Probable Precautions using Electrum

[RapTarX]

Electrum is one of the best software for users who don't want to download the whole blockchain with hundreds of Gigabytes. You can run a bitcoin core wallet without storing the whole blockchain with prune mode, however, you are still required to download (synchronize or get up-to-date) from the beginning till now.
Running an Electrum wallet is as easy as one, two, three. But-
It includes a lot of threats, risks unless you are enough aware of all the possible threats. Here I will include some of the probable threats of using Electrum so that you don't have to be a victim of the hacker.

1. Check URL Before Downloading
Before you download the Electrum software, make sure you are downloading from the official website--> electrum.org, don't download from any other site. A list of known fake phishing electrum sites can be found here-

• https://bitcointalk.org/index.php?topic=3096414.0
• https://bitcointalk.org/index.php?topic=5126880.0
• https://bitcointalk.org/index.php?topic=5105192.0

2. Don't Update if You Get a Pop-up, Applied for version 3.3.4 and lower
You may get a pop-up notification to update your electrum, if you get that pop-up, avoid that and try to have fresh windows because the hacker may have access to your wallet. And, if you click on update and update electrum, you will find yourself hacked. May look like the below image or may differ from it.

3. Check Sending Address Twice
This applies for both Electrum users or non-Electrum users, however, in case of Electrum, hackers ask you to update electrum, when you update and paste an address for transferring BTC, your paste address will automatically replaced by the hackers one, that's saying, check the address before sending.

Additional Recommendation- Important

It might be worthy to expand the "Check URL Before Downloading" part by verification of the signature.
Just verifying the URL is not enough to be secured against all attack vectors.

For example:
DNS-/ARP spoofing.
If your computer is clean and secure, but your network is compromised your DNS request to electrum.org could be resolved to a different IP address.
This would result in visiting a fake-website by entering the original URL.
You would basically download malware from a fake electrum site without noticing it on the first sight.

Verifying the signature is the best way of making sure you are installing the legitimate software you intend to install. And this is a necessary step to be safe.


Additional similar attack vectors exist, which would all be prevented by simply verifying the signature of the file.

Before installing the Electrum software one need to make sure that it's an original copy. Here is a tutorial that will help the users to learn the steps to verify the signature: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

This is very important step for Electrum users. This will help to avoid any risk in the future.
Public key of ThomasV

I think that a good precaution can also be to make a backup of the seed (if not done yet) and maybe the wallet file too before an upgrade, since the system (and the antiviruses too) may cause surprises.
If only the seed is backed up, writing somewhere a few addresses should help finding out what kind of wallet the user had (Legacy 1* , 3*, native bc1*) if a restore is necessary.

Note: Don't blame Electrum like this, for your info, Electrum is an open source software.

If there are some more probable risks using Electrum, please share. I will update so that newbies don't get aware.

[1714841556]

1714841556

[1714841556]

1714841556

[1714841556]

1714841556

[1714841556]

1714841556

[1714841556]

1714841556

[1714841556]

1714841556

[bob123]

It might be worthy to expand the "Check URL Before Downloading" part by verification of the signature.
Just verifying the URL is not enough to be secured against all attack vectors.

For example:
DNS-/ARP spoofing.
If your computer is clean and secure, but your network is compromised your DNS request to electrum.org could be resolved to a different IP address.
This would result in visiting a fake-website by entering the original URL.
You would basically download malware from a fake electrum site without noticing it on the first sight.

Verifying the signature is the best way of making sure you are installing the legitimate software you intend to install. And this is a necessary step to be safe.


Additional similar attack vectors exist, which would all be prevented by simply verifying the signature of the file.

[AB de Royse777]

Before installing the Electrum software one need to make sure that it's an original copy. Here is a tutorial that will help the users to learn the steps to verify the signature: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

This is very important step for Electrum users. This will help to avoid any risk in the future.

Public key of ThomasV

Code:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBE34z9wBEACT31iv9i8Jx/6MhywWmytSGWojS7aJwGiH/wlHQcjeleGnW8HF
Z8R73ICgvpcWM2mfx0R/YIzRIbbT+E2PJ+iTw0BTGU7irRKrdLXReH130K3bDg05
+DaYFf0qY/t/e4WDXRVnr8L28hRQ4/9SnvgNcUBzd0IDOUiicZvhkIm6TikL+xSr
5Gcn/PaJFS1VpbWklXaLfvci9l4fINL3vMyLiV/75b1laSP5LPEvbfd7W9T6HeCX
63epTHmGBmB4ycGqkwOgq6NxxaLHxRWlfylRXRWpI/9B66x8vOUd70jjjyqG+mhQ
+1+qfydeSW3R6Dr2vzDyDrBXbdVMTL2VFXqNG03FYcv191H7zJgPlJGyaO4IZxj+
+O8LaoJuFqAr8/+NX4K4UfWPvcrJ2i+eUkbkDJHo4GQK712/DtSLAA+YGeIF9HAn
zKvaMkZDMwY8z3gBSE/jMV2IcONvpUUOFPQgTmCvlJZAFTPeLTDv+HX8GfhmjAJY
T5rTcvyPEkoq9fWhQiFp5HRpYrD36yLVrpznh2Mx7B1Iy8Rq/7avadwVn87C6scJ
ouPu+0PF3IeVmYfCScbfxtx1FaEczm8wGBlaB/jkDEhx0RR8PYKKTIEM7T2LH2p6
s/+Ei4V7mqkcveF/DPnScMPBprJwuoGNFdx2qKmgCKLycWlSnwec+hdyTwARAQAB
tBlUaG9tYXNWIDx0aG9tYXN2MUBnbXguZGU+iQI4BBMBAgAiBQJN+M/cAhsDBgsJ
CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAr1YJLf5Rw5hlhD/9T4I/sBCleS9nH
njTJqcOnG28c9C3CRYIizjEui/pKmXz9fB1N9QrCaruPUQx2UacDVCl6dKxac+7s
s3/a6lsjaRn0/2OM/sCVLScyxNPNPQs2b6jkodSNPIM8zv51g+flhwtfrO6h6B4j
IhZgSjFdvqtZd5jaly9rA0uMX045CC4K6HGnq8n4F2p31z0L0LaHBf5EcsCM0MMp
QVkY0aUrNg9uVMGXBHn3osHnOtQaODqcIbpa/OG+Tlt6pVOiDJ7i8TkpQKT7sOaM
VdL//TEoDIOC7qVCN82q2q/gtiBXbziaERVs/eU0O52aX5qUhXu3VIjXTp/riRim
R/f9BPB1dgDZbF2aPZ/rJm26v82ft7gP1Sf52E9MrAaZATTfI0/TUHXeBzN93EA9
xb6/ENAMTX74u+NjlynWPD+hl64eBzJ2ionZF1bJFTgBkMfRYnhllvleCjcq9YfX
md5HKCwtxfygBIujUQSwyUzn0f5DbVCJ7/B19bKdvHGSSBgBEjxqXWQskm2wc0In
ww63goZAGDQliKhIT8xnwOBbLkqSobq4tD9zpQyxvMA2rhy7/gfFRp7TTak7MZHf
lTJ37S5LvcWHm/ccWUZDUN7akoEDc+m6jX3uIEPMD3PQvcHhWv0amco3zDr1qb/+
rXM7TJKd7DPX0E2dRzKu6aYRMTbklbQhVGhvbWFzIFZvZWd0bGluIDx0aG9tYXN2
MUBnbXguZGU+iQI4BBMBAgAiBQJTQDaRAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
AQIXgAAKCRAr1YJLf5Rw5hOBD/9o/NqHLvjhrCfy6/SblSC/udV9ujFnvhZZZprb
r8Oe6GdMwfw+ktZd2nYb09KjxXYmGoZeZKmvCb0LoMKSVWgisH1rgzDzI6UzFL4b
pV2+PqCSiWaekfnBm+oHbGgJCuAXebGXjVL8JsvhAl0HQZzTA1RX0u8TEAHOxOI5
l+mXSN+cwVZuDMpt5v+JDyPGHM/KqaXCw1WJY50mqlan6/15XHilmvY/CaxmbXNH
ZOXucmPxyCTeiQTqyhHsIBb4RxWYCaUXv9+svriotv2HZpQ110NN09ml1K1kDlNL
Zh3jNqMsbImFArbN8GikjqhRBV3K77Np4lccnsBPllQMqqQULG7UshcQTatkmTMb
j2TQ0oQWEZt0uJmnmxgz18ijs6m2fJZhlH0QYVYOwUvK6GfAFluHwOZHIXonv8Ck
uTW+P90lOB/9ZnREZeYb2wlvV6fCTMHxptIbT31kbLTzu4KEI6+ShQXT+YAKiC5S
JC9heheaeApH3wcLiZJcCKYv6ubY+3Uf/EoXcqWywwpS/nWkSpMSYjq+V9xCcGHI
MZ4vZkiZ6OS5Mu739rgGfP7Yi3pqUYLIpUa5QiNOMEhPtWbj/oH5ldaZowwgZ4MK
2Mzxex8IhFppPtZgqJfu9NZQLICpxcd2hUe3XWvB+jcvboZ1p7RO7ax3Vo9zy1fy
YEFML7Q9VGhvbWFzIFZvZWd0bGluIChodHRwczovL2VsZWN0cnVtLm9yZykgPHRo
b21hc3ZAZWxlY3RydW0ub3JnPokCOAQTAQIAIgUCVMYFygIbAwYLCQgHAwIGFQgC
CQoLBBYCAwECHgECF4AACgkQK9WCS3+UcOZ7BQ//VJuRmM7kQd5DcJS76BKpMtKt
gUNV3hi2h8kNGtkIeKhpeiK+PeweFJCb0nQDiEYsg5Xd/l5ZwN34cqlhgaQ8uWBY
rmNnSYGECLrxejx6WTWHp2AtD9BXrj73HEox2abC0Bdky39aCTyuRhSzbFnV2unh
L7IarKqr5bat6ywFZWsOcaisEjWXlTSD/hYqnkRX8vnBZRnRgHyi1yOvHsXGFB3x
O+P7JUb4E7BVzVRDJzMgcBhY5vTZ4Mnc8eIplNVI1TaF2hmhmnezvRF6XNYV1Ew9
t2/HE85+DqIBikUWYPTTxJiWUOwxXP9dVOEmNTcAgVThvMN7W+WoF7//qcNKmbPI
DyGU5xb/MLNrM+MWfavtkHNqcY0+cFf27z4mOxd2eEMDVxN/Fhq0HipugMEawaZ0
G9xsF/rZBzKgpu7+SvqRqxUn36vNz59vDlBYEXSng6nJobUdNb6iHo/rpZ6ZYHKx
mzrK5ROpmKs6zpPTOn8Hw29jxx07auzEIVEa8hzZaiqTfwI9yBwzhFQwNxmNaKRE
adxosvU1VyTvaEVmMmTx227MF1qhwq9yrSXtmKZJGiHRzyL4B4vAGrf9uK9GwzS2
TlyksRdjapw6Cqp8sUB2PUzHqYNWs0wSsZuxwVt6JSD4N8vpYTTF00LONKe2oLhj
GNxpH+BV3SqMHXQl9Ki5Ag0ETfjP3AEQAL5LYJiX5S4PG891TMihejh5KVgc36/R
zgWYJkE26K855t+WdAa6spHKR1RmpTTsnaTXaC/bNxJZq+0vi9GKlw94twEueu0v
Cniinpy6AFeydveCi+qdr5XQ4hx1DY11kntGBL2wMOtrZ4oAeFnntHYcAMYaMBY5
p8gd3WVR2dgIvpOcezQBLwhoMHnN6A+JEQ27ZHcolwDO9ic+t4YAtl552DP1xKbc
T4D1JD0J6W6FbUJElOXReSjNGCuSLZZTsCzMg0P6RHwWUKtDvRKrK/M3Nh/L2EsW
5mAQnYps6a+hyVkVd9kLsogtHPE4xv33pzbDB5Yj+2zqdjYUqO/ODfkP+HjNRvyj
uHL6W3bjU6FnuJQXX4llskls4hlKDPawa3cuWnsdafouAZOxWwBlGysRZ7BaHOFE
TOlAeUN1EYfFrckcfkYzTX7NDA0S99aX730z/c9XrnqM52OO9LrSFRnYZ+K3M8z2
FFvo9/ZtqqTDH0/oH+ay0CwtowSovZUoljAQ8zmmi8CtPDFHg4srae8YxW4fetn7
QtP6rOVRwQCyP12LztC7oYGOectU5G9GkVDubNW48Vuex0/upP9RORjKN8atBroS
cmomR5hShxmgdJBy4I/TDkVFbZq/hRPSTAHgnciEC67TYhszzXP3nTn5/Ah0wCGC
d3HfiNX6G7MdABEBAAGJAh8EGAECAAkFAk34z9wCGwwACgkQK9WCS3+UcOaJRA//
dLHRBjeAkNbRsY5GNTWUZzXr3VC5vNqpwpP9rK4QTAmpl3iU5F+wsgMG78iS2XOV
+ijZA8KvishletQJoNMxS1PU4sA4Y34hYb61ptHs+PmwNpcdgjAX+mCh9xQ0816G
yIaXtxtxacJJW3K07fqKIkJjISPOyTLSd+wl1LtRE2fA67pMmpMHG8t+RPq1dp/e
3qp6L7jc6X3U+bn2m7u2cgEVbuAnSaKGoMSMnsd71Ltf1b6/DwvZz/HBttEgcgSm
PleHUVyBD4LDrcjTDK7zdEMw7b/cPBnu6CmTcogFEqvB4n9Yodo+4ij7AndUTz4J
j1p8vFlnHvhRg82MDfGUPJ+ujBjbYXROs+WAmaCQ8TgjZ3dAFNFrOqAbYu6QlY2x
fu7vj+ruc6ArdmBrOlsJFmNsxFRJfgdUug5JFIUN77GbjisHjWem8cY3szuyEke8
H2pi803CAuVtkaoNmNDHsEBieft34Zo0V+A/q2wkix3S9vyRjOKqhGrW30qxnV6Z
FexueWuO3qOQ0ZU5/TIH0kft2n45/RexeBq/Ip52zE1vEvTkQmBCfCGZmqTu+9Ro
8qsjecxVNxyVPlwhlimryiQ+dPaJYaOSfiwEEMh2MyV5c6t6qN9n6jFdiCLOlmmH
ZFA8xDodsofQEmlv+I/xyEZ7na6nxbpZVuPC3B0JFtY=
=sUYl
-----END PGP PUBLIC KEY BLOCK-----

[NeuroticFish]

I think that a good precaution can also be to make a backup of the seed (if not done yet) and maybe the wallet file too before an upgrade, since the system (and the antiviruses too) may cause surprises.
If only the seed is backed up, writing somewhere a few addresses should help finding out what kind of wallet the user had (Legacy 1* , 3*, native bc1*) if a restore is necessary.

[Lucius]

2. Don't Update if You Get a Pop-up
You may get a pop-up notification to update your electrum, if you get that pop-up, avoid that and try to have fresh windows because the hacker may have access to your wallet. And, if you click on update and update electrum, you will find yourself hacked. May look like the below image or may differ from it.

If user is using old version of Electrum (all version older then 3.3.4), it can happen to him to see pop-up window with message to update Electrum, including link to fake wallet. But that doesn't mean the user's computer is infected, it is just message displayed through legal software, so there is no need to format the disk and install new OS.

In case user is install fake wallet, the assumption is that the operating system is considered compromised, although it has not been established with certainty that there is any danger after user is remove fake wallet.

[RapTarX]

If user is using old version of Electrum (all version older then 3.3.4), it can happen to him to see pop-up window with message to update Electrum, including link to fake wallet. But that doesn't mean the user's computer is infected, it is just message displayed through legal software, so there is no need to format the disk and install new OS.

I never face this situation. Until now, I thought Electrum doesn't push any pop-up for updating a wallet. How a user can identify if it's the fake link or the original wallet? What exactly will be the message from the official pop-up? How can we distinguish between both the fake one and the original one? Please share a little more information. Thank you.

[BrewMaster]

If user is using old version of Electrum (all version older then 3.3.4), it can happen to him to see pop-up window with message to update Electrum, including link to fake wallet. But that doesn't mean the user's computer is infected, it is just message displayed through legal software, so there is no need to format the disk and install new OS.

I never face this situation. Until now, I thought Electrum doesn't push any pop-up for updating a wallet. How a user can identify if it's the fake link or the original wallet? What exactly will be the message from the official pop-up? How can we distinguish between both the fake one and the original one? Please share a little more information. Thank you.

older versions of Electrum had an exploit where the node (server) you connect to could send you a well formatted text (any text) when you tried sending a transaction to inform you of the result after receiving the transaction. result such as "successfully broadcast", "wrong signature", ...
and your wallet would just show that message to you.
the problem was that this text could be anything. so someone exploited it and sent messages containing his malicious website link and a text telling users to upgrade their wallet using THAT link.
it should be mentioned that if the users paid attention to the link or even if they verified the signature after downloading those malicious installers they would have never lost anything!

new versions don't have this problem anymore.

[Lucius]

I never face this situation. Until now, I thought Electrum doesn't push any pop-up for updating a wallet. How a user can identify if it's the fake link or the original wallet? What exactly will be the message from the official pop-up? How can we distinguish between both the fake one and the original one? Please share a little more information. Thank you.

As I say you can only see this message if you use versions older then 3.3.4, so problem is solved long time ago. Some users who not update their wallets regularly are not aware that something like this exists, and some of them become victims even today.

The key thing is to never update Electrum in any way other than by downloading it from official site, and to verify files before installing. These are the two most important steps that will prevent any attempt of hackers to scamming someone to install fake wallet.

If you are interested in what a false message looks like it is displayed in theymos post 9+ months ago when he post warning about this Electrum vulnerability.

Electrum vulnerability allows arbitrary messages, phishing

[Baofeng]

I never face this situation. Until now, I thought Electrum doesn't push any pop-up for updating a wallet. How a user can identify if it's the fake link or the original wallet? What exactly will be the message from the official pop-up? How can we distinguish between both the fake one and the original one? Please share a little more information. Thank you.

.. snip ..

If you are interested in what a false message looks like it is displayed in theymos post 9+ months ago when he post warning about this Electrum vulnerability.

Electrum vulnerability allows arbitrary messages, phishing

Or this new updated warning, lol, Electrum 4.0? Hackers are very clever indeed:

[Lucius]

Baofeng, that fake 4.0.0 version is not new, it actually appeared almost at the beginning of that phishing attack. If we look at some old posts in Electrum board from late February, and maybe even from an earlier time, we could see that some members were complaining about downloading this version.

I guess the hacker was just changing number version and playing with potential victims.

So I fell foul to the Electrum phishing scam (it had been awhile since i used it and I'm not on form atm,, don't say it  Cry ) and downloaded and installed "version 4.0.0", and to no surprise within a jiffy lost about £100 in btc (all that was in the wallet) when trying to send it.

[crairezx20]

Why the Punycode attack is not listed or mention above?

This is one of the Electrum attacks before even you see the legit URL which is electrum.org we cant see if the site is fake or not but if you copy and paste the URL to notepad it will show the true URL.

I know you can disable Punycode in firefox but I don't know how for chrome.

For safety better use firefox instead and disable punnycode get more info from this post here https://bitcointalk.org/index.php?topic=5178198.0

[Stedsm]

Why the Punycode attack is not listed or mention above?

This is one of the Electrum attacks before even you see the legit URL which is electrum.org we cant see if the site is fake or not but if you copy and paste the URL to notepad it will show the true URL.

I know you can disable Punycode in firefox but I don't know how for chrome.

For safety better use firefox instead and disable punnycode get more info from this post here https://bitcointalk.org/index.php?topic=5178198.0

Thanks for this, I never knew they could do this too. I guess Chrome doesn't have a security patch available yet after reading this article: https://superuser.com/questions/1421982/how-can-i-test-punycode-url-will-display-correctly-prior-to-purchase

So yeah, in those terms, I believe Firefox is good. What about other browsers? Are punycode attacks limited to these 2 browsers only? What about Tor browser? I didn't find anything related to this for Tor.

[crairezx20]

Why the Punycode attack is not listed or mention above?

This is one of the Electrum attacks before even you see the legit URL which is electrum.org we cant see if the site is fake or not but if you copy and paste the URL to notepad it will show the true URL.

I know you can disable Punycode in firefox but I don't know how for chrome.

For safety better use firefox instead and disable punnycode get more info from this post here https://bitcointalk.org/index.php?topic=5178198.0

Thanks for this, I never knew they could do this too. I guess Chrome doesn't have a security patch available yet after reading this article: https://superuser.com/questions/1421982/how-can-i-test-punycode-url-will-display-correctly-prior-to-purchase

So yeah, in those terms, I believe Firefox is good. What about other browsers? Are punycode attacks limited to these 2 browsers only? What about Tor browser? I didn't find anything related to this for Tor.

For now I didn't heard about Punycode in Tor browser. they mostly pointing it to two browser both chrome and firefox since more people use these two browser than the other browser I think other browsers too have this issue.

What do you think about the brave browser?

According to ethicalhacker almost all browser are vulnerable about puncycode "Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi."
But except to TOR browser, it means that tor browser is not affected by this issue.

[RapTarX]

BUMP