spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

Electrum 4.0.0 : Serious Error !!! #5183

Closed Boutag closed 5 years ago

Boutag commented 5 years ago

Hello, I tried to send 0.00005 BTC, but when sending it sends all amount of my wallet to an unknown address !!! And it did not ask for password when sending !!! It is like a version stealing all my Bitcoin... Can someone explain or help me please. Thanks.

OlyaGreen commented 5 years ago

@Ernie-FR

I think the little message at the opening of the site electrum.org (which is totally confusing cause taking this literally means you will never be able to update to any level higher than the current) is a pretty lame way out. I read no regret or excuses about the pain that's being caused. ARE YOU HUMAN AT ALL ?

I'm sure >90% of users do not read this warning. It is important that every new user reads this message with understanding at least once. I have proposed the following change on IRC. electrumorg

NO ONE follows Electrum website, or reads the website. Seriously, how many of you did?? Got a tip for Electrum 'team': try posting on social media at least occasionally, or rather EVERY DAY, to give your 'precious' users a chance to notice this fuck up. I lost 10k, and I'm getting it back.

Same here I have just lost 1.22 bitcoin. That was all my saving. Most like Electrum create this bug and stole our bitcoins

'Most like Electrum create this bug and stole our bitcoins' -

Unlikely, but one of the possibilities, yes. Considering their absolute negligence.

Brocstephen commented 5 years ago

There’s a difference between risk (inherent to bitcoin and most basically all investments) and outright negligence, which I would argue is what occurred. It would be one thing if they patched this problem immediately and did as much as possible to inform the community about the problem but Electrum did neither, and here we are many months later with this still a huge problem.

On Jul 6, 2019, at 12:13 PM, ldz1 notifications@github.com wrote:

@OlyaGreen: Maybe bitcoin is not for you. There is a classic banking, which takes responsibility for your money. Bitcoin and its community does not take that responsibility. If you do not inform yourself about some things, then you may lose money. I'm so sorry.

The-Compiler commented 5 years ago

It would be one thing if they patched this problem immediately and did as much as possible to inform the community about the problem but Electrum did neither

They did a lot: https://github.com/spesmilo/electrum/issues/5452#issuecomment-505141428

OlyaGreen commented 5 years ago

'It would be one thing if they patched this problem immediately and did as much as possible to inform the community about the problem but Electrum did neither, and here we are many months later with this still a huge problem'.

YES.

--
Olya Green
Content & Communications | Emerging tech & Blockchain
Read on: https://www.technomads.wtf/

Brocstephen commented 5 years ago

In this case “a lot” as you say, wasn’t nearly enough. The fact this problem remains is a clear demonstration of this. I have not seen a single mention of this problem in anything other than very niche bitcoin forums. That’s not nearly a wide enough audience to get the message across. Why isn’t this in the news, I see other bitcoin hacking/network problems come up all the time in my news feed. When I posted this to my own social media accounts people were incredulous, none of them had heard. In my opinion all their efforts haven’t improved the situation at all. If anything I think they’re trying to actively prevent people from finding out how incompetent they’ve been.

Brocstephen commented 5 years ago

Did they even ever figure out a way to remove the malware that causes this problem in the first place? Since I have yet to find one and have no idea how I got the malware initially. I need to buy an entire new computer/completely wipe an existing one, on top of all my lost BTC just to be able to make BTC transactions. So in addition to all the financial hardships this has caused myself and so many others it’s also a huge inconvenience.

Brocstephen commented 5 years ago

I posted almost exactly what I just said 4+ months ago at the beginning of this email thread. The problem had already been going on for months at this point. This has been going on for over 1/2 a year at least maybe closer to 9 months. And from the reports I continue to see it appears nothing changed in that entire time, even if people are doing “a lot” of work.

“...They allowed a major, known problem that was losing people massive amounts of money to go on for months and months and months. That kind of negligence is simply inexcusable.” -That was in March

OlyaGreen commented 5 years ago

Guys, anyone who fell victim, please contact Berlin officer who's investigating the case at LKA245@polizei.berlin.de

They're collecting witnesses' reports.

Brocstephen commented 5 years ago

Even if it happened outside of Germany?

On Jul 18, 2019, at 8:19 AM, OlyaGreen notifications@github.com wrote:

Guys, anyone who fell victim, please contact Berlin officer who's investigating the case at Markus.Reussner@polizei.berlin.de

They're collecting witnesses' reports.

OlyaGreen commented 5 years ago

Yes. Please do not hesitate to contact them, as they're collecting the deets of all the attacks ever happened to give them a full picture. Also, the steps Electrum has undertaken to prevent this are under scrutiny.

OlyaGreen commented 5 years ago

Regardless of your location, guys - please also report to European Cybercrime Centre, and Joint Cybercrime Action Taskforce at Europol

ecdsa commented 5 years ago

In this case “a lot” as you say, wasn’t nearly enough. The fact this problem remains is a clear demonstration of this.

@Brocstephen you do not know what you are talking about. We did patch the vulnerability immediately, and that was in December last year. The fact that there still are vulnerable users is not under our control. We are a software distributor, not a service provider. We give control to the users, that implies there are things that we do not control. It is childish to think we can control everything.

Why isn't the phishing attack in the news, you ask? Because it was in the news six months ago, and it is no longer news today. We cannot force the media to report about the same thing continuously, that's not how they work. The administrators of the Bitcoin reddit and of bitcointalk have been very nice to display sticky posts about the phishing attack for several months. These might be "niche" forums to you, but these are the main Bitcoin forums. And they have been more helpful than the media.

The recent victims of the phishing attacks are users who do not follow us on twitter, who do not read bitcoin forums such as reddit or bitcointalk, and who do not read bitcoin-related media often enough to have seen it when it was in the news. It is very difficult to reach those users, that's why we also try to protect them through server-side software updates, which are described in the other post.

OlyaGreen commented 5 years ago

What do you mean by 'through server-side update'? How was that supposed to work to alarm against the fake malicious update?

'It is very difficult to reach those users, that's why we also try to protect them through server-side software updates, which are described in the other post.'

OlyaGreen commented 5 years ago

Guys, everyone who fell victim of this and had their funds stolen - please share your twitter handles and/ or emails with me. We're working on the action suit.

SomberNight commented 5 years ago

@OlyaGreen

What do you mean by 'through server-side update'? How was that supposed to work to alarm against the fake malicious update?

See https://github.com/spesmilo/electrum/issues/5452#issuecomment-505141428 particularly points (2) and (4)

eapereira commented 5 years ago

this address bc1qjmyxwhyjxqjwfyspptvyjhr6kreehxjveec3md has more than 14 million USD

SomberNight commented 5 years ago

AFAICT it has received around 27.5 BTC so far; which is around 290k USD atm

eapereira commented 5 years ago

that's the end of bitcoin for me

digicoins2u commented 5 years ago

All my bitcoins were stolen on Thursday 8/8/2019 and I lost a LOT!!! So pissed off I got caught out by the same way as a user above regarding the "upgrade to version 4.0.0" https://user-images.githubusercontent.com/48363506/54077356-06110700-42af-11e9-86e3-ef38cd1a1944.JPG

The fact this STILL happened when it has been known for so long has really put me in a bad mood and can't see me brightening up for a while after this!!!

The thief address for me 16iw6auavtSz792tdKJythaHwmELS7pisJ

amitie10g commented 5 years ago

Again, please report any fake website to the hosting provider, or otherwise, to Privacy Protect, if they use that service.

ecdsa commented 5 years ago

@digicoins2u the police are trying to shut down the DNS entries of malicious servers that are hardcoded in old versions of the client. they are also trying to follow the stolen coins.

digicoins2u commented 5 years ago

Has anyone ever heard of or used this site hxxps://www.getitback dot tech Seems too good to be true regarding retrieval of Bitcoins!

SomberNight commented 5 years ago

Has anyone ever heard of or used this site hxxps://www.getitback dot tech Seems too good to be true regarding retrieval of Bitcoins!

All these services are scams.

eapereira commented 5 years ago

Maybe could help.

eapereira commented 5 years ago

Talk to the people in this company to see how they can recover your money, but I believe there is no way to track it back.

Here are some painful lessons learned: use a closed proprietary wallet or build your own wallet!

On Thu, Aug 15, 2019 at 8:52 AM digicoins2u notifications@github.com wrote:

Help how?

digicoins2u commented 5 years ago

Talk to the people in this company to see how they can recover your money, but I believe there is no way to track it back. Here are some painful lessons learned: use a closed proprietary wallet or build your own wallet!

As said by @SomberNight they are scammers! I worked it out by pretending to use them

NikitaNO commented 5 years ago

Today I lost 1.8 BTC. Those were all the savings I got. The scenario was the same as described here: some prompt displayed to upgrade the Electrum. I did it, and after that all of my BTC were lost. Is there any way to recover those? Please let me know.

NikitaNO commented 5 years ago

@OlyaGreen is there a way to contact you? I'd like to assist you with investigation!

ecdsa commented 5 years ago

@NikitaNO please report the theft to the police

OlyaGreen commented 5 years ago

@NikitaNO Very sorry to hear that, resonates with me big time. Please hit me up on Telegram @olyagreen - we will talk.

digicoins2u commented 5 years ago

Guys, everyone who fell victim of this and had their funds stolen - please share your twitter handles and/ or emails with me. We're working on the action suit.

Hi @OlyaGreen ,

I sent you a message on Telegram and wondering if you or not?

digicoins2u commented 5 years ago

Today I lost 1.8 BTC. Those were all the savings I got. The scenario was the same as described here: some prompt displayed to upgrade the Electrum. I did it, and after that all of my BTC were lost. Is there any way to recover those? It's a scam and I don't know how to pay for medicines now. Please let me know!!!

Lost nearly as much as you mate just recently, horrible thing to happen to anybody!!!

OlyaGreen commented 5 years ago

yep, I confirm the receipt. Will answer shortly, hang on please.

OlyaGreen commented 5 years ago

Hello everyone

I still keep receiving the reports from people getting hacked every week, and been in talks with an external advisor developer working for a major crypto project in the space who suggested doing an independent audit of Electrum's source code.

This can be of great help for identifying the prerequisites of this attack in terms of figuring out why this has been happening for so long without duly executed fix.

He charges a certain fee for the audit, of course, so I'd like to know who of those victimized will be willing to contribute to this independent investigation. Please let me know!

SomberNight commented 5 years ago

This can be of great help for identifying the prerequisites of this attack in terms of figuring out why this has been happening for so long without duly executed fix.

@OlyaGreen I can tell you right now that we did everything we (several people intimately familiar with the codebase and its architecture) could come up with in terms of mitigations. Absence of a full fix is not because of lack of trying, rather, it's because it's impossible. Best case scenario, there might be better mitigations.

independent audit of Electrum's source code

Code audits are welcome though.

eapereira commented 5 years ago

From now on I will only use a proprietary or a wallet built by my own!

digicoins2u commented 5 years ago

Hello everyone

I still keep receiving the reports from people getting hacked every week, and been in talks with an external advisor developer working for a major crypto project in the space who suggested doing an independent audit of Electrum's source code.

This can be of great help for identifying the prerequisites of this attack in terms of figuring out why this has been happening for so long without duly executed fix.

He charges a certain fee for the audit, of course, so I'd like to know who of those victimized will be willing to contribute to this independent investigation. Please let me know!

I'd love to help but am skint having been robbed! I am in debt because of it actually.

ecdsa commented 5 years ago

Electrum developer here. Users who have been phished should file a police report with their local authorities, and forward the information to us or to the German police (LKA Berlin), who are working with us on that case. DO NOT send money to random users who claim they are going to help you recover your funds, or that they are going to use this money in order to perform an audit of our code. All the information about the vulnerability used in the phishing attack is known already, so that kind of audit is pointless. Scammers are just trying to get more money from you.

digicoins2u commented 5 years ago

Electrum developer here. Users who have been phished should file a police report with their local authorities, and forward the information to us or to the German police (LKA Berlin), who are working with us on that case. DO NOT send money to random users who claim they are going to help you recover your funds, or that they are going to use this money in order to perform an audit of our code. All the information about the vulnerability used in the phishing attack is known already, so that kind of audit is pointless. Scammers are just trying to get more money from you.

If I had enough money I would sue the ass off the Electrum owners for allowing more people be scammed once they knew there were already people scammed and not addressing the issue, MUPPETS!!!

andrey1903S commented 4 years ago

They allowed a serious, known problem that was losing people huge amounts of money to go on for months and months and months

The architecture is decentralized. No one can solve the problem, because no one controls the system. Decentralization has its pros and cons.

We have spent considerable resources on trying to mitigate the problem, see #5084 (comment), but that is all that can be done: mitigation.

I installed ELECTRUM 3.3.8 today and transferred BTC from the EXMO exchange to my wallet 16ugJSDpxBmJCj2WdyzMZpjWK8aDAy7K33, the funds were confirmed at 18:32 and at the same second were sent to another wallet, although I did not do it. And the blockchain showed that there were three transactions. I have a password on my wallet; without it, you can not send funds. Maybe it's a program error?

CherryDT commented 4 years ago

If I had enough money I would sue the ass off the Electrum owners for allowing more people be scammed once they knew there were already people scammed and not addressing the issue, MUPPETS!!!

Guys, I understand you are angry, but just to make this clear again:

Electrum developers did what they could and it is simply not possible to do any more than this.

So stop calling them names. They did not deserve it.

There are criminals who are abusing the decentralized architecture and a small bug in 1-year-old Electrum versions trying to scam people. These are the bad guys, not the Electrum devs.

FAQ:

ZoranSpirkovski commented 4 years ago

I find that most of the people here were mindlessly clicking on links. It's hard to imagine what is necessary to get people to take their security seriously. I played around with the idea of enforcing users to use GPG verification for the software, but that might be too much of a deterrent for new users. Phishers can still push fake GPG keys and successfully scam people, so that's not much of a solution.

One thing that can improve security is to create a 30-60sec timeout view on the installer, where all of the known scams are explained in detail. Many of these people received fake error messages and simply assumed that whatever website was being shown was correct.

Just my two-cents, as I'm researching stuff about Electrum.

EDIT: just realized that the issue has been solved. (Electrum 3.3.3 fixes the problem by not displaying this message to the user anymore, plus there were many additional creative mitigations done as described here).

adOrtinez commented 4 years ago

Hi there,

Among all this we-all-know-but-as-there-is-scumbag-people-sometimes-you-get-robbed ADVICE, is there something that we could do?

I did a small investigation with IPs, python scripts, hash etc.. and I'd like to report it more than just going to the police (that I did) or writing it on a blog..

BTW, they scammed me 1.7btc using this site: http://electrumdrive.fyi/ And yes, it looks pretty obvious it's not the official one, but sometimes you are tired and you do not imagine that you'll be robbed in front of your house (to use a similar situation in real life).

Anyway, instead of common sense advice and useless moaning, please, let me know if there's a way to catch these scumbags that (as I saw in the hash) have stolen about 56btc + 61btc with 2 different accounts during last year. This is the account where they sent my money: bc1qcygs9dl4pqw6atc4yqudrzd76p3r9cp6xp2kny and the hash 8364841abdb753c5f1251d1909ee02ad54f30ab9f46f249b1d16de20bf3c66d4

Thanks for the help in advance and best luck.

Regards,

amitie10g commented 4 years ago

Hi there,

Among all this we-all-know-but-as-there-is-scumbag-people-sometimes-you-get-robbed ADVICE, is there something that we could do?

I did a small investigation with IPs, python scripts, hash etc.. and I'd like to report it more than just going to the police (that I did) or writing it on a blog..

BTW, they scammed me 1.7btc using this site: http://electrumdrive.fyi/ And yes, it looks pretty obvious it's not the official one, but sometimes you are tired and you do not imagine that you'll be robbed in front of your house (to use a similar situation in real life).

Anyway, instead of common sense advice and useless moaning, please, let me know if there's a way to catch these scumbags that (as I saw in the hash) have stolen about 56btc + 61btc with 2 different accounts during last year. This is the account where they sent my money: bc1qcygs9dl4pqw6atc4yqudrzd76p3r9cp6xp2kny and the hash 8364841abdb753c5f1251d1909ee02ad54f30ab9f46f249b1d16de20bf3c66d4

Thanks for the help in advance and best luck.

Regards,

Have you reported the domain to the abuse entities or the FTC?

adOrtinez commented 4 years ago

Have you reported the domain to the abuse entities or the FTC?

@Amitie10g Thanks for the tip, I didn't know them or their organization

Can I use it even if I'm not a US citizen (consumer), or is it because Electrum is from the States? And what is the FTC? Does it make any difference to let them know?

Thanks for the quick response. Regards,

amitie10g commented 4 years ago

Have you reported the domain to the abuse entities or the FTC?

@Amitie10g Thanks for the tip, I didn't know them or their organization

Can I use it even if I'm not a US citizen (consumer), or is it because Electrum is from the States? And what is the FTC? Does it make any difference to let them know?

Thanks for the quick response. Regards,

At least, a report could help to get information about the owners of the domain, and then file a criminal complaint against them.

adOrtinez commented 4 years ago

At least, a report could help to get information about the owners of the domain, and then file a criminal complaint against them.

Sure, let's see if we have a Mt. Gox in here and at least we have something back.. :DDD Thanks again for the help!

markd315 commented 4 years ago

the version of malware that got me was slightly different from the one pictured above. It refused to let me send any transactions until I "Upgraded."

No, that's how it works. It's about the server you are connected to. The server does not relay the tx, and it sends back the error. You just need to select a different server.

The behavior of the client is obviously what's being exploited here, users are conditioned to trust pop-ups that come from within non-browser applications.

It's totally irresponsible to surface arbitrary text and links to the user from your cryptocurrency client, and I would agree that it's basically "inexcusable".

^ Applies to versions prior to 3.3.3 but the devs can be blamed for this. I will not use or recommend the software, even after having spent time writing tax calculators for it.
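An added example, not part of the thread and not Electrum's own code: one way a wallet client can avoid surfacing arbitrary server text, the behaviour discussed in the comment above. It maps a server's broadcast error onto a fixed set of client-owned messages and only flags, never displays, anything that looks like a lure. The function names, the message table and the sample strings are assumptions constructed for illustration.

```python
import re

# Client-owned wording, keyed by substrings of node reject reasons.
# Constructed for this example; a real client would maintain its own table.
KNOWN_REJECTIONS = (
    ("dust", "Rejected: an output is below the dust limit."),
    ("min relay fee not met", "Rejected: the fee is below the relay minimum."),
    ("insufficient fee", "Rejected: the fee is too low to replace the earlier transaction."),
    ("txn-mempool-conflict", "Rejected: conflicts with a transaction already in the mempool."),
    ("bad-txns-inputs-missingorspent", "Rejected: an input is missing or already spent."),
    ("non-final", "Rejected: the transaction is not final yet."),
)
GENERIC = "The server rejected the transaction. Try again with a different server."
MAX_LEN = 500  # bound the work done on untrusted input

# Links or update prompts have no place in a broadcast error.
LURE = re.compile(r"https?://|www\.|\b(?:updat|upgrad|download|install)\w*", re.IGNORECASE)


def sanitize_broadcast_error(server_msg):
    """Return text that is safe to show; no server-supplied character is echoed."""
    if not isinstance(server_msg, str):
        return GENERIC
    text = server_msg[:MAX_LEN].lower()
    for needle, safe in KNOWN_REJECTIONS:
        if needle in text:
            return safe
    return GENERIC


def looks_like_lure(server_msg):
    """Detection hook: True when an error carries a link or an update prompt,
    so the client can log it and stop using that server."""
    return isinstance(server_msg, str) and bool(LURE.search(server_msg))


# Constructed sample inputs (not taken from any real server).
SAMPLES = [
    "the transaction was rejected by network rules.\n\ndust (code 64)",
    "Security update required. Download the new version at https://example.invalid/ to continue.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(repr(sanitize_broadcast_error(msg)), "lure:", looks_like_lure(msg))
```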

sefrem commented 4 years ago

Joining the club here. Lost $1k yesterday due to the same "update to 4.0" popup. That was my first attempt to send btc from my wallet (installed it 2 and a half years ago) so I had no idea if this behaviour was normal or not but was too relaxed to check I suppose. The downloaded client was from electrumfules.world. As I see there are people falling for this scheme for a year and a half now. That is too long for it just being some 'evil hacker'. That is what electrum does I believe as a little sidejob or smth. Hope those people above will sue you good.

CherryDT commented 4 years ago

Sorry to hear that, but how can you say it's "too long" to be a malicious third party? If the bad guys would pay, say, $100/month (which is high) for cloud infrastructure to run the Electrum nodes needed for this scam, then your case already paid them 1 more year of scamming, and I would assume that more people get scammed than just 1 per year, so I don't see any reason (from their perspective) why they should stop the scam operation when it still works and makes them money... Even if it had been 10 years already.