Topic: Electrum Wallet drained after login (Read 338 times)

legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
January 15, 2025, 08:48:46 AM
#35

Probably some trojan or malware you got from some p0rn site. Just kidding... But the method is the same. Either your keys were leaked, or you installed a compromised Electrum wallet.
Or as I said, you have an STD on your PC that looks harmless, but is waiting for you to open your wallet

This is one of the options, no doubt about it. Although it seems to me that if the OP is a player, and gambling is conducted from the same device where he stored his seed phrases and passwords, then there is nothing surprising about where he could get a bunch of viruses from. Just one phishing link is enough; the RAT virus that was detected in him monitored all file openings. And the keylogger quickly transferred his wallet password to the right place. It is surprising that Windows, gambling, and finances for many still exist as something harmless, publicly available, used together, and in the literal sense.
hero member
Activity: 784
Merit: 672
Top Crypto Casino
January 14, 2025, 05:26:54 PM
#34
Funny but yeah all the same source. All of the .exe files were installed on the same date at the same time.
The hackers often obfuscate their malware and that's the reason why most anti-virus software and scanners can't find the malware in a system. Of course after reading your posts and reading most of the posts in this thread, I also came to the conclusion that your computer was infected with a malware and that's the reason why your wallet was drained.

I also suggest you always keep your wallet and wallet-related information in a separate system because these days hackers try their best to steal Bitcoin. I would also suggest you try storing your Bitcoin in a cold wallet as that's much safer than hot wallets. Personally, I also use Electrum wallet on Windows and so far I haven't faced any issue. I must say that I have a separate system where I connect my wallet and kept it there and it has been safe for me. However, my holdings are still in a wallet that is not connected to the internet.
?
Activity: -
Merit: -
January 14, 2025, 04:58:34 PM
#33

Malwarebytes isn't pretty specific but it has detected the following:
- Trojan.Crypt.MSIL
- Trojan.Script
- Malware.Heuristic.2512
- Malware.AI.4087337973
- MachineLearning/Anomallous.97%

The first two were located at the Startup folder and file in the user folder as ISCOMPLETED.vbs and .exe



Wow, with such a bunch of malware lurking in various corners of your machine it is hard to expect the safety for your stash. It's not a matter of "if" but "when" your wallet had to be emptied; it is inevitable. I only wonder what concrete malware had its fingers in the pie. Besides, it is hard to believe that all of them came from the same malicious source. Probably there was something like competition between different intruders.
Funny but yeah all the same source. All of the .exe files were installed on the same date at the same time. Crazy, isn't it? Anyway, thank you guys for helping me figure things out. I think I am going to switch to a hw wallet but so far not sure which model I chose.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
January 14, 2025, 04:00:38 PM
#32
[1] If it's on latest firmware, check if you can downgrade to previous firmware and re-apply latest firmware. This should ensure that your BIOS firmware isn't tampered.
Mind sharing why this ensures that the BIOS has not been tampered with? I have never heard of this option. Downgrade and then re-apply the latest? Is it about the signature verification?

-----

They've done a lot of oddities, the last one being a "feature" to recover the seed off the HW (and no, not in the moment it is generated).
Is it the 'cloud' Service they started offering a while ago or is it something entirely different?  I just realized how stupid things are with the Ledger.  You could pay them to store your Seed onto their Servers but I am pretty sure there is no way you can see the Seed yourself!  I think it was impossible to see the Seed again if you lost your piece of paper holding it, or forgot where your washers were buried at!
sr. member
Activity: 672
Merit: 295
January 14, 2025, 01:11:29 PM
#31
Your PC could have been infected with malware via downloading and installing some random apps. Which operating system have you been using?

Did you download the electrum app from the official source and even verify the signature?

It's a Win10 machine, the wallet (as portable version) was downloaded from the original website and I used it for years without any problems. My wallet was also password protected which is why I am asking myself if malware just waits till the wallet has been opened.

Don't get me wrong, there is nothing I can do now but I don't want to make the same mistake twice. So I want to know how that was possible and if this could be a real scenario. I had the wallet since 2017.
If your device is fully secured, and you are very sure that no malware attack will affect your device as you said, then you have revealed your private key to someone or someone has access to your private key without you knowing about it, and the person has done it by sending out all your Bitcoin to his wallet.

It is still possible to have a malware attack even in the latest Windows because most of these antivirus are not fully secured and some of these Windows Defenders do get outdated before our notice which can also attract malware.
Next time, make sure you save your seed phrase in a secured and reliable place because it is very possible that the Bitcoin was stolen by someone who has access to your private key.
hero member
Activity: 714
Merit: 1298
January 14, 2025, 09:23:41 AM
#30

Malwarebytes isn't pretty specific but it has detected the following:
- Trojan.Crypt.MSIL
- Trojan.Script
- Malware.Heuristic.2512
- Malware.AI.4087337973
- MachineLearning/Anomallous.97%

The first two were located at the Startup folder and file in the user folder as ISCOMPLETED.vbs and .exe



Wow, with such a bunch of malware lurking in various corners of your machine it is hard to expect the safety for your stash. It's not a matter of "if" but "when" your wallet had to be emptied; it is inevitable. I only wonder what concrete malware had its fingers in the pie. Besides, it is hard to believe that all of them came from the same malicious source. Probably there was something like competition between different intruders.
hero member
Activity: 462
Merit: 767
Instant cryptocurrency exchange with own reserves!
January 14, 2025, 12:19:46 AM
#29
Thanks for sharing this here. With the newly installed PC, make sure you do not download anything from unknown sources. The scammers are getting smart and some of their malware can skip the antivirus just like some of the antivirus didn't detect anything in your PC. In this case, Malwarebytes helped you to find the malware. But who knows, there might be other malware out there that Malwarebytes cannot detect.

So, the idea is not to download anything from unknown sources. This is the 2nd case I have seen in the last couple of months where a member complained about getting drained after opening their Electrum wallet, even though it was downloaded from an official website.
?
Activity: -
Merit: -
January 13, 2025, 06:07:45 PM
#28
So it was a spyware or keylogger, or some script that executed right after you entered your password.
They were monitoring you, and waiting for you to allow them access, and they took advantage of it.
I'd run a deep scan of your PC before anything else. Best bet, format your drive
Thanks, already did that. Right after the transaction I scanned with the tools one by one and plugged the network cable after to prevent myself. In fact I am posting with the newly installed PC.
hero member
Activity: 2086
Merit: 761
Top-tier crypto casino and sportsbook
January 13, 2025, 06:03:31 PM
#27
So it was a spyware or keylogger, or some script that executed right after you entered your password.
They were monitoring you, and waiting for you to allow them access, and they took advantage of it.
I'd run a deep scan of your PC before anything else. Best bet, format your drive
?
Activity: -
Merit: -
January 13, 2025, 06:01:38 PM
#26
I know the money is gone, and I’ll have to live with that. However, I keep asking myself: how could this even happen? Is this a real Trojan attack where they scan for open wallets?
There is no login option with Electrum wallet, but if you are using wind0ws OS then there is a chance your computer was infected with some malware or keylogger.
Something like this can happen if your seed words got leaked and compromised, either you kept them online, or in digital format on your computer, you should never do that.
Keeping backup offline and using hardware wallets are the good way to improve protection for your coins.
I know there is no login, but you can protect your wallet with a password which you have to insert every time
legendary
Activity: 2212
Merit: 7064
January 13, 2025, 05:10:04 PM
#25
I know the money is gone, and I’ll have to live with that. However, I keep asking myself: how could this even happen? Is this a real Trojan attack where they scan for open wallets?
There is no login option with Electrum wallet, but if you are using wind0ws OS then there is a chance your computer was infected with some malware or keylogger.
Something like this can happen if your seed words got leaked and compromised, either you kept them online, or in digital format on your computer, you should never do that.
Keeping backup offline and using hardware wallets are the good way to improve protection for your coins.
hero member
Activity: 2086
Merit: 761
Top-tier crypto casino and sportsbook
January 12, 2025, 12:33:46 PM
#24
Hey community,

I have a problem with my Electrum wallet and keep wondering how this could have happened.

Today, I opened my Electrum wallet for the first time in a few months and noticed that a transaction was made, resulting in an empty wallet. It definitely wasn’t me.

I’m not sure if I opened Electrum and left it running for a few minutes while completing other tasks before fully checking the program. The transaction happened 10 minutes before I noticed it. If I followed the BTC chain correctly, my BTCs were transferred to a Robinhood wallet, so it clearly wasn’t me.

I know the money is gone, and I’ll have to live with that. However, I keep asking myself: how could this even happen? Is this a real Trojan attack where they scan for open wallets?

Maybe someone can help me understand how this could have occurred.

Thanks a lot!

Probably some trojan or malware you got from some p0rn site. Just kidding... But the method is the same. Either your keys were leaked, or you installed a compromised Electrum wallet.
Or as I said, you have an STD on your PC that looks harmless, but is waiting for you to open your wallet
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
January 12, 2025, 08:51:51 AM
#23
I'm thinking about buying a Ledger, can they still be recommended without hesitation?

No. Not Ledger. They've done a lot of oddities, the last one being a "feature" to recover the seed off the HW (and no, not in the moment it is generated).
If you don't want to take chances of getting surprises in their (closed source) software, avoid Ledger.
I've done the same, I have now my Ledger no longer used, no longer useful. I've bought a Trezor (in my case Trezor Safe 3) and for now I'm happy with the purchase.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 12, 2025, 08:45:06 AM
#22
This here was "only" ~% of my BTC holdings. ... In fact, I'm thinking about buying a Ledger, can they still be recommended without hesitation?
Try to avoid disclosing how many coins you might have. It's not needed to do it here.

Ledger crap is closed-source firmware where nobody knows what's going on. For years Ledger's marketing fools kept spinning the mantra "your private keys or seed can't leave the device". Guess what they've implemented in their firmware for their stupid Seed Recovery subscription service? The firmware of currently supported Ledger hardware crap has code to allow the (encrypted) extraction of your wallet's seed secret to Ledger Live and from there to multiple involved companies that Ledger chose for their Seed Recovery service! This is bonkers, to say the least!

To the folks who say, you don't have to use and pay this recovery service, you're safe, I would reply and emphasize that the code to extract your Ledger's seed is in the firmware. It's kind of a backdoor and because the firmware is closed-source, you can't inspect if and how it's implemented properly and safely.

YMMV, but I would choose a hardware wallet that has reproducible and open-source firmware and accompanying wallet software.

As I'm a shitcoin minimalist, I've chosen a BitBox02 for myself. I would be fine with a Trezor Safe 5 or (better) a Foundation Devices Passport 2 or their newest device isn't bad either. A Krux wallet is nice too, and purchasing the hardware for it doesn't leave a trace associated with crypto coins.
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN
January 12, 2025, 05:00:00 AM
#21
Thanks man! I've split my crypto on different wallets including Kraken. This here was "only" ~20% of my BTC holdings. I know it's little consolation, but it could have turned out much worse. In fact, I'm thinking about buying a Ledger, can they still be recommended without hesitation?

I don't know man! I'm not an expert in this field. You can check this post if you have the time (Show off your hardware wallet) or ask anyone from there. They seem to be using hardware wallets, showing pictures to others and sharing their personal experiences with HW's. They can answer you better, more practically. Lastly, whatever you do, do your own research.
?
Activity: -
Merit: -
January 12, 2025, 04:27:37 AM
#20
Who uses multiple antivirus software at the same time on the same system anyway!?. They would have been able to work properly, conflicting with each other. Bad idea cause it'll make the system much heavier and slow!

That's a misunderstanding. I had Windows Defender and Spybot running to check my PC after the transaction happened. Both didn't find anything so I installed Avast. Same result, then Malwarebytes. I am not that stupid but I was sure that something was totally wrong. As I mentioned only Malwarebytes was able to detect the things I've written above.

Sorry to hear that mate! I'm guessing you are using Windows right? It's pretty easy to break into it. I have been a victim of ransomware malware and clipboard virus a couple of times, and it really sucked. I think it's time for you to change OS and shift to a Linux distro.

Better if you use a hardware wallet or an airgapped device, if you don't intend to move your assets that frequently.

Thanks man! I've split my crypto on different wallets including Kraken. This here was "only" ~20% of my BTC holdings. I know it's little consolation, but it could have turned out much worse. In fact, I'm thinking about buying a Ledger, can they still be recommended without hesitation?
sr. member
Activity: 630
Merit: 277
January 12, 2025, 02:37:46 AM
#19
Hey community,

I have a problem with my Electrum wallet and keep wondering how this could have happened.

Today, I opened my Electrum wallet for the first time in a few months and noticed that a transaction was made, resulting in an empty wallet. It definitely wasn’t me.

I’m not sure if I opened Electrum and left it running for a few minutes while completing other tasks before fully checking the program. The transaction happened 10 minutes before I noticed it. If I followed the BTC chain correctly, my BTCs were transferred to a Robinhood wallet, so it clearly wasn’t me.

I know the money is gone, and I’ll have to live with that. However, I keep asking myself: how could this even happen? Is this a real Trojan attack where they scan for open wallets?

Maybe someone can help me understand how this could have occurred.

Thanks a lot!
Did you by any chance click on any link or download an update? Maybe there might have been a fake update prompt and once you download any of such updates, you become a victim. If this is not the case, you should be very careful next time when clicking links or downloading anything and ensure that you always download updates from Electrum's official website only.

Since you said the transaction happened 10 minutes before you noticed it, I would have assumed that someone who knows you must have had access to your seedphrase which he used to initiate the transaction. Anything must have happened, so be extremely careful next time.
legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
January 12, 2025, 12:58:43 AM
#18
Along with your innovations and a new and clean system, you must determine the level of security on the computer that provides crypto transactions.
You write that you have been using this wallet for quite a long time, but what was in the interval of that time? Does someone have access to your computer? Children, games, surfing—this will be an open window for entering various junk viruses.
Also, a licensed system, firstly, without various types of "left" activation keys. If you follow your link showing what malware was on your computer, then "AsyncRAT is a remote access trojan (RAT), which allows attackers to remotely control computers in an infected network."
Someone waited an hour to send your funds to themselves.
full member
Activity: 97
Merit: 43
January 11, 2025, 11:29:28 PM
#17
This can't be repeated often enough: do NOT use your daily computer for crypto wallet stuff, especially when you're using Windows!
Linux is better but if using Windows with a hot wallet for small funds, it's acceptable.
It is acceptable to use hot wallet on mobile devices too.

Bottom line is with biggest part of your capital, store it in safer OS like Linux and cold storage wallets, hardware wallets.

Recommended wallets.
Quote
Wallet Basics:

Do not use wallets that don't give you recovery data; these wallets are likely controlling your keys.
Do not use paper wallets unless you're an advanced user who understands all the risks.
Do not store large amounts of value in single signature wallets.
Make sure your heirs know how to recover your wallets without you!

Best wallets.

Quote
Two guides for using Electrum wallet more carefully and safer with basic steps: download it from official site, verify it before using, backup the wallet, test the backup in recovery step before funding it.
[GUIDE] How to Safely Download and Verify Electrum.
The paranoid user's security guide for using Electrum safely.
sr. member
Activity: 322
Merit: 318
The Alliance Of Bitcointalk Translators - ENG>BAN
January 11, 2025, 09:15:30 PM
#16
Sorry to hear that mate! I'm guessing you are using Windows right? It's pretty easy to break into it. I have been a victim of ransomware malware and clipboard virus a couple of times, and it really sucked. I think it's time for you to change OS and shift to a Linux distro.

Better if you use a hardware wallet or an airgapped device, if you don't intend to move your assets that frequently.

The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC.
Did you have all Spybot, Windows Defender, Avast and Malwarebytes installed and running at the same time?  It sounds like a disaster that was waiting to happen!

Who uses multiple antivirus software at the same time on the same system anyway!?. They would have been able to work properly, conflicting with each other. Bad idea cause it'll make the system much heavier and slow!
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
January 11, 2025, 08:39:33 PM
#15
This can't be repeated often enough: do NOT use your daily computer for crypto wallet stuff, especially when you're using Windows!

Get a cheap used laptop; install latest firmware[1]; wipe storage and install a Linux distro (encrypted filesystem for additional safety against thefts, but do NOT lose your encryption passphrase!); avoid browsing funky websites with this machine, it's OK to visit mempool.space for transaction fee estimation with it; avoid reading your mails on this device; avoid installing browser extensions on installed browsers; avoid installing or experimenting with software on this device; install only the very minimum and necessary software to verify genuine wallet software or anything you might need for using a hardware wallet.

Always, without exception from beginning until the latest update, verify wallet software that it's genuine and download only from verified genuine source. Do not trust search engine query results as top hits may be paid hits by attackers.

Electrum: https://electrum.org
Sparrow: https://sparrowwallet.com/
Bitcoin Core: https://bitcoincore.org   ---   bitcoin.org isn't the primary site for Bitcoin Core



[1] If it's on latest firmware, check if you can downgrade to previous firmware and re-apply latest firmware. This should ensure that your BIOS firmware isn't tampered.
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
January 11, 2025, 06:54:53 PM
#14
No I had not. After Windows Defender hadn't detected anything, I downloaded Avast and Malwarebytes afterwards.
It's not just the Windows that should be genuine but also other apps that you are using as you might have downloaded an app that you regularly use when it's modified by hackers that it works the same way but it executes something like downloading software that you won't be aware or doesn't have notification that you are downloading something or it shows as updating the app. That's why it's better to download the genuine one rather than the pirated one.
?
Activity: -
Merit: -
January 11, 2025, 06:35:58 PM
#13
The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC.
Have you considered using another computer with a freshly installed Operating System for Bitcoin and Bitcoin only?  Preferably one with a freshly installed and properly verified Linux Distribution.  Windows is WAY more likely to become infected than a Linux Distribution is.

Unfortunately, sometimes there will be a few victims before somebody finally reports the infected file and the companies finally start recognizing it as malicious.  Maybe you were the victim of a fresh malware.  Also.  Did you have all Spybot, Windows Defender, Avast and Malwarebytes installed and running at the same time?  It sounds like a disaster that was waiting to happen!

If you still want to continue using Windows for your Bitcoin holdings, make sure the copy you are installing is genuine.  Running a pirated copy of Windows can also put you at risk.

No I had not. After Windows Defender hadn't detected anything, I downloaded Avast and Malwarebytes afterwards.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
January 11, 2025, 06:31:27 PM
#12
The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC.
Have you considered using another computer with a freshly installed Operating System for Bitcoin and Bitcoin only?  Preferably one with a freshly installed and properly verified Linux Distribution.  Windows is WAY more likely to become infected than a Linux Distribution is.

Unfortunately, sometimes there will be a few victims before somebody finally reports the infected file and the companies finally start recognizing it as malicious.  Maybe you were the victim of a fresh malware.  Also.  Did you have all Spybot, Windows Defender, Avast and Malwarebytes installed and running at the same time?  It sounds like a disaster that was waiting to happen!

If you still want to continue using Windows for your Bitcoin holdings, make sure the copy you are installing is genuine.  Running a pirated copy of Windows can also put you at risk.
?
Activity: -
Merit: -
January 11, 2025, 06:21:50 PM
#11
Could you tell us how this malware has been called by Malwarebytes? It's very concerning if other antivirus softwares are not able to detect it.

Malwarebytes isn't pretty specific but it has detected the following:
- Trojan.Crypt.MSIL
- Trojan.Script
- Malware.Heuristic.2512
- Malware.AI.4087337973
- MachineLearning/Anomallous.97%

The first two were located at the Startup folder and file in the user folder as ISCOMPLETED.vbs and .exe

Malwarebytes also blocks access from InstallUtil.exe located in the .NET\Framework folder trying to connect to 95.211.208.153:8808 which is some asyncrat thing: https://threatfox.abuse.ch/ioc/1263302/
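
A read-only host triage for the indicators listed in the post above (script and .exe files in the Startup folder, files sharing one creation time, and InstallUtil.exe making outbound connections), as an added example that is not part of the original thread. The extension list, scan depth and one-minute grouping window are assumptions; the address is the one quoted in the post.

```powershell
# Added example, not from the thread. Read-only: it lists findings and
# changes nothing. Run in Windows PowerShell 5.1+ on the suspect machine.

# Indicator quoted in the post (Malwarebytes block of InstallUtil.exe).
$knownRemote = '95.211.208.153:8808'

# Assumption: file types worth reviewing when found in an autorun location.
$autorunExt = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd',
              '.ps1', '.exe', '.scr', '.lnk'

# 1) Startup folders: everything placed here is launched at every logon.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users
)
$startupHits = foreach ($dir in $startupDirs) {
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        Get-ChildItem -LiteralPath $dir -File -Force |
            Where-Object { $_.Extension -in $autorunExt } |
            Select-Object FullName, CreationTime, Length
    }
}

# 2) .exe/.vbs files under the user profile that share a creation minute
#    ("all installed on the same date at the same time"). Legitimate
#    installers cluster too, so each group is a lead to review by hand.
$scan = @{
    LiteralPath = $env:USERPROFILE
    Recurse     = $true
    Depth       = 4            # assumption: deep enough for AppData drops
    File        = $true
    Force       = $true        # include hidden files
    ErrorAction = 'SilentlyContinue'
}
$clusters = Get-ChildItem @scan |
    Where-Object { $_.Extension -in '.exe', '.vbs' } |
    Group-Object { $_.CreationTime.ToString('yyyy-MM-dd HH:mm') } |
    Where-Object { $_.Count -ge 2 }

# 3) InstallUtil.exe is a .NET Framework installer tool and has no routine
#    reason to hold outbound TCP connections. Flag any it owns, plus any
#    connection to the address from the post regardless of owner.
$local = '0.0.0.0', '::', '127.0.0.1', '::1'
$netHits = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $local } |
    ForEach-Object {
        $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $remote = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        $isInstallUtil = $proc -and $proc.ProcessName -eq 'InstallUtil'
        if ($isInstallUtil -or $remote -eq $knownRemote) {
            [pscustomobject]@{
                Pid     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '(exited)' }
                Path    = if ($proc) { $proc.Path } else { $null }
                Remote  = $remote
                State   = $_.State
            }
        }
    }

# Report
'--- Startup folder entries ---'
$startupHits | Format-Table -AutoSize -Wrap
'--- Files created in the same minute ---'
foreach ($c in $clusters) {
    "[{0}] {1} files" -f $c.Name, $c.Count
    $c.Group | Select-Object FullName, Length | Format-Table -AutoSize -Wrap
}
'--- InstallUtil / known-address connections ---'
$netHits | Format-Table -AutoSize -Wrap
```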
legendary
Activity: 2604
Merit: 2353
January 11, 2025, 05:38:31 PM
#10
which is why I am  I want to know how that was possible and if this could be a real scenario. i had the wallet since 2017.

I guess anything is possible, especially on Windows systems that are susceptible to malware attacks. Personally, I've had Electrum as a hot wallet on my PC for years without any problems. Have you been able to scan the system with a good antivirus and antimalware program to see if it detects anything?

The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC. So that should not be the problem anymore.
My wallet was also password protected which is why I am asking myself if malware just waits till the wallet has been opened.
However, if you have used a strong password to encrypt your wallet then the hacker can’t do anything with the encrypted file and he will have to wait for you till you open the wallet and type the password.

The most disgusting thing about it may be the fact that someone "real" has been waiting for the right moment to attack.
Could you tell us how this malware has been called by Malwarebytes? It's very concerning if other antivirus softwares are not able to detect it. You are not the first one reporting a hack from an Electrum wallet those days. I hope a malicious malware is not spreading like a wild fire. Anyway crypto users should always be careful and using a cold wallet when they start to hold some quite large amounts of cryptos.
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
January 11, 2025, 05:34:38 PM
#9
There's a possibility that your seed phrase is stolen by other people through malware. There are malwares that do that where it records your keystrokes and sends it to the hacker. After the hacker has access to your seed phrase they can import it to a different wallet. It could also be a different malware that your device is infected with as explained by other forum members. So it's better you should not download anything you see on the internet as to avoid getting malware online.
legendary
Activity: 1554
Merit: 880
Wallet transaction notifier @txnNotifierBot
January 11, 2025, 05:24:21 PM
#8
I could only think that your device is infected, the moment you open the Electrum app with internet connection triggers an autorun saved from your device that completes the transfer. Better to reformat and install a new OS on your device, Windows 10 has reformat settings so it can help to retain your Windows product key while everything is almost new.
?
Activity: -
Merit: -
January 11, 2025, 04:18:04 PM
#7
which is why I am  I want to know how that was possible and if this could be a real scenario. i had the wallet since 2017.

I guess anything is possible, especially on Windows systems that are susceptible to malware attacks. Personally, I've had Electrum as a hot wallet on my PC for years without any problems. Have you been able to scan the system with a good antivirus and antimalware program to see if it detects anything?

The funny thing is that Spybot, Avast and Windows Defender didn't notice anything wrong. Only Malwarebytes was able to find the malware. However, I am currently reinstalling my PC. So that should not be the problem anymore.
My wallet was also password protected which is why I am asking myself if malware just waits till the wallet has been opened.
However, if you have used a strong password to encrypt your wallet then the hacker can’t do anything with the encrypted file and he will have to wait for you till you open the wallet and type the password.

The most disgusting thing about it may be the fact that someone "real" has been waiting for the right moment to attack.
legendary
Activity: 1526
Merit: 1359
January 11, 2025, 04:13:21 PM
#6
which is why I am  I want to know how that was possible and if this could be a real scenario. i had the wallet since 2017.

I guess anything is possible, especially on Windows systems that are susceptible to malware attacks. Personally, I've had Electrum as a hot wallet on my PC for years without any problems. Have you been able to scan the system with a good antivirus and antimalware program to see if it detects anything?
legendary
Activity: 2772
Merit: 3114
Top Crypto Casino
January 11, 2025, 04:12:11 PM
#5
My wallet was also password protected which is why I am asking myself if malware just waits till the wallet has been opened.
That’s most likely what happened.
If your device is infected with a malware then the hacker may have full control over it and will have access to all your files including the wallet file.
However, if you have used a strong password to encrypt your wallet then the hacker can’t do anything with the encrypted file and he will have to wait for you till you open the wallet and type the password.

As you already know, there isn’t much you can do to get back that money without knowing the identity of the hacker but what you need to do is to stop using that wallet and create a new one on a clean device.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
January 11, 2025, 04:03:10 PM
#4
Maybe someone can help me understand how this could have occurred.

Indeed, if you had coins for months and now they were transferred, it's either your computer infected, either you've updated your Electrum from a wrong/malicious place.

how could this even happen? Is this a real Trojan attack where they scan for open wallets?

I will come with some guesses.
They can scan for what processes are open. If Electrum comes up, the trojan can send "home" various info, including your keystrokes (i.e. your seed if you enter it, or your wallet password). If you have the wallet file in a standard location, that can also be sent.
Of course, if the trojan is the electrum itself (hence the question where it was downloaded from, was it verified), then it's even easier to steal.

I know the money is gone, and I’ll have to live with that.

Make sure you never use that wallet/that seed again. I recommend you either get a hardware wallet, either learn cold storage (cheapest is a USB stick with Tails OS you can boot from, with no internet ever, but it's not so easy/straightforward). Also make sure you generate your wallet offline and the new seed never goes online.
?
Activity: -
Merit: -
January 11, 2025, 03:56:30 PM
#3
Your PC could have been infected with malware via downloading and installing some random apps. Which operating system have you been using?

Did you download the electrum app from the official source and even verify the signature?

It's a Win10 machine, the wallet (as portable version) was downloaded from the original website and I used it for years without any problems. My wallet was also password protected which is why I am asking myself if malware just waits till the wallet has been opened.

Don't get me wrong, there is nothing I can do now but I don't want to make the same mistake twice. So I want to know how that was possible and if this could be a real scenario. I had the wallet since 2017.
legendary
Activity: 2394
Merit: 1276
Heisenberg
January 11, 2025, 03:50:17 PM
#2
Your PC could have been infected with malware via downloading and installing some random apps. Which operating system have you been using?

Did you download the electrum app from the official source and even verify the signature?
?
Activity: -
Merit: -
January 11, 2025, 03:39:38 PM
#1
Hey community,

I have a problem with my Electrum wallet and keep wondering how this could have happened.

Today, I opened my Electrum wallet for the first time in a few months and noticed that a transaction was made, resulting in an empty wallet. It definitely wasn’t me.

I’m not sure if I opened Electrum and left it running for a few minutes while completing other tasks before fully checking the program. The transaction happened 10 minutes before I noticed it. If I followed the BTC chain correctly, my BTCs were transferred to a Robinhood wallet, so it clearly wasn’t me.

I know the money is gone, and I’ll have to live with that. However, I keep asking myself: how could this even happen? Is this a real Trojan attack where they scan for open wallets?

Maybe someone can help me understand how this could have occurred.

Thanks a lot!