Only beginners will bite this one. Although it is a good warning and might come in handy for new users.
The website tells it all. It is simply electrum.org.
I guess we just need to be careful with every clicks we make.
For sure just one registry it will all end up with them. This is really bad.
Topic: New Fake Electrum Wallet BEWARE! (Read 2260 times)
If you can, please make this a sticky or make a new thread out of it, people NEED to be warned.
I got robbed of 45.8 BTC (and BCH so total = 150000$) after installing the executable from electrum-wallet.com.
I was running multisig but both on the same PC. First i ran the portable electrum.exe from electrum-wallet.com but when it did not load my wallets *NOTE : the ones that had BTC in them ,it loaded just fine any other wallet ) - I don't want to hear opinions on my stupidity
After it didn't work i downloaded last version of electrum from electrum.org
I'm wondering how the F is it possible that after 2 years of this thread no one has taken down and/or announced the US. authorities fbi etc about it.
I'm in Romania and have no wish to deal with this legally, which will probably get me nowhere.
I am willing to split the rights on the BTC with whoever is capable of recovering them via detective+legal means.
This is the transaction : https://www.blocktrail.com/BTC/tx/78d44db46445d3097996fc644c1221eeead31added5c35cf1b7938737e3b49db
As i said , I don't want to hear opinions on my stupidity, this is mostly a warning and hopefully a way for someone to make a healthy 75000$.
I got robbed of 45.8 BTC (and BCH so total = 150000$) after installing the executable from electrum-wallet.com.
I was running multisig but both on the same PC. First i ran the portable electrum.exe from electrum-wallet.com but when it did not load my wallets *NOTE : the ones that had BTC in them ,it loaded just fine any other wallet ) - I don't want to hear opinions on my stupidity
After it didn't work i downloaded last version of electrum from electrum.org
I'm wondering how the F is it possible that after 2 years of this thread no one has taken down and/or announced the US. authorities fbi etc about it.
I'm in Romania and have no wish to deal with this legally, which will probably get me nowhere.
I am willing to split the rights on the BTC with whoever is capable of recovering them via detective+legal means.
This is the transaction : https://www.blocktrail.com/BTC/tx/78d44db46445d3097996fc644c1221eeead31added5c35cf1b7938737e3b49db
As i said , I don't want to hear opinions on my stupidity, this is mostly a warning and hopefully a way for someone to make a healthy 75000$.
NO, no no!!! I did NOT mean the md5. That can be written on the forged website.
I meant the PGP signature. The PGP signature *HAD* to have come from the actual Electrum developers. THAT'S what you need to verify.
To the right of the link to download, you'll see another link that says "sig" or "signature", which will lead you to either a .asc file or a .sig file.
You then use PGP software (usually in the form of GPG) to verify that the signature is correct and from either the key:
9914864DFC33499C6CA2BEEA22453004695506FD
or the key
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
You need to learn how to use GPG for that. It's a pain in the ass to learn, but once you learn it, it is extremely useful. It's that same software people use to encrypt their e-mail. Google and find Youtube videos about setting it up. It takes time to learn, and that sucks, but you'll be glad you know it once you do.
The PGP signature, unlike a hash, can only be created by the developers. So even if the website is hacked and the hackers put up new md5's for their evil files, they still can't make fake PGP signatures.
Yeah, I get it now. I still don't know how to use PGP, I once tried to make a PGP key for me but got lost halfway. And I have been postponing it since coz it involves a lot of reading. But I guess I have to do it soon if I want to be safe.
The official electrum wallet site has https, the fake one does not.
Is that possible, can a hacker host files to someone else's domain with http?
Verify PGP sigs!!!
Sorry for the stupid ques but how does one exactly do that with the downloads?
First question: nope, with or without SSL/TSL, you're connecting to the same website. He probably confused with a phishing someting like el3ctrum or electrun.
Second question, he probably meant the md5 hash for checksum, it's always said on the official website so that you can guarantee that you're downloading the right version.
NO, no no!!! I did NOT mean the md5. That can be written on the forged website.
I meant the PGP signature. The PGP signature *HAD* to have come from the actual Electrum developers. THAT'S what you need to verify.
To the right of the link to download, you'll see another link that says "sig" or "signature", which will lead you to either a .asc file or a .sig file.
You then use PGP software (usually in the form of GPG) to verify that the signature is correct and from either the key:
9914864DFC33499C6CA2BEEA22453004695506FD
or the key
6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
You need to learn how to use GPG for that. It's a pain in the ass to learn, but once you learn it, it is extremely useful. It's that same software people use to encrypt their e-mail. Google and find Youtube videos about setting it up. It takes time to learn, and that sucks, but you'll be glad you know it once you do.
The PGP signature, unlike a hash, can only be created by the developers. So even if the website is hacked and the hackers put up new md5's for their evil files, they still can't make fake PGP signatures.
First question: nope, with or without SSL/TSL, you're connecting to the same website. He probably confused with a phishing someting like el3ctrum or electrun.
Yeah, I wasn't really sure that that could happen but I thought maybe some hackers developed something new. Thanks for clearing it up. He added in the OP now that the site is different.
Second question, he probably meant the md5 hash for checksum, it's always said on the official website so that you can guarantee that you're downloading the right version.
If you go to the official download page for Electrum, next to each download link you will see a PGP signed signature from one of the devs.
As for the MD5 hash, you can get it by right clicking on the file and choosing "properties". A window should appear with some tabs on the top. Click on the "checksums" tab to see the MD5 hash:
Note however that the encryption behind MD5 hashes isn't completely resistant to forgeries, i.e. it is possible to construct collisions that result in two different files having the same MD5 hash.
As for the MD5 hash, you can get it by right clicking on the file and choosing "properties". A window should appear with some tabs on the top. Click on the "checksums" tab to see the MD5 hash:
Note however that the encryption behind MD5 hashes isn't completely resistant to forgeries, i.e. it is possible to construct collisions that result in two different files having the same MD5 hash.
I see, so the only way to be safe while downloading Electrum is to make sure to download from the original site because the hacker can't possibly upload the forged MD5 hashed version at the original site.
And the PGP signature contains the MD5 Hash, so one can verify that even that is from the original site owner.
thanks for the warning but i don't see any info. no link to fake site to report and no confirmation on where the malicious file is being advertised.
Thanks for the warning. I would definitely report this to the webhost so they can take it offline.
The official electrum wallet site has https, the fake one does not.
Is that possible, can a hacker host files to someone else's domain with http?
Verify PGP sigs!!!
Sorry for the stupid ques but how does one exactly do that with the downloads?
First question: nope, with or without SSL/TSL, you're connecting to the same website. He probably confused with a phishing someting like el3ctrum or electrun.
Second question, he probably meant the md5 hash for checksum, it's always said on the official website so that you can guarantee that you're downloading the right version.
If you go to the official download page for Electrum, next to each download link you will see a PGP signed signature from one of the devs.
As for the MD5 hash, you can get it by right clicking on the file and choosing "properties". A window should appear with some tabs on the top. Click on the "checksums" tab to see the MD5 hash:
Note however that the encryption behind MD5 hashes isn't completely resistant to forgeries, i.e. it is possible to construct collisions that result in two different files having the same MD5 hash.
Recently there is an ad to a fake Electrum wallet which installs DarkComet TROJAN onto your computer.
The official electrum wallet site has https, the fake one does not.
Oh and the domain is OBVIOUSLY different than the official's.
Please validate file signatures.
Here's a virustotal anlysis report of the fake wallet file: here
The official electrum wallet site has https, the fake one does not.
Oh and the domain is OBVIOUSLY different than the official's.
Please validate file signatures.
Here's a virustotal anlysis report of the fake wallet file: here
Thanks for the heads up. I will send a newsletter out to my subscribers about it.
The official electrum wallet site has https, the fake one does not.
Is that possible, can a hacker host files to someone else's domain with http?
Verify PGP sigs!!!
Sorry for the stupid ques but how does one exactly do that with the downloads?
First question: nope, with or without SSL/TSL, you're connecting to the same website. He probably confused with a phishing someting like el3ctrum or electrun.
Second question, he probably meant the md5 hash for checksum, it's always said on the official website so that you can guarantee that you're downloading the right version.
The official electrum wallet site has https, the fake one does not.
Is that possible, can a hacker host files to someone else's domain with http?
Verify PGP sigs!!!
Sorry for the stupid ques but how does one exactly do that with the downloads?
Was only yesterday i downloaded electrum for the first time believe it or not, i checked the signature though so all was good. If everyone done this then the fake wallet would be useless but of course not everyone pays attention to what they download, which is crap because then the hackers will keep going while there are people to steal from.
Just another reminder why we need to be extra careful online, scams everywhere!
Verify PGP sigs!!!
Thanks for the warning, one is never too careful online...
This should rather be share on the Beginners Section too , just to make them aware of it!
THank you for sharing it
THank you for sharing it
Never download any kind of wallet beyond their official website if you don't want to lose your money.
Thanks for the warning, I always download the official software from the real site and not from an unknown thread or site. Beware !
Thanks for the warning us.
This official thread https://bitcointalksearch.org/topic/electrum-20-release-973768 by ThomasV
How to report that fake electrum wallet?
This official thread https://bitcointalksearch.org/topic/electrum-20-release-973768 by ThomasV
How to report that fake electrum wallet?
Jump to: