Author Topic: Electrum update: A trader lost 1400 BTC  (Read 1053 times)
Lucius
Legendary
*
Offline Offline

Activity: 3248
Merit: 5698


Blackjack.fun🎲


View Profile WWW
September 01, 2020, 10:11:19 AM
 #61

I’ve seen too many of these types of stories, nobody should be keeping that amount of coins on a platform like Electrum.

Electrum is not a platform, it is an open source desktop/mobile wallet "released under the MIT License", and the main reason why people use it is that it is free and fairly easy to use. What most people don't know is that such software is subject to code changes and that anyone with a little understanding of programming can make a fake wallet and distribute it over the Internet.

No matter how secure the crypto wallet was, keeping 1400 BTC inside just one wallet is a stupid move - if I had 10% of it I would divide it into at least 5 different and independent wallets, and thus diminish the risk of losing everything in one bad move.

Finestream
Hero Member
*****
Offline Offline

Activity: 3038
Merit: 606



View Profile
September 01, 2020, 11:15:03 AM
 #62

No matter how secure the crypto wallet was, keeping 1400 BTC inside just one wallet is a stupid move - if I had 10% of it I would divide it into at least 5 different and independent wallets, and thus diminish the risk of losing everything in one bad move.

Wrong move by the owner of the funds, able to own 1400 btc which is around $16 million but does not know how to secure the funds. If we made sure to diversify our funds when investing to minimize the risk, how can a person allow himself to store his bitcoin in one address only?

I think putting your money in an exchange is quite safer than in electrum wallet with that amount since with exchange, they have more secured system and if the exchange is hacked, I'm sure you will be compensated somehow as long as the exchange is regulated.

buwaytress
Legendary
*
Offline Offline

Activity: 2814
Merit: 3481


Join the world-leading crypto sportsbook NOW!


View Profile
September 01, 2020, 11:19:30 AM
 #63

Known issue, this was made very public with a lot of sites, including this forum. As with most software, you always want to update to the very latest stable version, and Thomas was really quick to fix the vulnerability and release a patched version. Unfortunate, but yeah, with owning Bitcoin, comes a lot of responsibility. Hard lesson.

Note: Guy didn't seem too depressed... or I'm just not catching the emotion?

gentlemand
Legendary
*
Offline Offline

Activity: 2590
Merit: 3014


Welt Am Draht


View Profile
September 01, 2020, 11:20:14 AM
 #64

I think putting your money in an exchange is quite safer than in electrum wallet with that amount since with exchange, they have more secured system and if the exchange is hacked, I'm sure you will be compensated somehow as long as the exchange is regulated.

That's hideous 'advice'.

Most of the time it's you that gets hacked, not the exchange. Your exchange account will be drained and there's nothing you can do and it's certainly not the exchange's problem.

I also wouldn't want to put an exchange's own insurance to the test if it was hacked, not that many have proper policies anyway.
serjent05
Legendary
*
Offline Offline

Activity: 2856
Merit: 1255


View Profile
September 01, 2020, 11:45:12 AM
 #65

So basically this guy was using a very old version of Electrum which he would have downloaded from some unofficial source and this made the hackers able to steal his funds from his wallet. This is completely the user's fault since he should have installed the latest version of Electrum and that too from an official source.

I don't think the person downloaded his electrum wallet from unofficial source.  Electrum wallet, from time to time were reported being exploited by hackers and this is not the only case that someone lost BTC from electrum wallet upgrade. 

https://cointelegraph.com/news/electrum-faces-another-fake-wallet-attack-users-reported-to-lose-millions-of-dollars

Possibly the same strategy is applied in this case.



We must be vigilant in everything we do that involves Bitcoin.   That is why, whenever an upgrade notice appears in Electrum wallet, I always check their main site and see if the upgrade is really needed  or not. 
thesmallgod (OP)
Full Member
***
Offline Offline

Activity: 1498
Merit: 129


View Profile
September 01, 2020, 03:27:15 PM
 #66

So basically this guy was using a very old version of Electrum which he would have downloaded from some unofficial source and this made the hackers able to steal his funds from his wallet. This is completely the user's fault since he should have installed the latest version of Electrum and that too from an official source.

I don't think the person downloaded his electrum wallet from unofficial source.  Electrum wallet, from time to time were reported being exploited by hackers and this is not the only case that someone lost BTC from electrum wallet upgrade. 

https://cointelegraph.com/news/electrum-faces-another-fake-wallet-attack-users-reported-to-lose-millions-of-dollars

Possibly the same strategy is applied in this case.



We must be vigilant in everything we do that involves Bitcoin.   That is why, whenever an upgrade notice appears in Electrum wallet, I always check their main site and see if the upgrade is really needed  or not. 

I also share your belief. The owner specifically said the update came from their server. Unless, it is being hijacked. Electrum is very vulnerable and it would be better if the dev of that project could present a lasting solution or better close down. Electrum is not the only DEX wallet but the constant vulnerability of the electrum might be an indication that the project needs to be redesigned with a full and latest security to prevent bridge
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18566


View Profile
September 01, 2020, 04:13:41 PM
 #67

I don't think the person downloaded his electrum wallet from unofficial source.  Electrum wallet, from time to time were reported being exploited by hackers and this is not the only case that someone lost BTC from electrum wallet upgrade.
There are zero reports of an Electrum wallet downloaded from the official source and properly verified resulting in a user losing funds (unless there was other malware on the computer, in which case, that has nothing to do with Electrum). Every one of these cases is because someone has visited a random link, downloaded some unknown software, not verified it, and then installed it.

The owner specifically said the update came from their server.
An Electrum server is not the same thing as the official Electrum site. Anyone in the world can run an Electrum server.

electrum might be an indication that the project needs to be redesigned with a full and latest security to prevent bridge
If people are unable to follow very simple instructions which are the first thing you read when you visit electrum.org - "Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures." - then there is nothing else that can be done. This is like blaming the writers of BIP39 for people typing their seed phrases in to random websites.
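
As an added example (not part of the thread and not Electrum's own tooling), the shell functions below show the GPG check this reply refers to, with the signer's fingerprint pinned so that a download carrying a valid signature from some other key is rejected. The fingerprint, key IDs and status lines are constructed placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Accept a download only if its detached signature is valid AND was made by
# the one key fingerprint pinned in advance. gpg's exit status alone is not
# enough: it is 0 for a good signature from ANY key in the local keyring,
# including a key that was imported from the same page as a fake installer.

# ASSUMPTION: constructed placeholder. Replace with the signer fingerprint
# obtained from the official site and cross-checked through a second channel.
PINNED_FPR="A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"

# check_status FPR: reads `gpg --status-fd` lines on stdin; returns 0 only if
# a VALIDSIG by FPR is present and nothing is bad, expired or revoked.
# ERRSIG/NO_PUBKEY (a co-signer whose key is not in the keyring) is ignored.
check_status() {
    _fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pinned="$_fpr" '
        BEGIN { p = pinned "" }          # force string, not numeric, compare
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key, last field its primary key
        $2 == "VALIDSIG" && (($3 "") == p || ($NF "") == p) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release FILE SIG: run gpg and judge it by status lines, not exit code.
# Usage with a real download: verify_release <file> <file>.asc && echo ACCEPT
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}

# --- Constructed status output (not captured from any real release) ---
VALID_TAIL="2020-09-01 1598918400 0 4 0 1 10 00"
OTHER_FPR="0F1E2D3C4B5A69788796A5B4C3D2E1F00FEDCBA9"

# Good signature from the pinned key.
GENUINE="[GNUPG:] GOODSIG 6D7E8F9012345678 Example Signer
[GNUPG:] VALIDSIG $PINNED_FPR $VALID_TAIL $PINNED_FPR"

# Good signature, but from a different key: what a signed fake looks like.
OTHER_KEY="[GNUPG:] GOODSIG C3D2E1F00FEDCBA9 Someone Else
[GNUPG:] VALIDSIG $OTHER_FPR $VALID_TAIL $OTHER_FPR"

# File modified after signing.
TAMPERED="[GNUPG:] BADSIG 6D7E8F9012345678 Example Signer"

# Pinned key is good; a second signer's key is simply not in the keyring.
MULTI="$GENUINE
[GNUPG:] ERRSIG C3D2E1F00FEDCBA9 1 10 00 1598918400 9 -
[GNUPG:] NO_PUBKEY C3D2E1F00FEDCBA9"

verdict() {
    if printf '%s\n' "$1" | check_status "$PINNED_FPR"
    then echo ACCEPT; else echo REJECT; fi
}

echo "pinned key, good signature : $(verdict "$GENUINE")"
echo "valid, but different key   : $(verdict "$OTHER_KEY")"
echo "file changed after signing : $(verdict "$TAMPERED")"
echo "pinned good + unknown signer: $(verdict "$MULTI")"
```
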
figmentofmyass
Legendary
*
Offline Offline

Activity: 1652
Merit: 1483



View Profile
September 01, 2020, 08:05:54 PM
Last edit: September 02, 2020, 11:48:50 PM by figmentofmyass
 #68

i thought old versions (which allowed the malicious download messages) no longer worked because updated servers DOS them? i remember the old version became totally unusable back when this bug was patched. i guess the attacker must still be running lots of servers. crazy.... i thought this exploit was long gone.

I hope he didn't put all his eggs in one basket.

If I had 1400 bitcoin in an electrum wallet, I would also have at least 1000 in some other wallet and apart from that a lot of money in fiat, stocks, mutual funds etc.

yeah, it's prudent to spread around your holdings. code bugs and exploits are always possible with any wallet.

the real lessons IMO: 1. always go to the official source and verify that the update is legit before downloading/installing, and 2. keep your private keys offline.

the victim should have used his master pubkey to make a watching-only wallet on his online machine, then used an offline machine to sign transactions. this type of exploit cannot target an airgapped machine. if your watching-only node can't push transactions or is getting spammed with weird messages, that's a warning to look for an update through official channels.

wxa7115
Hero Member
*****
Offline Offline

Activity: 2730
Merit: 707


View Profile
September 04, 2020, 05:22:05 PM
 #69

Actually no, I disagree that software wallets are unsafe. If you understand how they work, you can store a million bitcoins. If you are paranoid like me, go buy a useless laptop (worth of 50$) and do it cold storage. You can't get "hacked" this way.

Yep, his grandchildren will be like "GRANDPA WE COULD HAVE A BILLION DOLLARS RIGHT NOW" (oops speculation).

You can still install malware on an airgapped software wallet or somebody could clone your hard drive. A hardware wallet can still be hacked if you have physical access to the device but it is not as easy. If you have 1400 BTC your best options would be a hardware wallet, preferably one that can function offline like Coldcard, or an encrypted paper wallet. It's almost no effort and low cost for that additional security.

I don't know how much does a hardware wallet cost but I consider this the best way:

Buy a 50$ laptop and a fresh usb. Download electrum latest version and install it on the cold storaged laptop. Verify the signature of electrum. Create a seed, save it on a paper (and memorise it). Then burn the laptop and/or destroy it. This way you can be 100% sure that the laptop won't "fool you". Save the paper on a book or whatever.

It's not that I consider hardware wallets unsafe, I just like having bitcoins without trusting the hardware company.

I don't get how you can get a malware with the way I mentioned.
Hardware wallets even the cheapest ones are a little bit more expensive however I agree with you, a person that installed in a computer with no Internet access one of the many different flavours of Linux which he downloaded and verified himself and that installed a wallet like electrum there and verified the wallet as well and then wrote down his seed words in a piece of paper could store a lot of money safely as long as he followed the same steps over and over again.

Hardware wallets are convenient but they are unnecessary for the ones that know how to take the right precautions, but in this particular case it would have helped this person as it is obvious he could not secure his coins properly.
meanwords
Full Member
***
Offline Offline

Activity: 1624
Merit: 163


View Profile
September 07, 2020, 02:35:59 AM
 #70

Hardware wallets even the cheapest ones are a little bit more expensive however I agree with you, a person that installed in a computer with no Internet access one of the many different flavours of Linux which he downloaded and verified himself and that installed a wallet like electrum there and verified the wallet as well and then wrote down his seed words in a piece of paper could store a lot of money safely as long as he followed the same steps over and over again.

Hardware wallets are convenient but they are unnecessary for the ones that know how to take the right precautions, but in this particular case it would have helped this person as it is obvious he could not secure his coins properly.

I think the issue here is that the merchant is ignorant from securing his coins. If he doesn't know how to distinguish fake wallets to a real one, it's most likely that he isn't aware from the fact that there are hard wallets that will help him secure his coins. He's probably also afraid to use wallets that is unknown to him.

Ignorance can really bite a person hard.
yazher
Hero Member
*****
Offline Offline

Activity: 2198
Merit: 586


You own the pen


View Profile
September 07, 2020, 02:56:04 AM
 #71

More likely this is the case, I guess those scammers have found something crucial information on how to get some BTC on ignorant electrum user. we must stay vigilant and we need to spread this incidence so that the other member will be aware and take safety precautions to save their bitcoin if they using an Electrum wallet. However, there are no official statements on how this happened. whatever it is, we need to take the first step to double-check our systems and update some of our anti-viruses.

w0lf0.
Hero Member
*****
Offline Offline

Activity: 1050
Merit: 513


View Profile
September 07, 2020, 03:48:12 AM
 #72

No matter how secure the crypto wallet was, keeping 1400 BTC inside just one wallet is a stupid move - if I had 10% of it I would divide it into at least 5 different and independent wallets, and thus diminish the risk of losing everything in one bad move.

Wrong move by the owner of the funds, able to own 1400 btc which is around $16 million but does not know how to secure the funds. If we made sure to diversify our funds when investing to minimize the risk, how can a person allow himself to store his bitcoin in one address only?

I think putting your money in an exchange is quite safer than in electrum wallet with that amount since with exchange, they have more secured system and if the exchange is hacked, I'm sure you will be compensated somehow as long as the exchange is regulated.

If you really want to keep all those bitcoins in a single address I agree with you it would be much safer to have them on an exchange that has several security systems to offer in addition to having them on Electrum. The weird thing about this guy is that he doesn't even seem so sad or depressed about losing 1400 bitcoins :D
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18566


View Profile
September 07, 2020, 08:43:34 AM
 #73

More likely this is the case, I guess those scammers have found something crucial information on how to get some BTC on ignorant electrum user. we must stay vigilant and we need to spread this incidence so that the other member will be aware and take safety precautions to save their bitcoin if they using an Electrum wallet. However, there are no official statements on how this happened.
Please actually try reading the thread before spamming your signature.

This bug has been known about for years, has been discussed widely by the Electrum development team, has been patched since version 3.3.3 (released in January 2019), and has a banner at the top of the Electrum site warning people about it. What you have written is outright false.

If you really want to keep all those bitcoins in a single address I agree with you it would be much safer to have them on an exchange that has several security systems to offer.
This is terrible advice. Would you give $16 million to a complete stranger to keep safe for you? And let anyone who can guess your password or phish your account steal it all? What about if the exchange goes bankrupt? Or gets hacked? Or exit scams? Or an employee steals for them? Or their security is poor? Or they lock your account? Or stop serving your country? Or get shutdown by government regulations? Or get seized for shady business practices or trading? Or your account is hacked? Or your email is hacked? Or your password is reset?

Exchanges are hacked all the time. Even the big "reputable" ones like Coinbase and Binance have been hacked. Storing your coins on them is not safe.
NeuroticFish
Legendary
*
Offline Offline

Activity: 3682
Merit: 6416


Looking for campaign manager? Contact icopress!


View Profile
September 07, 2020, 08:48:55 AM
Merited by o_e_l_e_o (2)
 #74

Ignorance can really bite a person hard.

Ignorance, bad advices like this one, the overall advertising about hardware wallets which makes people think they are fool proof, all did its part.

For big amounts of coins (where "big amount" may depend from person to person) there's only one good solution imho: cold storage (and also this, only if properly used, obviously).

Karartma1
Legendary
*
Offline Offline

Activity: 2310
Merit: 1422



View Profile
September 07, 2020, 08:58:32 AM
 #75

Ignorance can really bite a person hard.

Ignorance, bad advices like this one, the overall advertising about hardware wallets which makes people think they are fool proof, all did its part.

For big amounts of coins (where "big amount" may depend from person to person) there's only one good solution imho: cold storage (and also this, only if properly used, obviously).
I will be always grateful to satoshi because when I first found out about Bitcoin I realized the most important thing of it all was, guess what, security!
Security for my hardware, for my finances, for my digital life etc.
While studying Bitcoin I had to study several other things that, otherwise, I would have never thought they would even exist in the first place.
Long live bitcoin
Botnake
Hero Member
*****
Offline Offline

Activity: 2856
Merit: 667



View Profile
September 07, 2020, 11:25:05 AM
 #76

CZ must be wrong by saying beware of Electrum's official update because no one will get hacked if that is official, probably that was used by hackers to steal the information of the wallet and the user was dumb enough to store 1400 BTC in one wallet only. Lesson learned but the hard way, and hopefully we can learn from this costly mistake of this particular trader, we can't afford to still make mistakes when this has been happening already even before.

Always be careful of "PHISHING" this is a very effective tool of scammers for non educated individual.

bob123
Legendary
*
Offline Offline

Activity: 1624
Merit: 2481



View Profile WWW
September 07, 2020, 04:22:12 PM
 #77

[...] and the user was dumb enough to store 1400 BTC in one wallet only.

It is not the fact that it was stored on a single wallet. That itself is perfectly fine.
The problem was how the wallet was secured (it wasn't) and how careless the person was, not how the funds were spread.



[...] we can learn from this costly mistake of this particular trader [...]

Why do you assume he was a trader?
Not touching the wallet for multiple years doesn't indicate he was actively trading.

Artemis3
Legendary
*
Offline Offline

Activity: 2030
Merit: 1563


CLEAN non GPL infringing code made in Rust lang


View Profile WWW
September 07, 2020, 08:16:26 PM
Merited by o_e_l_e_o (2)
 #78

According to a tweet shared on the CZ Binance twitter page, a trader has lost around 1400 BTC due to electrum software updates. Some other users of electrum wallet also complained that the message about update comes directly from the electrum server.

https://github.com/spesmilo/electrum/issues/5072#issuecomment-683356052

Does this person not understand that anyone can run an electrum server, and they could make that server send idiotic messages? What's next, when he gets a message in the browser to format windows, will he do it too?

I'm technically opposed to the client from showing any server messages, precisely because of these fools. In fact it shouldn't even autoupdate or show update available. This is a horrible windows practice, a system without official repositories.

I'll say more: the windows version of Electrum should be removed. If you cannot bother to learn using a proper os like Linux, you shouldn't be messing with Electrum, let alone moving those quantities of money...

In Linux, you usually don't care if there is a new version of anything. Your distro package maintainers curate the packages (which are also signed), and you will eventually update it using your distro official package manager; instead of going to web pages and risking downloading a fake. Yes, in Linux distros, there is usually an army of people verifying the software they upload into their official repositories, it has been like this for decades. It's one of the reasons (but not the only one) malware is much less common there.

Can you please stop blaming Electrum for user mistakes? And if you handle any non trivial amount of money can you please stop using windows and maybe even spv wallets and run your full node with Core? I mean, 1400₿?, windows? electrum? seriously?

Make sure you also keep your gold ingots and cash under your bed, totally safe, no thief would ever find it...

goldade
Full Member
***
Offline Offline

Activity: 896
Merit: 104


The Standard Protocol - Solving Inflation


View Profile
September 07, 2020, 09:10:43 PM
 #79

I believe this is the user's fault and not Electrum's. Why would one keep that much amount of bitcoins in one wallet and not access it since 2017? Why would someone with much coins not get updated about his wallet before moving such coins? Doesn't he know that a lot of updates would have been made in the space of 3 years?
Secondly, pushing the blame on Electrum is unreasonable. His wallet must have been infected with a malware when he was asked to make the update causing him to lose that much amount of bitcoins.

Finestream
Hero Member
*****
Offline Offline

Activity: 3038
Merit: 606



View Profile
September 07, 2020, 10:25:00 PM
 #80

I think putting your money in an exchange is quite safer than in electrum wallet with that amount since with exchange, they have more secured system and if the exchange is hacked, I'm sure you will be compensated somehow as long as the exchange is regulated.

That's hideous 'advice'.

Most of the time it's you that gets hacked, not the exchange. Your exchange account will be drained and there's nothing you can do and it's certainly not the exchange's problem.

I also wouldn't want to put an exchange's own insurance to the test if it was hacked, not that many have proper policies anyway.

I think that has to be improved on the exchange side, there's no sense of them getting regulated if the government can't enforce them to safeguard our assets, since they are a centralized exchange, they should act like a bank where their depositors accounts are insured up to a maximum amount. I know this will happen in the future as they can't always be not held responsible if our money is hacked, it's their platform, not ours, so it's their responsibility.
