
Topic: I am one of the people who had my BTC stolen from electrum wallet (Read 293 times)

legendary
Activity: 3668
Merit: 6382
We couldn't have open source software without this clause.

Clearly. And it's the ultimate legal protection for the developers when problems like OP's happen.

I know that is like living in cloud cuckoo land.
That sounds like the real world to me ;)

LOL! Unfortunately the real world is more harsh than in that dream of his.
So let's just suggest OP focus on the future, buy a hardware wallet and try to keep his funds (much) safer.


Edit: closed properly the quotes
legendary
Activity: 3290
Merit: 16489
Almost all open source software is released under licensing that normally states "absolutely no warranty is provided for the software".
Most software users don't read the license before using it. I can't even blame them: there are far too many disclaimers and warnings everywhere.

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
We couldn't have open source software without this clause.

I have now been reminded that electrum is open source.
Even large software companies aren't liable for bugs in their software. How many people have been a victim of security problems on Windows? And how often has Microsoft paid compensation for this?

The blame comes back to me for trusting the wallet too much in the first place. You would think that a crypto wallet would have that sort of thing covered.
The only way to really cover wallet security, is by keeping it offline. It's impossible to guarantee bug-free software.

Quote
My real hope was that someone would reply and say "They've found a way to trace the transactions and the people who got duped can put their names on a list to receive some of their money back"
Even if they would have arrested the bad guys, and even if all funds were recovered, your seed phrase was compromised. The bad guys could have spread it around, and other people could potentially claim to be the original owner too.

Quote
I know that is like living in cloud cuckoo land.
That sounds like the real world to me ;)
legendary
Activity: 1568
Merit: 6660
I would also mention that there is no universal list of users who were hoaxed by the hacked Electrum, which makes it nearly impossible for someone to repay every single person, even if they wanted to. Also people can pretend to have lost money on Electrum just to get a slice of the pie.

Maybe you should start a Patreon or GoFundMe or something like that but only claimants are allowed to subscribe, I don't know to be honest.
copper member
Activity: 2338
Merit: 4543
@Jimmyboy4545, sorry for your loss, and I understand your frustration.  Unfortunately, unless the perpetrators are caught and prosecuted, and the stolen funds are recovered you're unlikely to see your money again.

As for the accountability; the only person who can be held accountable is the scammer (or scammers) himself.  Simply by using Electrum you've agreed to their Terms of Use, which, like all experimental, open source software absolves the developers (volunteers) from unforeseen malicious use of the software by others.  This does not mean it's your fault, and I don't think anyone here is claiming that it's your fault.

However, this brings us to the crux of the matter:  Bitcoin is different than any other fungible commodity we've ever used.  Bitcoin itself is experimental, it's based on experimental software which is constantly evolving to improve security and usability.  Light clients like Electrum are no different.  We need to be aware of this when we choose to use crypto currencies, and take the precautions necessary to ensure our safety.

There are measures we can take to mitigate our risk, and prevent scenarios such as this one from affecting us.  Running your own Bitcoin and Electrum servers might seem like an extreme measure, but it goes a long way to ensure that all your transactions are conducted via services that are controlled by only you.  And, that's what bitcoin is all about in the first place; putting us in control of our wealth.  Unfortunately, by using alternate clients (anything other than bitcoin core) such as Electrum, we tend to sacrifice security for convenience.
legendary
Activity: 2268
Merit: 18748
I meant blocking the server from appearing in the available server's list under network settings on Electrum. Not shutting it down entirely.
They actually did do this. There is a list of blacklisted servers available here: https://electrum.org/blacklist.json. The code for ElectrumX was updated so that any honest servers running this new code would repeatedly pull this list and blacklist any servers on it, not showing them to other servers or to clients. The problem with this is that it is trivial for an attacker to take their blacklisted server offline and just start it up again from a new IP address. It was an endless game of cat and mouse, which is why the Electrum code was very quickly updated to remove the ability to send arbitrary messages altogether.
hero member
Activity: 714
Merit: 1298
No, they couldn't. They could have shut down any servers they themselves were running, but that would just reduce the number of honest servers and make it more likely someone would connect to a malicious one. They have no power to shut down someone else's server.
I meant blocking the server from appearing in the available server's list under network settings on Electrum. Not shutting it down entirely. That way you wouldn't be able to connect to it from the Electrum client. But maybe they can't even do that in order to remain as neutral as possible and not to have any influence on the network and prevent possible manipulation.  

Probably the alternative option is to untick "select server automatically" and choose it manually from the list suggested. Should any server send you a message you will blacklist it right off the bat.
legendary
Activity: 2730
Merit: 7065
No, they couldn't. They could have shut down any servers they themselves were running, but that would just reduce the number of honest servers and make it more likely someone would connect to a malicious one. They have no power to shut down someone else's server.
I meant blocking the server from appearing in the available server's list under network settings on Electrum. Not shutting it down entirely. That way you wouldn't be able to connect to it from the Electrum client. But maybe they can't even do that in order to remain as neutral as possible and not to have any influence on the network and prevent possible manipulation.   
legendary
Activity: 2268
Merit: 18748
Electrum's fault was allowing such messages to be displayed to those connected to malicious nodes. That shouldn't have been possible because we as users, don't need to be reading messages from those owning Electrum servers.
The whole point of the feature in the first place was for servers to be able to feed back any errors regarding a transaction a user was trying to broadcast. It wasn't a fault or a bug that such a feature existed. It was changed so that now the messages servers send to you can only come from a hardcoded list, rather than being arbitrary: https://github.com/spesmilo/electrum/issues/4968#issuecomment-455557296

They could have blocked all servers, making Electrum unavailable and basically a dead app, but what would be the point in that?
No, they couldn't. They could have shut down any servers they themselves were running, but that would just reduce the number of honest servers and make it more likely someone would connect to a malicious one. They have no power to shut down someone else's server.
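The change described in the post above (server messages limited to a hardcoded list instead of arbitrary text), sketched as an added example that is not part of the thread and is not Electrum's own code. The function name, the allowlist entries and the sample messages are assumptions constructed for illustration.

```python
# Client-side allowlist for server-supplied broadcast errors.
# The wallet never displays text written by the server: it only checks
# whether the reply contains a known error token and, if so, shows its
# own fixed wording. Anything else collapses to one generic message.

# Constructed allowlist (assumption): token -> text authored by the wallet.
KNOWN_BROADCAST_ERRORS = {
    "bad-txns-inputs-missingorspent":
        "Transaction inputs are missing or already spent.",
    "min relay fee not met":
        "Transaction fee is below the minimum relay fee.",
    "txn-mempool-conflict":
        "Transaction conflicts with one already in the mempool.",
    "non-final":
        "Transaction is not final yet.",
}
GENERIC_ERROR = "The server rejected the transaction (unrecognized reason)."
MAX_SCAN = 2000  # bound the work done on a hostile, oversized reply


def sanitize_server_error(server_msg):
    """Map an untrusted server reply to wallet-authored display text."""
    if not isinstance(server_msg, str):
        return GENERIC_ERROR
    lowered = server_msg[:MAX_SCAN].lower()
    for token, display_text in KNOWN_BROADCAST_ERRORS.items():
        if token in lowered:
            # Return the client's wording, not the server's, so text the
            # server appended after the token (links, instructions) is dropped.
            return display_text
    return GENERIC_ERROR


# Constructed sample replies, not captured traffic.
HONEST = "error: bad-txns-inputs-missingorspent (code 18)"
PHISH = "Outdated client. Install the update from https://wallet-update.example.invalid"
MIXED = "min relay fee not met. To fix, install https://wallet-update.example.invalid"

if __name__ == "__main__":
    for reply in (HONEST, PHISH, MIXED, None):
        print(repr(reply), "->", sanitize_server_error(reply))
```

The `MIXED` case is the one that matters: matching a known token must not cause the rest of the server's string to be shown.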
legendary
Activity: 2730
Merit: 7065
First of all, I am sorry you lost money because you were tricked into downloading a fake piece of software. I would like to highlight that you were tricked and misguided. Let's now take a look at what went wrong and how to share the blame.

I see this as a fundamental problem with the wallet.
It was a problem, but it has now been rectified. Such server messages can't be sent anymore.

I was sent an error message during a transaction, it asked me to update the wallet.
Surely, this has to be the electrum wallet's fault!
How can this be my fault? I was in the electrum app, the message appeared in the app.
Electrum's fault was allowing such messages to be displayed to those connected to malicious nodes. That shouldn't have been possible because we as users, don't need to be reading messages from those owning Electrum servers. Your fault was not checking where that link leads. If you did, you would see that it directed you to a site that is not the official Electrum site. You downloaded and installed Electrum from an unofficial website. That's your first mistake. The second one is that you didn't verify the installation files you downloaded. If you had done that, the verification would have failed because the app wasn't signed by Electrum's real developer.

The electrum wallet blockchain was hacked - I followed the instructions sent to me by the app.
The blockchain was not hacked. Electrum wasn't hacked. Malicious entities took advantage of a feature that allowed them to make messages visible to those connected to their servers. The message wasn't sent to you by Electrum. It was sent by those who were hosting Electrum nodes.

I received no warning or prior knowledge (at the time) of this kind of thing happening, - you would think that a warning message would be front and centre when conducting transactions.
Unless you got affected early on before Electrum became aware of the problem, the developers did post information about the issues on their homepage. You just didn't see it.

Is electrum ever going to do anything to help those poor people who got duped through what I see as completely their fault?
Electrum is not a for-profit company that makes money on your use of their free and open-source applications.

so why didn't the developers have a notice front and centre warning people, or even freeze transactions until the problem was rectified?
They could have done that, and I agree with you on that. As soon as you opened the app, you should have seen a warning of some sort that there is an on-going phishing campaign, and that you shouldn't trust or click on links that instruct you to download new software updates. When it comes to freezing transactions, Electrum is a non-custodial wallet. That means they don't have access to your keys or ways to prevent you spending your coins. They could have blocked all servers, making Electrum unavailable and basically a dead app, but what would be the point in that?
legendary
Activity: 3234
Merit: 5637
@Jimmyboy4545, no matter what has already been written on the subject, part of the responsibility for what happened is definitely on those who programmed Electrum and didn’t find this vulnerability in time to prevent this kind of thing from happening at all. Of course, because of all the above, these people do not bear any criminal or misdemeanor responsibility, but they are morally responsible because they made bad software available to end-users, and vulnerability in that software has resulted in hacking probably thousands of users.

Of course, everyone will say it's your fault because you believed the message that came to you through the original software, and that you should have verified Electrum files before installation - but I believe you and most hacked users didn't know there was a way to verify files before installations.

The key thing after all is, never blindly believe in something, even when it seems legitimate - verify and check several times before any action that may be considered critical.
legendary
Activity: 2268
Merit: 18748
But you read everywhere to only download or update software/apps via the proper website or app - that's exactly what I did - the notice to update came via the app whilst doing a transaction.
The correct way to download Electrum (or indeed, any software) has always been to download it from the official website and to verify the download against the developers' signatures or the provided hashes before installing it. You did not do this, but followed a link to a fake website and failed to verify the download.

As soon as it happened at the time, I researched and found out immediately that this was an ongoing problem - so why didn't the developers have a notice front and centre warning people, or even freeze transactions until the problem was rectified?
There was a notice front and center of the official website, which you obviously found as soon as you visited the official website. And given that the wallet is non-custodial, the developers do not have the ability to freeze transactions.

My real hope was that someone would reply and say "They've found a way to trace the transactions and the people who got duped can put their names on a list to receive some of their money back" - but I know that is like living in cloud cuckoo land.
You can notify law enforcement, but yes, unfortunately the chance of you getting any of your money back is incredibly small.
newbie
Activity: 3
Merit: 12
Thank you guys for your input.

I have now been reminded that electrum is open source.
I understand where you are coming from, I appreciate your comments.

I get where you are coming from when you say "If you receive a malicious message via whatsapp, it's not whatsapp's fault".
But you read everywhere to only download or update software/apps via the proper website or app - that's exactly what I did - the notice to update came via the app whilst doing a transaction. If you opened an app like photoshop on your computer or phone and it asked you to update before you could use it again, most people would follow the link because they trust photoshop, and if it crashed your computer, you would blame photoshop for not warning people.

As soon as it happened at the time, I researched and found out immediately that this was an ongoing problem - so why didn't the developers have a notice front and centre warning people, or even freeze transactions until the problem was rectified?

Anyway, I understand that the money is gone and I can't blame anyone because there is nobody to blame and the legal stuff covers any liability.
The blame comes back to me for trusting the wallet too much in the first place. You would think that a crypto wallet would have that sort of thing covered.

My real hope was that someone would reply and say "They've found a way to trace the transactions and the people who got duped can put their names on a list to receive some of their money back" - but I know that is like living in cloud cuckoo land.

But I live in hope.

Thanks again guys.
legendary
Activity: 2268
Merit: 18748
I was in the electrum app, the message appeared in the app.
If you receive an email telling you to go download some scam software, your email provider is not responsible.
If you receive an SMS message telling you to go download some scam software, your mobile carrier is not responsible.
If you click on a link to download some scam software, your browser is not responsible.
If you receive a WhatsApp message telling you to go download some scam software, WhatsApp are not responsible.

I am sorry that you were scammed OP, but I'm afraid that you and you alone are responsible for the software you download on to your computer.
legendary
Activity: 3668
Merit: 6382
Almost all open source software is released under licensing that normally states "absolutely no warranty is provided for the software".

Exactly. I'll be quoting from the exact license file of Electrum (excuse the caps, it's original).

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Sorry OP, but you've probably agreed to that when you started using Electrum.
copper member
Activity: 2856
Merit: 3071
Almost all open source software is released under licensing that normally states "absolutely no warranty is provided for the software". Assuming maliciousness of spv server nodes wasn't something electrum needed to do until the problem arose and was resolved.

It is sad so many users lost their funds to the scammers but ultimately it's the scammer that's to blame for the funds being taken. It's probably something a lot of users unfamiliar with open source software or even how electrum works could've fallen for. The innocent/reliable electrum servers were also victims of DDoS attacks while the scam was at its peak.
newbie
Activity: 3
Merit: 12
The problem is Electrum is not a company or an entity, it's an open-source project that's being maintained by volunteers.

If you want to hear out the developers currently working on the project, you can reach them in Electrum's repository in GitHub:
Repository - github.com/spesmilo/electrum | Contributors - github.com/spesmilo/electrum/graphs/contributors

Thank you for your reply.
Yes, now I remember, this is as far as I got the last time I looked into this.
There is completely zero accountability.

Thank you very much for sending the links, I appreciate it.
I will follow them.

It's just so upsetting.
legendary
Activity: 2534
Merit: 6080
The problem is Electrum is not a company or an entity, it's an open-source project that's being maintained by volunteers.

If you want to hear out the developers currently working on the project, you can reach them in Electrum's repository in GitHub:
Repository - github.com/spesmilo/electrum | Contributors - github.com/spesmilo/electrum/graphs/contributors
newbie
Activity: 3
Merit: 12
Hello,
I am one of the people who had my BTC stolen from my electrum wallet. (In 2018).
I see this as a fundamental problem with the wallet.
I was sent an error message during a transaction, it asked me to update the wallet.
I am sure that you know the rest of the story and what I am talking about!
Surely, this has to be the electrum wallet's fault!
How can this be my fault? I was in the electrum app, the message appeared in the app.
The electrum wallet blockchain was hacked - I followed the instructions sent to me by the app.
I received no warning or prior knowledge (at the time) of this kind of thing happening, - you would think that a warning message would be front and centre when conducting transactions.
How can the blame be put on me? - I understand that things have changed, and everyone is incredibly careful when making transactions and updating etc, but I was sent the link to upgrade the wallet through the actual wallet itself.
My problem is with the fact that electrum take absolutely no responsibility for what happened - like 'shrugs' shit happens.
Is electrum ever going to do anything to help those poor people who got duped through what I see as completely their fault?
Does anyone know what the current situation is? Are there any plans to help us or do the right thing?
Any news from anyone or any updates on this situation would be greatly appreciated.
Thank you for your time.