
Topic: My coins were stolen after updating the Electrum Wallet. (Read 464 times)

legendary
Activity: 2604
Merit: 2353
I make a point of never using Windows for anything crypto related.

Instead, I use Linux.

I've had a wallet created for many years but I think I have only ever entered it onto computers a total of three times,

Yesterday I updated my Electrum wallet from 4.5.4 to 4.5.8. This is my usual process of updating:
[...]
It's great, but when you use Electrum with a hardware wallet you don't need to do all this stuff, especially changing your operating system just to use your cryptos while you need Windows for work and other things. Your seed will never be exposed to Electrum nor to your computer whatever the situation, so even if your setup is hacked or you've downloaded a phishing version of Electrum, the hacker won't be able to steal your seed in any way. So having exposed his seed 3 times to a Linux environment is already a higher risk and less safe than anyone using a HW on whatever OS. People can find pretty cheap HW devices in 2025; fortunately they don't need to change their OS and learn a completely new one just to use cryptos.
legendary
Activity: 1568
Merit: 6660
I make a point of never using Windows for anything crypto related.

Instead, I use Linux.

I've had a wallet created for many years but I think I have only ever entered it onto computers a total of three times,

Yesterday I updated my Electrum wallet from 4.5.4 to 4.5.8. This is my usual process of updating:

1. I open Kleopatra, where all three maintainers' signing keys are located and certified
2. Then I go to this page: https://bitcointalksearch.org/topic/guide-how-to-safely-download-and-verify-electrum-guide-5240594 and click on the Electrum website from there (I never type it in the url box directly!)
3. After that, I download Electrum and the signature file as usual.
4. I then verify the GPG signature to make sure that they all match up
5. I use the Python bundle instead of the AppImage or another format, so when I start Electrum and it prompts me to enter my password, I
  i) open the task manager
  ii) ensure that the electrum binary that is running is at the exact path I expect it to be installed in - usually some /bin directory
  iii) check the python site_packages to make sure everything is correct

and then we're good to go!
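The verification steps in the post above (download the binary and its detached signature, then check the GPG signature against the maintainers' keys you have certified) can be wrapped in a small script. The example below is added here and is not code from Electrum or from the poster. It calls `gpg --status-fd 1 --verify` and parses gpg's machine-readable status lines rather than grepping the human-readable "Good signature" text, because gpg reports GOODSIG for any key in your keyring, not only the maintainers'; the point of the allowlist is that a "good" signature from an unexpected key is still a rejection. The fingerprints in `TRUSTED_FINGERPRINTS` and the sample status output are constructed placeholders, not the real maintainers' keys.

```python
"""Gate a download on a GPG signature from an allowlisted maintainer key.

Added example (not code from Electrum or from the forum poster). Wraps
`gpg --status-fd 1 --verify` and checks the signing key's fingerprint against
an allowlist instead of trusting gpg's "Good signature" text alone.
"""
import subprocess

# Constructed placeholder fingerprints: replace with the fingerprints you have
# certified in your own keyring (e.g. in Kleopatra) for the three maintainers.
TRUSTED_FINGERPRINTS = frozenset({
    "1111111111111111111111111111111111111111",  # placeholder: maintainer A
    "2222222222222222222222222222222222222222",  # placeholder: maintainer B
    "3333333333333333333333333333333333333333",  # placeholder: maintainer C
})


def parse_gpg_status(status_text):
    """Reduce gpg --status-fd output to the facts that decide acceptance."""
    facts = {"goodsig": False, "badsig": False, "no_pubkey": False,
             "fingerprints": set()}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword == "GOODSIG":
            facts["goodsig"] = True
        elif keyword in ("BADSIG", "ERRSIG"):
            facts["badsig"] = True
        elif keyword == "NO_PUBKEY":
            facts["no_pubkey"] = True
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # Field 2 is the fingerprint of the (sub)key that made the signature;
            # the last field is the primary key fingerprint. Record both so an
            # allowlist of primary-key fingerprints still matches signing subkeys.
            facts["fingerprints"].add(fields[2].upper())
            facts["fingerprints"].add(fields[-1].upper())
    return facts


def signature_acceptable(status_text, trusted=TRUSTED_FINGERPRINTS):
    """True only if gpg reports a good signature AND the key is on the allowlist."""
    facts = parse_gpg_status(status_text)
    if facts["badsig"] or facts["no_pubkey"] or not facts["goodsig"]:
        return False
    return bool(facts["fingerprints"] & {f.upper() for f in trusted})


def verify_download(artifact_path, signature_path, trusted=TRUSTED_FINGERPRINTS):
    """Run gpg on a downloaded file plus its detached .asc and apply the allowlist.

    Requires gpg on PATH and the maintainers' keys already imported; this is the
    check a downloader runs before launching the new binary.
    """
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, artifact_path],
        capture_output=True, text=True, check=False,
    )
    return signature_acceptable(proc.stdout, trusted)


# Constructed sample status output, shaped like what gpg emits with --status-fd 1.
STATUS_TRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Maintainer A <a@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-11-22 1732270000 0 4 0 1 10 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# gpg calls this signature "good" because the key is in the keyring, but the key
# is not one of the maintainers': it must be rejected.
STATUS_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9999999999999999 Someone Else <x@example.invalid>
[GNUPG:] VALIDSIG 9999999999999999999999999999999999999999 2024-11-22 1732270000 0 4 0 1 10 00 9999999999999999999999999999999999999999
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1111111111111111 Maintainer A <a@example.invalid>
"""

STATUS_NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1111111111111111 1 10 00 1732270000 9 1111111111111111111111111111111111111111
[GNUPG:] NO_PUBKEY 1111111111111111
"""

if __name__ == "__main__":
    samples = [("trusted", STATUS_TRUSTED), ("unknown key", STATUS_UNKNOWN_KEY),
               ("bad signature", STATUS_BAD), ("missing key", STATUS_NO_KEY)]
    for name, text in samples:
        print(f"{name:14s} -> {'ACCEPT' if signature_acceptable(text) else 'REJECT'}")
```

Only `verify_download` touches gpg; the parsing and the allowlist decision are pure functions, so they can be exercised against the constructed status samples without a keyring. In real use, `verify_download("electrum-4.5.8-portable.exe", "electrum-4.5.8-portable.exe.asc")` returns True only when the signature is valid and was made by one of the keys you put in the allowlist.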
hero member
Activity: 560
Merit: 1060
Because of its largest market share, Windows is the number one target platform for malware and hackers. That's probably the main reason to not use the Windows platform for your crypto stuff. It's like walking with a target board front and back over a shooting range. Not wise...

I don't really agree with this. Definitely Windows is the OS that suffers the most attacks because of (as you said) being the most commercial OS and because it's expensive and people want to target it.

On the other hand, I reckon Linux is the best OS for bitcoiners, but let's be honest, if we want massive adoption, it can't happen without Windows users.
hero member
Activity: 714
Merit: 1010
~~~
You can operate Windows safe enough for crypto, though I would recommend a Linux OS, too.

It's users that compromise safety by using their daily drivers for crypto. They install every shit on their system, have countless browser extensions of possibly questionable reputation, use cracked software or whatnot and click on every link that screams "click me!". I'm maybe exaggerating a tiny little bit...

Because of its largest market share, Windows is the number one target platform for malware and hackers. That's probably the main reason to not use the Windows platform for your crypto stuff. It's like walking with a target board front and back over a shooting range. Not wise...
legendary
Activity: 2604
Merit: 2353
Windows + crypto.

Using windows was your first mistake. Do not use windows unless you really have to and use it then only to run whatever app that only works on windows.

For everything else use Linux.

Also

Use a dedicated linux machine only for making crypto transactions. Install only the official electrum/core wallet and Do not install any other app on that PC.

If you don’t follow these safety protocols you’ll have problems again in the future.
If Windows is not safe, why are Electrum and every crypto wallet available on it without any warning? I don't understand. Literally billions of people are using Windows currently; if cryptos can't be used on it, cryptos are just dead. Or they are back to the same number of users as 15 years ago, and the price that goes with it. I've been using Windows for years and I've personally never been hacked once.
?
Activity: -
Merit: -
I believe OP must simply wait in case the official request they've made brings any results and, at the same time, they should consider the money as lost, unfortunately.


Agreed. My point with mentioning that was perhaps it'll help identify the trigger factor. Since OP mentioned it happened during a wallet update and then mentioned perhaps it was a trojan.

If there's some exchange / btc seller who asks for some software to be installed and uses that as the trojan carrier it may at least help the OP (and potentially others who use / used a similar service) be safer in future.

Fully agreed the money is lost. "Not your keys not your coins ™️"
hero member
Activity: 560
Merit: 1060
Any idea who "3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN" is

3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN paid to both

 134SvJZPQC88egkhjMMTLoAfh7AGGPAW59
 19tc6mDnsrAzHMn57ULx1QsNTwEVFe3DHa

And then from both wallets btc went to bc1qqe5jnqp0jx7h2lh9ewrt0s9hh5uccmkc7fp3xe

So most likely the source of the issue may be connected with whatever mechanism was used to request btc from 3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN

Looks like an exchange, judging from the amount of BTC it has traded (received/sent).
I don't think it will help OP though, since doing chain analysis/forensics is both painful (since they lost money) and tiring (thanks to pseudonymity).
I believe OP must simply wait in case the official request they've made brings any results and, at the same time, they should consider the money as lost, unfortunately.
?
Activity: -
Merit: -
I don’t think it’s such a big deal if I share the transaction log. The amount isn’t that large, actually.

transaction log:

Code:
82e6cdff856f272a75a1c608bf5b095391982f80361adde2422ee9bdda77373a

My small personal investigation in the visualizer shows that the funds passed through two intermediary wallets before reaching the ChangeNOW exchange. Additionally, the final wallet received funds from other third-party wallets, which were likely hacked as well.

https://lite.crystalintelligence.com/visualization/UrkpNKhyBsmp34TP?x=-351.8907470703125&y=-226.3876953125&k=0.9372476935386658

As a result of my small investigation, I contacted the ChangeNOW exchange and informed them about the exchange of stolen funds through their platform. Their response was that they had blocked the source addresses, although I suspect these were disposable anyway. They also requested an official police inquiry.

Additionally, I reached out to Binance, notifying them that stolen BTC had been transferred to their platform. Perhaps they can flag the funds in their system in some way.

Any idea who "3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN" is


3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN paid to both

 134SvJZPQC88egkhjMMTLoAfh7AGGPAW59
 19tc6mDnsrAzHMn57ULx1QsNTwEVFe3DHa

And then from both wallets btc went to bc1qqe5jnqp0jx7h2lh9ewrt0s9hh5uccmkc7fp3xe

So most likely the source of the issue may be connected with whatever mechanism was used to request btc from 3M1bA9wB3rHrhntQbCNxDnWHTp6XWU7GtN
hero member
Activity: 560
Merit: 1060
I don’t think it’s such a big deal if I share the transaction log. The amount isn’t that large, actually.

transaction log:

Code:
82e6cdff856f272a75a1c608bf5b095391982f80361adde2422ee9bdda77373a

My small personal investigation in the visualizer shows that the funds passed through two intermediary wallets before reaching the ChangeNOW exchange. Additionally, the final wallet received funds from other third-party wallets, which were likely hacked as well.

I don't know how you've ended up with this argument, but since you've already contacted ChangeNow and they requested an official inquiry for the money loss, I guess there's nothing more to say in this topic.

Sorry for the loss.

Have a good day and best of luck!
?
Activity: -
Merit: -
I don’t think it’s such a big deal if I share the transaction log. The amount isn’t that large, actually.

transaction log:

Code:
82e6cdff856f272a75a1c608bf5b095391982f80361adde2422ee9bdda77373a

My small personal investigation in the visualizer shows that the funds passed through two intermediary wallets before reaching the ChangeNOW exchange. Additionally, the final wallet received funds from other third-party wallets, which were likely hacked as well.

https://lite.crystalintelligence.com/visualization/UrkpNKhyBsmp34TP?x=-351.8907470703125&y=-226.3876953125&k=0.9372476935386658

As a result of my small investigation, I contacted the ChangeNOW exchange and informed them about the exchange of stolen funds through their platform. Their response was that they had blocked the source addresses, although I suspect these were disposable anyway. They also requested an official police inquiry.

Additionally, I reached out to Binance, notifying them that stolen BTC had been transferred to their platform. Perhaps they can flag the funds in their system in some way.



i hope the bitcoin you lost wasn't a big blow for you.

how do you think you got infected? did you use torrent, or maybe you downloaded cracked software or something like that?
Also, just to be safe, you should change passwords, wipe the disk clean and reinstall Windows. But if you have a powerful machine, I would install Linux Mint and use a virtual machine to run Windows instead. And definitely get a hardware wallet (not Ledger, they suck) in the future.


It wasn't as painful as it was frustrating that I didn't anticipate this scenario.

Thank you, the first thing I did was create a system image, then I formatted the disk.
The critical passwords were changed first.
hero member
Activity: 560
Merit: 1060
A screenshot or transaction log would help a lot.

Can I send you a private message?

Could you please share the info with everyone here?
I can assist you, but there are other users more experienced than me.
At the same time, I wanna do things transparently!

If you have any issue with importing images in your posts, consider uploading the picture on a file server and share the link.

talkimg.org is a great option if you can do it, but I am not sure because there are rank limitations in the forum!
hero member
Activity: 510
Merit: 574
I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched. Unfortunately, Windows Defender didn’t detect it. This was my mistake.

i hope the bitcoin you lost wasn't a big blow for you.

how do you think you got infected? did you use torrent, or maybe you downloaded cracked software or something like that?
Also, just to be safe, you should change passwords, wipe the disk clean and reinstall Windows. But if you have a powerful machine, I would install Linux Mint and use a virtual machine to run Windows instead. And definitely get a hardware wallet (not Ledger, they suck) in the future.
legendary
Activity: 3276
Merit: 2442
I would still be very interested to know what exactly happened in any case, and especially if you ever invest in BTC again in the future. In that case, I would recommend a hardware wallet, preferably open source and trusted by the community.

I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched. Unfortunately, Windows Defender didn’t detect it. This was my mistake.


Windows + crypto.

Using windows was your first mistake. Do not use windows unless you really have to and use it then only to run whatever app that only works on windows.

For everything else use Linux.

Also

Use a dedicated linux machine only for making crypto transactions. Install only the official electrum/core wallet and Do not install any other app on that PC.

If you don’t follow these safety protocols you’ll have problems again in the future.
?
Activity: -
Merit: -
A screenshot or transaction log would help a lot.

Can I send you a private message?
hero member
Activity: 560
Merit: 1060
Friends, thank you for the detailed explanations. I have already come to terms with this issue. Apparently, someone else needed my money more.

A screenshot or transaction log would help a lot.

However, since the website is the legit one, then it must be something else that you did that caused the loss.

Either the wallet file was compromised, or the seed phrase was compromised. Or, even more possible, the computer itself was accessed unwillingly.
legendary
Activity: 3234
Merit: 5637
I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched.
~snip~


If you are 100% sure that this is the case, then you have no choice but to format the disk and install a new OS. Some will tell you that in that case you should consider Linux because it is far more secure than Windows, but I think it all comes down to how someone uses their computer and what kind of online activities they have.

If you download pirated software, movies and visit websites that are risky, then you should not have any sensitive data on that computer. The question is whether a good antivirus/firewall would help in your case, but that's irrelevant now.
?
Activity: -
Merit: -
I would still be very interested to know what exactly happened in any case, and especially if you ever invest in BTC again in the future. In that case, I would recommend a hardware wallet, preferably open source and trusted by the community.

I think, and now I’m even certain, that there was a Trojan on my computer that activated when the wallet was launched. Unfortunately, Windows Defender didn’t detect it. This was my mistake.
legendary
Activity: 3234
Merit: 5637
Friends, thank you for the detailed explanations. I have already come to terms with this issue. Apparently, someone else needed my money more.

You always have the option to report the case to the police, especially if it's a significant amount - who knows, maybe one day they'll catch the person behind everything, and if you don't do anything, you won't have any chance to get your coins back.

I would still be very interested to know what exactly happened in any case, and especially if you ever invest in BTC again in the future. In that case, I would recommend a hardware wallet, preferably open source and trusted by the community.
?
Activity: -
Merit: -
Friends, thank you for the detailed explanations. I have already come to terms with this issue. Apparently, someone else needed my money more.
legendary
Activity: 2646
Merit: 6681
Is it possible to obtain logs from the ELECTRUM servers to understand what happened? Was the recovery phrase guessed (restoring the wallet), or was the wallet file itself stolen? Can such logs be provided, or is it impossible?
If you're thinking that the servers work like a centralized server and Electrum wallets are just GUI clients that connect to them, it doesn't work that way.
Those servers are just Bitcoin nodes that your client (Electrum) asks to check for wallet-related transactions; it's all for syncing purposes, and your wallet does most of the wallet functions.
If you can request logs from the server you were connected to during that time, they can present you your addresses in relation to the IP address you used to connect (not too useful).
Some of them do not even store logs.

For the control of your funds, your wallet file that's saved in your drive hodls your private keys which is what's required to sign transactions.
So the attack vectors are your seed phrase that can derive your private keys, private keys and your online machine where both can be stolen from.

If there're logs to identify which one was utilized, it isn't related to Electrum.
For example; if the wallet file is the target, the attacker doesn't even have to open Electrum.
They'll just go to ".../electrum/wallets" and copy the file, then wait for you to type your password (like opening it after the update) to steal it.
Then they don't need to use your Electrum client to send.
Make sure to preserve the state of that machine as much as possible for forensics experts who know how to handle computers.
legendary
Activity: 2772
Merit: 3114
Unfortunately, getting access to Electrum's server logs is highly unlikely (if such data even exists). Perhaps it would be possible if you were running your own Electrum server, but I'm not sure, as I've never done it myself.
Even if such a thing were possible, I don't see how this data could help him figure out what happened!

OP, did you open/use your wallet since the last time you made that big deposit in 2022, and was your wallet file encrypted with a password?
The most likely scenario is that your device was infected with a keylogger or some other malware and you exposed your seed / wallet file password when you imported your wallet into the new portable version.
legendary
Activity: 1526
Merit: 1359
Is it possible to obtain logs from the ELECTRUM servers to understand what happened? Was the recovery phrase guessed (restoring the wallet), or was the wallet file itself stolen? Can such logs be provided, or is it impossible?

Unfortunately, getting access to Electrum's server logs is highly unlikely (if such data even exists). Perhaps it would be possible if you were running your own Electrum server, but I'm not sure, as I've never done it myself.
legendary
Activity: 3500
Merit: 3249
Yes, I’m using the "portable" version. The wallet file is correct, and all transactions are visible.

Can you clarify this since you said that you installed the latest version of the portable wallet? How about your old wallet? Is it the portable one or the installer?

If the old wallet is not a portable one, then how did you import your old wallet to a latest electrum portable wallet?

Or maybe you did update it from an old Electrum wallet, because Electrum versions older than 3.3.4 are vulnerable to phishing attacks; they might redirect you to a phishing site that looks like the original Electrum site.
If that's what you did, your coins are totally lost.

This is the bad practice to avoid when recovering an old Electrum wallet next time. The best thing you need to do is to always do it on an offline PC and only take the master public key and import it to another device with the Electrum wallet, because online devices are always vulnerable to online attacks that do not require your permission or consent.
hero member
Activity: 2366
Merit: 793
Let’s assume the phrase was stolen, but why specifically after the wallet update?

P.S. It's a pity about my funds; I was confident this was a secure place to store them.

Can you check whether the funds that went out of your wallet left in the same time frame as when you installed the new version?

You might have used the device for browsing other stuff, and that's likely when it got stolen, so you just assumed that the funds were stolen due to the upgrade. There are no security vulnerabilities found in that version, so there's nothing wrong with the wallet file since you mentioned it's downloaded from the official site.
legendary
Activity: 3234
Merit: 5637
The course of events suggests that the main culprit for what happened should be the wallet update - but if you are 100% sure that you downloaded the files from a legitimate website and you have also verified the files, then such a scenario makes no sense.

As for someone guessing your seed, the chances are really small or nonexistent - because although many people think it's not difficult to guess 12 words, things are much more complicated than they seem at first glance. There is a much higher chance that someone managed to get hold of your backup, especially if you saved it anywhere online, or maybe on a computer as a plain text document without encryption.

Also, if you haven't saved a backup of your wallet file somewhere where it would be easily accessible, if someone manages to steal it, it means that you have something on your computer that allows a hacker to take complete control over your device (RAT).
?
Activity: -
Merit: -
There is still a possibility that your computer has been compromised by malware. But are you sure the transaction occurred after the wallet upgrade? You might have only noticed it after the wallet synced with the network. Have you checked the transaction details on a public blockchain explorer?

It can be assumed that this is an unknown type of malware, as a possibility. I checked the transaction, and it is recent. Is it possible to obtain logs from the ELECTRUM servers to understand what happened? Was the recovery phrase guessed (restoring the wallet), or was the wallet file itself stolen? Can such logs be provided, or is it impossible?

The Electrum software is safe and secure, but that doesn't mean you are invincible. There is always a risk, whether it's a sneaky malware attack or a simple mistake on your part. This is why serious long-term holders prefer cold storage methods over hot wallets.

Thank you for the advice.

Have you used the "portable" version previously?
Yes, I’m using the "portable" version. The wallet file is correct, and all transactions are visible.
legendary
Activity: 2646
Merit: 6681
-snip- Yesterday, I downloaded the latest portable version of the wallet (electrum-4.5.8-portable.exe) from the official website. Here's the link: https[Suspicious link removed]

Today, I was robbed, and the entire amount was transferred from my wallet. What can I do in this situation?
Is there a displayed transaction that sent the entire amount or just a blank transaction history?
Have you used the "portable" version previously?

Because if there's no history and you've used it before but had been using the stand-alone or installed version,
you could be looking at a different wallet stored in the "electrum_data/wallets" folder where the 'electrum-4.5.8-portable.exe' binary is located.

Otherwise (if not), don't mind this post and refer to others' replies.
My best guess is: a rogue server might have logged your IP and transactions and found that it has a "significant amount".
With that info (especially the IP address), they attempted to hack your computer for vulnerabilities through other means,
since they can't do it through Electrum but it's possible on a vulnerable device connected to the internet.
legendary
Activity: 2044
Merit: 1018
This is why serious long-term holders prefer cold storage methods over hot wallets.
A cold storage wallet is the best choice, but if you can't have one, a multisig wallet with some co-signers on different devices is a good alternative option.

The risk that all devices of the cosigners are compromised is not too high.

Assume the fund is lost forever; it's time to clean up that computer and consider better alternatives: a cold wallet or a multisig wallet.
Creating a multisig wallet with Electrum.
legendary
Activity: 1526
Merit: 1359
Let’s assume the phrase was stolen, but why specifically after the wallet update?

There is still a possibility that your computer has been compromised by malware. But are you sure the transaction occurred after the wallet upgrade? You might have only noticed it after the wallet synced with the network. Have you checked the transaction details on a public blockchain explorer?

P.S. It's a pity about my funds; I was confident this was a secure place to store them.

The Electrum software is safe and secure, but that doesn't mean you are invincible. There is always a risk, whether it's a sneaky malware attack or a simple mistake on your part. This is why serious long-term holders prefer cold storage methods over hot wallets.
legendary
Activity: 2604
Merit: 2353
Let’s assume the phrase was stolen, but why specifically after the wallet update?

P.S. It's a pity about my funds; I was confident this was a secure place to store them.
Yes, that's very surprising. But do you remember if you've done something with your seed on your computer recently? Have you copied it or displayed it in whatever way? How have you imported it into your new Electrum wallet? Is it by just using your old wallet file, or did you create a new wallet and enter it manually? What operating system are you using? Have you performed a virus scan on your system, in order to see if it finds something wrong?
Yes, I'm sorry for your funds; it's always very unfair to be a victim of theft, even when there is no physical assault.
?
Activity: -
Merit: -
Let’s assume the phrase was stolen, but why specifically after the wallet update?

P.S. It's a pity about my funds; I was confident this was a secure place to store them.
?
Activity: -
Merit: -
I checked the signatures, and everything is indeed correct.
legendary
Activity: 1512
Merit: 4795
It seems to be the legit website. Have you tried to check its PGP signature in order to see if it's a legit file or if the website has been hacked somehow? Are you able to see the transaction and the recipient address where your funds have been sent? You can see that in a blockchain explorer.
The website is not hacked. Probably his wallet was compromised at his end, and it's not a general problem.

If there is an outgoing transaction from your wallet that you did not initiate, it means someone else has gained access to your wallet. It sounds like you either downloaded a fake wallet, thinking it was the real deal but did not verify it, or your computer has been compromised by some malware. Either way, it's not good news.
It is the legit wallet if he truly downloaded it from the official website. Another way the wallet can be compromised is if he kept the seed phrase where it is vulnerable to offline attack, in a way that the attacker could see the seed phrase and use it to compromise the wallet.
legendary
Activity: 1526
Merit: 1359
Today, I was robbed, and the entire amount was transferred from my wallet. What can I do in this situation?

I doubt that there is much you can do at this point. You probably lost your coins for good.

If there is an outgoing transaction from your wallet that you did not initiate, it means someone else has gained access to your wallet. It sounds like you either downloaded a fake wallet, thinking it was the real deal but did not verify it, or your computer has been compromised by some malware. Either way, it's not good news.
legendary
Activity: 2604
Merit: 2353
The site is original, here’s the link.

https:// download. electrum. org/ 4.5.8/ electrum-4.5.8-portable.exe
It seems to be the legit website. Have you tried to check the PGP signature in order to see if it's a legit file or if the website has been hacked somehow? Are you able to see the transaction and the recipient address where your funds have been sent? You can see that in a blockchain explorer.
How have you entered your seed on your new wallet or you have used your old wallet file? Have you manipulated your seed recently on this computer, disclosing it in a way or another? Your computer could have been infected by a malware spying your activity and able to catch your seed once displayed.
?
Activity: -
Merit: -
The site is original, here’s the link.

https:// download. electrum. org/ 4.5.8/ electrum-4.5.8-portable.exe
legendary
Activity: 2758
Merit: 6830
The link has been removed by the forum. Could you post again with a space in the middle?

But if it wasn't ELECTRUM.ORG, then it's fake.
?
Activity: -
Merit: -
Could you advise me on my case? In 2015, I created a wallet and used it irregularly. In 2022, I deposited a significant amount into this wallet. Yesterday, I downloaded the latest portable version of the wallet (electrum-4.5.8-portable.exe) from the official website. Here's the link: https[Suspicious link removed]

Today, I was robbed, and the entire amount was transferred from my wallet. What can I do in this situation?