Topic: Bitcoins from my Electrum wallet disappeared (Read 138 times)

member
Activity: 239
Merit: 53
New ideas will be criticized and then admired.
January 13, 2025, 12:20:27 PM
#17
OP's laptop contains malware that either stole his seed, his wallet, created a transaction or just replaced receiving addresses when the OP created a transaction himself
Laptop was running Windows 10 with antivirus installed. Can't be sure that it didn't have undetected malware, but I did everything to make sure it didn't

Don't trust antivirus, I tested it a year ago and it is still valid.

ref: https://bitcointalksearch.org/topic/reminder-dont-trust-antivirus-5475148
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
When these types of attacks happen and users of the wallet or service at that time lose their funds, the company should be held liable for it. Their customers do not have to bear the loss for their failure. The companies should be able to pay some compensation to the users if this is a possibility.
I'm sorry, but in the context of free open-source Electrum wallet this is nonsense. And you should actually read the MIT License for Electrum wallet (version as of Feb 21st, 2024):

I don't remember the exact dates (late 2019, or early 2020 perhaps,) but a few years back servers were able to send messages and there was at least one server operated by a scammer who was sending pop up messages directing people to download a malicious version.  The Electrum team has removed the ability for servers to send messages to the client, so this type of thing is less likely to happen again.  

Clicking on a download link in such a push notification for an update of Electrum would still be a violation of what the Electrum devs recommend about how and where to download updates, and of course users should check the update's GPG signatures! Never skip the verification steps!!

If users fail to comply, it's the user's fault, not the fault of the developers.

Almost every page of the Electrum website displays the following warning:
Quote
Warning: Do not download Electrum from another source than electrum.org. Verify GPG signatures.

This warning is there for a good reason and Electrum users should not skip verifying GPG signatures. I have doubts that OP did verify GPG signatures when he executed his yearly updates of his Electrum wallet software.

From reading the thread, I'm not sure how his wallet got compromised. Usually there are details and clues missing to pinpoint the real reason. For a hot wallet to receive coins, it doesn't need to be a hot wallet with private keys. A watch-only hot wallet would've been safer.


Some details, maybe worth exploring in more detail:

The Electrum wallet was created in 2014 (no details by OP if the mnemonic recovery words were stored safely offline-only in 2014).

A separate laptop was used for the wallet, which is good when this laptop hasn't been used for daily internet shit.


Confusing to me:
Why did the mnemonic recovery words have to be displayed and written down again in September 2022, when the laptop apparently got decommissioned and sold (without any internal storage device, I assume)? Was there no prior backup?

Under which conditions were the recovery words revealed? Was the device still online or later online?

It's strange that after selling the laptop, a few months later in December 2022 the wallet was emptied. I don't say there's a causality.

As the attacker seems to have robbed other wallets, the probability is high that OP downloaded a malicious Electrum software and didn't verify that GPG signatures were solely from genuine Electrum developers. Or of course it could be some malware that targeted genuine Electrum wallets.

I couldn't find any detail if OP's Electrum wallet was encrypted with a wallet encryption passphrase. If yes and with a long and strong encryption passphrase, then stealing the wallet file won't be enough for the attacker. A keylogger would be needed to obtain and exfiltrate the unlocking wallet passphrase.
sr. member
Activity: 588
Merit: 273

The problem with this reasoning in this case is that Electrum is not a company... It's just a couple of devs that wrote an open source application 100% for free, but iirc, they've always been very clear that they are not responsible if any loss of funds would occur.

Don't get me wrong, this occurrence is a drama and we should not resort to victim blaming, but asking compensation from a couple of open source developers that invested tons of their time for free, in order to provide the community with a free, open source, full featured SPV wallet is simply "not done"... If you want to be able to get compensation from wallet developers, i guess you'll have to find a wallet that clearly states they will reimburse their users in case of a vulnerability. This being said: i don't think such a wallet exists, and if it would ever exist in the future, i'm pretty sure it would not be free, and it would come with a ton of hoops a user would have to jump through to prove to the company it was their fault in case a vulnerability was ever exploited.

Electrum is open source, theoretically you *could* verify the complete source code for any errors, then compile it and use it.. I know, nobody will ever do this, but theoretically you could do this.

Once again: not victim blaming here... The thief is the only culprit, and even if it would ever turn out the OP could have done something to prevent the theft (like using a more up to date version of electrum, or verifying the signature, or....), the only one to blame is the one that took the op's funds.
You explained this to me very empathetically and kindly. Thank you.
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
The versions below 3.3.4 were compromised at that time.
This is where the issue would have arisen from and the most probable answer to the mystery.

When these types of attacks happen and users of the wallet or service at that time lose their funds, the company should be held liable for it. Their customers do not have to bear the loss for their failure. The companies should be able to pay some compensation to the users if this is a possibility.


The problem with this reasoning in this case is that Electrum is not a company... It's just a couple of devs that wrote an open source application 100% for free, but iirc, they've always been very clear that they are not responsible if any loss of funds would occur.

Don't get me wrong, this occurrence is a drama and we should not resort to victim blaming, but asking compensation from a couple of open source developers that invested tons of their time for free, in order to provide the community with a free, open source, full featured SPV wallet is simply "not done"... If you want to be able to get compensation from wallet developers, i guess you'll have to find a wallet that clearly states they will reimburse their users in case of a vulnerability. This being said: i don't think such a wallet exists, and if it would ever exist in the future, i'm pretty sure it would not be free, and it would come with a ton of hoops a user would have to jump through to prove to the company it was their fault in case a vulnerability was ever exploited.

Electrum is open source, theoretically you *could* verify the complete source code for any errors, then compile it and use it.. I know, nobody will ever do this, but theoretically you could do this.

Once again: not victim blaming here... The thief is the only culprit, and even if it would ever turn out the OP could have done something to prevent the theft (like using a more up to date version of electrum, or verifying the signature, or....), the only one to blame is the one that took the op's funds.
sr. member
Activity: 588
Merit: 273
The versions below 3.3.4 were compromised at that time.
This is where the issue would have arisen from and the most probable answer to the mystery.

When these types of attacks happen and users of the wallet or service at that time lose their funds, the company should be held liable for it. Their customers do not have to bear the loss for their failure. The companies should be able to pay some compensation to the users if this is a possibility.
legendary
Activity: 3500
Merit: 3249
Happy New year 🤗
That is the obvious answer but for the life of me I can't see how... And I can't understand what I did wrong and how I could have prevented it...
I am devastated. That's way more money than I earned for all my life. And I'm over 40
I'm sorry for your loss. I believe the mistake you made was that you kept updating your Electrum. There is a chance you downloaded a fake upgraded version of Electrum from another source, or you fell victim to a phishing link in an Electrum push notification asking you to upgrade to the latest version and forcing you to visit a fake Electrum website. The versions below 3.3.4 were compromised at that time.

To avoid these attacks, I do not keep updating Electrum to the latest version except for online PCs; my original wallet, which I created, is in cold storage.
legendary
Activity: 2380
Merit: 5213
I only suspect that someone somehow was able to brute force the seed, but to brute force it with a password? How is that possible?
No, no one brute forced your seed phrase.
The outgoing transaction shows that there were multiple victims and that means that you either used a fake version of electrum or your device was infected with a malware.

It may be worth mentioning that your password encrypts your wallet file locally, and anyone who has access to your seed phrase can steal your funds without any need for your password.
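A worked illustration of the point made in this post (and of the wallet-encryption remark in an earlier post on this page): the seed phrase alone yields the spending key, while the wallet password only encrypts the file at rest. This is an added example, not Electrum's code; the seed stretching follows Electrum's scheme (PBKDF2-HMAC-SHA512, 2048 rounds, salt "electrum"), the file-encryption layer is a hypothetical stand-in, and the phrase used is constructed.

```python
import hashlib
import hmac
import os
import unicodedata


def electrum_mnemonic_to_seed(mnemonic: str, extension: str = "") -> bytes:
    """Electrum seed stretching: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'electrum'
    plus the optional seed extension. The wallet password is NOT an input.
    (Simplified normalisation: a no-op difference for a plain English phrase.)"""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode()
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic), b"electrum" + norm(extension), 2048)


def bip32_master_key(seed: bytes) -> tuple:
    """BIP32 master node from the stretched seed: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]  # (master private key, chain code)


def spending_key_from_phrase(mnemonic: str, extension: str = "") -> bytes:
    """Anyone holding the phrase derives this and can spend; no password needed."""
    return bip32_master_key(electrum_mnemonic_to_seed(mnemonic, extension))[0]


# Wallet-file encryption is a separate layer that only protects the file at rest.
# Hypothetical stand-in scheme (PBKDF2 key, SHA-256 counter keystream, HMAC tag),
# NOT Electrum's real file format; it just models the same trust boundary.
def _keystream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + c.to_bytes(4, "big")).digest() for c in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _keys(password: str, salt: bytes) -> tuple:
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]  # (encryption key, MAC key)


def encrypt_wallet_file(plaintext: bytes, password: str) -> bytes:
    salt = os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()


def decrypt_wallet_file(blob: bytes, password: str) -> bytes:
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or tampered wallet file")  # no plaintext, no keys
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))
```

Holding the encrypted file without the password yields nothing, which is why the earlier post says a keylogger would be needed in that case; holding the phrase bypasses the password entirely.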
hero member
Activity: 448
Merit: 560
Mia's Creative
That is the obvious answer but for the life of me I can't see how... And I can't understand what I did wrong and how I could have prevented it...
I am devastated. That's way more money than I earned for all my life. And I'm over 40
Sorry for your losses op but like I said earlier, everyone here has given different possible flaws that the scammer or hacker probably used to get hold of your seed or keys and moved your coins. It could be any of the speculations others have made. None of these users were there with you so it's left for you to actually figure out what really happened.

As a matter of fact, if you ask me, I'll suggest you forget the option of trying to retrieve those coins because there is a very high chance the person may have sold them off shortly after he stole them. These kinds of stories are the reason why it's important to have a watch-only wallet for your cold storage too.
?
Activity: -
Merit: -
either way you had your keys or your seed phrase compromised one way or the other.

That is the obvious answer but for the life of me I can't see how... And I can't understand what I did wrong and how I could have prevented it...
I am devastated. That's way more money than I earned for all my life. And I'm over 40
hero member
Activity: 448
Merit: 560
Mia's Creative
This is a serious case of a compromised wallet. If you take a good look at the transaction hash you will find that there were multiple inputs, including the coins you claimed you lost, all consolidated to a single output. Others have made different speculations on how the coins probably got stolen and the fact is either way you had your keys or your seed phrase compromised one way or the other.

I think this isn't small-scale stuff because when I looked up the hash on blockchair, there was a total output of over 9 BTC and it seems it was moved around a couple of times too. This transaction was done around 2022 and these coins are totally gone if you ask me because last I checked scammers and thieves don't HODL.
?
Activity: -
Merit: -
The wallet was downloaded from official site in 2014. I always triple check this kind of things and was updating it once in a year or so.
It was on a separate laptop which was used only for this. In September 2022 I removed the only HDD from that laptop and sold the laptop. Since then this HDD was in my shelf, to which only I have access to.
Today I did not check the HDD, just downloaded the new Electrum from the official site, entered the seed and realized that everything was stolen on 2022-12-22.
I only suspect that someone somehow was able to brute force the seed, but to brute force it with a password? How is that possible?


OP downloaded a fake electrum wallet
nope

OP downloaded a real electrum wallet, but an old one...
nope

OP's laptop contains malware that either stole his seed, his wallet, created a transaction or just replaced receiving addresses when the OP created a transaction himself
Laptop was running Windows 10 with antivirus installed. Can't be sure that it didn't have undetected malware, but I did everything to make sure it didn't

OP fell for a phishing scam. In other words, he told the seed phrase to a third party thinking it was some "real" entity (i use quotes since there are no "real" entities that should ever need your seed phrase)
nope

Somebody had access to op's laptop
I'd say nope, but I can be as sure of it as any other guy

OP saved his seedphrase in the cloud
nope

Somebody had access to the physical copy of op's seedphrase
I'd say nope, but I can be as sure of it as any other guy. Also, the seed phrase was written backwards and with some other code. And no one even knew I had the wallet.

Somebody had access to OP's wallet file either because it was stored on an online medium or because they had physical access to the drive (plus, potentially a weak passphrase to encrypt the wallet)
Highly unlikely. File was on offline HDD

OP created the seed phrase manually, or used some seed phrase generator with low entropy or some other vulnerability
If I remember correctly, I took the seed phrase from Electrum
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
I don't remember the exact dates (late 2019, or early 2020 perhaps,) but a few years back servers were able to send messages and there was at least one server operated by a scammer who was sending pop up messages directing people to download a malicious version.  The Electrum team has removed the ability for servers to send messages to the client, so this type of thing is less likely to happen again. 

Based on the OP's claims of how he's been keeping his seed secure, that's one possibility of how he got hacked.
legendary
Activity: 3612
Merit: 5297
https://merel.mobi => buy facemasks with BTC/LTC
--snip--
How could this have happened?
--snip--

just some possibilities:

  • OP downloaded a fake electrum wallet
  • OP downloaded a real electrum wallet, but an old one... There were some potential attack vectors in really old versions
  • OP's laptop contains malware that either stole his seed, his wallet, created a transaction or just replaced receiving addresses when the OP created a transaction himself
  • OP fell for a phishing scam. In other words, he told the seed phrase to a third party thinking it was some "real" entity (i use quotes since there are no "real" entities that should ever need your seed phrase)
  • Somebody had access to op's laptop
  • OP saved his seedphrase in the cloud
  • Somebody had access to the physical copy of op's seedphrase
  • Somebody had access to OP's wallet file either because it was stored on an online medium or because they had physical access to the drive (plus, potentially a weak passphrase to encrypt the wallet)
  • OP created the seed phrase manually, or used some seed phrase generator with low entropy or some other vulnerability

From experience on this forum, i know that downloading a fake wallet, getting phished, using a laptop with malware or storing seed or wallet file in the cloud are the most common ways of getting robbed
sr. member
Activity: 588
Merit: 273
The attacker compromised multiple wallets not just yours. He then swept all the coins from those different wallets in one transaction.
How could this have happened?

He sounds like he just downloaded the wallet and did nothing else with it. Assuming that he used an old laptop that was only for that purpose. He should provide more details.
legendary
Activity: 2758
Merit: 4074
I followed that address and unfortunately it ended up at a scammer's address that hacked Electrum wallets. It seems that you downloaded the wallet from an unofficial source or downloaded malware to your device; anyway, your wallet was part of that hack.

I searched a little and did not find similar complaints from 2022-12, but there is a slightly similar case that happened in 2023 https://bitcointalksearch.org/topic/ive-been-hacked-electrum-432-5433643
legendary
Activity: 3724
Merit: 1586
I just don't understand why the transaction details show 9.91605758 BTC
a81ea7ec8ebcdeb587cf970c6424bda7ce52df15f79c6bb3744851368b2161c6

The attacker compromised multiple wallets not just yours. He then swept all the coins from those different wallets in one transaction.
?
Activity: -
Merit: -
Hello everyone.
I created a wallet in 2014 and since then till 2022 I have been transferring to it bitcoins that I mined myself. In September 2022 I saved the wallet to my offline hard drive, wrote down the seed phrase on paper and haven't checked the wallet since. Now I installed Electrum again, entered the seed phrase and saw that all my 1.3 BTC are gone on 2022-12-22 16:44:48 UTC. I'm devastated. Those were the coins I was hoping to pass on to my children.
I'm writing here just to have someone confirm this. I just don't understand why the transaction details show 9.91605758 BTC
a81ea7ec8ebcdeb587cf970c6424bda7ce52df15f79c6bb3744851368b2161c6
The seed phrase and password have never been compromised (unique password was only in my head and seed phrase is only on paper), so I don't understand how this could have happened.