Topic: Help - Lost Bitcoins 49.5 BTC (Read 249 times)

... and he's gone.

Something else is weird about this story.

The address 13uzBESjqTT87ak4uAipKUoP8EuVHcQk2e is an old blockchain.info wallet address and not a mycelium wallet address. I'm not going to say how I know this, but other OG's can probably recognize this fact, too.

I hope that I'm not off-topic, and also somebody with more knowledge than me will have to check/validate the idea.
Is it possible that - in a way or another - OP's friend did sweep/consolidate to something like "the segwit equivalent of the original paper wallet"?!

Some description is on Reddit, although there a change was involved: https://www.reddit.com/r/Bitcoin/comments/b67sm2/how_does_mycelium_handle_partial_paper_wallet/ejir3kx/?context=3

Even with that, it is still possible that he accidentally "sweep" the paper wallet's private key to another wallet.
4033ac94f79db922d327d82f154d686194ed54cded3b2221340484c09421e7bc had sent all of the available UTXO of that address that could mean that it was swept.

Those newer transaction's input was from a newly received transaction after that incident:

• e8a181a2728d7034904b33881370bdf5405e73d7180b028211ed9b9b414fb9a1 - received 0.006 BTC
• change of b69ac4b06ce76e3144271e7017ad37aec8916bdc7cf77ac17541e075290a1120 - 0.0050761 BTC

Plus, if it was stolen, it should be spent by now.

My guess is it's still in one of his forgotten wallet with "sweep private key" feature.
Or someone with access to his paper wallet had swept it to a watch-only wallet, so he can't spend it; or it's spendable but just waiting for something.

His private key must have been compromised through that.
But it's still unspent after two bull runs...

If he got the information from blockchain.com (used to be blockchain.info), "relayed" only means Bitcoin full node with IP 138.68.64.155 relay/share the transaction to blockchain.com. It's very likely the node receive that transaction from another node.

Hi guys,

Thank you for all replies here is some information and what I concluded

I asked him to check email history and he forwarded all emails sent to mycelium support .

First he was using cold storage to send his bitcoin and he bought a new phone and it is unrooted installed just mycelium and a few apps from the play store  and he stored the private key in the lastpass application.

For the other two transactions sent to that address, yes my friend sent them. He just sent low amount to see ( I don't know what he was thinking he was doing ) .

These transaction are done by my friend :
https://www.blockchain.com/btc/tx/b69ac4b06ce76e3144271e7017ad37aec8916bdc7cf77ac17541e075290a1120
https://www.blockchain.com/btc/tx/eac69ba4bc143a58908e68e3a2b8dc25704c9332923cb8a56b1eeeb33968a887

As I said I don't know what he was thinking about

To correct some information:

He didn't touch the phone the day before when he found his wallet had vanished. So it is clear that someone uses his private key. the moment when the coins moved his phone was OFF.

He did something good by copying the transaction information :

Summary
Size 2736 (bytes)
Received Time 2016-12-13 04:36:43
Included In Blocks 443230 ( 2016-12-13 04:36:53 + 0 minutes )
Confirmations 234 Confirmations
Relayed by IP 138.68.64.155 (whois)
Visualize View Tree Chart
Inputs and Outputs
Total Input $ 38,620.06
Total Output $ 38,618.27
Fees $ 1.79
Estimated BTC Transacted $ 38,618.27
Scripts Hide scripts & coinbase



I noticed that this IP 138.68.64.155 belonged to the digital ocean company and the location was Germany. The coincidence is that mycelium use also used Digital ocean back to that time and also the location was Germany ! Is it a coincidence?


I have read a lot of stories about stolen coins through mycelium and I feel that there was a backdoor on their app and when this affects some members and not all members then I suspect that mycelium team is behind this theft and they are also anonyme!

Do you still have contact with your friend? If you brought him here or told him to reply to the questions asked above, you'll increase your chances of recovering them. So, if you really want that money, do your best and help us understand the whole case in a disgustingly detailed way.

The keys of your money are most likely not compromised by a hacker, because they've remained untouched since 2016. I'm pretty sure that a hacker wouldn't keep them on their known address, but mix them instead. They'd have also spent them all these years.

As NeuroticFish said in the first reply, some money were sent bunch of weeks afterwards to that address. Does your friend remember of making three transactions from 13uz during that period?

What do you mean by  “he only imports the private key”. Has he written the private key(s) anywhere?

Honestly, your friend's memory may not be 100% accurate at this point in time... The additional transactions for the smaller amounts were after the 49.5 BTC transaction (the 2nd was about a week later, the 3rd about a month later):

1st transaction (49.5 BTC) from 13uz to 1EF3: 2016-12-13 17:36
2nd transaction (0.00077700 BTC) from 13uz to 1EF3: 2016-12-21 13:12
3rd transaction (0.00066600 BTC) from 13uz to 1EF3: 2017-01-11 11:44


13uz also made a final send transaction 2-3 months later on 2017-03-27 07:45 for 0.00481440 BTC: https://www.blockchain.com/btc/tx/893680213545774061c9b2ff3e0ab08e126a03e3a1f188cdbbb6f4a0aa6597b2


It seems highly unlikely that if your friend made these transactions, that they did not notice they were missing 49.5 BTC at that time!!?!

This is something useful. This may indeed mean that your friend's money may not be stolen, although it again doesn't add up, since if he would have sent smaller amount, the transaction would have been looking different.
That transaction looks like either a consolidation of funds, or seep (as nc50lc said!), either a hack. And in the previous or next few days there were no transactions from that address.

It's quite sad that you are asking here this late; back those days your friend could have been more certain about what he did, hence be more helpful for tracking the funds.


However, if it's not a hack (I'm not 100% convinced, but let's get more optimistic, at least.) then it's a consolidation or sweep.

Although I didn't follow those, I remember some stories (I don't know how real) about sweeping a paper wallet that ended into disaster, funds being sent to odd/unknown addresses.
Again, I don't know those well, but maybe it rings a bell to somebody familiar with the topic.

First I'd try to see though what other addresses are in that wallet, since there are more transactions going to 1EF3DDBaPzbpJ5cXHVW2gZkyG1Jd4FotFW and they look intended, while the change goes back to 13uzBESjqTT87ak4uAipKUoP8EuVHcQk2e.

It doesn't look like a change address at all because it's the only output of that "49.5BTC" transaction.
It's more like a consolidation or sweep transaction.

There's a possibility that he swept it (sweep) instead of "import" because the transaction had sent all of the address' available coins at that time to that address.
If that's the case, it should be in the wallet where he used "Sweep".
One scenario that it might happen is: when he's trying to import it to another wallet like Electrum, but since import is disabled for a standard wallet, he used sweep instead which sent all of his balance to one of that wallet's address.

Wherever it is now, it looks like it's not in his paper wallet nor Mycelium anymore because he said he didn't recognize the address and he can't find the balance in Mycelium.
With that, try to remember any other wallets that he might have used specially those with "sweep" function, then look for any related backup.

Is the Android phone still intact? Assuming it's not virus, bug or hacker fault, one possibility is Mycelium send remaining Bitcoin to change address (which generated by Mycelium).

He told me that he may attempt to send bitcoin the day before or the same day but not sending the full 50 BTC

The owner isn't someone familiar with bitcoin / I asked him about the last two transactions to 1EF3DDBaPzbpJ5cXHVW2gZkyG1Jd4FotFW with low amount and he told me that the transfer was initiated by him .

If he didn't initiate any send action there, I don't see how it could be a glitch in Mycelium.
Unfortunately, from what I read, my conclusion is that somebody else got access to the private key of 13uzBESjqTT87ak4uAipKUoP8EuVHcQk2e and stole the coins by sending them to 1EF3DDBaPzbpJ5cXHVW2gZkyG1Jd4FotFW.

On the other hand, I see multiple send actions from 13uzBESjqTT87ak4uAipKUoP8EuVHcQk2e to 1EF3DDBaPzbpJ5cXHVW2gZkyG1Jd4FotFW, even with change back to 13uzBESjqTT87ak4uAipKUoP8EuVHcQk2e, hence I think that something is missing from the story.

delete this please