The details surrounding this hack can be found here, but we’d like to take the opportunity to show you how to run your own copy of MyEtherWallet on your own computer, thereby becoming immune to this and similar attacks (by running MEW locally, all files are accessed from your computer, so there is no DNS intermediary that can be hacked).
MEW is a simple web application which connects to the blockchain. It’s easy enough to download it from GitHub.
How do we know the GitHub version is safe?
What’s on GitHub is the publicly accessible source code repository of MyEtherWallet. GitHub break-ins do not happen on a level more serious than simple DoS attacks, and it’s also trivial to verify the code you download.
Problems occurring with downloads from GitHub are extremely rare and mathematically impossible.
After downloading, double click the file to unpack it, then find the file index.html in the resulting folder. Double click that and it will open in your browser.
This will open a local version of MEW which will also be obvious by the path in the URL bar: it will now start with file:// which means it’s being read from a file on your hard drive, not the internet.
You now have a copy of MEW that’s as safe to use as your own computer is.
Are Ledgers Safe?
The question that comes up rather often during this hack’s fallout is whether or not Ledger devices are safe to use with MEW. The answer is “it’s relative”.
Because of the nature of the attack, it’s easy for attackers to change the destination address behind the scenes while generating your transaction. If you keep an eye on Ledger’s screen during the generation stage of the transaction, it will output an address on screen that should match the one you’re sending to – the one you put into MEW. If they match, it’s safe.
Still, we recommend running a local copy of MEW as per instructions above.
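The address check described above for the Ledger screen can be expressed in code. This is an added example, not MyEtherWallet or Ledger code: it decodes a legacy RLP-encoded Ethereum transaction and compares its recipient field with the address you typed. The function names and the sample transaction bytes are constructed for illustration, and only the legacy transaction layout is handled.

```python
def rlp_decode(buf, pos=0):
    """Decode one RLP item at pos; return (value, next_pos). Lists become Python lists."""
    if pos >= len(buf):
        raise ValueError("truncated RLP")
    prefix = buf[pos]
    if prefix < 0x80:                       # a single low byte encodes itself
        return buf[pos:pos + 1], pos + 1
    is_list = prefix >= 0xC0
    size = prefix - (0xC0 if is_list else 0x80)
    start = pos + 1
    if size > 55:                           # long form: next (size - 55) bytes hold the length
        start += size - 55
        size = int.from_bytes(buf[pos + 1:start], "big")
    end = start + size
    if end > len(buf):
        raise ValueError("truncated RLP")
    if not is_list:
        return buf[start:end], end
    items, p = [], start
    while p < end:
        item, p = rlp_decode(buf, p)
        items.append(item)
    if p != end:
        raise ValueError("list payload overruns its declared length")
    return items, end

def tx_recipient(raw_hex):
    """Return the 'to' address (lower-case hex) of a legacy Ethereum transaction."""
    raw = bytes.fromhex(raw_hex[2:] if raw_hex.startswith("0x") else raw_hex)
    fields, end = rlp_decode(raw)
    # Legacy layout: nonce, gasPrice, gasLimit, to, value, data [, v, r, s]
    if end != len(raw) or not isinstance(fields, list) or len(fields) not in (6, 9):
        raise ValueError("not a legacy Ethereum transaction")
    to = fields[3]
    if not isinstance(to, bytes) or len(to) != 20:
        raise ValueError("no 20-byte recipient in this transaction")
    return "0x" + to.hex()

def recipient_matches(raw_hex, intended):
    """True only if the transaction pays the address the user typed in."""
    return tx_recipient(raw_hex) == intended.strip().lower()

# Constructed sample: an unsigned transaction paying 0x3535...35, and the same
# bytes with the recipient swapped, as a tampered page could produce.
INTENDED = "0x" + "35" * 20
GOOD_TX = "0xec098504a817c80082520894" + "35" * 20 + "880de0b6b3a764000080018080"
TAMPERED_TX = GOOD_TX.replace("35" * 20, "66" * 20)
```

Everything except the 20 recipient bytes is identical in the two samples, which is why the address the device displays is the thing to compare.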