Even signatures don't guarantee anything, the MIT server where they store them could have been compromised, the people involved could have been compromised... etc

This is why you want to ideally run a full client and validate your own transactions, otherwise you are basically running a webwallet.
That isn't secure either. Even running a full client isn't enough. Bitcoin Core can be compromised in that scenario too. The problem here isn't with the validation of the transaction. I don't agree with that either. The difference between SPV clients and Web wallets is huge; SPV clients still do give you full control over your private keys. IMO, SPV clients give their users the balance between convenience and security.

If you want to protect against the scenario that you've described, you have to review and build the client from scratch. This isn't something everyone can do.

If you are serious about Bitcoin then SPV wallets aren't much different from a webwallet. Obviously no software is free from MITM attacks, but all things equal, a full node is the way to go. I'm a bit of an extremist in this case. Why bother at all if you don't get the real thing. As Luke JR would put it, if you aren't running a full node you aren't using Bitcoin.
HCP
Legendary
Activity: 2086
Merit: 4316
<insert witty quote here>
August 03, 2019, 07:39:10 AM
 #23

If you are serious about Bitcoin then SPV wallets aren't much different from a webwallet. Obviously no software is free from MITM attacks, but all things equal, a full node is the way to go. I'm a bit of an extremist in this case. Why bother at all if you don't get the real thing. As Luke JR would put it, if you aren't running a full node you aren't using Bitcoin.
What about if you run your SPV wallet by connecting it to your own full node? Wink

Bitcoin Core+electrs+Electrum+Nano S

Boriss
Full Member
Activity: 728
Merit: 115
August 03, 2019, 08:24:11 AM
 #24


..... As Luke JR would put it, if you aren't running a full node you aren't using Bitcoin.

If that was absolutely true then you would never go out from your house or a flat and use your bike or motorcycle; instead we would all live our lives under the iron dome, and if we needed to go out to our friends or to our jobs we would order an armored vehicle. This is the same statement as that every bitcoiner must run a full node. Don't get me wrong, I agree with the statement about an armored vehicle being more secure than a bike, but it's just not possible for the majority of people, and especially for something that we try to achieve, and that is better adoption on the bigger scale.



Pmalek
Legendary
Activity: 2758
Merit: 7130
August 04, 2019, 07:43:12 AM
 #25

I believe we should start up a campaign (not speaking about signature campaign) where we should make newbies aware of such vulnerabilities to save them from becoming a victim for those hackers who just want free money and don't really wanna work for it.
I am afraid that wouldn't change much.
If you browsed through all of these threads that were opened where members had issues involving their wallets many of them have one thing in common:
Users are not sure what they are doing but they do it anyway before understanding the risks involved.

Usually it goes like: I didn't use my Electrum wallet for 2 years and when I opened it I needed to download Electrum 4.0, which I did. After that all my coins were gone.

It is like people are afraid or in too much of a hurry to ask questions and they usually do it when it is too late.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18509
August 04, 2019, 09:23:41 AM
 #26

It is like people are afraid or in too much of a hurry to ask questions and they usually do it when it is too late.
They don't even need to ask the question. Type "Electrum 4.0" into any search engine you like, and you will be bombarded with links to "Phishing attempts", "Serious errors", "Malware", "I got scammed", and similar. Literally 5 seconds of time is all it would take to do a quick web search and avoid this issue entirely.

Before "upgrading" to version 4.0.0, these users have, at some point, downloaded the legitimate version of Electrum, so they have been on electrum.org which tells them not to download from any other site and to always verify the signature before installing. If you give people crystal clear instructions on how to do things safely, and they still ignore them all and download and install software from random links which pop up on their screen, then nothing short of physically showing up at their house and doing it for them is going to protect their coins.
DarkDays
Legendary
Activity: 2030
Merit: 1189
August 08, 2019, 08:53:46 AM
 #27

The patch seemed to be legit and led directly to the electrum website.

Unfortunately not.

The one and only original electrum site is https://electrum.org/.

The message which was shown to you came from a malicious electrum server you were connected to.
And it linked to a (faked) github repository with no source code, and only a (malicious) binary available to download.


Unfortunately, you have been a victim of the phishing campaign. Your funds are gone.

That is way too much of an elaboration made for a guy who just lost 0.73 bitcoins and all he had to say was this

Thanks..  Cry

Speak about an underwhelming response!! (it could be shock lol)

This is why I ask people to always double-check everything before installing any new binary file or anything disguised as an official patch. I've even advised some professionals to completely do away with Electrum for the time being.
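
An added example, not part of any post in this thread: a check that flags every link in a server-supplied message whose real host is not the site the thread names as official (https://electrum.org/). The function names and sample messages are constructed for illustration, and the exact-match allowlist is an assumption taken from the "one and only original site" statement quoted above.

```python
import re
from urllib.parse import urlsplit

# Assumption: only the site named in the thread counts as official.
OFFICIAL_HOSTS = {"electrum.org"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_official(url: str) -> bool:
    """True only for https URLs whose parsed host exactly matches the allowlist."""
    try:
        parts = urlsplit(url)
        # hostname drops any "user@" prefix and port, and is lowercased
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False
    # Exact match: "electrum.org.something.example" and lookalikes fail here.
    return parts.scheme == "https" and host in OFFICIAL_HOSTS


def untrusted_links(message: str) -> list[str]:
    """Return every link in the message that does not point at an official host."""
    found = (u.rstrip(".,;:!?") for u in URL_RE.findall(message))
    return [u for u in found if not is_official(u)]


# Constructed sample messages (not captured from any real server).
SAMPLE_MESSAGES = [
    "Download from https://electrum.org/ and verify the signature.",
    "Upgrade now: https://github.com/constructed-fake-org/electrum/releases",
    "Get the fix at https://electrum.org.downloads.example/win.exe",
    "Mirror: https://electrum.org@mirror.example/electrum.exe",
    "Old link http://electrum.org/ still works",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        bad = untrusted_links(msg)
        print("FLAG" if bad else "ok  ", msg, bad)
```

A link passing this check only establishes where the download comes from; verifying the release signature, as electrum.org instructs, is still a separate step.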