Topic: My wallet has been hacked. What to do? (Read 455 times)

legendary
Activity: 2394
Merit: 5531
Self-proclaimed Genius
April 02, 2023, 12:45:22 AM
#48
I wanted to clarify - does everyone know that this same file contains your seed phrase as well? Even if you write it on your forehead and pull a cap down over your very nose, if this file falls into the wrong hands, the phrase will also be in those hands, and the wallet can be restored as many times as the thief wants, no matter how you change the password on the remaining copies of yours?
Yes, it's in the wallet file, protected only by your password; if no password is set, it's in plain text that can even be read with a text editor.
Even if you change that password or set a password on one copy of the wallet file, the other copies won't be affected by that password change.

That's because the wallet file, password and seed phrase aren't saved on a server but on the local machine where the wallet is stored.

PS: by the way, who was the genius who put that game in as a captcha? I could hardly understand what was needed from me and how to achieve it. You might as well have forced us to solve Newton's binomial :)
This year's "April Fools" event wasn't as crazy as the previous ones, IMO.

For reference, here's the admin's reply to the "captcha update" thread: Re: New CAPTCHA now required before posting
Here's the list of previous April Fools threads: [Compilation] All pranks that was made by theymos in every April Fools Day come.
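The post above explains that the wallet file carries the seed and is protected only by the password (and the same point underlies the "elephant-sized security hole" posts further down). The following is an added example, not Electrum's own code: it inspects a copy of a wallet file the way someone who stole it would, to show exactly what leaks without any password. It relies on the file layout Electrum uses (plain JSON when there is no file password; otherwise a base64 blob whose decoded bytes start with the magic `BIE1` for password encryption or `BIE2` for xpub encryption). The word-pattern heuristic and all four sample files are constructed for this example; the seed words are placeholders, not a real seed.

```python
"""
Added example, not Electrum's own code: inspect a copy of an Electrum wallet
file the way a thief would, to see what it gives away without a password.

Electrum keeps a wallet either as plain JSON text (no file password) or as a
base64 blob whose decoded bytes begin with b"BIE1" (encrypted with a key
derived from the user's password) or b"BIE2" (encrypted to the wallet's own
xpub). In a plain JSON file the seed words sit at keystore.seed; if the user
protected only the keystore, that value is a base64 ciphertext instead of
words. The word-pattern check and the sample files are assumptions/constructs.
"""
import base64
import json
import re
from typing import Any, Dict

MAGIC_PASSWORD = b"BIE1"   # whole-file encryption, key derived from the password
MAGIC_XPUB = b"BIE2"       # whole-file encryption to the wallet's xpub

# Electrum and BIP39 mnemonics are 12 to 24 lowercase words separated by single
# spaces; a base64 ciphertext never matches this shape (heuristic, not Electrum's).
SEED_WORDS_RE = re.compile(r"^[a-z]+( [a-z]+){11,23}$")


def storage_kind(raw: str) -> str:
    """Classify the file by the magic prefix found after base64 decoding."""
    try:
        magic = base64.b64decode(raw.strip(), validate=True)[:4]
    except ValueError:          # not base64 at all, e.g. JSON starting with "{"
        return "plaintext"
    if magic == MAGIC_PASSWORD:
        return "encrypted-password"
    if magic == MAGIC_XPUB:
        return "encrypted-xpub"
    return "plaintext"


def inspect_wallet(raw: str) -> Dict[str, Any]:
    """Report what a thief learns from the file without knowing any password."""
    report: Dict[str, Any] = {
        "storage": storage_kind(raw),
        "seed_present": False,
        "seed_readable": False,
        "xprv_readable": False,
    }
    if report["storage"] != "plaintext":
        return report           # ciphertext only: an offline password-guessing target
    try:
        data = json.loads(raw)
    except ValueError:
        report["storage"] = "unknown"
        return report
    keystore = data.get("keystore") or {}   # multisig wallets use x1/, x2/, ... instead
    seed = keystore.get("seed")
    if isinstance(seed, str):
        report["seed_present"] = True
        report["seed_readable"] = bool(SEED_WORDS_RE.match(seed))
    xprv = keystore.get("xprv")
    # An extended private key is as good as the seed for spending everything.
    report["xprv_readable"] = isinstance(xprv, str) and xprv.startswith(("xprv", "yprv", "zprv"))
    return report


# --- constructed sample files (placeholder words and keys, nothing real) ------
PLAINTEXT_WALLET = json.dumps({
    "wallet_type": "standard",
    "keystore": {
        "type": "bip32",
        "seed": "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima",
        "xprv": "xprvPLACEHOLDER",
        "xpub": "xpubPLACEHOLDER",
    },
})
# Same wallet with only the keystore password-protected: the secrets are stored
# as base64 ciphertext inside otherwise readable JSON.
KEYSTORE_ENCRYPTED_WALLET = json.dumps({
    "wallet_type": "standard",
    "keystore": {
        "type": "bip32",
        "seed": base64.b64encode(bytes(range(48))).decode(),
        "xprv": base64.b64encode(bytes(range(96))).decode(),
        "xpub": "xpubPLACEHOLDER",
    },
})
# Whole-file encryption: only the magic prefix is recognisable from outside.
FILE_ENCRYPTED_WALLET = base64.b64encode(MAGIC_PASSWORD + bytes(range(120))).decode()
XPUB_ENCRYPTED_WALLET = base64.b64encode(MAGIC_XPUB + bytes(range(64))).decode()

if __name__ == "__main__":
    for name, raw in [("plaintext", PLAINTEXT_WALLET),
                      ("keystore-only password", KEYSTORE_ENCRYPTED_WALLET),
                      ("file password", FILE_ENCRYPTED_WALLET),
                      ("xpub-encrypted", XPUB_ENCRYPTED_WALLET)]:
        print(f"{name:24} -> {inspect_wallet(raw)}")
```

The practical point: in every case except the plaintext one the thief gets ciphertext, but ciphertext he can attack offline, at his own pace, with no lockout, so the strength of that one password is the whole defence once the file has been copied. Changing the password on your remaining copies does nothing to the copy he already has.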
jr. member
Activity: 48
Merit: 2
April 01, 2023, 04:40:58 PM
#47
The OP doesn't seem interested in evaluating his own habits and practices to make sure this never happens again.  Doing so would equate to taking responsibility and accountability for the loss, while it's much easier to blame the software or the developers.  I can't say that the OP is unique in this situation, the lack of accountability seems to be a societal plague these days.
Absolutely not. My first thought was "where and when did I mess up?" I frantically went over where I had been, what I had downloaded, what incidents had happened during this time, how long ago I had changed the password, etc. That is why your conclusion about my shirking responsibility misses the mark. And I tried to answer all your questions in as much detail as possible. That's why fewer questions were asked - and so the wrong picture comes out, especially in the context of the number of affected people.
And - yes, that's right, I'm upset that the money is lost - it had been accumulating there for more than one year, mind you. And it is precisely on the basis of an analysis of the general situation that I conclude that something more than just my mistake happened and that this software was unable to protect me.

As I wrote above, you can work with the wallet profile from another PC by simply entering the correct password. I wanted to clarify - does everyone know that this same file contains your seed phrase as well? Even if you write it on your forehead and pull a cap down over your very nose, if this file falls into the wrong hands, the phrase will also be in those hands, and the wallet can be restored as many times as the thief wants, no matter how you change the password on the remaining copies of yours?

PS: by the way, who was the genius who put that game in as a captcha? I could hardly understand what was needed from me and how to achieve it. You might as well have forced us to solve Newton's binomial :)
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
April 01, 2023, 02:22:37 PM
#46
the seed file is always located in another archive, also under a password. I never access it - there is no need. It has not been on the PC for many years.

When a software wallet like Electrum generates a new wallet, you're shown the wallet recovery words in an environment whose safety is basically unknown when it is an online computer. You can make this a rather safe environment when you boot from a known-safe system, like TAILS or a similar OS boot environment that starts from a known state. If you keep this offline during the wallet creation and destroy the environment before it can go online, you're likely pretty safe.

The wallet's recovery words have to be written down offline, no exception here unless you like to gamble. Trying to save the recovery words on a digital device that might go online at some point in the future is a recipe for disaster. Yes, yes, you shout, but it's an encrypted archive. Well, good luck with that. How strong is your encryption passphrase? Are you 100% sure (btw, you likely can't be) there's no malware, keylogger, whatever on your device?
Any online storage of your recovery words weakens the security to that of the encryption password. Typing this encryption password on an online device makes it susceptible to password stealers and keyloggers, not to mention danger from ransomware for digital storage schemes.

When you have written down the recovery words offline or stamped them in metal washers/plates, don't take a picture with your mobile device. Think about it!

Now you probably should try to remember when you handled your recovery words, in which environments (online? bad! offline? better, but it doesn't help much if the device goes online later) and under which circumstances.

It's way easier to make mistakes than to do it all right. Use a hardware wallet in the future, as decent ones are usually not affected by malware on a computer, as long as you carefully examine the transactions you're going to sign with the hardware wallet.
jr. member
Activity: 48
Merit: 2
March 29, 2023, 08:30:35 AM
#45
Your earlier post states you were virus checking the electrum file rather than using the signatures electrum provides for this purpose.  I suspect that's why you lost the Bitcoin, or because you did not use a hardware wallet or sign the transaction on an air-gapped computer.
I posted both answers - about the antivirus being OK and about GPG being OK. And - yes, I don't have a cold wallet; otherwise I wouldn't be writing this topic, right?

Maybe the hacker is very close to you. Does anyone have access to your computer? Do you have a weak login password? Do you have a login password at all? These things happen too. Maybe a friend of yours took a photo of your priv key with his cell phone while you were taking a piss and then he decided to rob you after a few days.
I have to repeat my answer - no one but the cat. To use a password the wallet file would need to be stolen, but it wasn't, as I already said.
Please be careful - many of the questions have already been asked and answered.
copper member
Activity: 2170
Merit: 4238
Join the world-leading crypto sportsbook NOW!
March 28, 2023, 12:53:50 PM
#44
Cases like this one only show that legacy banking isn't going away any time soon. Being your own bank is serious business. It is not a joke.

Unfortunately, this type of situation causes me to agree with you, as much as I don't want to.  But as has been demonstrated by the OP's comments on Github, he expects the development team to compensate him for his loss, as if bitcoin was FDIC insured.  Obviously it's not.

The OP doesn't seem interested in evaluating his own habits and practices to make sure this never happens again.  Doing so would equate to taking responsibility and accountability for the loss, while it's much easier to blame the software or the developers.  I can't say that the OP is unique in this situation, the lack of accountability seems to be a societal plague these days.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
March 26, 2023, 12:14:11 PM
#43
I am sure that even if it is confirmed that the attack was successful not due to user error, but using some kind of wallet vulnerability, Electrum does not compensate for the losses to its users, as Nicehash did in a similar situation.
Electrum doesn't run a for-profit business. They don't make money on our use of their software, so there is no pool of funds from where you could get compensated. Their software is free, you don't pay any fees to them for the product you use. It's open-source software where each user is responsible for protecting their sensitive information.
member
Activity: 108
Merit: 59
The Alliance of Bitcointalk Translators - ENG > TR
March 26, 2023, 12:04:49 PM
#42
Cases like this one only show that legacy banking isn't going away any time soon. Being your own bank is serious business. It is not a joke.

Can I do anything to return the money?

You can call the police. Nothing else can be done.



Maybe the hacker is very close to you. Does anyone have access to your computer? Do you have a weak login password? Do you have a login password at all? These things happen too. Maybe a friend of yours took a photo of your priv key with his cell phone while you were taking a piss and then he decided to rob you after a few days.
member
Activity: 81
Merit: 30
March 26, 2023, 11:47:19 AM
#41
Your earlier post states you were virus checking the electrum file rather than using the signatures electrum provides for this purpose.  I suspect that's why you lost the Bitcoin, or because you did not use a hardware wallet or sign the transaction on an air-gapped computer.


jr. member
Activity: 48
Merit: 2
March 26, 2023, 10:22:10 AM
#40
A few years ago there were some malicious Electrum servers broadcasting a message to Electrum users directing them to download and install a malware version of Electrum.  The malware wallet would send all the bitcoin in the wallet to the hacker's address whenever the user made an attempt to send any transaction.  I don't know if seed phrases were compromised by the same hack, but that certainly could have happened.
That's right. But I didn't have any problem with transactions to/from the wallet - everything was OK

I would suggest you start from scratch; fresh OS install, fresh Electrum install and make sure to verify the download before installing it, and then create a new seed.  Write the seed down on paper, and store it in a safe place.  Don't store the seed digitally, and don't store on any cloud servers.
It's clear. I'm going to create a new wallet. But I won't be able to change the settings of some stations that send BTC to this wallet's address, because I have no access to them right now. I'm unable to make sure whether someone else has access to my wallet, am I right?

Here's a guide for verifying Electrum with GPG: https://bitcointalksearch.org/topic/m.54223763
As I already noted, I've checked my exe's with GPG

In most cases concerning the theft of bitcoins, it's the user who made one or multiple mistakes. The problem is, people don't want to admit making mistakes, not to themselves and not to others. It's always something else that caused it.

Everything you do on that computer can potentially be a landmine because that's what happens if the device that holds your keys is constantly online and used for various other activities. You need to separate that. Getting a hardware wallet is the easiest way. Getting a second laptop with a genuine OS that you aren't going to use for other things online is another way. Using a completely airgapped solution is the least user-friendly but safest option.
You are right. But your advice is a bit late - I just lost all the coins. And given the fact that they had been mined over many years, it doesn't matter anymore; I'm unlikely to be able to get into the same situation in the near future.

The money was saved for the education of my kids or for the purchase of housing. Now it doesn't matter anymore. I am sure that even if it is confirmed that the attack succeeded not due to user error but through some kind of wallet vulnerability, Electrum will not compensate its users for the losses, as Nicehash did in a similar situation. Because it is always easier to write such things off as viruses, errors, licenses and other rubbish than to admit there is a problem and take responsibility for the result.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
March 26, 2023, 03:30:26 AM
#39
In most cases concerning the theft of bitcoins, it's the user who made one or multiple mistakes. The problem is, people don't want to admit making mistakes, not to themselves and not to others. It's always something else that caused it.

Everything you do on that computer can potentially be a landmine because that's what happens if the device that holds your keys is constantly online and used for various other activities. You need to separate that. Getting a hardware wallet is the easiest way. Getting a second laptop with a genuine OS that you aren't going to use for other things online is another way. Using a completely airgapped solution is the least user-friendly but safest option.
copper member
Activity: 2170
Merit: 4238
Join the world-leading crypto sportsbook NOW!
March 25, 2023, 08:25:15 PM
#38
I'm not a gamer at all; my only game is HMM 3.5, which was downloaded 15 years ago. About a year ago I had to leave my hometown because of the UA-RU war. I'm the only user of my laptop, and no one else can access it in the apartment - there's no one but the cat, who doesn't like BTC at all. During this time, nothing strange or dangerous happened to the software. The license is irrelevant to the situation, as it doesn't require cracks or anything like that. So I really don't have any options for how it could have happened, other than the seed having been stolen much earlier, more than a year or three years ago. But judging by what happened, one gets the impression not of long-term storage and use years after the theft, but that the penetration took place recently, which is impossible in my case.

A few years ago there were some malicious Electrum servers broadcasting a message to Electrum users directing them to download and install a malware version of Electrum.  The malware wallet would send all the bitcoin in the wallet to the hacker's address whenever the user made an attempt to send any transaction.  I don't know if seed phrases were compromised by the same hack, but that certainly could have happened.

I would suggest you start from scratch; fresh OS install, fresh Electrum install and make sure to verify the download before installing it, and then create a new seed.  Write the seed down on paper, and store it in a safe place.  Don't store the seed digitally, and don't store on any cloud servers.

Here's a guide for verifying Electrum with GPG: https://bitcointalksearch.org/topic/m.54223763
jr. member
Activity: 48
Merit: 2
March 25, 2023, 06:17:14 PM
#37
What about some other wallet software?  The fellow on Github whose funds were also stolen mentioned he had installed a wallet on a different machine; I'm assuming he means some software other than Electrum.  Have you used some other software to access your Electrum wallet, possibly?
No, I don't even know if it's

It's rather odd, because the other guy was using the Android software, and you indicated you're using Windows Desktop software.  The issue gives me the impression that a hacker gained access to your private keys or seed phrase, but to have done so on two separate platforms (operating systems) is rather unlikely.

I encourage you to think back to any risky behavior you may have engaged in that could have led to your being phished.
I couldn't remember anything like this from the last 3 years

But how then has your wallet been hacked?
I have no idea. I did everything to prevent this from happening

Which antivirus do you use on your computer? I think you downloaded a serious virus/malware somewhere.
Everybody says that. But the reality is - my PC is clean.  Online scanners confirm that as well. My resident AV is Kaspersky right now.

Tell us a bit more about the computer where you used Electrum and which holds your archived seed phrase.

What do you use it for? It makes no sense not telling the truth because it's an unfortunate learning experience. You are not going to get your BTC back, but you can learn what you did wrong and not repeat it again.

Do you use a genuine and licensed OS or a pirated one?
Do you use other pirated and cracked software on it?
Do you have other wallets installed on the same computer for any cryptocurrencies?
Is the .rar password easy to guess or bruteforce? Did you use the same password somewhere else?
Do you play cracked PC games, download torrents, watch porn, browse any other forums, software or hacking related?
Who else uses or has access to your computer?
Have you received any emails recently that you have clicked on or opened?
Are you active on Telegram or other social media and in what capacity?
What did you do in the days prior to your coins getting hacked? Did you visit any new sites, installed new software, talked with new people, anything out of the ordinary?
I'm not a gamer at all; my only game is HMM 3.5, which was downloaded 15 years ago. About a year ago I had to leave my hometown because of the UA-RU war. I'm the only user of my laptop, and no one else can access it in the apartment - there's no one but the cat, who doesn't like BTC at all. During this time, nothing strange or dangerous happened to the software. The license is irrelevant to the situation, as it doesn't require cracks or anything like that. So I really don't have any options for how it could have happened, other than the seed having been stolen much earlier, more than a year or three years ago. But judging by what happened, one gets the impression not of long-term storage and use years after the theft, but that the penetration took place recently, which is impossible in my case.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
March 25, 2023, 11:26:22 AM
#36
Tell us a bit more about the computer where you used Electrum and which holds your archived seed phrase.

What do you use it for? It makes no sense not telling the truth because it's an unfortunate learning experience. You are not going to get your BTC back, but you can learn what you did wrong and not repeat it again.

Do you use a genuine and licensed OS or a pirated one?
Do you use other pirated and cracked software on it?
Do you have other wallets installed on the same computer for any cryptocurrencies?
Is the .rar password easy to guess or bruteforce? Did you use the same password somewhere else?
Do you play cracked PC games, download torrents, watch porn, browse any other forums, software or hacking related?
Who else uses or has access to your computer?
Have you received any emails recently that you have clicked on or opened?
Are you active on Telegram or other social media and in what capacity?
What did you do in the days prior to your coins getting hacked? Did you visit any new sites, installed new software, talked with new people, anything out of the ordinary?
jr. member
Activity: 67
Merit: 8
March 23, 2023, 01:23:42 PM
#35
But how then has your wallet been hacked? Which antivirus do you use on your computer? I think you downloaded a serious virus/malware somewhere.
copper member
Activity: 2170
Merit: 4238
Join the world-leading crypto sportsbook NOW!
March 20, 2023, 04:14:16 PM
#34
Based on that transaction that you posted, and the other guy on Github whose funds were swept in the same transaction, I can only assume that your seed was compromised.  Did you sign up for any give-away or stake in some air-drop, or something of the sort?  Did you divulge your seed to any entity that promised you a reward of some type?
I never did anything with my seed at all

What about some other wallet software?  The fellow on Github whose funds were also stolen mentioned he had installed a wallet on a different machine; I'm assuming he means some software other than Electrum.  Have you used some other software to access your Electrum wallet, possibly?

It's rather odd, because the other guy was using the Android software, and you indicated you're using Windows Desktop software.  The issue gives me the impression that a hacker gained access to your private keys or seed phrase, but to have done so on two separate platforms (operating systems) is rather unlikely.

I encourage you to think back to any risky behavior you may have engaged in that could have led to your being phished.
jr. member
Activity: 48
Merit: 2
March 20, 2023, 12:44:12 PM
#33
Based on that transaction that you posted, and the other guy on Github whose funds were swept in the same transaction, I can only assume that your seed was compromised.  Did you sign up for any give-away or stake in some air-drop, or something of the sort?  Did you divulge your seed to any entity that promised you a reward of some type?
I never did anything with my seed at all
copper member
Activity: 2170
Merit: 4238
Join the world-leading crypto sportsbook NOW!
March 20, 2023, 11:26:26 AM
#32
Based on that transaction that you posted, and the other guy on Github whose funds were swept in the same transaction, I can only assume that your seed was compromised.  Did you sign up for any give-away or stake in some air-drop, or something of the sort?  Did you divulge your seed to any entity that promised you a reward of some type?
jr. member
Activity: 48
Merit: 2
March 20, 2023, 06:31:52 AM
#31
You can check the validity of each executable yourself by verifying their signatures.
Follow this guide to know how to verify your Electrum download: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
Signature files (.asc) for the older versions can be downloaded here: https://download.electrum.org/
thank you.
I checked the signatures for both downloaded executables - they have an identical result. No errors found

By the way, antivirus can't be a good indicator, since even real Electrum, especially the older versions, usually gets false-positive detections from some antivirus software.
I know. Just one more additional check
legendary
Activity: 2394
Merit: 5531
Self-proclaimed Genius
March 20, 2023, 06:05:57 AM
#30
-snip- I can upload previously used standalone - it wasn't deleted. And it was checked by an antivirus without any warnings as well as all other files on my laptop
You can check the validity of each executable yourself by verifying their signatures.

Follow this guide to know how to verify your Electrum download: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
Signature files (.asc) for the older versions can be downloaded here: https://download.electrum.org/

By the way, antivirus can't be a good indicator, since even real Electrum, especially the older versions, usually gets false-positive detections from some antivirus software.
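The two posts above point to the signature check as the real test of a download. What the guides usually leave out is that `gpg --verify` exits 0 for a good signature from any key in your keyring, so an installer signed by an attacker's key that you imported at some point passes an exit-code check. The following is an added example, not Electrum's or the linked guide's code: it parses gpg's machine-readable `--status-fd` output and accepts a file only when the `VALIDSIG` fingerprint matches a pinned developer key. It assumes `gpg` is on the PATH and the signer's key has already been imported; the pinned fingerprint is ThomasV's Electrum release key as published on electrum.org, which you should confirm yourself before relying on it. The status-line samples at the bottom are constructed, not captured from a real run.

```python
"""
Added example, not Electrum's or the linked guide's code: verify a download
against its detached .asc signature and check WHO signed it, using gpg's
machine-readable status lines instead of its exit code.
"""
import subprocess
from typing import List, Set

# Pinned release-signing key(s). A VALIDSIG from any other key is rejected.
# Fingerprint as published on electrum.org for ThomasV; confirm before pinning.
TRUSTED_FINGERPRINTS: Set[str] = {
    "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6",
}


def valid_signature_fingerprints(status_output: str) -> List[str]:
    """Fingerprints gpg reports on VALIDSIG lines, which it emits only for a
    cryptographically good signature. Field 2 is the signing (sub)key; field 11,
    when present, is its primary key. Either may be the one you pinned."""
    fprs: List[str] = []
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            fprs.append(fields[2].upper())
            if len(fields) >= 12:
                fprs.append(fields[11].upper())
    return fprs


def signature_is_trusted(status_output: str,
                         trusted: Set[str] = TRUSTED_FINGERPRINTS) -> bool:
    """True only if a VALIDSIG fingerprint is pinned. BADSIG, ERRSIG and
    NO_PUBKEY never yield a VALIDSIG line, so they fail here as well."""
    return any(f in trusted for f in valid_signature_fingerprints(status_output))


def verify_download(path: str, asc_path: str) -> bool:
    """Run gpg on the real files, e.g. the installer .exe and its .asc."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, path],
        capture_output=True, text=True, check=False)
    # Deliberately ignore proc.returncode: 0 only says "some known key signed it".
    return signature_is_trusted(proc.stdout)


# --- constructed gpg status output; dates and uids are placeholders ----------
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 2BD5824B7F9470E6 <uid>\n"
    "[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2023-03-01 1677628800 0 4 0 1 10 00 "
    "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Good signature, but by an unpinned key: exit code would be 0, yet we reject.
WRONG_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF <uid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-03-01 1677628800 0 4 0 1 10 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)
# Tampered binary: the signature does not verify at all.
BAD_SIG_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 2BD5824B7F9470E6 <uid>\n"

if __name__ == "__main__":
    for name, status in [("genuine", GOOD_STATUS),
                         ("wrong key", WRONG_KEY_STATUS),
                         ("bad signature", BAD_SIG_STATUS)]:
        print(f"{name:14}: trusted={signature_is_trusted(status)}")
```

Usage: `verify_download("electrum-4.3.3-setup.exe", "electrum-4.3.3-setup.exe.asc")` after importing the developer key as the guide describes. Keep the pinned fingerprint in your own notes, not in a file fetched from the same place as the binary, otherwise an attacker who controls the download also controls the check.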
jr. member
Activity: 48
Merit: 2
March 20, 2023, 05:56:08 AM
#29
since nobody paid attention to the above TXID - here is just statistics
Jeez, I think you used a fake Electrum.
Only if Electrum's link has fake exe's. I can upload the previously used standalone - it wasn't deleted. And it was checked by an antivirus without any warnings, as were all other files on my laptop

No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows user's Roaming directory, and a clean reinstall of Windows will wipe it. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.
Before answering, I read your post twice, so I took up the quoted question from @bitmover, who asks where you save the seed phrase, which I think is a good question for finding a solution to the problem you are facing, friend.
Thank you for trying, but I would like to ask you again to pay attention to my posts - I already answered that question
the seed file is always located in another archive, also under a password. I never access it - there is no need. It has not been on the PC for many years.
member
Activity: 111
Merit: 17
March 20, 2023, 04:33:52 AM
#28
No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows user's Roaming directory, and a clean reinstall of Windows will wipe it. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.
Before answering, I read your post twice, so I took up the quoted question from @bitmover, who asks where you save the seed phrase, which I think is a good question for finding a solution to the problem you are facing, friend.

Where did you stored your seed? In a paper? If not, that is a mistake.

I'm learning and you're probably at the learning stage too. But you're a little careless in my opinion.



Nope, this is a different case with yours. No files were deleted from OP's wallet.
Oh yeah. Hope there's a solution
hero member
Activity: 2002
Merit: 633
Your keys, your responsibility
March 20, 2023, 01:43:40 AM
#27
To rat03gopoh

as I expected, it works. I just copied the Electrum profile folder and pointed the standalone-version to it. And after entering the password, I got access without any questions. On a completely different PC with a different address.

Hell, that's an elephant-sized security hole!
Thanks for the effort, definitely not a good security method. I thought this theft was by someone around you. But...

This is the same question I asked in a self-made
Nope, this is a different case with yours. No files were deleted from OP's wallet.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
March 19, 2023, 09:17:06 PM
#26

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.
Well, I've seen sports bookies also send txs with higher fees. If I remember correctly, I even saw a 100 sats/vByte tx sent to me from a sportsbook. I guess they don't care about the fees, as they have a lot of other things to look into.

thanks everyone for the replies.
Perhaps the translation was not very accurate - my English is far from ideal and I have to use Google.

The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in an archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, point the program to this location, enter the password and get access. At the end, I close the program and archive the profile folder again, removing it from that location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and without access to the wallet file, access to transactions could be obtained.
And - yes, I imagine how the blockchain works. Please don't waste your time visualizing how much smarter you are. Thank you.
The way you are explaining it, it sounds like you have your wallet stored on a USB stick or removable storage. You go to different places, copy the wallet file, do your things and then delete the file from the device. By any chance, are you using internet cafes where they allow you to work on a PC for a small service charge? I hope I am wrong.

And one more thing guys, it's about security issue - look at this, 3 days ago
https://github.com/spesmilo/electrum/issues/8244
Doesn't it look like something has just begun?
I'm going to ask there as well
Your wallet was a 2 of 2 multisig wallet?

I guess everyone of us is having difficulty to understand your English. Sorry.
jr. member
Activity: 48
Merit: 2
March 19, 2023, 01:52:10 PM
#25
To DireWolfM14

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.

Do you remember where you downloaded the software from?
Of course I do. I answered this question of yours on github already and can repeat the answer here -
Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)
This is the same question I asked in a self-made topic, where I asked whether, when we reinstall our laptop, the assets stored in Electrum will be deleted.
Almost all the answers I got were automatically the same, that is, deleted, except that when reinstalling the laptop the seed phrase is still stored, allowing it to be re-entered.
No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows user's Roaming directory, and a clean reinstall of Windows will wipe it. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.
copper member
Activity: 2170
Merit: 4238
Join the world-leading crypto sportsbook NOW!
March 19, 2023, 01:17:43 PM
#24

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.

Do you remember where you downloaded the software from?
member
Activity: 111
Merit: 17
March 19, 2023, 01:07:40 PM
#23
Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)
This is the same question I asked in a self-made topic, where I asked whether, when we reinstall our laptop, the assets stored in Electrum will be deleted.
Almost all the answers I got were automatically the same, that is, deleted, except that when reinstalling the laptop the seed phrase is still stored, allowing it to be re-entered.

There is no solution to your problem unless you still have your seed phrase saved, so the question of where you saved your seed is a good one because if you didn't save your seed then you can't get your balance back.
jr. member
Activity: 48
Merit: 2
March 19, 2023, 09:49:07 AM
#22
well, I haven't tried this anywhere else, but - yes, that's what I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.

Not necessary, but if you want to do it, then please do it with the "temp-wallet" profile. Just wondering if you've ever accessed your wallet on another device (not yours) without making sure it's safe from malware infection, or whether you simply trust the owner.
Thank you for your concern, but first, my wallet is empty now, as you know, and second - I have several servers which I can use safely

To all - the story has some new facts - there is another user with the same problem. Check my question on the issues page and the new replies there
https://github.com/spesmilo/electrum/issues/8263



To rat03gopoh

as I expected, it works. I just copied the Electrum profile folder and pointed the standalone-version to it. And after entering the password, I got access without any questions. On a completely different PC with a different address.

Hell, that's an elephant-sized security hole! If you steal a profile, you can easily bruteforce the password, and this is clearly easier than bruteforcing a seed phrase! Whoever said that deleting the profile from the PC and storing it in an archive under an additional password is a waste of time - want to repeat that phrase again? ;)

since nobody paid attention to the above TXID - here is just statistics
https://www.blockchain.com/explorer/transactions/btc/ccd6dbffcdf801821906d21e426f9f170b49fa0fb97edcbe01e538c32651788e

6.57549844 BTC was dropped on the hacker's address in total.
I'm proud of myself - I'm in the top five cool losers. There are only two dudes cooler than me, with 0.5 BTC and one with 0.7 BTC. They f.cked everyone they could hook - there is an address from which they took as little as 0.0.000019 BTC - this dude is definitely laughing, because this amount wouldn't even be enough to pay the fee to withdraw it)

[moderator's note: consecutive posts merged]
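The post above turns on one question a defender can actually check before anything is stolen: if a copy of the Electrum data folder walks away, does the thief get a ciphertext that still needs the password, or the seed in the clear? The audit below is an added example written for this thread, not Electrum's own code. It assumes, from the Electrum source rather than from anything in this thread, that a password-encrypted wallet file base64-decodes to a blob starting with `BIE1` (user password) or `BIE2` (xpub password), and that an unencrypted file is JSON whose `keystore` (or `x1/`, `x2/` for multisig) holds `seed` and `xprv` fields, which are themselves base64 ciphertext when a password is set but file encryption was turned off. All three sample files are constructed here; none is a real wallet.

```python
"""Audit an Electrum wallet file: what could someone read from a stolen copy?"""
import base64
import json
import re

# Assumption from the Electrum source: an Electrum seed phrase is lowercase words
# separated by single spaces, 12 or more of them. Base64 ciphertext never matches.
MNEMONIC_RE = re.compile(r"^[a-z]+( [a-z]+){11,}$")


def classify_wallet(raw: str) -> dict:
    """Return the protection level of one wallet file's contents.

    container: 'encrypted-user-password' | 'encrypted-xpub-password' |
               'plaintext-json' | 'unrecognised'
    seed_in_clear: True if secrets are readable without any password
    exposed: which secret fields ('seed', 'xprv') are readable in the clear
    """
    # Electrum's storage layer base64-decodes the whole file and inspects the magic.
    try:
        magic = base64.b64decode(raw, validate=True)[:4]
    except (ValueError, TypeError):
        magic = b""
    if magic == b"BIE1":
        return {"container": "encrypted-user-password", "seed_in_clear": False, "exposed": []}
    if magic == b"BIE2":
        return {"container": "encrypted-xpub-password", "seed_in_clear": False, "exposed": []}

    # Not an encrypted container, so it should parse as JSON.
    try:
        data = json.loads(raw)
    except ValueError:
        return {"container": "unrecognised", "seed_in_clear": None, "exposed": []}

    # Single-sig wallets keep one "keystore"; multisig wallets use "x1/", "x2/", ...
    keystores = [v for k, v in data.items() if k == "keystore" or re.fullmatch(r"x\d+/", k)]
    exposed = []
    for ks in keystores:
        if not isinstance(ks, dict):
            continue
        seed = ks.get("seed")
        if isinstance(seed, str) and MNEMONIC_RE.match(seed):
            exposed.append("seed")          # mnemonic stored as readable words
        xprv = ks.get("xprv")
        if isinstance(xprv, str) and xprv.startswith(("xprv", "yprv", "zprv")):
            exposed.append("xprv")          # extended private key stored unencrypted
    return {"container": "plaintext-json", "seed_in_clear": bool(exposed), "exposed": exposed}


# Constructed samples (not real wallets, not real keys):
# 1. a password-encrypted container, as Electrum writes when "encrypt wallet file" is on
SAMPLE_ENCRYPTED = base64.b64encode(b"BIE1" + bytes(range(64))).decode()
# 2. a plaintext JSON file whose seed/xprv are still password-encrypted (base64 blobs)
SAMPLE_PW_ENCODED_SEED = json.dumps({
    "wallet_type": "standard",
    "use_encryption": True,
    "keystore": {
        "type": "bip32",
        "seed": base64.b64encode(bytes(range(48))).decode(),
        "xprv": base64.b64encode(bytes(range(48, 96))).decode(),
    },
})
# 3. a wallet that never had a password: everything is readable with a text editor
SAMPLE_UNPROTECTED = json.dumps({
    "wallet_type": "standard",
    "use_encryption": False,
    "keystore": {
        "type": "bip32",
        "seed": "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima",
        "xprv": "xprvPLACEHOLDER_NOT_A_REAL_KEY",
    },
})


def audit_files(files: dict) -> dict:
    """Classify several named wallet files at once (name -> raw content)."""
    return {name: classify_wallet(raw) for name, raw in files.items()}


if __name__ == "__main__":
    for name, verdict in audit_files({
        "encrypted": SAMPLE_ENCRYPTED,
        "pw_encoded_seed": SAMPLE_PW_ENCODED_SEED,
        "unprotected": SAMPLE_UNPROTECTED,
    }).items():
        print(f"{name:16s} {verdict}")
```

Run it against a real file with `classify_wallet(open(path).read())`. Only the first verdict means a stolen copy is useless without the password; the second still leaks the wallet's addresses and history, and the third is exactly the "readable by a text editor" case. In every case the copy keeps the password that was valid when it was taken, so the check is worth repeating on any backup that has been left behind on another machine.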
hero member
Activity: 2002
Merit: 633
Your keys, your responsibility
March 19, 2023, 04:17:14 AM
#21
well I haven't tried this anywhere else but - yes, that's what I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.

Not necessary, but if you wanna do, then pls with the "temp-wallet" profile. Just wondering if you've ever accessed your wallet on another device(not yours) without making sure if it's safe from being infected with malware or you simply trust the owner.
legendary
Activity: 2394
Merit: 5531
Self-proclaimed Genius
March 19, 2023, 02:46:20 AM
#20
The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
Look.
The transaction is dated 03/12/2023. At this point, there was no Electrum profile on the PC.
So basically, you're using the command line option -D or --dir to specify a custom data directory (the "profile folder")?

If so, it'll only provide you a "false sense of security" since it's still connected to the internet and using a possibly compromised PC.
Even if the wallet and data directory are not on your PC at that time, the hacker will only need one chance to get your private keys or seed phrase during the times when you unpack it.
With that info alone, he can create his own copy of your wallet that can send transactions anytime he likes.

Doesn't it look like something has just begun?
I'm gonna ask there as well
It happens all the time, usually it's the user's fault. However, we can't discount the possibility of a bug or security issue.
jr. member
Activity: 48
Merit: 2
March 18, 2023, 01:41:29 PM
#19
And one more thing guys, it's about security issue - look at this, 3 days ago
https://github.com/spesmilo/electrum/issues/8244
Doesn't it look like something has just begun?
I'm gonna ask there as well
jr. member
Activity: 48
Merit: 2
March 18, 2023, 12:31:07 PM
#18
You didn't answer my question in the beginning. In the first post.

Where did you store your seed?

All you said about archive program and password means nothing and this doesn't increase your security.

With the seed anyone can just download electrum and move your coins. The seed should be your main concern.

The seed phrase should always be written on paper, which is unhackable.

It is very likely that your computer is compromised and the hacker just got access to your seed. This may have happened in the time you just created the wallet and saw the seed for the first time or later on.
the seed file is always located in another archive, also under a password. I never turn to it - there is no need. It has not been available on the PC for many years.

There was no text file with the phrase. And I haven't logged into Electrum since January. None of this is stored in decrypted form anywhere else. Knowing only the password, I assume it is impossible to access the wallet. So another option suggests itself - the vulnerability of Electrum itself, the specified version. It was this executable file that was last executed in January. And it was taken from the link from the previous version, also from the official location.
Can you clarify these a bit?
Do you mean that when you created the wallet it didn't give you a text/seed phrase?
No. Of course, when creating the wallet, the seed phrase was generated and I have it. But, as I already answered above to another participant, I do not touch it - to access the wallet, it is enough to indicate the folder with the wallet to the program and enter the correct password.

There was a vulnerability in Electrum before, but it was fixed in 3.3.4; lower versions are still prone to phishing. You might have had an older version than 3.3.4 and recently updated it to the latest version, since you said that you downloaded the latest version by using the link from the previous version, which is possibly a phishing site.

And did you just install it without verifying the installer with the GPG tool?

I don't have any issue using the latest version but if you believe that it's a vulnerability you are free to report it directly on their GitHub page and then bring some proof that there is a leak.
I know about the vulnerability in 3.3.3. I can’t say which version I started working with this wallet with, but the exe file was always downloaded from the official website using the link from the status bar of the program. In the first message, I indicated that the last access was using version 4.3.3, which officially has no vulnerabilities at the moment.
It is a pity that this will not help me or the users of the wallet in any way - it means that there will still be the same leaks from the wallets of other owners.

You still don't seem to understand. Electrum happens to be one of the most widely used desktop wallets, along with Bitcoin Core, and has a vast user base of millions of individuals worldwide who utilize it at any given moment. It's highly unlikely that any security vulnerabilities within the software would go unnoticed, given the sheer volume of users and the attention that such flaws would attract online. I'm not saying it's impossible, just very unlikely. So, rather than making baseless accusations, it would be more constructive to provide evidence to support your claims.
I guess users of version 3.3.3 have also been told, right?
I chose it precisely for its prevalence and reviews in a very distant year. I haven't had any problems since, before this incident.

About 3rd party... I mean somebody did this without hacking my PC. I don't know how it could be done and it looks impossible to me too.

Electrum is open-source software. Feel free to review the code yourself and report any loopholes or vulnerabilities you find.
I doubt very much that my level of knowledge of languages will allow me to understand the code. Have you been able or just decided to show sarcasm? )

But above I wrote why I think that access to my PC at the time of the specified date would not have given anything even if it had happened

After reading your explanation, I must say that I have serious concerns regarding your OPSEC and its effectiveness. Deleting your wallet profile after each use provides no significant protection, as it offers no real advantage in terms of security, unless you used an offline, air-gapped device to sign your transactions. Similarly, there is little advantage to adding another password to the archive since the wallet file's encryption already provides an adequate level of protection and is virtually impossible to break.
But it certainly won't get any worse, right? When an object is present but encrypted, that's one thing. But when an object is missing, it doesn't matter if it's encrypted, it just doesn't exist.
hero member
Activity: 1414
Merit: 915
🇺🇦 Glory to Ukraine!
March 18, 2023, 12:23:48 PM
#17
It is a pity that this will not help me or the users of the wallet in any way - it means that there will still be the same leaks from the wallets of other owners.

You still don't seem to understand. Electrum happens to be one of the most widely used desktop wallets, along with Bitcoin Core, and has a vast user base of millions of individuals worldwide who utilize it at any given moment. It's highly unlikely that any security vulnerabilities within the software would go unnoticed, given the sheer volume of users and the attention that such flaws would attract online. I'm not saying it's impossible, just very unlikely. So, rather than making baseless accusations, it would be more constructive to provide evidence to support your claims.

About 3rd party... I mean somebody did this without hacking my PC. I don't know how it could be done and it looks impossible to me too.

Electrum is open-source software. Feel free to review the code yourself and report any loopholes or vulnerabilities you find.

But above I wrote why I think that access to my PC at the time of the specified date would not have given anything even if it had happened

After reading your explanation, I must say that I have serious concerns regarding your OPSEC and its effectiveness. Deleting your wallet profile after each use provides no significant protection, as it offers no real advantage in terms of security, unless you used an offline, air-gapped device to sign your transactions. Similarly, there is little advantage to adding another password to the archive since the wallet file's encryption already provides an adequate level of protection and is virtually impossible to break.
jr. member
Activity: 48
Merit: 2
March 18, 2023, 12:23:26 PM
#16
The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.

Please tutor me about your security method by extracting the electrum profile file elsewhere (tbh this is the first time I've heard of this method).
So, anyone who has the profile folder and (somehow) has the encryption password to the folder and the access password to electrum will be able to open your electrum profile and do anything including sweeping your balance, right?
Does it also work if accessing the profile using another device with a copy of that profile file and have you tried it?
well I haven't tried this anywhere else but - yes, that's what I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.
legendary
Activity: 3234
Merit: 2943
Block halving is coming.
March 18, 2023, 11:21:31 AM
#15
There was no text file with the phrase. And I haven't logged into Electrum since January. None of this is stored in decrypted form anywhere else. Knowing only the password, I assume it is impossible to access the wallet. So another option suggests itself - the vulnerability of Electrum itself, the specified version. It was this executable file that was last executed in January. And it was taken from the link from the previous version, also from the official location.
Can you clarify these a bit?
Do you mean that when you created the wallet it didn't give you a text/seed phrase?

There was a vulnerability in Electrum before, but it was fixed in 3.3.4; lower versions are still prone to phishing. You might have had an older version than 3.3.4 and recently updated it to the latest version, since you said that you downloaded the latest version by using the link from the previous version, which is possibly a phishing site.

And did you just install it without verifying the installer with the GPG tool?

I don't have any issue using the latest version but if you believe that it's a vulnerability you are free to report it directly on their GitHub page and then bring some proof that there is a leak.
legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet
March 18, 2023, 05:39:37 AM
#14
thanks everyone for the replies.
Perhaps the translation was not very accurate - my English is far from ideal and I have to use Google.

The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
And - yes, I imagine how the blockchain works. Please don't waste your time visualizing how much smarter you are. Thank you.

You didn't answer my question in the beginning. In the first post.

Where did you store your seed?

All you said about archive program and password means nothing and this doesn't increase your security.

With the seed anyone can just download electrum and move your coins. The seed should be your main concern.

The seed phrase should always be written on paper, which is unhackable.

It is very likely that your computer is compromised and the hacker just got access to your seed. This may have happened in the time you just created the wallet and saw the seed for the first time or later on.
hero member
Activity: 2002
Merit: 633
Your keys, your responsibility
March 18, 2023, 01:48:48 AM
#13
The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.

Please tutor me about your security method by extracting the electrum profile file elsewhere (tbh this is the first time I've heard of this method).
So, anyone who has the profile folder and (somehow) has the encryption password to the folder and the access password to electrum will be able to open your electrum profile and do anything including sweeping your balance, right?
Does it also work if accessing the profile using another device with a copy of that profile file and have you tried it?
jr. member
Activity: 48
Merit: 2
March 17, 2023, 08:23:25 PM
#12
There is no tech support for Electrum; this section is the right place to seek help with Electrum. Or if you have some issues or bugs you can report them on their GitHub; check the link below

- https://github.com/spesmilo/electrum/issues


But you can not report your issue there because you were hacked or have a compromised wallet.

What I guess is that you are being phished or your PC is compromised. Would you mind telling us what 3rd party you mention above?

Look.
The transaction is dated 03/12/2023. At this point, there was no Electrum profile on the PC. And there was no text file with the phrase. And I haven't logged into Electrum since January. None of this is stored in decrypted form anywhere else. Knowing only the password, I assume it is impossible to access the wallet. So another option suggests itself - the vulnerability of Electrum itself, the specified version. It was this executable file that was last executed in January. And it was taken from the link from the previous version, also from the official location.
It is a pity that this will not help me or the users of the wallet in any way - it means that there will still be the same leaks from the wallets of other owners.

About 3rd party... I mean somebody did this without hacking my PC. I don't know how it could be done and it looks impossible to me too. But above I wrote why I think that access to my PC at the time of the specified date would not have given anything even if it had happened
legendary
Activity: 3234
Merit: 2943
Block halving is coming.
March 17, 2023, 07:23:44 PM
#11
There is no tech support for Electrum; this section is the right place to seek help with Electrum. Or if you have some issues or bugs you can report them on their GitHub; check the link below

- https://github.com/spesmilo/electrum/issues


But you can not report your issue there because you were hacked or have a compromised wallet.

What I guess is that you are being phished or your PC is compromised. Would you mind telling us what 3rd party you mention above?
jr. member
Activity: 48
Merit: 2
March 17, 2023, 07:01:09 PM
#10
thanks everyone for the replies.
Perhaps the translation was not very accurate - my English is far from ideal and I have to use Google.

The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
That is, initially there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly, without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
And - yes, I imagine how the blockchain works. Please don't waste your time visualizing how much smarter you are. Thank you.
sr. member
Activity: 462
Merit: 603
Pizza Maker 2023 | Bitcoinbeer.events
March 17, 2023, 04:31:43 PM
#9
The wallet profile was missing on the PC, as well as the passphrase to restore it. I don't think it's my PC. I believe that the actions were carried out on a third-party resource. Does Electrum have tech support to check this? How can I communicate them?

What do you mean third party?  Do you think of any program in particular that could be complicit?  Second question is it a hardware wallet connected to electrum?
hero member
Activity: 1414
Merit: 915
🇺🇦 Glory to Ukraine!
March 17, 2023, 02:46:03 PM
#8
The wallet profile was missing on the PC, as well as the passphrase to restore it. I don't think it's my PC.

It is unclear which profile is missing from your PC. Can you specify? Do you have any idea how this occurred?
This fact itself tells us that your computer is very likely infected with some malware.

I believe that the actions were carried out on a third-party resource. Does Electrum have tech support to check this? How can I communicate them?

Electrum is a self-custody wallet, meaning that you are the only one who possesses your private keys, and there is no third-party resource that could cause you to lose your coins. However, if you have saved your seed phrase to an external source, that was a major security failure on your part.
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
March 17, 2023, 02:20:20 PM
#7
Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)

I will start by telling that the bitcoins never stay in the wallet. The wallet only handles the keys.
So there's an extremely good chance that somebody got access to your wallet seed, restored (basically obtained a copy of) your wallet and then spent your coins.
Since bitcoin transactions are irreversible, if the transaction is confirmed you cannot get your money back.

What can you do? Try to find out how your seed got stolen - is your system compromised, or did you save the seed in mail, or cloud? (If your system is compromised you may lose more than only the bitcoins). As the others said: learn how bitcoin works, learn to keep your money safer, consider buying a hardware wallet for your coins.
hero member
Activity: 966
Merit: 511
🇵🇭
March 17, 2023, 02:11:55 PM
#6
The wallet profile was missing on the PC, as well as the passphrase to restore it. I don't think it's my PC. I believe that the actions were carried out on a third-party resource. Does Electrum have tech support to check this? How can I communicate them?

Probably you installed software that had malware, or you got it from downloading files. The disappearance of the wallet.dat is a clear sign that your computer is compromised. I'm curious how your passphrase is missing when you should have put it in a safe place?

There’s no electrum support and confirmed transaction is irreversible. Even Satoshi can’t recover this. Reformat your PC and make sure to avoid installing and downloading files from untrustworthy source.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
March 17, 2023, 02:06:35 PM
#5
The wallet profile was missing on the PC, as well as the passphrase to restore it. I don't think it's my PC. I believe that the actions were carried out on a third-party resource. Does Electrum have tech support to check this? How can I communicate them?
When I read such questions like does Electrum have tech support, how can I get my coins returned, please help me I lost my bitcoin, I feel disappointed and frustrated. Sorry brother, you are not dealing with a bank or any financial institution. When a hacker hacks your device and steals your cryptocurrency, it's gone forever. There is no getting it back unless the person who took it decides to favour you.

I urge you to learn how Bitcoin works, what it means by decentralization things like that.

Sorry for your loss.
jr. member
Activity: 48
Merit: 2
March 17, 2023, 01:38:21 PM
#4
What should I do?

Discover what is compromised in your system.
Format your computer.
Buy a hardware wallet.

Where did you store your seed? On paper? If not, that is a mistake.

Can I do anything to return the money?

No.
The wallet profile was missing on the PC, as well as the passphrase to restore it. I don't think it's my PC. I believe that the actions were carried out on a third-party resource. Does Electrum have tech support to check this? How can I communicate them?

legendary
Activity: 2212
Merit: 5622
Non-custodial BTC Wallet
March 17, 2023, 01:04:59 PM
#3
What should I do?

Discover what is compromised in your system.
Format your computer.
Buy a hardware wallet.

Where did you store your seed? On paper? If not, that is a mistake.

Can I do anything to return the money?

No.
staff
Activity: 3402
Merit: 6065
March 17, 2023, 01:03:35 PM
#2
Do you know how it happened? There's sadly nothing you can do now that the transaction is confirmed, but you can try and follow the transaction and see if it ever landed in a centralized exchange's address (one that requires KYC) using walletexplorer.com; if it does, contact law enforcement, but unless the hacker is from the same country as you, I don't think that would help much.
jr. member
Activity: 48
Merit: 2
March 17, 2023, 01:01:21 PM
#1
Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)