Topic: funds immediately leaving electron wallet after receiving from TestNet faucet (Read 301 times)

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
[...]
Theoretically speaking too, I think that if you don't run a full node, it is bound to have some troubles sooner or later. As far as I know, Bitcoin nodes have a banlist of "misbehaving nodes", which are nodes that relay invalid transactions and/or spam the mempool. An attacker could try to have your bot blacklisted by blacklisting his own node, which can happen by just feeding the mempool with invalid or valid but already made transactions. If your bot doesn't verify transactions, it's going to broadcast them repeatedly.
legendary
Activity: 3472
Merit: 10611
I'm theorycrafting here but I don't see any reason to actually run a full node (or pruned node) because the goal is to monitor the mempool not to verify blocks or transactions or even keep the mempool, relay stuff, etc.
Worst case scenario is that you receive an invalid transaction and when spending that the nodes reject your tx.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Weird, but not that surprising. In the past, there were shady ICOs/airdrops which gave people worthless tokens in exchange for Bitcoin testnet.
What's weird? A worthless token can be exchanged equally with another worthless token. ;)

That's a good point, but I expect you could run such a bot with a pruned node to lower operational cost. ZeroMQ could also be used to notify your own script/application of new transactions in the mempool, which eliminates the need for a wallet.dat which contains lots of addresses.
Exactly. You don't need to handle the entire chain, only enforce the consensus rules on mempool transactions, which requires having verified the entire chain.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
[...]
But it largely depends on this known list. Does it include all locking scripts whose unlocking scripts are known? Does it contain all addresses whose private keys are revealed, such as known brain wallets? Does it contain bitcoin-key-words, such as all block hashes, transaction IDs etc.? Does it contain predictable private keys such as k=1, k=2, k=3 etc.? From those, how large is the predictable private key range? It could be [1, 2^32]. Increase the exponent by 1, and you've approximately doubled the work. Then, you have a full node that must run 24/7.

A good bot should have some good infrastructure.
legendary
Activity: 3472
Merit: 10611
Which is pretty weird, because thieves aren't known for stealing testnet bitcoins.
I wonder how much it costs to run something like that 24/7. Maybe it could be run on some sort of free VPS service considering that running such a "bot" shouldn't take up that many resources. All it takes is a list of keys, a tx signing library and a remote SPV server (like Electrum nodes) to subscribe to and listen for incoming transactions to "steal". There is no need for blockchain or blockheaders, wallet history, etc. either.
legendary
Activity: 2380
Merit: 5213
Which is pretty weird, because thieves aren't known for stealing testnet bitcoins.
Right. With stealing testnet coins, the hacker actually warns about using a fake version of electrum. No hacker would do that.


Did you try out some brainwallet, or used a locking script which has a publicly known unlocking script? There are some bots that search for known private keys in the mempool and withdraw any sent coins immediately.
OP already said that he/she generated the private keys through a brainwallet and used such simple words. See this post.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
If you did not verify the Electrum binary's authenticity, then you probably have a fake copy and that is probably why you are losing coins instantly. I always check that all the GPG signatures match before using a new version of Electrum.
Which is pretty weird, because thieves aren't known for stealing testnet bitcoins.

I'm afraid you've just generated your private key improperly. Did you try out some brainwallet, or used a locking script which has a publicly known unlocking script? There are some bots that search for known private keys in the mempool and withdraw any sent coins immediately.
legendary
Activity: 1568
Merit: 6660
Am I missing something with this procedure?

You have to check the authenticity of the Electrum download using GPG. There is a guide for doing that at https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594

If you did not verify the Electrum binary's authenticity, then you probably have a fake copy and that is probably why you are losing coins instantly. I always check that all the GPG signatures match before using a new version of Electrum.
newbie
Activity: 17
Merit: 4
Merit?
What do you mean?

No, I have over 30 years of experience developing software; it's just that I just started with blockchain, and the only way I know to learn is just by doing.
This is why I'm doing the wallet from scratch (almost; I'm using the NBitcoin library, but I'm planning to replace it as soon as I have a stable wallet).

legendary
Activity: 3472
Merit: 3217
Why would you generate your wallet from a brain wallet? This is already discussed here: it is not safe to generate from a brain wallet.
If you want to generate a safe wallet then let Electrum generate a wallet for you.
Let's see if you can still experience that issue after you generate a wallet from Electrum and receive testnet coins from a faucet.


It shows that I'm a newbie :-)
Thanks

If you think that you are not a newbie, what is the purpose of creating this thread? Is that for merit?
legendary
Activity: 3472
Merit: 10611
It shows that I'm a newbie :-)
Thanks
If you know this then maybe it is not such a good idea to create your own wallet, even if you are using an existing library because you will end up with serious security flaws that you may not even notice.
Hope you are just experimenting.
newbie
Activity: 17
Merit: 4
It shows that I'm a newbie :-)
Thanks
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
I think I've figured out the problem and it's not what you think :-)
let me give you a little bit of background:
In order to create this particular wallet I was using "Brain wallets" (which is basically a sha-256 of a text), but I was using simple words like "black" and "white".
I think these simple "words" are part of a database of "simple" KEYS, which could be easily generated from any source of "public common passwords".
That's because you didn't mention it in the first place.
If so, anyone would figure that it's the problem since it's the very issue why brainwallet was discontinued.
Even if it's a complex set of phrases (actual phrases, not random words) or a small set of random words, the outcome would be the same.

For reference, there's list of cracked brainwallets: https://bitcointalksearch.org/topic/collection-of-18509-found-and-used-brainwallets-4768828
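A self-check a wallet developer could run on keys their own code produces, covering the guessable categories raised in this thread (SHA-256 brainwallet phrases, small integers, non-random output). This is an added example, not code from the thread; the function name, the phrase list and the thresholds are assumptions.

```python
import hashlib
import secrets

# secp256k1 group order: valid private keys are integers in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# "black" and "white" are the phrases named in the thread; the rest are constructed.
PHRASES = ["black", "white", "password", "bitcoin"]


def audit_private_key(key, phrases, small_bound=2**32, min_distinct=16):
    """Return reasons a 32-byte private key looks guessable (empty list: none found)."""
    if len(key) != 32:
        raise ValueError("expected a 32-byte private key")
    findings = []
    k = int.from_bytes(key, "big")
    if not 1 <= k < N:
        findings.append("out of range for secp256k1")
    elif k <= small_bound:
        # Sequential keys (k=1, 2, 3, ...) are trivially enumerable.
        findings.append(f"small integer (<= {small_bound})")
    for phrase in phrases:
        # A classic brainwallet key is just SHA-256 of the passphrase.
        if hashlib.sha256(phrase.encode("utf-8")).digest() == key:
            findings.append(f"SHA-256 of phrase {phrase!r} (brainwallet)")
    # Heuristic (assumed threshold): 32 random bytes almost always contain
    # about 30 distinct values; far fewer suggests padding or a broken RNG.
    if len(set(key)) < min_distinct:
        findings.append(f"only {len(set(key))} distinct byte values")
    return findings


if __name__ == "__main__":
    samples = {
        "sha256('black')": hashlib.sha256(b"black").digest(),
        "k = 5": (5).to_bytes(32, "big"),
        "CSPRNG key": secrets.token_bytes(32),
    }
    for label, key in samples.items():
        print(label, key.hex(), audit_private_key(key, PHRASES) or "no findings")
```

An empty result only means none of these specific patterns matched; it does not prove the key came from a sound random number generator.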
newbie
Activity: 17
Merit: 4
I think I've figured out the problem and it's not what you think :-)
let me give you a little bit of background:
In order to create this particular wallet I was using "Brain wallets" (which is basically a sha-256 of a text), but I was using simple words like "black" and "white".
I think these simple "words" are part of a database of "simple" KEYS, which could be easily generated from any source of "public common passwords".

What I think happened is that somebody is "scanning" the "memory pool" of the block chain for any money going to those addresses and immediately runs a Vin on those, and they are using the TestNetwork to "test it" :-)

In order to test this "theory" this time I've created a truly random KEY and copied and pasted it into the Electron wallet (via WIF) and nothing happened.

I appreciate the comments,

For those that asked for the link to the source code, I didn't post it because it's currently connecting to a "Bitcoin Explorer" that I'm developing (in conjunction with the wallet) and is in my internal network.
As soon as it's stable enough I plan to make it public.

Thanks again for all the support.
Great community!!
legendary
Activity: 3472
Merit: 10611
I've created another public KEY, this time I didn't even look at the private key.
I've created it on the wallet that I'm developing using the NBitcoin library.
I'm compiling everything from source code
The public address is "mwT5PqSoLCeojDhghhBdXFCMMwGYxb34Ge"
Did you check the private key to see if it is actually created randomly (convert to hex, it makes it easier to see)?
Maybe the code you wrote has some flaw in it when it calls the RNG and creates a non-random key which some bot is already watching to steal its funds right away.

P.S. you don't need to reinstall everything, you could just download a Linux distro like Ubuntu, burn it on a DVD or create a live USB disk and run that OS live (without installation). Then you could use VS code to compile your code for Linux inside that live OS and run it again to see if the same problem occurs.
legendary
Activity: 2744
Merit: 3096
Here is what you need to do to know the source of the problem:
Create a new wallet with Electrum not with the wallet you are developing. Send it some test coins then see if those coins will be moved.
This simple test will help you figure out whether the issue is with your device/Electrum or with the wallet you are developing.
legendary
Activity: 3472
Merit: 3217

1- I'll reinstall a fresh copy of iOS on an old mac laptop that I happened to have
2- download from Microsoft .NET dev kit.
How old is your MacBook? If it's old with an old iOS version, 10.12 and below, Electrum will not work properly.

Why would you install Microsoft .NET? It seems that you are following other guides related to Windows 7.

Check this "How to install Electrum in Mac OS x"

Do you have another device with Windows OS?
copper member
Activity: 2338
Merit: 4543
3 - post the source code of my wallet on GitHub

I don't know what you mean by this, can you elaborate?

4 - download on the "fresh" computer the code from GitHub

Are you doing this through the terminal, or are you downloading using a web browser?  Either way, can you share the link where the download is coming from?

5 - compile, run and create a new "one address wallet"
6 - request some test coins.
7 - examine result.

Since you mentioned "Electron," can you confirm if that was a typo?  The reason I ask, Electron Cash is the Electrum fork designed to be used with Bitcoin Cash (BCH,) not Bitcoin (BTC.)  I'm wondering if you're confused about the two.  Bitcoin Cash is not bitcoin, but the scammer behind that fork intentionally tries to cause confusion between the two coins.
newbie
Activity: 17
Merit: 4
First of all I really appreciate all the feedback and responses.
This is what I'll try next in order to rule out any possible compromised software/hardware.

1- I'll reinstall a fresh copy of iOS on an old mac laptop that I happened to have
2- download from Microsoft .NET dev kit.
3 - post the source code of my wallet on GitHub
4 - download on the "fresh" computer the code from GitHub
5 - compile, run and create a new "one address wallet"
6 - request some test coins.
7 - examine result.

Am I missing something with this procedure?
Could this be compromised in any way?

This will take me some time but I'll post my results as soon as I have them.

Thanks
legendary
Activity: 2380
Merit: 5213
On the bright side we can rule out "a compromised" Electrum (which by the way I did download from the official site + verified the signature)
If your wallet isn't compromised and you are sure that you have downloaded electrum from the official website, maybe it's your device which is compromised.
Can you try creating a new wallet on a different device and check whether the same thing happens or not?
newbie
Activity: 17
Merit: 4
This is getting stranger by the minute.
I've created another public KEY, this time I didn't even look at the private key.
I've created it on the wallet that I'm developing using the NBitcoin library.
I'm compiling everything from source code.
Then I requested some test coins from a couple of faucets and when I'm looking into the block chain this is what I see:

The public address is "mwT5PqSoLCeojDhghhBdXFCMMwGYxb34Ge"
I've received 3 "payments" from 3 different faucets (all on the same block).
But at the same time all of them were spent and went to the same address as in the previous tests, and all of this happened on the same "block"
and based on the timestamps at the same time.
How can this be possible?

On the bright side we can rule out "a compromised" Electrum (which by the way I did download from the official site + verified the signature)

{
   "Transaction": [
      {
         "TransactionId": "02e8df6726862abb55f509882b0c8e461847bb4f06c30aa3bc7728fddf7af7c3",
         "n": 1,
         "value": "0.02844292",
         "scriptPubKey_address": "mwT5PqSoLCeojDhghhBdXFCMMwGYxb34Ge",
         "datetime": "2022-10-21T17:06:49",
         "Used": {
            "UsedId": "066c68d50edebc57dbb35e4a16c45cdc740c83e920b6d05c22a382904839d075",
            "UsedN": 1,
            "UsedDateTime": "2022-10-21T17:06:49",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.02821192"
               }
            ]
         }
      },
      {
         "TransactionId": "5598cb033f74571b7008548c0d2934ee5a1473d49b916cfacf432848aea8dfee",
         "n": 1,
         "value": "0.00066664",
         "scriptPubKey_address": "mwT5PqSoLCeojDhghhBdXFCMMwGYxb34Ge",
         "datetime": "2022-10-21T17:06:49",
         "Used": {
            "UsedId": "e46c907ae25eeed9cb73c3fa095c21c2e36fdb7d597d13e693f52435330fff66",
            "UsedN": 1,
            "UsedDateTime": "2022-10-21T17:06:49",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.00043564"
               }
            ]
         }
      },
      {
         "TransactionId": "65ceb923844fd8761751ab8584f4170ee6760b250e2ad19dcd66f5d8a618ce8d",
         "n": 0,
         "value": "0.00010000",
         "scriptPubKey_address": "mwT5PqSoLCeojDhghhBdXFCMMwGYxb34Ge",
         "datetime": "2022-10-21T17:06:49",
         "Used": {
            "UsedId": "6efbcda30b63948fba9bcae84976dfad16769feb593275a9cc34eff035a64726",
            "UsedN": 0,
            "UsedDateTime": "2022-10-21T17:06:49",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.00009488"
               }
            ]
         }
      }
   ]
}
legendary
Activity: 3668
Merit: 6382
Any idea what is happening???

My vote goes towards a malicious clone of Electrum and/or somebody else having your wallet's seed (btw, if you translate your writing to English to post here, you may want to fix Electrum's name; make also sure you get the original names from here, not translated ones).
Get another Electrum, make sure you get it from https://Electrum.org, also make sure you verify the downloaded Electrum. Install and play with this one.
At runtime check that you have version 4.3.2, i.e. you're using the new one.

Of course, make with this new Electrum a completely new wallet, don't restore the old.
legendary
Activity: 2744
Merit: 3096
This is a brand new address that I've created on a wallet that I'm developing and imported the WIF in electrum.
Both of the addresses you imported into Electrum send your coins to the same address: mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j which received more than 110 tBTC!

It seems like the problem is coming from the code/plug-in you're using to generate the WIF keys. Where did you get it from?
But why would someone write malicious code to steal testnet coins! Or does it generate mainnet addresses too?

To be sure this is indeed the cause of the problem: create a wallet with Electrum and see if the problem persists. If it does, then either your device is compromised or you're using a fake version of Electrum.
legendary
Activity: 3472
Merit: 10611
This is the "about"
~
In security critical scenarios you can't really figure out what application you are running by looking at the about page. What you needed to do was to first get the digital signature of the installation file you used to install this application and then find a way to acquire the correct public key of the real author of the application you think you are running (in this case Electrum in which case pubkeys are found on github). And finally to verify the signature.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
This is a brand new address that I've created on a wallet that I'm developing and imported the WIF in electrum.
Try to create a new key from your wallet, derive the testnet bitcoin address and fund that address without importing the WIF prvKey to Electrum.
See if the funds will still be wiped out.

If it does, then there's something wrong with your wallet.
If it didn't, then it's your "Electron" or something between the WIF export->import.
newbie
Activity: 17
Merit: 4
This is the "about"

--------------------------
Version 4.2.2

Electrum's focus is speed, with low resource usage and simplifying Bitcoin. You do not need to perform regular backups, because your wallet can be recovered from a secret phrase that you can memorize or write on paper. Startup times are instant because it operates in conjunction with high-performance servers that handle the most complicated parts of the Bitcoin system.

Uses icons from the Icons8 icon pack (icons8.com).
--------------------------
legendary
Activity: 3472
Merit: 3217
Are you sure that you are using Electrum or electron wallet?
If it's electron then you are using a fake Electrum wallet; better uninstall that wallet and download the original Electrum from electrum.org.

Then make a new wallet again for testnet; let's see if your issue is solved.
legendary
Activity: 2380
Merit: 5213
I've created a wallet on electors importing a WIF (just one address).
You probably made a typo, but it may be worth mentioning that it's neither electron nor electors. The wallet is called Electrum.

Anyways, it's possible that your computer is infected with malware or you are using a fake version of Electrum, however I don't know why a hacker should steal worthless testnet coins.
Where did you download electrum from? Did you download electrum from its official website (electrum.org) or somewhere else?
newbie
Activity: 17
Merit: 4
I just did another test.
I've created a new Key from my wallet and instead of copying and pasting it into election I typed the WIF (one character at a time :-) )
When I request coins from a faucet, I experience the same problem.
Here's the new public address:

mvj3tFakMuFx15FewGtzpdhvxtrw5trvhw

https://blockstream.info/testnet/address/mvj3tFakMuFx15FewGtzpdhvxtrw5trvhw

Any idea what is happening???
Thanks
newbie
Activity: 17
Merit: 4
I've created a wallet on electors importing a WIF (just one address).
After that I've requested several coins from faucets on Testnet.
When I see the history of transactions, every time I receive some coins they are immediately sent to a new address.
This is the public address:

muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH

Here's a link to a test explorer with the address:

https://blockstream.info/testnet/address/muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH

This is a brand new address that I've created on a wallet that I'm developing and imported the WIF in electrum.

Could this be some type of "malware plugin" that recorded the WIF when I moved from one wallet to the other?
Has somebody else seen something like this?

Here's a JSON of each Vout and Vin

{
   "Transaction": [
      {
         "TransactionId": "8457733c113568bb53eba8a6d3160f6932bf167b916a1d3c31f76e43a6b1d3ec",
         "n": 1,
         "value": "0.01922572",
         "scriptPubKey_address": "muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH",
         "datetime": "2022-10-20T19:52:28",
         "Used": {
            "UsedId": "b335d8e6f2ab6ea69677c46841aa47804433b198b313504b2c0b0e4259afc7eb",
            "UsedN": 1,
            "UsedDateTime": "2022-10-20T19:52:28",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.01899472"
               }
            ]
         }
      },
      {
         "TransactionId": "89721265fb77dac877ca687e151a20f495d6fa60737146d9a9f2ddab522d4411",
         "n": 0,
         "value": "0.00031480",
         "scriptPubKey_address": "muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH",
         "datetime": "2022-10-20T19:52:28",
         "Used": {
            "UsedId": "ebd7af5aad4c08641723c88496c7fa2f444b329473ea01ffbdc7ee61327b2fbe",
            "UsedN": 0,
            "UsedDateTime": "2022-10-20T19:52:28",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.00008380"
               }
            ]
         }
      },
      {
         "TransactionId": "a4d28ef0c9c714db2b247262bf5ff8088d859ff8cad833a9456198ee9fd9d853",
         "n": 1,
         "value": "0.00050000",
         "scriptPubKey_address": "muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH",
         "datetime": "2022-10-20T19:52:28",
         "Used": {
            "UsedId": "0244a84c9f2d4a04d979e8fabe5b1e2baa4f75f3914c51619b00f00782a1e0c4",
            "UsedN": 1,
            "UsedDateTime": "2022-10-20T19:52:28",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.00026900"
               }
            ]
         }
      },
      {
         "TransactionId": "c875f88f9f2ba613ec902f46588126ec6d1bb1bcedfc1ce62d006620fddb4b3a",
         "n": 1,
         "value": "0.00010000",
         "scriptPubKey_address": "muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH",
         "datetime": "2022-10-20T21:39:10",
         "Used": {
            "UsedId": "ee6243dfbe9964512a807286c32c3b1603958b559825c61fa316e0d4f5d24d9a",
            "UsedN": 1,
            "UsedDateTime": "2022-10-20T21:39:10",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.00009488"
               }
            ]
         }
      },
      {
         "TransactionId": "ec3f4ab0bca77aca9a9b9ac2c035d2d2c8e3079bac121a335f2ecff0cf4e7ee2",
         "n": 1,
         "value": "0.00010000",
         "scriptPubKey_address": "muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH",
         "datetime": "2022-10-20T19:37:50",
         "Used": {
            "UsedId": "afc03d24ee2311a40ed98e97c8e3a5b5d783267a6a691c23727f0176a546fa72",
            "UsedN": 1,
            "UsedDateTime": "2022-10-20T19:37:50",
            "UsedTo": [
               {
                  "scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                  "n": 0,
                  "value": "0.00009488"
               }
            ]
         }
      }
   ]
}
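The pattern visible in the JSON above (every received output forwarded at the same timestamp to one address) can be checked mechanically. This is an added example, not code from the thread: the field names follow the JSON as posted, while the function name, the 60-second threshold and the report keys are assumptions, and the "shortfall" equals the miner fee only if each spending transaction has this single input.

```python
import json
from collections import Counter
from datetime import datetime
from decimal import Decimal

# Two entries copied unchanged from the explorer JSON posted in the thread.
SAMPLE = """{"Transaction": [
 {"TransactionId": "8457733c113568bb53eba8a6d3160f6932bf167b916a1d3c31f76e43a6b1d3ec",
  "n": 1, "value": "0.01922572",
  "scriptPubKey_address": "muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH",
  "datetime": "2022-10-20T19:52:28",
  "Used": {"UsedId": "b335d8e6f2ab6ea69677c46841aa47804433b198b313504b2c0b0e4259afc7eb",
           "UsedN": 1, "UsedDateTime": "2022-10-20T19:52:28",
           "UsedTo": [{"scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                       "n": 0, "value": "0.01899472"}]}},
 {"TransactionId": "c875f88f9f2ba613ec902f46588126ec6d1bb1bcedfc1ce62d006620fddb4b3a",
  "n": 1, "value": "0.00010000",
  "scriptPubKey_address": "muYbXen3W19pCrKapW9cEUdwvqoP7LV9ZH",
  "datetime": "2022-10-20T21:39:10",
  "Used": {"UsedId": "ee6243dfbe9964512a807286c32c3b1603958b559825c61fa316e0d4f5d24d9a",
           "UsedN": 1, "UsedDateTime": "2022-10-20T21:39:10",
           "UsedTo": [{"scriptPubKey_address": "mjuKUaEPi2FXEtRNZRNUxdHAf7499npQ3j",
                       "n": 0, "value": "0.00009488"}]}}
]}"""


def to_sats(btc):
    """Convert a decimal BTC string to integer satoshis without float error."""
    return int(Decimal(btc) * Decimal(10) ** 8)


def analyze_sweeps(doc, max_delay_s=60):
    """Summarise how quickly, and to whom, each received output was spent."""
    destinations = Counter()
    delays, shortfalls, unspent = [], [], 0
    for utxo in doc["Transaction"]:
        used = utxo.get("Used")
        if not used:                      # output still unspent
            unspent += 1
            continue
        received = datetime.fromisoformat(utxo["datetime"])
        spent = datetime.fromisoformat(used["UsedDateTime"])
        delays.append((spent - received).total_seconds())
        forwarded = sum(to_sats(o["value"]) for o in used["UsedTo"])
        shortfalls.append(to_sats(utxo["value"]) - forwarded)
        for out in used["UsedTo"]:
            destinations[out["scriptPubKey_address"]] += 1
    # "Swept": nothing left unspent, every spend inside the delay window,
    # and every forwarded output pays the same single address.
    swept = (bool(delays) and unspent == 0
             and max(delays) <= max_delay_s and len(destinations) == 1)
    return {"spent": len(delays), "unspent": unspent,
            "destinations": dict(destinations),
            "max_delay_s": max(delays) if delays else None,
            "shortfall_sats": shortfalls, "swept": swept}


if __name__ == "__main__":
    print(json.dumps(analyze_sweeps(json.loads(SAMPLE)), indent=2))
```

On these two entries the shortfalls are 23100 and 512 satoshis; a repeated fixed amount alongside a zero-second delay is consistent with automated rather than manual spending.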