The coins are unfortunately gone and you have to forget about them. The question now is what happened and what you can do to prevent it from happening again. You have obviously made mistakes in your digital world that led you to get compromised or hacked.
After you accessed your Electrum wallet prior to having it completely emptied, you mentioned you downloaded a .pdf file. Can you tell us more about that file even though it isn't crypto-related? Malware can be hidden in .doc, .pdf., or even image files. It can get on your system once you run it or even a preview is enough.
Unless you learn what happened, similar mistakes can happen again in the future.
Topic: Received Bitcoins were instantly gone (Read 404 times)
So, it seems that there were (at least) two people with access to OP's wallet.
I'm not 100% sure about that. It's very strange that both Transaction A and Transaction B paid the exact same amount in fees. It could be that two different people/bots were watching the account as you say, and they were both happening to use the same generic sweeping script which therefore set the same fee, I suppose. Or perhaps it was a single person/bot whose script had a bug causing it to broadcast multiple identical transactions (except that it used a new receiving address each time).We'll never know, but the answer is academical at this point I suppose.
--------------
Thanks for the great explanation.So, it seems that there were (at least) two people with access to OP's wallet.
Both used an automated program to steal OP's fund and the one who made transaction B was luckier than the one who made transaction A.
-snip-
Ahh, there's your answer then.The invalid transaction you linked to there was timestamped at the same time as OP's original transaction (17:20). Call this Transaction A. The transaction which confirmed was timestamped 10 minutes later, which is the same time it was confirmed (17:30). Call this Transaction B.
Both these transactions were likely broadcast seconds apart. The invalid Transaction A was seen by blockchain.com, and so it was timestamped at the time it was first seen (17:20). However, this transaction was later rejected when the conflicting Transaction B was confirmed in block 754,092, which is timestamped 17:30. The first time blockchain.com saw Transaction B was when it received block 754,092, since it previously rejected Transaction B for being a double spend and conflicting with Transaction A, which was already in its mempool. And so it gave Transaction B the timestamp of 17:30, despite Transaction B being in other nodes' mempools prior to this.
This explains why blockchain.com's timestamps are all over the place and confirms OP's story that the funds were swept immediately.
Or perhaps OP's transaction was immediately spent by another transaction, and then 10 minutes later when it still hadn't confirmed the attacker replaced that transaction with a second higher paying transaction.
There's another transaction on blockchain.com explorer trying to spend the same UTXO from OP's address.The transaction had been made with exactly the same fee rate and is invalid now. Click here to see that.
I don't really know what exactly caused that 10 minute difference on blockchain.com, but it may have something to do with this invalid transaction.
so again it turns out that there is a 10 minute difference between these two transactions (unless I misunderstood something here).
There is a 10 minute difference between when blockchain.com's site says it first saw those two transaction. This is not the same as there being a 10 minute difference between those two transactions being broadcast. There could have been problems with propagation, problems with blockchain.com's node, problems with its mempool, problems updating their website, and so on. The point is that transactions are not timestamped; only blocks are timestamped. You can pay attention to when any specific node first sees a transaction if you like, but that is not representative of the wider network. The only network-wide consistent way to timestamp a transaction is by the block it was included in (and even then the block timestamp can vary by around a 3 hour window when compared to the actual time).Or perhaps OP's transaction was immediately spent by another transaction, and then 10 minutes later when it still hadn't confirmed the attacker replaced that transaction with a second higher paying transaction. We don't know.
to clarify i get a little noise notification when receiving a transaction or when an outgoing one is started and i got the two pings within max 2 secounds of each other
At this point assume the machine is compromised as is any information on it.
Any saved information, any website logins, may have been compromised. Yes, it could have been just something that stole your electrum information. Do you want to find out next week you have no money in your bank because when you logged into their portal a while ago your credentials were stolen?
As I said a few posts up, more and more funds are not stolen the moment your machine is compromised but weeks or possibly months later as the try to get as much of your information as possible.
-Dave
to clarify i get a little noise notification when receiving a transaction or when an outgoing one is started and i got the two pings within max 2 secounds of each other
That must be Window's notification when you receive/sent a transaction in Electrum (or similar if you're on other OS).The malicious notification is actually just an additional error message that's sent by a malicious server after deliberately failing to send a transaction.
But in the "fixed versions" including v3.3.8, that was replaced by hard-coded messages which can't be altered by the selected server.
in that timeframe i downloaded a single PDF file about some unrelated stuff
didnt really go on any dodgy websites or opened any e-mails
Kinda weird i dont know how i couldve been compromised
Unrelated bc it happened after the incident, but i downloaded the new electrum update from the original electrum.org
didnt really go on any dodgy websites or opened any e-mails
Kinda weird i dont know how i couldve been compromised
Unrelated bc it happened after the incident, but i downloaded the new electrum update from the original electrum.org
Sorry to hear that you can't able to recover your funds I thought that your transaction is still unconfirmed.
The only thing that you can do right now is to scan the whole PC/Laptop to know if you are really compromised.
And next time if you are going to open your old wallet always make sure to do it on an offline device you can still make a raw transaction from your public key and imported it to a watch-only Electrum wallet. That way it can help to protect and avoid malware or virus that automatically sends BTC to another wallet that you don't own.
to clarify i get a little noise notification when receiving a transaction or when an outgoing one is started and i got the two pings within max 2 secounds of each other
The original setup was the electrum 3.3.8 from the real electrum.org. After this incident i updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again this was AFTER everything i described happened. Thought maybe it would be there like normal on a new version lol
Since your initial setup is v3.3.8, you can rule-out the malicious server message to upgrade to a malware version.The update notification that you received was most likely the in-app "update-check" notification, it'll open right after you launch Electrum, not after a transaction.
But you still can't rule out the possibility that you've downloaded the update from a fake source.
To mitigate that, you always have to verify Electrum before using/installing it to your PC.
~
That is quite interesting, because the OP also made it sound like it was instant;
I sent some bitcoin to my electrum wallet as soon as they appeared in there as unconfirmed there appeared a secound payment order.
I don't use blockchain, and haven't in a while. What a shitshow their front page for the explorer has become. Anyway, I used mempool.space, blockstream, and blockchair, (and a locally hosted mempool as well,) they all show the timestamp of both transactions as 17:30 UTC.
ETA; I just noticed that the Blockstream specifies the timespamp is indeed that of the block hash. Blockchain must post the time the transaction was broadcast, but it's possible that it doesn't treat a transaction with ab unconfirmed parent the same way.
What makes you think it took ten minutes for the scam transaction to be initiated? To me it looks like it was generated instantly after the OP's wallet received the Tx.
I checked three different block explorers and they all show the two transactions with identical timestamps.
I checked three different block explorers and they all show the two transactions with identical timestamps.
Most interesting. I used the "stupid" blockchain.com explorer, and it shows a 10 minute difference (I wasn't paying attention to the block number at the time).
https://www.blockchain.com/btc/address/bc1qwqrkxuq89fnka9lxn4c6d35s5v7aps72cr94xr
But when I look at each transaction individually, I noticed that it says "Received Time 2022-09-14 19:20", and when I move my mouse over the text, a pop-up appears "Time this transaction was broadcast to the network, YYYY -MM-DD". It appears that blockchain.com explorer shows the transaction time when it was broadcast, and not when it was confirmed, so again it turns out that there is a 10 minute difference between these two transactions (unless I misunderstood something here).
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation.
Sorry, but you're wrong. The two transactions:
Code:
ddcfe5fd98cf4418c926b0d9b61b8fdcc85f0034614b3c1a5530a7c821b357ab
1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
were both mined/included in the same block (754092). You can look that up on mempool.space. No 10 min difference.1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Of course then that they have both same timestamp, as DireWolfM14 said.
And this is usually automatic.
Still, manually made transaction should not be ruled out, since one could have been notified when the tx was sent and not at the moment of getting confirmed, allowing (giving time) somebody spend the unconfirmed input (I expect the scripts work exactly the same, just faster), which will have the same result: both tx in the same block.
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation. I still think that someone made a manual transaction after receiving notification about the incoming transaction. The OP may have some spyware on his/her computer, or the private key (seed phrase) was leaked in some other way. But of course, it is impossible to know for sure.
What makes you think it took ten minutes for the scam transaction to be initiated? To me it looks like it was generated instantly after the OP's wallet received the Tx.
I checked three different block explorers and they all show the two transactions with identical timestamps.
Okay so to answer all the questions
No it was not a lot thankfully
I have used that wallet for a long time now and it always worked like normal in all that time i didnt update it form my original version (3.3.
The original setup was the electrum 3.3.8 from the real electrum.org. After this incident i updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again this was AFTER everything i described happened. Thought maybe it would be there like normal on a new version lol
No i created the wallet myself and never shared it with anyone, kinda guess that means my whole system is compromised right? because how would anyone have access without that.
@DireWolfM14 It was sent to this adress: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Dont know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Wallets fucked anyways
And thanks for all the help guys, appreciate it
You received the amount on your wallet then after 10 minutes that amount has been sent again to that address you mentioned, i can’t say if your wallet is infected by something as the honeypot bots that keep withdrawing any money received in honeypot wallet. But to be sure now since that bitcoin is gone forever i suggest that you clean your computer and change the wallet you are using No it was not a lot thankfully
I have used that wallet for a long time now and it always worked like normal in all that time i didnt update it form my original version (3.3.
The original setup was the electrum 3.3.8 from the real electrum.org. After this incident i updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again this was AFTER everything i described happened. Thought maybe it would be there like normal on a new version lol
No i created the wallet myself and never shared it with anyone, kinda guess that means my whole system is compromised right? because how would anyone have access without that.
@DireWolfM14 It was sent to this adress: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Dont know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Wallets fucked anyways
And thanks for all the help guys, appreciate it
This is the transactions from your wallet https://www.blockchain.com/btc/address/bc1qwqrkxuq89fnka9lxn4c6d35s5v7aps72cr94xr
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation. I still think that someone made a manual transaction after receiving notification about the incoming transaction. The OP may have some spyware on his/her computer, or the private key (seed phrase) was leaked in some other way. But of course, it is impossible to know for sure.
in that timeframe i downloaded a single PDF file about some unrelated stuff
didnt really go on any dodgy websites or opened any e-mails
Kinda weird i dont know how i couldve been compromised
Unrelated bc it happened after the incident, but i downloaded the new electrum update from the original electrum.org
didnt really go on any dodgy websites or opened any e-mails
Kinda weird i dont know how i couldve been compromised
Unrelated bc it happened after the incident, but i downloaded the new electrum update from the original electrum.org
Sadly something could have been something sitting dormant for months before they decided to take your BTC
If your wallet was compromised a while ago they probably had a bot sitting there monitoring transactions, waiting for one above a certain amount to be sent to you. If that big transaction did not after a certain amount of time they just grab whatever comes in and move on.
-Dave
in that timeframe i downloaded a single PDF file about some unrelated stuff
didnt really go on any dodgy websites or opened any e-mails
Kinda weird i dont know how i couldve been compromised
Unrelated bc it happened after the incident, but i downloaded the new electrum update from the original electrum.org
didnt really go on any dodgy websites or opened any e-mails
Kinda weird i dont know how i couldve been compromised
Unrelated bc it happened after the incident, but i downloaded the new electrum update from the original electrum.org
It was sent to this adress: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Dont know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Dont know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
The only danger in sharing the information above is breaching your privacy, no security risks exist.
But I did notice a clue that's tells me you got scammed somehow; the fee rate that was applied to the outbound transaction:
227 sats per v-Byte is a huge overpayment on fees. It's a typical tactic used by scammer scripts that force huge fees to make sure the scam transaction gets confirmed in the next block, and prevents the victim from double spending the transaction in an attempt to thwart the theft.
I also see that you've used the same address as recently as last month with no ill affects. That makes me think that something on your system must have changed after August 21. Do you recall installing any new software, or making some adjustments to your OS in the past few weeks?
Jump to: