Bitcoin Forum
Author Topic: Biggest risks?  (Read 189 times)
highfarmer (OP)
December 05, 2020, 03:41:54 PM
 #1

I am wondering, what are the biggest risks on the way from importing/sweeping bitcoins from a wallet to another (let's say bitcoin core or electrum to bitstamp/Binance), is it pre-installed malware, someone tracing the transfer (is that even possible?) or something else?
jackg
December 05, 2020, 03:51:08 PM
Merited by Jet Cash (2)
 #2

Yeah there's a possibility malware could check your clipboard or what they're doing to extract the key in core.

If you're worried about security and have more than one device you can sign the transaction offline and broadcast it once back online. Or if you only have one machine you could do the same thing in safe mode without networking as it may disable some applications that previously may have been able to run.
khaled0111
December 05, 2020, 07:51:42 PM
 #3

^^
The problem with the clipboard hijacker malware is that it runs offline and doesn't require any Internet connection to be executed (at least the one my pc is infected with doesn't).
Also, signing the transaction offline won't help if you copy paste the receiving address to create the transaction on an infected device.

jackg
December 05, 2020, 08:03:09 PM
Merited by khaled0111 (1)
 #4

The problem with the clipboard hijacker malware is that it runs offline and doesn't require any Internet connection to be executed (at least the one my pc is infected with doesn't).
Also, signing the transaction offline won't help if you copy paste the receiving address to create the transaction on an infected device.


Sweeping in electrum opens a "preview"(/"advanced") transaction window, it's internally coded? So a clipboard virus could only be used to steal the private key and not tamper with the address the funds are sent to afaik?

I didn't think there was an option to pick which address it was swept to.
khaled0111
December 05, 2020, 08:59:31 PM
 #5

I believe my reply was poorly worded, hence the misunderstanding. Sorry about that.
I was referring to the process of creating an unsigned transaction on an online wallet (watch-only) then signing it on an offline wallet.
In case of sweeping, not sure, but I believe you're right as the receiving address won't be stored in the clipboard. I'll test it out on my infected pc and let you know what I get.

highfarmer (OP)
December 05, 2020, 11:26:30 PM
 #6

Yeah there's a possibility malware could check your clipboard or what they're doing to extract the key in core.

If you're worried about security and have more than one device you can sign the transaction offline and broadcast it once back online. Or if you only have one machine you could do the same thing in safe mode without networking as it may disable some applications that previously may have been able to run.

Is that possible to do in electrum?

^^
The problem with the clipboard hijacker malware is that it runs offline and doesn't require any Internet connection to be executed (at least the one my pc is infected with doesn't).
Also, signing the transaction offline won't help if you copy paste the receiving address to create the transaction on an infected device.


Do you know how you got the malware? What is the name of it? Is it very effective - a.k.a know what it is looking for and send the information right away and is it looking for every kind of bitcoin-related things?

I believe my reply was poorly worded, hence the misunderstanding. Sorry about that.
I was referring to the process of creating an unsigned transaction on an online wallet (watch-only) then signing it on an offline wallet.
In case of sweeping, not sure, but I believe you're right as the receiving address won't be stored in the clipboard. I'll test it out on my infected pc and let you know what I get.

Would be very appreciated!
highfarmer (OP)
December 05, 2020, 11:45:24 PM
 #7

By the way, what would you say is the most secure when it comes to importing a wallet:

Bitcoin Core
Electrum
Another option (mobile wallet or something else)
nc50lc
December 06, 2020, 03:03:14 AM
 #8

By the way, what would you say is the most secure when it comes to importing a wallet:

Bitcoin Core
Electrum
-snip-
It isn't too dependent on the client that you're going to use.

Those two options are both "secure" in the way they store your keys.
But when it comes to security when importing keys, it will mostly depend on how you'll do it.
The best way to import sensitive data like a prvKey is to use an offline machine when you need to copy-paste the keys, then transfer the wallet file to an online computer if you're planning to use it "normally".

That way, your keys won't be displayed in plain text and stored in clipboard while connected to the internet.

Note that your private keys will be temporarily stored in your RAM every time you need them (like signing a txn) after you typed your password; a malware may be aware of that.
You can use a cold-storage set-up to avoid that: (cold storage setup)

amishmanish
December 06, 2020, 05:25:19 AM
 #9

Or if you only have one machine you could do the same thing in safe mode without networking as it may disable some applications that previously may have been able to run.
Could someone please provide an explanation on the steps for this?

Also, what is the opinion about potential attack vectors on wallet softwares like Electrum even though these are open source. For example, there was a malware attack which had led to users funds being compromised in an earlier version of electrum. The forum had a warning about it.

Considering that Bitcoin core is the safest, how should one go about using Bitcoin Core for a wallet?

One final question, signing offline and broadcasting later so as not to expose your private key to the memory of internet, what wallets support this apart from Bitcoin core?

jackg
December 06, 2020, 11:02:20 AM
Merited by amishmanish (2)
 #10

Could someone please provide an explanation on the steps for this?


It's been a while since I've used the sweep function but it's likely in file (or wallet) and it just brings up a window to paste a private key in and then you set fees and other info and it sends the transaction.

Also, what is the opinion about potential attack vectors on wallet softwares like Electrum even though these are open source. For example, there was a malware attack which had led to users funds being compromised in an earlier version of electrum. The forum had a warning about it.

Previous versions of the software were released which allowed servers to send custom messages. An attacker managed to run their own server and send a message (the message only occurred when sending a transaction but if you click the link you apparently got sent to a phishing site) (I didn't get the message myself so...)

Considering that Bitcoin core is the safest, how should one go about using Bitcoin Core for a wallet?


One shouldn't blindly trust a wallet for its safety purely because they *think* it's safe.

Open source software itself is able to undergo steganographic attacks to try to change its source code without a maintainer spotting. Electrum has their original dev coding it, bitcoin core doesn't; that's got to be a good vector of attack if someone misses something and pushes a commit just labelled as "primitive update with library" or something.


One final question, signing offline and broadcasting later so as not to expose your private key to the memory of internet, what wallets support this apart from Bitcoin core?



All the good ones... Grin (don't think I know one that doesn't).
o_e_l_e_o
December 06, 2020, 05:52:24 PM
 #11

Also, what is the opinion about potential attack vectors on wallet softwares like Electrum even though these are open source. For example, there was a malware attack which had led to users funds being compromised in an earlier version of electrum.
It's worth noting that the malware attack on previous versions of Electrum did not directly lead to funds being compromised. All it did was show users an arbitrary message, which included a link to a scam site. The user had to manually click the link, fail to check the URL, download the software on that site, fail to verify the download, install the software, and open their wallet with it, to actually lose coins. It was the equivalent of following a link and downloading a file from a random email you were sent without doing any due diligence. If you followed the widely publicized correct method of only downloading from electrum.org and verifying your download against ThomasV's keys, then you could never fall victim to this particular attack vector.

Having said that, that's not to say there is not an as-of-yet-undiscovered attack vector somewhere in Electrum's code which could be exploited at a future date. However, if you set up an airgapped wallet, with a watch only wallet on your online computer, then almost any potential attack is rendered useless, provided you pay attention to what you are signing. Your private keys cannot leak since they are only stored on your airgapped device, and any malware which tries to make a transaction or alter your clipboard will be rendered useless as a transaction cannot be signed without you manually transferring it to your airgapped computer to do so.
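
Added example, not part of any post in this thread and not code from Electrum or Bitcoin Core: one way to "pay attention to what you are signing" on the airgapped machine is to decode the unsigned transaction yourself and list every output that does not pay an address you intended. It assumes a legacy-serialized transaction with mainnet P2PKH outputs; the sample transaction, its dummy hash160 values and all function names are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check(payload: bytes) -> str:  # version byte + hash160 -> address
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out

def varint(buf, pos):  # compact-size integer -> (value, next position)
    if buf[pos] < 0xFD:
        return buf[pos], pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[buf[pos]]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def tx_outputs(raw_hex):
    """Return [(destination, satoshis)] for a legacy-serialized transaction."""
    buf = bytes.fromhex(raw_hex)
    if buf[4] == 0:
        raise ValueError("segwit serialization is outside this sketch")
    n_in, pos = varint(buf, 4)                 # skip the 4-byte version
    for _ in range(n_in):
        slen, pos = varint(buf, pos + 36)      # skip outpoint (txid + index)
        pos += slen + 4                        # skip scriptSig + sequence
    n_out, pos = varint(buf, pos)
    outs = []
    for _ in range(n_out):
        value = int.from_bytes(buf[pos:pos + 8], "little")
        slen, pos = varint(buf, pos + 8)
        script, pos = buf[pos:pos + slen], pos + slen
        p2pkh = slen == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac"
        dest = b58check(b"\x00" + script[3:23]) if p2pkh else "unrecognised script " + script.hex()
        outs.append((dest, value))
    return outs

def unexpected_outputs(raw_hex, intended):
    """Outputs that pay anything other than the addresses you meant to pay."""
    return [o for o in tx_outputs(raw_hex) if o[0] not in intended]

# Constructed sample: one input, two P2PKH outputs (hash160 values are dummies).
def _out(sats, h160):
    return sats.to_bytes(8, "little") + b"\x19\x76\xa9\x14" + h160 + b"\x88\xac"
SAMPLE_TX = (b"\x01\x00\x00\x00\x01" + bytes(36) + b"\x00" + b"\xff" * 4 + b"\x02"
             + _out(50_000, bytes(20)) + _out(1_000, b"\x01" * 20) + bytes(4)).hex()
INTENDED = "1" * 21 + "4oLvT2"  # address of the all-zero hash160, from a trusted copy
print(unexpected_outputs(SAMPLE_TX, {INTENDED}))  # anything listed: do not sign
```

The intended set should hold the recipient and your own change address, both taken from a source the online machine could not have altered (typed in or read from paper), since a clipboard hijacker replaces one valid address with another valid one.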
