
Topic: My wallet has been hacked. What to do? - page 2. (Read 535 times)

member
Activity: 111
Merit: 17
March 20, 2023, 03:33:52 AM
#28
No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows user's Roaming directory, and you can clean it up with a clean reinstall of Windows. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.
Before I answer: I have read your post twice, so I took the quote of @bitmover's question, which asks where you save the seed phrase, which I think is a good question for finding a solution to the problem you are facing, friend.

Where did you store your seed? On paper? If not, that is a mistake.

I'm learning and you're probably at the learning stage too. But you're a little careless in my opinion.



Nope, this is a different case with yours. No files were deleted from OP's wallet.
Oh yeah. Hope there's a solution
hero member
Activity: 2212
Merit: 670
Signature designer - start @$10 - PM me!
March 20, 2023, 12:43:40 AM
#27
2 rat03gopoh

As I expected, it works. I just copied the Electrum profile folder and pointed the standalone version to it. And after entering the password, I got access without any questions. On a completely different PC with a different address.

Hell, that's an elephant-sized security hole!
Thanks for the effort, definitely not a good security method. I thought this theft was by someone around you. But...

This is the same question I asked in a self-made
Nope, this is a different case with yours. No files were deleted from OP's wallet.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
March 19, 2023, 08:17:06 PM
#26

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.
Well, I have seen sports bookies also send txs with higher fees. If I remember correctly, I even saw a 100 sats/vByte tx sent to me from a sportsbook. I guess they don't care about the fees, as they have a lot of other things to look into.

thanks everyone for the replies.
Perhaps the translation was not very accurate - my English is far from ideal and I have to use Google.

The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
And, yes, I have an idea of how the blockchain works. Please don't waste your time visualizing how much smarter you are. Thank you.
The way you are explaining it, it sounds like you have your wallet stored on a USB stick or removable storage. You go to different places, copy the wallet file, do your things and then delete the file from the device. By any chance, are you using internet cafes where they allow you to work on a PC for a small service charge? I hope I am wrong.

And one more thing, guys, it's about a security issue - look at this, from 3 days ago
https://github.com/spesmilo/electrum/issues/8244
Doesn't it look like something has just begun?
I'm gonna ask there as well.
Was your wallet a 2-of-2 multisig wallet?

I guess every one of us is having difficulty understanding your English. Sorry.
jr. member
Activity: 48
Merit: 2
March 19, 2023, 12:52:10 PM
#25
2 DireWolfM14

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.

Do you remember where you downloaded the software from?
Of course I do. I answered this question of yours on GitHub already and can repeat the answer here -
Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)
This is the same question I asked in a self-made topic where I asked when we reinstall our laptop, will the assets stored in Electrum be deleted?
Almost all of the answers I got were automatically the same, that is, deleted, except that when reinstalling the laptop, the seed phrase is still stored, allowing it to be re-entered.
No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows user's Roaming directory, and you can clean it up with a clean reinstall of Windows. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
March 19, 2023, 12:17:43 PM
#24

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.

Do you remember where you downloaded the software from?
member
Activity: 111
Merit: 17
March 19, 2023, 12:07:40 PM
#23
Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)
This is the same question I asked in a self-made topic where I asked when we reinstall our laptop, will the assets stored in Electrum be deleted?
Almost all of the answers I got were automatically the same, that is, deleted, except that when reinstalling the laptop, the seed phrase is still stored, allowing it to be re-entered.

There is no solution to your problem unless you still have your seed phrase saved, so the question of where you saved your seed is a good one, because if you didn't save your seed then you can't get your balance back.
jr. member
Activity: 48
Merit: 2
March 19, 2023, 08:49:07 AM
#22
Well, I haven't tried this anywhere else, but - yes, that's what I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.

Not necessary, but if you wanna do it, then please use the "temp-wallet" profile. Just wondering if you've ever accessed your wallet on another device (not yours) without making sure it's safe from being infected with malware, or if you simply trust the owner.
Thank you for your worry, but first, my wallet is empty now, as you know, and second, I have several servers which I can use safely.

2All - the story has some new facts - there is another user with the same problem. Check my question at the issues page and the new replies there
https://github.com/spesmilo/electrum/issues/8263



2 rat03gopoh

As I expected, it works. I just copied the Electrum profile folder and pointed the standalone version to it. And after entering the password, I got access without any questions. On a completely different PC with a different address.

Hell, that's an elephant-sized security hole! If you steal a profile, you can easily bruteforce a password, and this is clearly easier than bruteforcing a seed phrase! Whoever said that deleting a profile from a PC and storing it in an archive under an additional password is a waste of time - do they want to repeat that phrase again? Wink

>>
Since nobody paid attention to the above TXID, here are just some statistics
https://www.blockchain.com/explorer/transactions/btc/ccd6dbffcdf801821906d21e426f9f170b49fa0fb97edcbe01e538c32651788e

6.57549844 BTC was dropped on the hacker's address in total.
I'm proud of myself - I'm in the top five cool losers. There are only two dudes cooler than me, with 0.5 BTC and one with 0.7 BTC. They .ucked everyone they could hook - there is an address from which they took as much as 0.0.000019 BTC - this dude is definitely laughing, because this amount would not even be enough for him to withdraw interest)

[moderator's note: consecutive posts merged]
hero member
Activity: 2212
Merit: 670
Signature designer - start @$10 - PM me!
March 19, 2023, 03:17:14 AM
#21
Well, I haven't tried this anywhere else, but - yes, that's what I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.

Not necessary, but if you wanna do it, then please use the "temp-wallet" profile. Just wondering if you've ever accessed your wallet on another device (not yours) without making sure it's safe from being infected with malware, or if you simply trust the owner.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
March 19, 2023, 01:46:20 AM
#20
The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
Look.
The transaction is dated 03/12/2023. At this point, there was no Electrum profile on the PC.
So basically, you're using the command line option -D or --dir to specify a custom data directory (the "profile folder")?

If so, it'll only provide you a "false sense of security", since it's still connected to the internet and using a possibly compromised PC.
Even if the wallet and data directory are not on your PC at that time, the hacker will only need one chance to get your private keys or seed phrase during the times when you unpack it.
With that info alone, he can create his own copy of your wallet that can send transactions anytime he likes.

Doesn't it look like something has just begun?
I'm gonna ask there as well.
It happens all the time, usually it's the user's fault. However, we can't discount the possibility of a bug or security issue.
jr. member
Activity: 48
Merit: 2
March 18, 2023, 12:41:29 PM
#19
And one more thing, guys, it's about a security issue - look at this, from 3 days ago
https://github.com/spesmilo/electrum/issues/8244
Doesn't it look like something has just begun?
I'm gonna ask there as well.
jr. member
Activity: 48
Merit: 2
March 18, 2023, 11:31:07 AM
#18
You didn't answer my question in the beginning. In the first post.

Where did you store your seed?

All you said about archive program and password means nothing and this doesn't increase your security.

With the seed anyone can just download electrum and move your coins. The seed should be your main concern.

The seed phrase should always be written on paper, which is unhackable.

It is very likely that your computer is compromised and the hacker just got access to your seed. This may have happened in the time you just created the wallet and saw the seed for the first time or later on.
The seed file is always located in another archive, also under a password. I never turn to it - there is no need. It has not been available on the PC for many years.



There was no text file with the phrase. And I haven't logged into Electrum since January. None of this is stored in decrypted form anywhere else. Knowing only the password, I assume it is impossible to access the wallet. So another option suggests itself - a vulnerability in Electrum itself, the specified version. It was this executable file that was last executed in January. And it was taken from the link from the previous version, also from the official location.
Can you clarify these a bit?
Do you mean that when you created the wallet it didn't give you a text/seed phrase?
No. Of course, when creating the wallet, the seed phrase was generated and I have it. But, as I already answered above to another participant, I do not use it - to access the wallet, it is enough to point the program at the folder with the wallet and enter the correct password.

There was a vulnerability in Electrum before, but it was fixed in 3.3.4; lower versions are still prone to phishing. You might have had an older version than 3.3.4 and recently updated it to the latest version, since you said that you downloaded the latest version by using the link from the previous version, which is possibly a phishing site.

And did you just install it without verifying the installer with the GPG tool?

I don't have any issue using the latest version but if you believe that it's a vulnerability you are free to report it directly on their GitHub page and then bring some proof that there is a leak.
I know about the vulnerability in 3.3.3. I can’t say which version I started working with this wallet with, but the exe file was always downloaded from the official website using the link from the status bar of the program. In the first message, I indicated that the last access was using version 4.3.3, which officially has no vulnerabilities at the moment.



It is a pity that this will not help me or the users of the wallet in any way - it means that there will still be the same leaks from the wallets of other owners.

You still don't seem to understand. Electrum happens to be one of the most widely used desktop wallets, along with Bitcoin Core, and has a vast user base of millions of individuals worldwide who utilize it at any given moment. It's highly unlikely that any security vulnerabilities within the software would go unnoticed, given the sheer volume of users and the attention that such flaws would attract online. I'm not saying it's impossible, just very unlikely. So, rather than making baseless accusations, it would be more constructive to provide evidence to support your claims.
I guess users of version 3.3.3 have also been told, right?
I chose it precisely for its prevalence and reviews, in a very distant year. I haven't had any problems before this incident.

About 3rd party... I mean somebody did this without hacking my PC. I don't know how it could be done, and it looks impossible to me too.

Electrum is open-source software. Feel free to review the code yourself and report any loopholes or vulnerabilities you find.
I doubt very much that my level of knowledge of languages will allow me to understand the code. Have you been able to, or did you just decide to show sarcasm? )

But above I wrote why I think that access to my PC at the time of the specified date would not have given anything, even if it had happened.

After reading your explanation, I must say that I have serious concerns regarding your OPSEC and its effectiveness. Deleting your wallet profile after each use provides no significant protection, as it offers no real advantage in terms of security, unless you used an offline, air-gapped device to sign your transactions. Similarly, there is little advantage to adding another password to the archive, since the wallet file's encryption already provides an adequate level of protection and is virtually impossible to break.
But it certainly won't get any worse, right? When an object is present but encrypted, that's one thing. But when an object is missing, it doesn't matter if it's encrypted, it just doesn't exist.
hero member
Activity: 1456
Merit: 940
🇺🇦 Glory to Ukraine!
March 18, 2023, 11:23:48 AM
#17
It is a pity that this will not help me or the users of the wallet in any way - it means that there will still be the same leaks from the wallets of other owners.

You still don't seem to understand. Electrum happens to be one of the most widely used desktop wallets, along with Bitcoin Core, and has a vast user base of millions of individuals worldwide who utilize it at any given moment. It's highly unlikely that any security vulnerabilities within the software would go unnoticed, given the sheer volume of users and the attention that such flaws would attract online. I'm not saying it's impossible, just very unlikely. So, rather than making baseless accusations, it would be more constructive to provide evidence to support your claims.

About 3rd party... I mean somebody did this without hacking my PC. I don't know how it could be done, and it looks impossible to me too.

Electrum is open-source software. Feel free to review the code yourself and report any loopholes or vulnerabilities you find.

But above I wrote why I think that access to my PC at the time of the specified date would not have given anything, even if it had happened.

After reading your explanation, I must say that I have serious concerns regarding your OPSEC and its effectiveness. Deleting your wallet profile after each use provides no significant protection, as it offers no real advantage in terms of security, unless you used an offline, air-gapped device to sign your transactions. Similarly, there is little advantage to adding another password to the archive, since the wallet file's encryption already provides an adequate level of protection and is virtually impossible to break.
jr. member
Activity: 48
Merit: 2
March 18, 2023, 11:23:26 AM
#16
The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.

Please tutor me on your security method of extracting the Electrum profile file elsewhere (tbh this is the first time I've heard of this method).
So, anyone who has the profile folder and (somehow) has the encryption password to the folder and the access password to Electrum will be able to open your Electrum profile and do anything, including sweeping your balance, right?
Does it also work when accessing the profile using another device with a copy of that profile file, and have you tried it?
Well, I haven't tried this anywhere else, but - yes, that's what I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
March 18, 2023, 10:21:31 AM
#15
There was no text file with the phrase. And I haven't logged into Electrum since January. None of this is stored in decrypted form anywhere else. Knowing only the password, I assume it is impossible to access the wallet. So another option suggests itself - a vulnerability in Electrum itself, the specified version. It was this executable file that was last executed in January. And it was taken from the link from the previous version, also from the official location.
Can you clarify these a bit?
Do you mean that when you created the wallet it didn't give you a text/seed phrase?

There was a vulnerability in Electrum before, but it was fixed in 3.3.4; lower versions are still prone to phishing. You might have had an older version than 3.3.4 and recently updated it to the latest version, since you said that you downloaded the latest version by using the link from the previous version, which is possibly a phishing site.

And did you just install it without verifying the installer with the GPG tool?

I don't have any issue using the latest version but if you believe that it's a vulnerability you are free to report it directly on their GitHub page and then bring some proof that there is a leak.
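The reply above asks whether the installer was verified with GPG before it was run. As an added example, not code from this thread or from the Electrum project, here is a small POSIX shell script that does that check for any downloaded installer and its detached signature. It assumes the developer's public key has already been obtained from a source independent of the download site and saved to a file, and that the expected key fingerprint has been confirmed out of band; the fingerprint in the script is a labelled placeholder, and the file and function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the Electrum project): verify a downloaded
# installer against its detached GPG signature before running it.
# Assumptions (labelled): the signing public key is already saved in a local file,
# fetched from a source independent of the download page; EXPECTED_FPR_PLACEHOLDER
# must be replaced with the fingerprint you confirmed out of band.
set -u

EXPECTED_FPR_PLACEHOLDER="REPLACE WITH THE SIGNING KEY FINGERPRINT YOU VERIFIED OUT OF BAND"

# Normalise a fingerprint for comparison: strip whitespace, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when two fingerprints are identical after normalisation.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Import the key file into a throwaway keyring and print the first primary-key
# fingerprint ("fpr" record, field 10 of gpg's --with-colons output).
key_fingerprint() {
    _home=$1; _keyfile=$2
    gpg --batch --homedir "$_home" --import "$_keyfile" >/dev/null 2>&1 || return 1
    gpg --batch --homedir "$_home" --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_download KEYFILE INSTALLER SIGNATURE EXPECTED_FPR
# Returns 0 only when the imported key matches the pinned fingerprint AND the
# detached signature validates over the installer bytes; 2 on a fingerprint
# mismatch, 3 on a bad signature, 1 on any other failure.
verify_download() {
    _keyfile=$1; _installer=$2; _sig=$3; _expected=$4
    _home=$(mktemp -d) || return 1
    chmod 700 "$_home"
    _fpr=$(key_fingerprint "$_home" "$_keyfile") || { rm -rf "$_home"; return 1; }
    if ! fpr_matches "$_fpr" "$_expected"; then
        echo "key fingerprint $_fpr does not match the pinned value; refusing" >&2
        rm -rf "$_home"; return 2
    fi
    # gpg --verify SIG FILE checks the detached signature over FILE's bytes.
    if gpg --batch --homedir "$_home" --verify "$_sig" "$_installer" 2>/dev/null; then
        echo "signature OK: $_installer is signed by key $_fpr"
        rm -rf "$_home"; return 0
    fi
    echo "BAD signature on $_installer: do not run it" >&2
    rm -rf "$_home"; return 3
}

# Usage: sh verify_installer.sh KEYFILE INSTALLER INSTALLER.asc EXPECTED_FPR
if [ "$#" -eq 4 ]; then
    verify_download "$1" "$2" "$3" "$4"
fi
```

Pinning the fingerprint is the part that matters: a signature that validates only proves the file was signed by whoever holds the key you imported, so a key fetched from the same page as a tampered download proves nothing. The throwaway keyring keeps the check independent of whatever is already trusted in the user's main GPG keyring.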
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
March 18, 2023, 04:39:37 AM
#14
thanks everyone for the replies.
Perhaps the translation was not very accurate - my English is far from ideal and I have to use Google.

The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
And, yes, I have an idea of how the blockchain works. Please don't waste your time visualizing how much smarter you are. Thank you.

You didn't answer my question in the beginning. In the first post.

Where did you store your seed?

All you said about archive program and password means nothing and this doesn't increase your security.

With the seed anyone can just download electrum and move your coins. The seed should be your main concern.

The seed phrase should always be written on paper, which is unhackable.

It is very likely that your computer is compromised and the hacker just got access to your seed. This may have happened in the time you just created the wallet and saw the seed for the first time or later on.
hero member
Activity: 2212
Merit: 670
Signature designer - start @$10 - PM me!
March 18, 2023, 12:48:48 AM
#13
The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.

Please tutor me on your security method of extracting the Electrum profile file elsewhere (tbh this is the first time I've heard of this method).
So, anyone who has the profile folder and (somehow) has the encryption password to the folder and the access password to Electrum will be able to open your Electrum profile and do anything, including sweeping your balance, right?
Does it also work when accessing the profile using another device with a copy of that profile file, and have you tried it?
jr. member
Activity: 48
Merit: 2
March 17, 2023, 07:23:25 PM
#12
There is no tech support for Electrum; this section is the right place to seek help with Electrum. Or, if you have some issues or bugs, you can report them on their GitHub; check the link below

- https://github.com/spesmilo/electrum/issues


But you cannot report your issue there because you were hacked or have a compromised wallet.

What I guess is that you are being phished or your PC is compromised; would you mind telling us what 3rd party you mentioned above?

Look.
The transaction is dated 03/12/2023. At this point, there was no Electrum profile on the PC. And there was no text file with the phrase. And I haven't logged into Electrum since January. None of this is stored in decrypted form anywhere else. Knowing only the password, I assume it is impossible to access the wallet. So another option suggests itself - a vulnerability in Electrum itself, the specified version. It was this executable file that was last executed in January. And it was taken from the link from the previous version, also from the official location.
It is a pity that this will not help me or the users of the wallet in any way - it means that there will still be the same leaks from the wallets of other owners.

About 3rd party... I mean somebody did this without hacking my PC. I don't know how it could be done, and it looks impossible to me too. But above I wrote why I think that access to my PC at the time of the specified date would not have given anything, even if it had happened.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
March 17, 2023, 06:23:44 PM
#11
There is no tech support for Electrum; this section is the right place to seek help with Electrum. Or, if you have some issues or bugs, you can report them on their GitHub; check the link below

- https://github.com/spesmilo/electrum/issues


But you cannot report your issue there because you were hacked or have a compromised wallet.

What I guess is that you are being phished or your PC is compromised; would you mind telling us what 3rd party you mentioned above?
jr. member
Activity: 48
Merit: 2
March 17, 2023, 06:01:09 PM
#10
thanks everyone for the replies.
Perhaps the translation was not very accurate - my English is far from ideal and I have to use Google.

The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
And, yes, I have an idea of how the blockchain works. Please don't waste your time visualizing how much smarter you are. Thank you.
hero member
Activity: 504
Merit: 625
Pizza Maker 2023 | Bitcoinbeer.events
March 17, 2023, 03:31:43 PM
#9

The wallet profile was missing on the PC, as well as the passphrase to restore it. I don't think it's my PC. I believe that the actions were carried out on a third-party resource. Does Electrum have tech support to check this? How can I contact them?



What do you mean by third party? Do you think of any program in particular that could be complicit? Second question: is it a hardware wallet connected to Electrum?