
Topic: Electrum Wallet drained after login - page 2. (Read 338 times)

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 11, 2025, 08:39:33 PM
#15
This can't be repeated often enough: do NOT use your daily computer for crypto wallet stuff, especially when you're using Windows!

Get a cheap used laptop; install the latest firmware[1]; wipe storage and install a Linux distro (encrypted filesystem for additional safety against theft, but do NOT lose your encryption passphrase!); avoid browsing funky websites with this machine (it's OK to visit mempool.space for transaction fee estimation with it); avoid reading your mails on this device; avoid installing browser extensions in the installed browsers; avoid installing or experimenting with software on this device; install only the very minimum and necessary software to verify genuine wallet software or anything you might need for using a hardware wallet.

Always, without exception, from the beginning until the latest update, verify that wallet software is genuine and download only from a verified genuine source. Do not trust search engine results, as top hits may be paid hits by attackers.

Electrum: https://electrum.org
Sparrow: https://sparrowwallet.com/
Bitcoin Core: https://bitcoincore.org   ---   bitcoin.org isn't the primary site for Bitcoin Core



[1] If it's on the latest firmware, check if you can downgrade to the previous firmware and re-apply the latest firmware. This should ensure that your BIOS firmware hasn't been tampered with.
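The post above says to verify the wallet download but not how. The following is an added example, not code from the thread or from the Electrum project: a PowerShell function for the Windows machine discussed in this thread (the same gpg command line applies on Linux) that checks a downloaded installer against its detached .asc signature with gpg and, crucially, pins the signer's key fingerprint rather than trusting the words "Good signature". It assumes gpg is installed (Gpg4win on Windows), that the maintainer's public key has already been imported, and that the expected fingerprint was copied by hand from the wallet's official site; the file names and the fingerprint placeholder are assumptions.

```powershell
# Added example (not from the thread or from Electrum): verify a downloaded installer
# against its detached signature and pin the signer's fingerprint.
# Assumes gpg is on PATH (Gpg4win on Windows) and the signing key is already imported.

function Test-SignedDownload {
    param(
        [Parameter(Mandatory)] [string] $File,                # e.g. the downloaded .exe (assumed name)
        [Parameter(Mandatory)] [string] $Signature,           # the matching .asc file
        [Parameter(Mandatory)] [string] $ExpectedFingerprint  # 40 hex chars, copied from the official site
    )
    $expected = ($ExpectedFingerprint -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{40}$') {
        throw 'Expected fingerprint must be 40 hex characters (spaces are allowed)'
    }

    # --status-fd 1 makes gpg print machine-readable lines on stdout, e.g.
    #   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <exp> <ver> <res> <pk-algo> <hash> <class> <primary-key-fpr>
    # The human-readable "Good signature from ..." text goes to stderr and is discarded here.
    $status = & gpg --batch --status-fd 1 --verify $Signature $File 2>$null
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Ok = $false; Reason = "gpg exit code $LASTEXITCODE (bad signature, or signing key not imported)" }
    }

    $valid = $status | Where-Object { $_ -like '[GNUPG:] VALIDSIG *' } | Select-Object -First 1
    if (-not $valid) {
        return [pscustomobject]@{ Ok = $false; Reason = 'no VALIDSIG line in gpg output' }
    }

    $fields     = $valid -split ' '
    $signingKey = $fields[2].ToUpperInvariant()   # key (or subkey) that made the signature
    $primaryKey = $fields[-1].ToUpperInvariant()  # primary key it belongs to

    if ($expected -ne $signingKey -and $expected -ne $primaryKey) {
        # A *valid* signature from the wrong key is exactly what a trojanised mirror gives you:
        # gpg is happy, but the signer is not the maintainer whose fingerprint you pinned.
        return [pscustomobject]@{ Ok = $false; Reason = "valid signature, but made by $primaryKey, not $expected" }
    }

    [pscustomobject]@{
        Ok     = $true
        Reason = "signature valid and made by pinned key $primaryKey"
        Sha256 = (Get-FileHash -Path $File -Algorithm SHA256).Hash  # record for your own notes
    }
}

# Usage (file names and the fingerprint are placeholders you replace):
#   gpg --import .\maintainer-key.asc
#   Test-SignedDownload -File .\wallet-setup.exe -Signature .\wallet-setup.exe.asc `
#       -ExpectedFingerprint '<40-hex fingerprint published on the wallet's official site>'
```

Note that gpg --verify alone only proves the file was signed by some key in your keyring; the fingerprint comparison is what ties it to the real maintainer, so the fingerprint must come from a source other than the download link you are checking.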
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
January 11, 2025, 06:54:53 PM
#14
No, I had not. After Windows Defender hadn't detected anything, I downloaded Avast and Malwarebytes afterwards.
It's not just Windows that should be genuine but also the other apps you are using, as you might have downloaded an app you regularly use that was modified by hackers so that it works the same way but also executes something like downloading software without you being aware of it or getting any notification, or it shows up as an update of the app. That's why it's better to download the genuine one rather than a pirated one.
?
Activity: -
Merit: -
January 11, 2025, 06:35:58 PM
#13
The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC.
Have you considered using another computer with a freshly installed operating system for Bitcoin and Bitcoin only? Preferably one with a freshly installed and properly verified Linux distribution. Windows is WAY more likely to become infected than a Linux distribution is.

Unfortunately, sometimes there will be a few victims before somebody finally reports the infected file and the companies finally start recognizing it as malicious. Maybe you were the victim of fresh malware. Also, did you have Spybot, Windows Defender, Avast and Malwarebytes all installed and running at the same time? It sounds like a disaster that was waiting to happen!

If you still want to continue using Windows for your Bitcoin holdings, make sure the copy you are installing is genuine. Running a pirated copy of Windows can also put you at risk.

No, I had not. After Windows Defender hadn't detected anything, I downloaded Avast and Malwarebytes afterwards.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
January 11, 2025, 06:31:27 PM
#12
The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC.
Have you considered using another computer with a freshly installed operating system for Bitcoin and Bitcoin only? Preferably one with a freshly installed and properly verified Linux distribution. Windows is WAY more likely to become infected than a Linux distribution is.

Unfortunately, sometimes there will be a few victims before somebody finally reports the infected file and the companies finally start recognizing it as malicious. Maybe you were the victim of fresh malware. Also, did you have Spybot, Windows Defender, Avast and Malwarebytes all installed and running at the same time? It sounds like a disaster that was waiting to happen!

If you still want to continue using Windows for your Bitcoin holdings, make sure the copy you are installing is genuine. Running a pirated copy of Windows can also put you at risk.
?
Activity: -
Merit: -
January 11, 2025, 06:21:50 PM
#11
Could you tell us what Malwarebytes called this malware? It's very concerning if other antivirus software is not able to detect it.

Malwarebytes isn't very specific, but it has detected the following:
- Trojan.Crypt.MSIL
- Trojan.Script
- Malware.Heuristic.2512
- Malware.AI.4087337973
- MachineLearning/Anomalous.97%

The first two were located in the Startup folder and in a file in the user folder, as ISCOMPLETED.vbs and an .exe.

Malwarebytes also blocks InstallUtil.exe, located in the .NET\Framework folder, from trying to connect to 95.211.208.153:8808, which is some AsyncRAT thing: https://threatfox.abuse.ch/ioc/1263302/
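The post above gives three concrete artefacts: a script in the Startup folder, a .NET InstallUtil.exe process, and an outbound connection to 95.211.208.153:8808. The following is an added example, not code from the thread, showing how to hunt for those on a Windows 10 machine from an elevated PowerShell prompt. It uses only the values quoted in the post plus the Run registry keys as an extra persistence location (an addition for completeness, not something the poster reported); the exact file name and endpoint are one sample, not a complete indicator list.

```powershell
# Added example (not from the thread): triage hunt for the artefacts reported in the post.
# Run from an elevated PowerShell 5.1+ prompt on Windows 10.

$C2Address         = '95.211.208.153'   # from the post
$C2Port            = 8808               # from the post
$SuspectScriptName = 'ISCOMPLETED.vbs'  # from the post

function Get-StartupPersistence {
    # Per-user and all-users Startup folders (what the post mentions) plus the
    # HKCU/HKLM Run keys (added here as the other common autostart location).
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File -Force |
            Where-Object { $_.Extension -in '.vbs', '.js', '.wsf', '.ps1', '.bat', '.cmd', '.exe', '.lnk' } |
            ForEach-Object {
                [pscustomobject]@{
                    Source = 'StartupFolder'
                    Item   = $_.FullName
                    Flag   = if ($_.Name -ieq $SuspectScriptName) { 'MATCHES-POST' } else { 'review' }
                }
            }
    }
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |     # drop the provider's own PSPath etc.
            ForEach-Object {
                [pscustomobject]@{ Source = $key; Item = "$($_.Name) = $($_.Value)"; Flag = 'review' }
            }
    }
}

function Get-C2Connections {
    # Any TCP connection to the reported endpoint, resolved to the owning process.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Address -and $_.RemotePort -eq $C2Port } |
        ForEach-Object {
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                State   = $_.State
                Pid     = $_.OwningProcess
                Process = $proc.Name
                Path    = $proc.ExecutablePath
                Parent  = $proc.ParentProcessId
            }
        }
}

function Get-SuspiciousInstallUtil {
    # InstallUtil.exe is a legitimate .NET SDK tool that almost never runs on a home PC;
    # a running copy with an odd parent (script host, unknown .exe) deserves a close look.
    Get-CimInstance Win32_Process -Filter "Name = 'InstallUtil.exe'" |
        ForEach-Object {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Pid         = $_.ProcessId
                Path        = $_.ExecutablePath
                CommandLine = $_.CommandLine
                ParentName  = $parent.Name
                ParentPath  = $parent.ExecutablePath
            }
        }
}

Get-StartupPersistence    | Format-Table -AutoSize
Get-C2Connections         | Format-Table -AutoSize
Get-SuspiciousInstallUtil | Format-List
```

Empty output from all three is not proof of a clean machine, since a RAT that is already running can hide from tools run on the same host; the value here is confirming and documenting the infection before the wipe the poster is already doing, and checking other machines that share the same downloads or accounts.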
legendary
Activity: 2604
Merit: 2353
January 11, 2025, 05:38:31 PM
#10
So I want to know how that was possible and if this could be a real scenario. I had the wallet since 2017.

I guess anything is possible, especially on Windows systems that are susceptible to malware attacks. Personally, I've had Electrum as a hot wallet on my PC for years without any problems. Have you been able to scan the system with a good antivirus and antimalware program to see if it detects anything?

The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC. So that should not be the problem anymore.
My wallet was also password protected, which is why I am asking myself if malware just waits till the wallet has been opened.
However, if you have used a strong password to encrypt your wallet then the hacker can't do anything with the encrypted file and he will have to wait for you till you open the wallet and type the password.

The most disgusting thing about it may be the fact that someone "real" has been waiting for the right moment to attack.
Could you tell us what Malwarebytes called this malware? It's very concerning if other antivirus software is not able to detect it. You are not the first one reporting a hack of an Electrum wallet these days. I hope a piece of malware is not spreading like wildfire. Anyway, crypto users should always be careful and use a cold wallet when they start to hold quite large amounts of crypto.
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
January 11, 2025, 05:34:38 PM
#9
There's a possibility that your seed phrase was stolen by other people through malware. There is malware that does that, where it records your keystrokes and sends them to the hacker. After the hacker has access to your seed phrase, they can import it into a different wallet. It could also be different malware that your device is infected with, as explained by other forum members. So it's better that you don't download anything you see on the internet, to avoid getting malware online.
legendary
Activity: 1554
Merit: 880
Wallet transaction notifier @txnNotifierBot
January 11, 2025, 05:24:21 PM
#8
I could only think that your device is infected: the moment you open the Electrum app with an internet connection triggers an autorun saved on your device that completes the transfer. Better to reformat and install a new OS on your device; Windows 10 has reformat settings, so it can help to retain your Windows product key while everything is almost new.
?
Activity: -
Merit: -
January 11, 2025, 04:18:04 PM
#7
So I want to know how that was possible and if this could be a real scenario. I had the wallet since 2017.

I guess anything is possible, especially on Windows systems that are susceptible to malware attacks. Personally, I've had Electrum as a hot wallet on my PC for years without any problems. Have you been able to scan the system with a good antivirus and antimalware program to see if it detects anything?

The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC. So that should not be the problem anymore.
My wallet was also password protected, which is why I am asking myself if malware just waits till the wallet has been opened.
However, if you have used a strong password to encrypt your wallet then the hacker can't do anything with the encrypted file and he will have to wait for you till you open the wallet and type the password.

The most disgusting thing about it may be the fact that someone "real" has been waiting for the right moment to attack.
legendary
Activity: 1526
Merit: 1359
January 11, 2025, 04:13:21 PM
#6
So I want to know how that was possible and if this could be a real scenario. I had the wallet since 2017.

I guess anything is possible, especially on Windows systems that are susceptible to malware attacks. Personally, I've had Electrum as a hot wallet on my PC for years without any problems. Have you been able to scan the system with a good antivirus and antimalware program to see if it detects anything?
legendary
Activity: 2772
Merit: 3114
Top Crypto Casino
January 11, 2025, 04:12:11 PM
#5
My wallet was also password protected, which is why I am asking myself if malware just waits till the wallet has been opened.
That's most likely what happened.
If your device is infected with malware then the hacker may have full control over it and will have access to all your files, including the wallet file.
However, if you have used a strong password to encrypt your wallet then the hacker can’t do anything with the encrypted file and he will have to wait for you till you open the wallet and type the password.

As you already know, there isn’t much you can do to get back that money without knowing the identity of the hacker but what you need to do is to stop using that wallet and create a new one on a clean device.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
January 11, 2025, 04:03:10 PM
#4
Maybe someone can help me understand how this could have occurred.

Indeed, if you had coins for months and now they were transferred, either your computer is infected, or you've updated your Electrum from a wrong/malicious place.

how could this even happen? Is this a real Trojan attack where they scan for open wallets?

I will come with some guesses.
They can scan for what processes are open. If Electrum comes up, the trojan can send "home" various info, including your keystrokes (i.e. your seed if you enter it, or your wallet password). If you have the wallet file in a standard location, that can also be sent.
Of course, if the trojan is the electrum itself (hence the question where it was downloaded from, was it verified), then it's even easier to steal.

I know the money is gone, and I’ll have to live with that.

Make sure you never use that wallet/that seed again. I recommend you either get a hardware wallet or learn cold storage (the cheapest is a USB stick with Tails OS you can boot from, with no internet ever, but it's not so easy/straightforward). Also make sure you generate your wallet offline and the new seed never goes online.
?
Activity: -
Merit: -
January 11, 2025, 03:56:30 PM
#3
Your PC could have been infected with malware via downloading and installing some random apps. Which operating system have you been using?

Did you download the electrum app from the official source and even verify the signature?

It's a Win10 machine; the wallet (as portable version) was downloaded from the original website and I used it for years without any problems. My wallet was also password protected, which is why I am asking myself if malware just waits till the wallet has been opened.

Don't get me wrong, there is nothing I can do now, but I don't want to make the same mistake twice. So I want to know how that was possible and if this could be a real scenario. I had the wallet since 2017.
legendary
Activity: 2394
Merit: 1276
Heisenberg
January 11, 2025, 03:50:17 PM
#2
Your PC could have been infected with malware via downloading and installing some random apps. Which operating system have you been using?

Did you download the electrum app from the official source and even verify the signature?
?
Activity: -
Merit: -
January 11, 2025, 03:39:38 PM
#1
Hey community,

I have a problem with my Electrum wallet and keep wondering how this could have happened.

Today, I opened my Electrum wallet for the first time in a few months and noticed that a transaction was made, resulting in an empty wallet. It definitely wasn't me.

I’m not sure if I opened Electrum and left it running for a few minutes while completing other tasks before fully checking the program. The transaction happened 10 minutes before I noticed it. If I followed the BTC chain correctly, my BTCs were transferred to a Robinhood wallet, so it clearly wasn’t me.

I know the money is gone, and I’ll have to live with that. However, I keep asking myself: how could this even happen? Is this a real Trojan attack where they scan for open wallets?

Maybe someone can help me understand how this could have occurred.

Thanks a lot!