Topic: My coins were stolen after updating the Electrum Wallet. (Read 464 times)

legendary
Activity: 2604
Merit: 2353
I make a point of never using Windows for anything crypto related.

Instead, I use Linux.

I've had a wallet created for many years but I think I have only ever entered it onto computers a total of three times,

Yesterday I updated my Electrum wallet from 4.5.4 to 4.5.8. This is my usual process of updating:
[...]
It's great, but when you use Electrum with a hardware wallet you don't need to do all this stuff, especially changing your operating system just for using your cryptos while you need Windows for working and doing other stuff. Your seed will never be exposed to Electrum nor to your computer whatever the situation, so even if your setup is hacked or you've downloaded a phishing version of Electrum, the hacker won't be able to steal your seed in any way. So having exposed his seed three times to a Linux environment is already a higher risk and less safe than anyone using a HW wallet on whatever OS. People can find pretty cheap HW devices in 2025; fortunately they don't need to change their OS and learn a completely new one to use cryptos.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I make a point of never using Windows for anything crypto related.

Instead, I use Linux.

I've had a wallet created for many years but I think I have only ever entered it onto computers a total of three times,

Yesterday I updated my Electrum wallet from 4.5.4 to 4.5.8. This is my usual process of updating:

1. I open Kleopatra, where all three maintainers' signing keys are located and certified
2. Then I go to this page: https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594 and click on the Electrum website from there (I never type it in the url box directly!)
3. After that, I download Electrum and the signature file as usual.
4. I then verify the GPG signature to make sure that they all match up
5. I use the Python bundle instead of the AppImage or another format, so when I start Electrum and it prompts me to enter my password, I
  i) open the task manager
  ii) ensure that the electrum binary that is running is at the exact path I expect it to be installed in - usually some /bin directory
  iii) check the python site_packages to make sure everything is correct

and then we're good to go!
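Steps 1 to 4 above can be scripted so that the download is accepted only when the signature comes from a key whose fingerprint you pinned yourself, rather than from any key that happens to be in the keyring. The following is an added example and not code from the poster or from the Electrum project; it assumes `gpg` is on the PATH, and the fingerprints in `TRUSTED_FPRS` are constructed placeholders that must be replaced with the maintainers' fingerprints you verified out of band (for instance the keys certified in Kleopatra). The file names in the usage comment follow the `Electrum-<version>.tar.gz` / `.asc` pattern and are examples only.

```shell
#!/bin/sh
# Added example, not code from the thread or the Electrum project.
# Pin an Electrum release signature to known maintainer key fingerprints.
# The fingerprints below are constructed PLACEHOLDERS; replace them with the
# maintainers' fingerprints you have verified out of band.
TRUSTED_FPRS="
0000000000000000000000000000000000000001
0000000000000000000000000000000000000002
"

# check_status_lines STATUS_TEXT TRUSTED_FPRS
# STATUS_TEXT is the machine-readable output of `gpg --status-fd 1 --verify`.
# Returns 0 only when no negative verdict line (BADSIG, ERRSIG, EXPKEYSIG,
# REVKEYSIG, NO_PUBKEY) is present AND at least one VALIDSIG line carries a
# pinned fingerprint. GOODSIG alone is not enough: it only says that *some*
# key in the keyring verified, and anyone can publish a key carrying a
# maintainer's name and e-mail address.
check_status_lines() {
    status="$1"
    trusted=" $(printf '%s' "$2" | tr '\n' ' ') "
    if printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)( |$)'; then
        return 1
    fi
    # Field 3 of a VALIDSIG line is the fingerprint of the key that signed.
    fprs=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }')
    [ -n "$fprs" ] || return 1
    for f in $fprs; do
        case "$trusted" in
            *" $f "*) return 0 ;;
        esac
    done
    return 1
}

# verify_release TARBALL SIGFILE
# Step 4 of the procedure: run gpg and decide from its status lines, not from
# its exit code or the human-readable text.
# Usage (example file names): verify_release Electrum-4.5.8.tar.gz Electrum-4.5.8.tar.gz.asc
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_status_lines "$status" "$TRUSTED_FPRS"
}

# check_exe_path PID EXPECTED_PATH
# Step 5 ii: confirm the running process is the binary you installed and not a
# look-alike started from a download or temp directory (Linux /proc only).
check_exe_path() {
    actual=$(readlink -f "/proc/$1/exe" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# Constructed sample status output: a good signature by the first pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Example Maintainer <maintainer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2025-01-01 1735689600 0 4 0 22 8 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: a signature that verifies, but with a key that is not pinned
# (what an impostor key imported from a keyserver looks like).
SAMPLE_IMPOSTOR='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Example Maintainer <maintainer@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2025-01-01 1735689600 0 4 0 22 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a tampered download, signature does not match the file.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000001 Example Maintainer <maintainer@example.invalid>'

demo() {
    for name in SAMPLE_GOOD SAMPLE_IMPOSTOR SAMPLE_BAD; do
        eval "s=\$$name"
        if check_status_lines "$s" "$TRUSTED_FPRS"; then
            echo "$name: accepted"
        else
            echo "$name: rejected"
        fi
    done
}
demo
```

Only `SAMPLE_GOOD` is accepted; the impostor case is the one a plain "Good signature" message would wave through, which is why the check keys on the fingerprint in VALIDSIG and not on the name shown in GOODSIG.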
hero member
Activity: 560
Merit: 1060
✔️ CoinJoin Wallet
Because it has the largest market share, Windows is the number one target platform for malware and hackers. That's probably the main reason to not use the Windows platform for your crypto stuff. It's like walking with a target board front and back over a shooting range. Not wise...

I don't really agree with this. Definitely Windows is the OS that suffers the most attacks because of (as you said) being the most commercial OS and because it's expensive and people want to target it.

On the other hand, I reckon Linux is the best OS for bitcoiners, but let's be honest, if we want massive adoption, it can't happen without Windows users.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
~~~
You can operate Windows safe enough for crypto, though I would recommend a Linux OS, too.

It's users that compromise safety by using their daily drivers for crypto. They install every shit on their system, have countless browser extensions of possibly questionable reputation, use cracked software or whatnot and click on every link that screams "click me!". I'm maybe exaggerating a tiny little bit... ;)

Because it has the largest market share, Windows is the number one target platform for malware and hackers. That's probably the main reason to not use the Windows platform for your crypto stuff. It's like walking with a target board front and back over a shooting range. Not wise...
legendary
Activity: 2604
Merit: 2353
Windows + crypto.

Using Windows was your first mistake. Do not use Windows unless you really have to, and then use it only to run whatever app works only on Windows.

For everything else use Linux.

Also

Use a dedicated Linux machine only for making crypto transactions. Install only the official Electrum/Core wallet and do not install any other app on that PC.

If you don’t follow these safety protocols you’ll have problems again in the future.
If Windows is not safe, why are Electrum and all the other crypto wallets available on it without any warning? I don't understand. Literally billions of people are using Windows currently; if cryptos can't be used on it, cryptos are just dead. Or they are back to the same number of users as 15 years ago and the price that goes with it. I've been using Windows for years and I've personally never been hacked once.
?
Activity: -
Merit: -
I believe OP must simply wait in case the official request they've made brings any results and, at the same time, they should consider the money as lost, unfortunately.


Agreed. My point with mentioning that was perhaps it'll help identify the trigger factor. Since OP mentioned it happened during a wallet update and then mentioned perhaps it was a trojan.

If there's some exchange / btc seller who asks for some software to be installed and uses that as the trojan carrier it may at least help the OP (and potentially others who use / used a similar service) be safer in future.

Fully agreed the money is lost. "Not your keys not your coins ™️"
hero member
Activity: 560
Merit: 1060
✔️ CoinJoin Wallet
Any idea who "3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN" is?

3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN paid to both

 134SvJZPQC88egkhjMMTLoAfh7AGGPAW59
 19tc6mDnsrAzHMn57ULx1QsNTwEVFe3DHa

And then from both wallets btc went to bc1qqe5jnqp0jx7h2lh9ewrt0s9hh5uccmkc7fp3xe

So most likely the source of the issue may be connected with whatever mechanism was used to request btc from 3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN

Looks like an exchange, judging from the amount of BTC it has traded (received/sent).
I don't think it will help OP though, since doing chain analysis/forensics is both painful (since they lost money) and tiring (thanks to pseudonymity).
I believe OP must simply wait in case the official request they've made brings any results and, at the same time, they should consider the money as lost, unfortunately.
?
Activity: -
Merit: -
I don’t think it’s such a big deal if I share the transaction log. The amount isn’t that large, actually.

transaction log:

Code:
82e6cdff856f272a75a1c608bf5b095391982f80361adde2422ee9bdda77373a

My small personal investigation in the visualizer shows that the funds passed through two intermediary wallets before reaching the ChangeNOW exchange. Additionally, the final wallet received funds from other third-party wallets, which were likely hacked as well.

https://lite.crystalintelligence.com/visualization/UrkpNKhyBsmp34TP?x=-351.8907470703125&y=-226.3876953125&k=0.9372476935386658

As a result of my small investigation, I contacted the ChangeNOW exchange and informed them about the exchange of stolen funds through their platform. Their response was that they had blocked the source addresses, although I suspect these were disposable anyway. They also requested an official police inquiry.

Additionally, I reached out to Binance, notifying them that stolen BTC had been transferred to their platform. Perhaps they can flag the funds in their system in some way.

Any idea who "3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN" is?


3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN paid to both

 134SvJZPQC88egkhjMMTLoAfh7AGGPAW59
 19tc6mDnsrAzHMn57ULx1QsNTwEVFe3DHa

And then from both wallets btc went to bc1qqe5jnqp0jx7h2lh9ewrt0s9hh5uccmkc7fp3xe

So most likely the source of the issue may be connected with whatever mechanism was used to request btc from 3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN
hero member
Activity: 560
Merit: 1060
✔️ CoinJoin Wallet
I don’t think it’s such a big deal if I share the transaction log. The amount isn’t that large, actually.

transaction log:

Code:
82e6cdff856f272a75a1c608bf5b095391982f80361adde2422ee9bdda77373a

My small personal investigation in the visualizer shows that the funds passed through two intermediary wallets before reaching the ChangeNOW exchange. Additionally, the final wallet received funds from other third-party wallets, which were likely hacked as well.

I don't know how you've ended up with this argument, but since you've already contacted ChangeNow and they requested an official inquiry for the money loss, I guess there's nothing more to say in this topic.

Sorry for the loss.

Have a good day and best of luck!
?
Activity: -
Merit: -
I don’t think it’s such a big deal if I share the transaction log. The amount isn’t that large, actually.

transaction log:

Code:
82e6cdff856f272a75a1c608bf5b095391982f80361adde2422ee9bdda77373a

My small personal investigation in the visualizer shows that the funds passed through two intermediary wallets before reaching the ChangeNOW exchange. Additionally, the final wallet received funds from other third-party wallets, which were likely hacked as well.

https://lite.crystalintelligence.com/visualization/UrkpNKhyBsmp34TP?x=-351.8907470703125&y=-226.3876953125&k=0.9372476935386658

As a result of my small investigation, I contacted the ChangeNOW exchange and informed them about the exchange of stolen funds through their platform. Their response was that they had blocked the source addresses, although I suspect these were disposable anyway. They also requested an official police inquiry.

Additionally, I reached out to Binance, notifying them that stolen BTC had been transferred to their platform. Perhaps they can flag the funds in their system in some way.



I hope the bitcoin you lost wasn't a big blow for you.

How do you think you got infected? Did you use torrents, or maybe you downloaded cracked software or something like that?
Also, just to be safe, you should change passwords, wipe the disk clean and reinstall Windows. But if you have a powerful machine, I would install Linux Mint and use a virtual machine to run Windows instead. And definitely get a hardware wallet (not Ledger, they suck) in the future.


It wasn't as painful as it was frustrating that I didn't anticipate this scenario.

Thank you, the first thing I did was create a system image, then I formatted the disk.
The critical passwords were changed first.
hero member
Activity: 560
Merit: 1060
✔️ CoinJoin Wallet
A screenshot or transaction log would help a lot.

Can I send you a private message?

Could you please share the info with everyone here?
I can assist you, but there are other users more experienced than me.
At the same time, I wanna do things transparently!

If you have any issue with importing images in your posts, consider uploading the picture on a file server and share the link.

talkimg.org is a great option if you can do it, but I am not sure because there are rank limitations in the forum!
hero member
Activity: 510
Merit: 574
Too Little, Too Late.
I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched. Unfortunately, Windows Defender didn’t detect it. This was my mistake.

I hope the bitcoin you lost wasn't a big blow for you.

How do you think you got infected? Did you use torrents, or maybe you downloaded cracked software or something like that?
Also, just to be safe, you should change passwords, wipe the disk clean and reinstall Windows. But if you have a powerful machine, I would install Linux Mint and use a virtual machine to run Windows instead. And definitely get a hardware wallet (not Ledger, they suck) in the future.
legendary
Activity: 3276
Merit: 2442
I would still be very interested to know what exactly happened in any case, and especially if you ever invest in BTC again in the future. In that case, I would recommend a hardware wallet, preferably open source and trusted by the community.

I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched. Unfortunately, Windows Defender didn’t detect it. This was my mistake.


Windows + crypto.

Using Windows was your first mistake. Do not use Windows unless you really have to, and then use it only to run whatever app works only on Windows.

For everything else use Linux.

Also

Use a dedicated Linux machine only for making crypto transactions. Install only the official Electrum/Core wallet and do not install any other app on that PC.

If you don’t follow these safety protocols you’ll have problems again in the future.
?
Activity: -
Merit: -
A screenshot or transaction log would help a lot.

Can I send you a private message?
hero member
Activity: 560
Merit: 1060
✔️ CoinJoin Wallet
Friends, thank you for the detailed explanations. I have already come to terms with this issue. Apparently, someone else needed my money more.

A screenshot or transaction log would help a lot.

However, since the website is the legit one, it must be something else that you did that caused the loss.

Either the wallet file was compromised, or the seed phrase was compromised. Or, even more possible, the computer itself was accessed unwillingly.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched.
~snip~


If you are 100% sure that this is the case, then you have no choice but to format the disk and install a new OS. Some will tell you that in that case you should consider Linux because it is far more secure than Windows, but I think it all comes down to how someone uses their computer and what kind of online activities they have.

If you download pirated software, movies and visit websites that are risky, then you should not have any sensitive data on that computer. The question is whether a good antivirus/firewall would help in your case, but that's irrelevant now.
?
Activity: -
Merit: -
I would still be very interested to know what exactly happened in any case, and especially if you ever invest in BTC again in the future. In that case, I would recommend a hardware wallet, preferably open source and trusted by the community.

I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched. Unfortunately, Windows Defender didn’t detect it. This was my mistake.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
Friends, thank you for the detailed explanations. I have already come to terms with this issue. Apparently, someone else needed my money more.

You always have the option to report the case to the police, especially if it's a significant amount - who knows, maybe one day they'll catch the person behind everything, and if you don't do anything, you won't have any chance to get your coins back.

I would still be very interested to know what exactly happened in any case, and especially if you ever invest in BTC again in the future. In that case, I would recommend a hardware wallet, preferably open source and trusted by the community.
?
Activity: -
Merit: -
Friends, thank you for the detailed explanations. I have already come to terms with this issue. Apparently, someone else needed my money more.
legendary
Activity: 2646
Merit: 6681
Self-proclaimed Genius
Is it possible to obtain logs from the ELECTRUM servers to understand what happened? Was the recovery phrase guessed (restoring the wallet), or was the wallet file itself stolen? Can such logs be provided, or is it impossible?
If you're thinking that the servers work like a centralized service and Electrum wallets are just GUI clients that connect to them, it doesn't work that way.
Those servers are just Bitcoin nodes that your client (Electrum) asks to check for wallet-related transactions; it's all for syncing purposes, and your wallet does most of the wallet functions itself.
If you can request logs from the server you were connected to during that time, they can present you with your addresses in relation to the IP address you used to connect (not too useful).
Some of them don't even store logs.

For the control of your funds, the wallet file saved on your drive hodls your private keys, which are what's required to sign transactions.
So the attack vectors are your seed phrase, which can derive your private keys; the private keys themselves; and your online machine, from which both can be stolen.

If there are logs to identify which one was used, they aren't related to Electrum.
For example, if the wallet file is the target, the attacker doesn't even have to open Electrum.
They'll just go to ".../electrum/wallets" and copy the file, then wait for you to type your password (like opening it after the update) to steal it.
Then they don't need to use your Electrum client to send.
Make sure to preserve the state of that machine as much as possible for forensic examiners who know how to handle computers.
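The copy-the-wallet-file attack described in this post needs nothing more than read access to the wallet directory. A cheap defender-side control is to make sure no other local account can read or write that directory, and to check it periodically. The script below is an added example, not code from the poster or from the Electrum project; it assumes the Linux default location `~/.electrum/wallets` (overridable through a hypothetical `ELECTRUM_WALLET_DIR` variable) and uses only POSIX `find`, `ls` and `chmod`, so it behaves the same on GNU and BSD userlands.

```shell
#!/bin/sh
# Added example, not code from the thread or the Electrum project.
# Audit (and optionally harden) the directory that holds Electrum wallet files
# so that no other local account can read or write them.
# Default path assumed: ~/.electrum/wallets on Linux. ELECTRUM_WALLET_DIR is a
# hypothetical override used only by this script.
WALLET_DIR="${ELECTRUM_WALLET_DIR:-$HOME/.electrum/wallets}"

# group_other_bits PATH -> the six group/other permission characters from
# `ls -ld`, e.g. "r-xr-x" for mode 755 and "------" for 700 or 600.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# loose_files DIR -> regular files under DIR that group or world can read or
# write. Symbolic -perm is POSIX, so GNU and BSD find agree on it.
loose_files() {
    find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) 2>/dev/null
}

# audit_wallet_dir DIR -> 0 when DIR is owner-only and contains no loose file,
# 1 otherwise (offenders are printed so the user can see what to fix).
audit_wallet_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    rc=0
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "directory is not owner-only: $dir ($(group_other_bits "$dir"))"
        rc=1
    fi
    offenders=$(loose_files "$dir")
    if [ -n "$offenders" ]; then
        printf 'group/world-accessible wallet files:\n%s\n' "$offenders"
        rc=1
    fi
    return $rc
}

# harden_wallet_dir DIR -> owner-only directory (700) and files (600).
# Electrum only needs the owning user to read and write these files.
harden_wallet_dir() {
    chmod 700 "$1" && find "$1" -type f -exec chmod 600 {} +
}

if audit_wallet_dir "$WALLET_DIR"; then
    echo "wallet directory permissions look fine: $WALLET_DIR"
fi
```

Run it as the user who owns the wallet; if it reports offenders, `harden_wallet_dir "$WALLET_DIR"` fixes the modes, and a second audit should then pass. This does not stop malware running as your own user (the scenario in the thread), but it does remove the easier path through shared machines and misconfigured backups, and a failed audit on a directory you never touched is itself a signal worth preserving for the examiner.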