Although, if you can trick someone into downloading your malware, it's probably just easier to steal their Bitcoins directly with fake keys/seeds or sending to your own address rather than attempting to go down the ransomware route.
Some users are still really easy to cheat, either by asking them to enter their seed on a fake Ledger/Trezor site, or by getting them to download a fake wallet/browser extension. The ransomware attack is a bit more sophisticated though, and could fool even the more experienced users - but such an attack does not have to have the sole purpose of reaching the user's BTC; it can be carried out only to harm someone out of pure malice.
Also, I don't believe that the instance of coin loss in your 3rd reference is related to something like this given the evidence I found...
And in the 2nd reference... it looks like the "missing" coins might have eventually moved in this transaction (some 2 months after the original transaction):
https://www.blockchain.com/btc/tx/b89f1fd84eb1c64dd77acbe05625c91438585ecb696cb3debf7033a88995a412
Not sure if that was the original owner or a thief/hacker tho!
Or if that was the UTXO from the "bad transaction" as the OP seems to have removed TransactionIDs from and/or deleted posts and hasn't logged in since March... would be interesting to know if it was the OP... and if so, did they figure out where the coins went and how they recovered them??!?
I agree that both cases leave reasonable doubt, each in its own way - and the question is whether we will ever find out what really happened. It is possible that in both cases the seed is actually compromised, or that it is a specific vulnerability that we do not yet know about.
In case this happens to someone, which tools are best for trying to brute-force the key index - since the user who lost coins with the Electrum + Nano S combination failed to find anything even after generating millions of addresses?
Probably just create a Python script that simply starts generating addresses from a specified index... given a seed or xpub. Could probably use parts of btcrecover (or the seedrecovery module in btcrecover) as a starting point.
Then you'd start getting into complicated probability stuff that I don't really understand when it comes to the "generate sequential or random indexes?" argument...
If you have trouble doing this, then imagine other users who should brute-force their key index if a hacker hides their coins. But most importantly, there is a possibility that the situation can be fixed if something like this really happens to someone - and most of us still think that a hardware wallet is a device that cannot be manipulated in this way, which is obviously wrong thinking.