Topic: BTC funds disappeared from my Electrum Wallet (Read 344 times)

hero member
Activity: 714
Merit: 1010
I can't stress it often enough. DO NOT copy/paste mnemonic recovery words on an online digital device where multiple applications could have access to the clipboard. Even worse, where you have an app installed that retains a clipboard history. THAT is bad crypto wallet security.

Try as hard as possible to avoid digital storage and transfer of your mnemonic recovery words. You should know why.

Another recommendation is to always carefully document when, for what purpose and with which derivation path you create a new wallet. Add this documentation to the offline saved mnemonic recovery details of your wallet. It is also better not to delete any recovery details of any wallet you've created. You never know when you may need them again.


Now to OP's mystery case. Electrum wallets are HD wallets, i.e. all present and future keys in that wallet are predetermined by the hierarchical deterministic process of key derivation used by the wallet. (The same applies to standard BIP-39 HD wallets.)
Therefore you can't add foreign private keys to an HD wallet where the foreign private keys don't belong to the HD wallet. You therefore can only sweep coins controlled by foreign private keys to addresses of your HD wallet. Sweeping here means you create a transaction that moves all UTXOs controlled by the source ("imported" foreign) private key to an address of your Electrum wallet (you don't actually import the foreign private key, as this is not possible because you can't recreate this foreign private key from your wallet's mnemonic recovery words).

The reason why the Electrum wallet only offers to sweep foreign private keys instead of adding them to the wallet file is simple: derivation path, optional mnemonic passphrase and mnemonic recovery words are all that is needed to recover a wallet, but this recovery process couldn't cover and take care of imported foreign private keys and the public keys and public addresses derived from them. Therefore foreign keys can only be swept / emptied into a wallet.

IF OP swept the UTXO of 0.08284172BTC of address bc1q99qq2awpvu72mrs7gng84dkzyxcxk3q5gfwkx8 to address bc1q5chaqcn56sk2fq29z3cl37n5pfzhh06e2gx5uz, which is part of one of the wallets he was using at the time of the sweep, then OP should better know which wallet that was. If OP thinks he did the sweep himself, then I'm a bit puzzled he doesn't seem to know in which wallet that actually happened. As the swept coins are confirmed, they would certainly add to the balance of the used wallet (unless the wallet balance sync with the connected Electrum server(s) is screwed). But who am I to judge...

There is of course an attack vector possible: some malicious malware that exchanges bitcoin addresses that show up in the clipboard.


I have various other recommendations to bore you with and which are not easy to accept:
  • better not use your daily "computer and online shit" device for your crypto wallet stuff
  • while MacOS is likely a safer choice than Windows, apps from the fenced fallen fruit garden store are not guaranteed to be safe (I'm aware that on MacOS you're not limited to Apple's app store; my intent isn't to bash Apple here)
  • cloud storage is likely never safe in the context of crypto coin wallets


legendary
Activity: 1092
Merit: 1016
I believe I have swept the private keys somehow. Wasn't I supposed to use the original wallet keys of the actual wallet from which I have initiated the sweep?

So basically if I remember right this might be a very possible scenario.

I had the funds in some wallet -> transferred to this new wallet which was created from scratch. Then I have saved the seed somewhere. Then I believe I have used the SWEEP on this wallet and pasted some private keys. I'm not sure which private keys or how did I do it. So what can I do in this situation?

This is starting to make sense now...

And yes I believe I have exported those keys. That being said how can I access that wallet where the funds went after sweeping private keys?


You say you "have saved the seed somewhere".

So can you just try this: file -> new/restore -> standard wallet -> i already have a seed -> type your seed


legendary
Activity: 2380
Merit: 5213
The way I see it. I have opened the wallet containing the funds. Exported the private keys. Then probably by mistake I have used the sweep private keys (on the exact same wallet which had the funds). I don't think I've created a new wallet nor do I remember having any seed.
If you sweep the private key(s) into the same wallet, the fund should be sent back to the same wallet. Since the fund has been moved from your wallet, that doesn't seem to be the case.


I can't find any wallet file.
Did you check the default directory?
Where is the Electrum datadir located?


When you export the private keys, there's a long list of keys. I saw that you can import the wallet using only private key. Does it make any difference if you use all the private keys or only one of them? I can't remember if doing that sweep I have used a specific key or all of them...
There is no difference.
You can import/sweep any number of private keys.
newbie
Activity: 11
Merit: 0
Well I'm not quite sure I do understand.

The way I see it. I have opened the wallet containing the funds. Exported the private keys. Then probably by mistake I have used the sweep private keys (on the exact same wallet which had the funds). I don't think I've created a new wallet nor do I remember having any seed. I assume in order to sweep I was supposed to use the private keys for the current wallet (the one which had the funds right?).

I can't find any wallet file. When you export the private keys, there's a long list of keys. I saw that you can import the wallet using only private key. Does it make any difference if you use all the private keys or only one of them? I can't remember if doing that sweep I have used a specific key or all of them...
legendary
Activity: 2380
Merit: 5213
I believe I have swept the private keys somehow. Wasn't I supposed to use the original wallet keys of the actual wallet from which I have initiated the sweep?
For sweeping, you need the private key. If you do so, you have surely exported the private keys from the original wallet.


I had the funds in some wallet -> transferred to this new wallet which was created from scratch. Then I have saved the seed somewhere. Then I believe I have used the SWEEP on this wallet and pasted some private keys. I'm not sure which private keys or how did I do it. So what can I do in this situation?
If that's the case, now you need the seed phrase of the new wallet (the one in which you swept your private key) or its file to access the fund.


And yes I believe I have exported those keys. That being said how can I access that wallet where the funds went after sweeping private keys?
See if you can find the new wallet file.
newbie
Activity: 11
Merit: 0
I believe I have swept the private keys somehow. Wasn't I supposed to use the original wallet keys of the actual wallet from which I have initiated the sweep?

So basically if I remember right this might be a very possible scenario.

I had the funds in some wallet -> transferred to this new wallet which was created from scratch. Then I have saved the seed somewhere. Then I believe I have used the SWEEP on this wallet and pasted some private keys. I'm not sure which private keys or how did I do it. So what can I do in this situation?

This is starting to make sense now...

And yes I believe I have exported those keys. That being said how can I access that wallet where the funds went after sweeping private keys?
legendary
Activity: 2380
Merit: 5213
After a lot of digging, I discovered that the transaction was made at 18:42 (while I was home). And since there's no history of nothing I remember I have imported some private keys and I might have used Sweep.
You can't sweep a seed phrase. You can only sweep private keys. Do you remember exporting any of the private keys from your wallet?
If you swept your private key, the fund should have moved to a new wallet and it's normal that it's not displayed in the original wallet.
newbie
Activity: 11
Merit: 0
I know it might sound foolish but I believe that I might have been in this scenario:

If you've used the "sweep" functionality in Electrum to import private keys, it's important to understand that this process typically involves transferring the funds from the imported address to a new address controlled by the wallet. This means that after sweeping the private keys, the funds associated with those keys are no longer stored at the original address but have been moved to a new address within your Electrum wallet.

So if I have the seed and the private keys but I'm still unable to see the funds, what I'm supposed to do?

After a lot of digging, I discovered that the transaction was made at 18:42 (while I was home). And since there's no history of nothing I remember I have imported some private keys and I might have used Sweep. I don't know this for a fact but I'm trying to figure out if I have indeed used sweep and why I'm unable to see the funds.

So assuming I have used the sweep functionality is there anyway to figure out why the funds are not visible? I was reading somewhere that doing a new sweep (even if there's a new fee) might help.

I know that it sounds like I'm losing it but I've been thinking and I believe it is worth trying. I have nothing to lose, I've already considered the funds gone or stolen.

Also I read that my funds might be in a change address. I'm not sure how to check that if that's the case.
legendary
Activity: 3682
Merit: 1580
So we get back to the seed phrase... How that happened, it's still a mystery. I mean I'm more frustrated right now that I have no clue how it happened rather than that I have lost all the funds...
I can imagine how frustrating this is for you, but did you back up your seed phrase on paper? There are people who back up their seed phrase on paper and store it in locations around their house, only for the seed phrase to be exposed somehow and the funds stolen. Is this something that can possibly be put into consideration as one of the ways your funds were stolen?

He says he stored the seed words in a text file on his server. One should never store the seed like that.
hero member
Activity: 406
Merit: 443
Your hacked bitcoins have not moved since March 9, so they were most likely sent to a wallet and not an exchange. When these coins are moved, you may have a chance to try to track them.
Double-check that you have downloaded the correct wallet by verifying the signature.
Search the ESET antivirus logs for any activity at that time or search the logs of your computer.
If there is no activity, most likely your seeds have been discovered and it is best for you to consider creating a new wallet.
legendary
Activity: 2702
Merit: 3045
Is there any way that the time on the BTC transaction is wrong? (I mean at 20:42 I was not home). But is that 20:42 my actual time?
No one can tell for sure when the transaction was first broadcast. The time you see on blockexplorers is the block timestamp (when the block was mined) not the time when the transaction got broadcast.
Blockchain.com says the transaction was first seen 30 minutes earlier which might be accurate given the fee rate that has been set which is more than enough for a fast confirmation at that time.
The most likely scenario is that someone got access to your wallet seed and used it to restore the wallet and move the coins. Only you can figure out how this happened.
Sorry for your loss!
hero member
Activity: 994
Merit: 1089
So we get back to the seed phrase... How that happened, it's still a mystery. I mean I'm more frustrated right now that I have no clue how it happened rather than that I have lost all the funds...
I can imagine how frustrating this is for you, but did you back up your seed phrase on paper? There are people who back up their seed phrase on paper and store it in locations around their house, only for the seed phrase to be exposed somehow and the funds stolen. Is this something that can possibly be put into consideration as one of the ways your funds were stolen?
newbie
Activity: 11
Merit: 0
I have never exported nor saved my wallet's private keys. I know that for a fact. Just to double-check, I have searched all my computer clipboard history (I have an app called ClipMenu that saves the last X entries or so). I have also checked the history commands on my MacOS, virtual machine, Linux server, and so on. Nothing.

So we get back to the seed phrase... How that happened, it's still a mystery. I mean I'm more frustrated right now that I have no clue how it happened rather than that I have lost all the funds...
legendary
Activity: 2380
Merit: 5213
Well, it took 2 days, right? It's not clear to me how the wallet has been hacked.
What I said in my previous post was only a guess. We don't know what exactly happened. We don't know whether  someone had access to your seed phrase or it was a hack.


Someone generated wallet private keys and then brute-forced passwords until he managed to find the right one? Can you elaborate a little more in regards to the hacked wallet?
Your password encrypts your wallet file locally. Anyone who has access to your seed phrase or your private keys can steal the fund without any need for your password.
The thief would need your password if he has access to your wallet file and doesn't have your seed phrase.

Also note that brute forcing the seed phrase or private keys is impossible.
newbie
Activity: 11
Merit: 0
So I would say the seed was somehow stolen, used to recover the wallet, and transfer the funds.
This is my guess too. Someone probably had access to your seed phrase and made that transaction manually.
If your wallet had been hacked, it wouldn't take 2 days to steal the funds.

---

It's not clear to me how the wallet has been hacked. Someone generated wallet private keys and then brute-forced passwords until he managed to find the right one? Can you elaborate a little more in regards to the hacked wallet?


Let's assume my computer is somehow infected with a keylogger, any malware whatever. I'm using it daily with my bank account, Paypal, eToro whatever. I have emails, invoices, etc. It's really hard to believe that someone, even if it had access to my computer, waited and waited hoping that someday I'll have a BTC wallet on my computer and he can steal the seed phrase. I'm not saying it's not possible but...

Is there any way that the time on the BTC transaction is wrong? (I mean at 20:42 I was not home). But is that 20:42 my actual time?
legendary
Activity: 2380
Merit: 5213
I know they are lost for good. I still can't understand how it happened. I've already been contacted by someone pretending to be from PayBack-LTD. They provided a lot of explanations, some YouTube channels of their company etc. They want to pay $1500 upfront to recover my funds and 10% of the recovered amount. If nothing is recovered, then the $1500 paid is not refundable.
They are scammers. Don't trust them, if you don't want to lose more money. Bitcoin transactions are irreversible and no one can recover your fund.


So I would say the seed was somehow stolen, used to recover the wallet, and transfer the funds.
This is my guess too. Someone probably had access to your seed phrase and made that transaction manually.
If your wallet had been hacked, it wouldn't take 2 days to steal the fund.
newbie
Activity: 11
Merit: 0
I know they are lost for good. I still can't understand how it happened. I've already been contacted by someone pretending to be from PayBack-LTD. They provided a lot of explanations, some YouTube channels of their company etc. They want to pay $1500 upfront to recover my funds and 10% of the recovered amount. If nothing is recovered, then the $1500 paid is not refundable.

Sounds like a pretty good deal for them right?

I have scanned my computer with a ton of antivirus and anti-malware software, same my Linux server, and installed everything from ObjectiveSee as in malware monitoring tools. I have the firewall enabled on my iMac, the same goes for my Linux server. I've been working with Linux servers for years; no one ever hacked into any of my servers.

The curious thing is that the wallet is on my iMac, the seed phrase was saved on that Linux virtual machine on an encrypted partition (which unfortunately remained mounted). What's really curious: I generated the wallet on the 7th of March and got the funds in there. They were transferred/stolen almost 48 hours later. I haven't done anything unusual during this time, not installed any new software, nothing. So I would say that either my Linux server got hacked which I totally doubt or somehow someone was able to steal my iMac clipboard history (I have copied/pasted the seed phrase from iMac to Linux). So wallet was on one machine, and the seed was on a different machine. The wallet was protected with a password. I never save the passwords that I use for personal stuff and that I can remember in the clipboard nor do I copy/paste them. So I would say the seed was somehow stolen, used to recover the wallet, and transfer the funds.

What happened now, is unreal (not because it happened to me, I know a lot of people got scammed). Unreal because I'm not a noob when it comes to security. But I guess I was not careful enough! But it is what it is so I have to find a way to get over it.
hero member
Activity: 994
Merit: 1089
Any help is kindly appreciated. If any of you has any way of recovering those funds, I'm ready to split the 50/50 the entire amount (which was around 6K USD).
Sorry for your loss, and it is worth mentioning that if anyone contacts you privately saying they can help recover your funds, do not believe them, as the person is probably a scammer. There is actually no way to recover those funds and it may be best to take it as a lesson to store your funds offline, either in a hardware wallet or an airgapped wallet, and add extra layers of security such as a passphrase or setting up a multisig wallet.
legendary
Activity: 2072
Merit: 4265
I'm using this type of partition for the last 5-6 years or more. The only way I see here is that somehow there's some sort of malware on my iMac or some clipboard copier or whatever but I can't figure out how to check that

Several years ago, there was a virus called ElectroRAT. If you say that you have been using a server on a virtual machine for several years, could a similar virus somehow hide in your system and wait for the right moment to connect to your crypto wallet? It’s just that all your actions show that you are careful when using the computer, but if there was remote access, your actions could be monitored by virus software.

https://intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
legendary
Activity: 1624
Merit: 2594
Is there any way to figure out where that the receiving BTC address was created? As in which wallet? country maybe. Just curious...

Unfortunately, that's close to impossible. That address has only been used once so far, to receive coins, so there are no blockchain traces that could lead to any information about the owner. Note that wallets (and addresses) can be created completely offline and the blockchain does not save any information of them, unless you make a transaction.  So all you can do now is track where the coins will end up next.