A bug in old versions of the legitimate Electrum is being exploited by scammers to send people phishing messages. Users are advised not to follow any links in Electrum error messages. The developer SomberNight summarizes the situation best:
To users: when you broadcast a transaction, servers can tell you about errors with the transaction. In Electrum versions before 3.3.3, this error is arbitrary text, and what’s worse, it is HTML/rich text (as that is the Qt default). So the server you are connected to can try to trick you by telling you to install malware (disguised as an update). You should update Electrum from the official website so that servers can no longer do this to you. If you see these messages/popups, just make sure you don’t follow them and that you don’t install what they tell you to install. The messages are just messages, they cannot hurt you by themselves.
If you see such a message and it's stopping you from spending your bitcoins, just switch to a different server. Also update to the latest Electrum from the official site.
In Electrum 3.3.4 and later, the phishing messages are no longer shown, but Electrum servers can still stop you from spending your coins. So once again, you should simply switch to a different server.
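The sketch below shows how a wallet client can handle a server-supplied broadcast error defensively: treat it as untrusted input, never render it as rich text, and show only wallet-authored wording. It is an added example, not Electrum's own code; the function names, the allowlist of rejection reasons and the sample messages are assumptions constructed for illustration.

```python
import html
import re

# Constructed allowlist of rejection reasons a wallet might recognise
# (assumption for this example, not Electrum's actual list).
KNOWN_REASONS = {
    "insufficient fee": "The transaction fee is too low.",
    "missing inputs": "An input is missing or already spent.",
    "dust": "An output is below the dust limit.",
}
GENERIC = "The server rejected the transaction. Try a different server."
MAX_LEN = 200


def to_plain_text(server_msg: str) -> str:
    """Neutralise untrusted text so a rich-text widget shows it literally."""
    # Drop control characters, cap the length, then escape <, >, & and quotes.
    cleaned = re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", server_msg)[:MAX_LEN]
    return html.escape(cleaned, quote=True)


def broadcast_error_for_user(server_msg) -> str:
    """Map a server-supplied broadcast error to wallet-authored text."""
    if not isinstance(server_msg, str):
        return GENERIC
    lowered = server_msg.lower()
    # Markup or links are never part of a legitimate rejection reason.
    if re.search(r"<[^>]*>|https?://|www\.", lowered):
        return GENERIC
    for needle, explanation in KNOWN_REASONS.items():
        if needle in lowered:
            return explanation
    return GENERIC


# Constructed sample inputs.
PHISH = ('<h2>Security update required</h2>'
         '<a href="https://example.invalid/update">Download the new version</a>')
LEGIT = "66: insufficient fee"

if __name__ == "__main__":
    print(broadcast_error_for_user(PHISH))   # generic wallet-authored text
    print(broadcast_error_for_user(LEGIT))   # recognised rejection reason
    print(to_plain_text(PHISH))              # markup shown literally, not rendered
```

In a Qt client, the same intent also means setting the message widget to plain-text format rather than relying on the rich-text default mentioned above.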
2 thoughts on “Beware of phishing messages in Electrum”
Cannot Download “ThomasV’s signature.”
Reading “How to verify your Electrum download.” states:
2. Download Electrum and also ThomasV’s signature for the file you downloaded. Save both to the same folder.
But electrum.org only shows one link for each Electrum file [Signature] and it links to some text which looks like 3 signatures:
(BEGIN…END / BEGIN …END / BEGIN…END)
and nothing to indicate which one might be ThomasV's. Besides, they look too short. Are these -hashes- of Signatures? What am I doing wrong? I know nothing. Just trying to download and verify Electrum. Thank you.
If those instructions are not from you, my apologies.
I’ve updated the guide to reflect changes on the electrum download page.