Bitcoin Forum
Author Topic: How to avoid Electrum Hack?  (Read 345 times)
jupiter9 (OP)
Member
November 27, 2019, 01:56:13 AM
 #1

Hi! I'm new and I would like to install Electrum. But when I was reading Electrum threads I found out that Electrum had a very clever hack. How to avoid that? I'm a noob at this, I don't have any computer skills. Just some basic knowledge. Am I safe just to download the newest version of Electrum? Is the hack only found on the older versions?
jackg
Copper Member
Legendary
November 27, 2019, 02:13:38 AM
Merited by jupiter9 (1)
 #2

Yeah, the "hack" (phishing attack) only affected Electrum versions before 3.3.4. Any new versions are safe to download and install from the electrum.org website.

You can also learn how to verify signatures of the release on that site too which is recommended to keep your funds safer (you only have to do it once when you install and each time you upgrade).
HCP
Legendary
November 27, 2019, 02:48:31 AM
 #3

Quote from: jackg
> You can also learn how to verify signatures of the release on that site too which is recommended to keep your funds safer (you only have to do it once when you install and each time you upgrade).

And there is a very thorough, step-by-step guide (with screenshots) on how to verify the digital signatures of Electrum releases for Windows available here: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/

And it also provides guidance for verifying the signatures on Linux, Android and macOS.

pooya87
Legendary
November 27, 2019, 05:40:37 AM
Merited by mocacinno (1)
 #4

keep in mind that this is not an Electrum-specific problem and what you are referring to as "electrum hack" was not a hack at all. the problem is a common one among all software, which means whenever you download the fake application instead of the real one you are at risk. and that was the problem, people were downloading the fake Electrum version from a fake website and installing it without checking its validity.
so obviously the solution to fight this problem is checking the "authenticity" of what you download, and that check is done using PGP signatures as others explained.

jupiter9 (OP)
Member
November 27, 2019, 09:13:56 AM
 #5

Quote from: pooya87
> keep in mind that this is not an Electrum-specific problem and what you are referring to as "electrum hack" was not a hack at all. the problem is a common one among all software, which means whenever you download the fake application instead of the real one you are at risk. and that was the problem, people were downloading the fake Electrum version from a fake website and installing it without checking its validity.
> so obviously the solution to fight this problem is checking the "authenticity" of what you download, and that check is done using PGP signatures as others explained.

Ok, thank you all. I understand it's because of downloading the fake application, but many didn't notice that because it was very well designed. Because I'm a noob at these things I wanted to ask you how to avoid that. So if I download the latest version I should be fine? Or at least it was safer before to download the newest version?
HCP
Legendary
November 27, 2019, 09:35:57 AM
 #6

Yes... download the latest version... currently 3.3.8 from https://electrum.org/#download

Then follow the instructions as outlined above to make sure that you verify that you have indeed downloaded a "real" version of Electrum and not a fake one, by verifying the digital signature of the downloaded file.

Pmalek
Legendary
November 27, 2019, 10:09:31 AM
 #7

Just make sure that you never click on any links in Electrum or in any other software that can lead to you downloading a fake version that will result in loss of funds. Same thing goes for emails. Don't expect free money and use your sound judgement. You have to work for your money in real life so don't believe those who promise you free money online.

Always double check any information you are not sure about on official sources and only rely on official sources. Electrum website in this case. Ask on the forum before doing something you might regret.   

Lucius
Legendary
November 27, 2019, 11:46:02 AM
 #8

jupiter9, if you have a clean device (PC or smartphone), and you download from official site+verify files, then you may consider yourself relatively safe. You should know that Electrum is a very popular crypto wallet, and hackers are constantly looking for ways to steal users' coins.

For some small amounts of coins, a desktop wallet is something that can be recommended, but if you have plans to be your own bank and keep a few hundred or thousands of dollars worth of crypto, my advice is to invest in a hardware wallet. The price for a Ledger Nano S is just around $45 in the next few days.

BitMaxz
Legendary
November 27, 2019, 04:23:06 PM
 #9

In addition to the above posts:

Downloading Electrum from the official website and verifying it is not the only way to avoid a hack. Other things to avoid: don't share the backup seed with anyone or upload your wallet file publicly, and don't deal with newbies. If you ever ask for help related to your Electrum wallet in the future, don't take newbies' offers to help you with your wallet; they are most likely scammers, so be careful.

And always keep following https://twitter.com/ElectrumWallet to get the latest updates about the Electrum wallet; they always post on Twitter if there are Electrum wallet vulnerability issues.

RapTarX
Hero Member
November 28, 2019, 07:13:06 AM
 #10

As long as hackers are there, they will find a way to hack your wallet unless you are not much aware of that. I have tried to highlight the most probable ways hackers use to hack. You can follow this as a basis for avoiding the probable hack.
Probable precautions for using Electrum: https://bitcointalk.org/index.php?topic=5183671.msg52423155#msg52423155

rdluffy
Legendary
December 06, 2019, 01:17:35 AM
 #11

Be careful because from time to time some people have their BTC stolen using Electrum, because you have to understand some things

I'm not saying Electrum is not safe, but you have to take some precautions to be safe. I suggest you start using Electrum with a small amount of BTC to understand it; after some time you can use it with more BTC

It's basic stuff, like never download from another site, verify the signature, never upgrade via pop-up windows, always check the address when you use CTRL+C and CTRL+V, etc.

Pmalek
Legendary
December 06, 2019, 09:24:41 AM
 #12

Electrum is perfectly safe as long as it has ONLY been downloaded from the official website, the user has verified the signature and has a clean, malware/virus free machine. It is even better in connection with a hardware wallet since no private keys are revealed that way. The user only has to focus on checking that the receiving/sending address in the software is the same as the one being displayed on the screen of the hardware wallet. 

bob123
Legendary
December 07, 2019, 01:50:13 PM
 #13

Quote from: rdluffy
> Be careful because from time to time some people have their BTC stolen using Electrum

This doesn't just apply to Electrum, but to every software wallet as long as it is not completely offline - cold storage.

There are quite a few wallets which have some security vulnerabilities and therefore are less secure than Electrum.
The 'problem' with Electrum is that it is one of the most used wallets and therefore is an attractive goal for phishing campaigns.

If you keep your software and OS up-to-date and use your brain properly, the chance of losing money is extremely low.

rdluffy
Legendary
December 07, 2019, 06:13:50 PM
 #14

Quote from: bob123
> Quote from: rdluffy
> > Be careful because from time to time some people have their BTC stolen using Electrum
>
> This doesn't just apply to Electrum, but to every software wallet as long as it is not completely offline - cold storage.
>
> There are quite a few wallets which have some security vulnerabilities and therefore are less secure than Electrum.
> The 'problem' with Electrum is that it is one of the most used wallets and therefore is an attractive goal for phishing campaigns.
>
> If you keep your software and OS up-to-date and use your brain properly, the chance of losing money is extremely low.

I said this because we are on a thread talking about Electrum...
I agree with you, the same problems occur with every wallet, nothing in the world is 100% safe, even hardware wallets or offline wallets, there are always some risks that we want to minimize

use your brain properly - this is the best tip

naska21
Hero Member
December 09, 2019, 08:17:30 AM
 #15

Quote from: jupiter9
> Hi! I'm new and I would like to install Electrum. But when I was reading Electrum threads I found out that Electrum had a very clever hack. How to avoid that? I'm a noob at this, I don't have any computer skills. Just some basic knowledge. Am I safe just to download the newest version of Electrum? Is the hack only found on the older versions?

First and foremost, before installing Electrum make sure you have downloaded the official distribution by checking its PGP signature as well as the fingerprint of the relevant PGP key.
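
The check recommended in this thread (signature plus key fingerprint), as an added example that is not part of any post and is not Electrum's own code: it runs `gpg --verify` with machine-readable status output and accepts a download only when a pinned fingerprint made a good signature. The fingerprint is a placeholder, the function names are hypothetical, and the sample status lines are constructed.

```python
import subprocess

# Placeholder fingerprint, not a real key. Pin the value the developers publish,
# cross-checked against a second source such as the project's source repository.
KEY = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
OTHER = "FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000"  # constructed look-alike key
PINNED = {KEY}

# GnuPG --status-fd keywords that mean the signature must not be trusted.
REJECTED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def trusted_signers(status_text):
    """Return fingerprints whose signature was reported GOODSIG and VALIDSIG."""
    good, signers = False, set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag = parts[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "NEWSIG" or tag in REJECTED:
            good = False
        elif tag == "VALIDSIG":
            # VALIDSIG can accompany an expired or revoked key, so it only
            # counts when GOODSIG preceded it for the same signature.
            if good and len(parts) >= 3:
                signers.add(parts[2].upper())       # signing (sub)key
                if len(parts) >= 12:
                    signers.add(parts[11].upper())  # primary key
            good = False
    return signers


def is_authentic(status_text, pinned=PINNED):
    """True only if a pinned key made a good signature and nothing is BADSIG."""
    for line in status_text.splitlines():
        if line.split()[:2] == ["[GNUPG:]", "BADSIG"]:
            return False
    wanted = {p.replace(" ", "").upper() for p in pinned}
    return bool(trusted_signers(status_text) & wanted)


def verify_download(installer, signature, pinned=PINNED):
    """Verify a detached signature with gpg and judge its status lines."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, installer],
        capture_output=True, text=True)
    return is_authentic(proc.stdout, pinned)


def sample_status(verdict, fpr):
    """Build constructed status output (not captured from a real release)."""
    lines = ["[GNUPG:] NEWSIG",
             f"[GNUPG:] {verdict} {fpr[-16:]} Example Dev <dev@example.invalid>"]
    if verdict != "BADSIG":
        lines.append(f"[GNUPG:] VALIDSIG {fpr} 2019-11-27 1574812800 0 4 0 1 8 00 {fpr}")
    return "\n".join(lines)


GENUINE = sample_status("GOODSIG", KEY)
LOOKALIKE = sample_status("GOODSIG", OTHER)   # good signature, wrong key
EXPIRED = sample_status("EXPKEYSIG", KEY)     # right key, but expired
TAMPERED = sample_status("BADSIG", KEY)       # file does not match signature

if __name__ == "__main__":
    for name in ("GENUINE", "LOOKALIKE", "EXPIRED", "TAMPERED"):
        print(name, is_authentic(globals()[name]))
```

The LOOKALIKE case is the reason for checking the fingerprint: gpg reports a good signature for any key in the keyring, including one that merely carries the developer's name.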
jupiter9 (OP)
Member
December 30, 2019, 09:46:46 PM
 #16

I downloaded Electrum wallet. But my receiving address doesn't begin with the number 3 like other users have their segwit address. Why is that?
Rath_
aka BitCryptex
Legendary
December 30, 2019, 10:01:43 PM
 #17

Quote from: jupiter9
> I downloaded Electrum wallet. But my receiving address doesn't begin with the number 3 like other users have their segwit address. Why is that?

That's because Electrum supports native SegWit (bc1... addresses) which lets you save even more money on fees while giving up backwards compatibility (some services don't support it yet). You can trick Electrum into generating nested SegWit addresses (3...). You can learn more about it here.
The Cryptovator
Legendary
January 01, 2020, 09:04:06 AM
Last edit: January 01, 2020, 12:22:49 PM by Coolcryptovator
 #18

Quote from: jupiter9
> Am I safe just to download the newest version of Electrum? Is the hack only found on the older versions?

We can't say you are safe until you verify the signature. So the first thing you need to do is visit the real Electrum website, www.electrum.org, then download/install and verify the signature. Once you have verified the signature, you are safe for now. There are instructions on the download page on how you should verify it.

One more thing: perhaps you might encounter popups to update Electrum, and that's how the hack happened a few days back. Someone from the server sent these popups somehow. So I suggest you don't follow such popups in future. If there are update popups, then directly visit the original official website and install the latest version if there is any. That's how I updated my old version of Electrum. Hope you have got my point.

In addition, you might think about buying a cold wallet if you are wondering about holding a big amount of bitcoin.

bob123
Legendary
January 03, 2020, 03:40:50 PM
Merited by pooya87 (1)
 #19

Quote from: The Cryptovator
> One more thing: perhaps you might encounter popups to update Electrum, and that's how the hack happened a few days back.

Please stop calling it a 'hack'.
There was no hack at all.

There was a (low severity) vulnerability which allowed the Electrum server to send a custom message to the client. That's all.
This was just a plain simple phishing attack.

And the majority of people who fell for it would have also fallen for a (badly written) phishing email.

Quote from: The Cryptovator
> Someone from the server sent these popups somehow.

The server always could send messages back to the client in case something happened (e.g. broadcasting a transaction failed).
The vulnerability allowed the server to send any custom message, which resulted in the phishing message being spread by a lot of malicious servers.


@OP
Only download Electrum from the official site and verify the signature. This keeps you safe from malicious versions not signed by the developer of Electrum.
Then, if you keep your PC clean, you are fine.

pooya87
Legendary
January 04, 2020, 05:38:41 AM
 #20

Quote from: bob123
> Quote from: The Cryptovator
> > Someone from the server sent these popups somehow.
>
> The server always could send messages back to the client in case something happened (e.g. broadcasting a transaction failed).
> The vulnerability allowed the server to send any custom message, which resulted in the phishing message being spread by a lot of malicious servers.

as an SPV client Electrum always relies on full nodes (aka Electrum servers). one of these dependencies is the error messages that they return. the problem was on the client side, where it lazily handed over that message to the GUI to show, and the GUI happened to be able to detect extra formatting and then represent a pretty message with extra formatting if it had any!
now, messages are hardcoded on the client side so it first checks the received message against those and then shows it to the user. but there is a new problem now. not all error messages that core sends are known and sometimes you get an error message that isn't hardcoded in Electrum so the user may now see an "Unknown message error" message.

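
The client-side fix described in post #20, sketched as an added example (not Electrum's code and not part of the thread): text from the server only selects one of the client's own strings and is never rendered itself. The allowlist entries, function names and sample messages are hypothetical and constructed for illustration.

```python
import re

# Hypothetical allowlist (not Electrum's actual table): substrings a client
# expects in a server's broadcast error, mapped to text the client ships.
KNOWN_ERRORS = {
    "dust": "Transaction rejected: an output is below the dust limit.",
    "min relay fee not met": "Transaction rejected: the fee is too low to relay.",
    "txn-mempool-conflict": "Transaction rejected: it conflicts with a pending transaction.",
}
UNKNOWN = "The server returned an unknown error."

MARKUP = re.compile(r"<[a-zA-Z/][^>]*>")


def gui_show(text, fmt="auto"):
    """Stand-in for a GUI label; returns (format_used, text_displayed).

    In "auto" mode the label interprets anything that looks like markup,
    which is the behaviour the post describes on the GUI side.
    """
    if fmt == "auto" and MARKUP.search(text):
        return ("rich", text)
    return ("plain", text)


def show_error_before_fix(server_msg):
    """Pre-fix flow: the server's string is handed straight to the GUI."""
    return gui_show(server_msg)


def show_error_after_fix(server_msg):
    """Post-fix flow: server text is matched, never displayed.

    A hostile server can at worst choose which client-written string appears.
    """
    lowered = server_msg.lower()
    for token, client_text in KNOWN_ERRORS.items():
        if token in lowered:
            return gui_show(client_text, fmt="plain")
    return gui_show(UNKNOWN, fmt="plain")


def log_untrusted(server_msg, limit=200):
    """Keep the raw text for troubleshooting, truncated and escaped via repr()."""
    return "untrusted server message: " + repr(server_msg[:limit])


# Constructed sample inputs.
PHISH = ("<h2>Security update</h2>Your wallet is outdated. "
         "<a href='https://example.invalid/update'>Download the new version</a>")
REAL_ERROR = "the transaction was rejected by network rules.\n\ndust (code 64)"

if __name__ == "__main__":
    print(show_error_before_fix(PHISH))
    print(show_error_after_fix(PHISH))
    print(show_error_after_fix(REAL_ERROR))
    print(log_untrusted(PHISH))
```

Logging the unmatched text addresses the trade-off the post mentions: the user sees only the generic message, while the original string stays available for diagnosis without ever reaching a widget that interprets markup.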