
Topic: unauthorized transactions (Read 279 times)

newbie
Activity: 42
Merit: 0
December 28, 2023, 02:27:12 PM
#27
No. I always used the password-protected program with a password that I only used there and that I had memorized (not written down anywhere physically or digitally) so there is no way anyone could have accessed it. The other thing that continues to catch my attention, as I have already mentioned, is that they did not empty the entire wallet and if it had been a hack or someone who had accessed my private keys or passwords, the logical thing is that they would have emptied it completely.
Greetings and thanks for answering.

OP said that he is using a program for password. Maybe it's a fake program that stole his password and used it to decrypt the wallet file.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
August 28, 2023, 11:33:24 AM
#26
Did anything change in your life after the last time you successfully used and accessed your wallet with its correct balance and the day when part of your coins was taken? Were there any negative events in that period of time? Did you owe anyone any money, did you promise someone something that you didn't keep, etc.? Did you get into conflicts with some people in that period? 
legendary
Activity: 3234
Merit: 5637
August 28, 2023, 09:28:17 AM
#25
No. I always used the password-protected program with a password that I only used there and that I had memorized (not written down anywhere physically or digitally) so there is no way anyone could have accessed it.

As @Pmalek says, if everything is as you claim, then your case is a mystery (for now), but there must be an answer because nothing happens by chance. Given that you say that you have memorized the password (which is not very smart), is it a password that is easy to guess, or is it so simple that it would be easy to brute force it? Let's say that despite everything you've already written, someone still managed to get hold of your wallet, and then guessed/brute-forced your password.

The other thing that continues to catch my attention, as I have already mentioned, is that they did not empty the entire wallet and if it had been a hack or someone who had accessed my private keys or passwords, the logical thing is that they would have emptied it completely.

I already wrote my theory (although it sounds a bit cinematic), but I think that @pooya87 is probably much closer to a possible answer as to why the hacker did not clear the entire amount. Go back a few posts and read his answer again, but of course the question still arises as to how the hacker managed to penetrate your system in the first place.
newbie
Activity: 8
Merit: 0
August 28, 2023, 02:19:09 AM
#24
It's a mystery. But you surely made a wrong turn somewhere and someone or a piece of software got access to the secrets needed to spend from your wallet.
Based on your previous reply, you didn't say anything about encrypting your Electrum wallet. Can we conclude that you can run the software and spend from the wallet without needing to enter any passwords? 

No. I always used the password-protected program with a password that I only used there and that I had memorized (not written down anywhere physically or digitally) so there is no way anyone could have accessed it. The other thing that continues to catch my attention, as I have already mentioned, is that they did not empty the entire wallet and if it had been a hack or someone who had accessed my private keys or passwords, the logical thing is that they would have emptied it completely.

Greetings and thanks for answering.

legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
August 27, 2023, 03:00:07 AM
#23
It's a mystery. But you surely made a wrong turn somewhere and someone or a piece of software got access to the secrets needed to spend from your wallet.
Based on your previous reply, you didn't say anything about encrypting your Electrum wallet. Can we conclude that you can run the software and spend from the wallet without needing to enter any passwords? 
newbie
Activity: 8
Merit: 0
August 26, 2023, 07:47:03 PM
#22
Hello. Thank you first for answering and I will answer you in order:

I am guessing you were using the desktop version of Electrum. Who else from those close to you has access to your computer? I know people don't want to consider that but you shouldn't dismiss anything straight away.

If I was sitting at your computer where you have your Electrum wallet, how difficult would it be for me to access your wallet and take some coins if I wanted to?
Is your OS password-protected? If so, how complex is the password and who knows it?
Is your Electrum wallet file encrypted? Same question as above, is it a complex password and does anyone else know it?


Nobody. I only entered from my desktop PC located in my house and that only I use. Access to it is password protected in the BIOS and in the access to the operating system. I have never used Electrum on another computer or on my mobile devices.

How would you assess your ability to remain safe on the internet?
Would you know how to recognize a scam, a fake wallet, a phishing site?

What activities do you use that computer for?
Do you receive and click on email spam? Download files with weird attachments promising monetary rewards, gifts, etc.? What about torrents, pirated software, porn, unsafe permissions via social media, etc.?

Of course. I spend a lot of time online and I never open unknown emails and I check every site I enter. I also do not use the PC to download content or other activities of that type.

I repeat that I have always been very careful to take all the recommended security measures that are within my reach, except to use a cold wallet, so I still cannot understand how this has happened.




legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
August 20, 2023, 03:35:54 AM
#21
I am guessing you were using the desktop version of Electrum. Who else from those close to you has access to your computer? I know people don't want to consider that but you shouldn't dismiss anything straight away.

If I was sitting at your computer where you have your Electrum wallet, how difficult would it be for me to access your wallet and take some coins if I wanted to?
Is your OS password-protected? If so, how complex is the password and who knows it?
Is your Electrum wallet file encrypted? Same question as above, is it a complex password and does anyone else know it?

How would you assess your ability to remain safe on the internet?
Would you know how to recognize a scam, a fake wallet, a phishing site?

What activities do you use that computer for?
Do you receive and click on email spam? Download files with weird attachments promising monetary rewards, gifts, etc.? What about torrents, pirated software, porn, unsafe permissions via social media, etc.?

All these questions can also be directed towards other users of your computer.   
newbie
Activity: 8
Merit: 0
August 10, 2023, 04:48:38 PM
#20
Did you make this transaction or does this address belong to you https://www.blockchain.com/es/explorer/transactions/btc/a782f2df7a94bb1f48886117c8661d8a78a274c510df5e36f6bdf007e55d6078 What is the amount withdrawn compared to the amount you have?

Do you have more than one wallet on the same device, and are you sure that you verified the signature when you updated the wallet? Because legacy addresses are not a default option in new versions.

You have to assume the worst case, which means you need to save your wallet seed offline, reinstall the operating system, install a new wallet, transfer coins to it and make sure that no one knows the new seed password or accesses your computer.

There are only a few CEXs that provide a legacy deposit address so it is easy to find out which CEX provides this address https://www.blockchain.com/es/explorer/addresses/btc/1NNGETjxDw7U2aTd5E5MYeBhBUKMyBUW9A (there is a good possibility that this is the address of a CEX) and from there you can specify whether it is a hacker or a person from your country.

No. I do not know that address nor have I made that transaction. With respect to the other thing you mention about CEX, I don't quite understand what the truth is referring to.

Ah, before taking the time to respond individually to each message, I want to clarify again that I have never shared my private keys with anyone and I had the wallet seed phrase written down on paper in a safe place for me in my house (within the possibilities of an ordinary person of course) so I never exposed that phrase digitally in any way as they always recommend (neither in a photo, nor in a file in the cloud, nor in anything). In addition, I insist on the point that I do not believe that someone has accessed the wallet (through a virus, a hack or whatever) because if so, they would have withdrawn everything it had since they withdrew "only" 0.36283111 of the 0.5 that were in total.
newbie
Activity: 8
Merit: 0
August 10, 2023, 04:25:11 PM
#19
Hello.

First of all, thank you all very much for your answers and for trying to help me in such a difficult situation for me that I honestly don't wish on anyone.

I will try to respond to each message independently so that everything is more orderly and sorry for not responding sooner but this situation has me very discouraged and it is a little hard for me to take the time to read and respond to messages.

Once again thank you all very much for your help.

legendary
Activity: 3444
Merit: 10537
August 08, 2023, 10:21:46 AM
#18
Just because someone is referred to as a "hacker" who is basically stealing money from others, it doesn't mean they understand how bitcoin works or have a decent program to work with!
Sometimes these so called "hackers" use broken code that has bugs which means for example if they had some sort of access to the wallet and/or gained access to the seed phrase and then used that buggy code of theirs to derive child keys, they ended up deriving some keys and not all. It is also possible that their balance check could have been buggy ending up not finding out about all the UTXOs that could be spent.
sr. member
Activity: 630
Merit: 374
August 08, 2023, 10:16:13 AM
#17
Since when have hackers been friendly and thought about the coin owner enough to leave any amount in balance while they had access to the whole wallet?
~snip~

I don't think that the hacker didn't want to take everything, but for some reason he couldn't empty the entire wallet. If we were to go beyond the technical aspect of the possible explanations of this case, this would picture some kind of debt collection where a person takes only what he thinks belongs to him. In any case, it's a very strange situation that definitely needs answers, because we know that things like this don't happen without someone initiating them.

This is the reason why I thought it could be his family members or friends who needed some money and take the opportunity to move the funds from his wallet and they take the amount needed. There is no reason for a hacker to leave the 0.13 Bitcoin when it is worth somewhat a smart amount of money. Sometimes friends and family members also steal money and they take only what they need.

We don't know what happened in his case. If he can discover, good for him. Unless we have nothing to say except for saying sorry for your loss.
hero member
Activity: 2002
Merit: 633
Your keys, your responsibility
August 08, 2023, 04:02:36 AM
#16
which is why I have never shared my private keys publicly and that I have not stored the seed phrase to access my wallet digitally either
It also doesn't remove the risk to the people around, you should also have a private offline space and keep the recovery key in a static secret place.
But this is the most ridiculous hack because it doesn't clear all balances. I think hackers know your condition personally, and my suspicions point to the people around you who only need your electrum password to steal it.
legendary
Activity: 3234
Merit: 5637
August 07, 2023, 10:19:56 AM
#15
Since when have hackers been friendly and thought about the coin owner enough to leave any amount in balance while they had access to the whole wallet?
~snip~

I don't think that the hacker didn't want to take everything, but for some reason he couldn't empty the entire wallet. If we were to go beyond the technical aspect of the possible explanations of this case, this would picture some kind of debt collection where a person takes only what he thinks belongs to him. In any case, it's a very strange situation that definitely needs answers, because we know that things like this don't happen without someone initiating them.
sr. member
Activity: 630
Merit: 374
August 07, 2023, 07:02:21 AM
#14
Since when have hackers been friendly and thought about the coin owner enough to leave any amount in balance while they had access to the whole wallet? For some reason, I feel like someone from your family members might do it without your permission. Hackers are unlikely to keep 0.13 which is not a small amount of money. They don't think about the coin owner when they do these dirty works.
sr. member
Activity: 406
Merit: 443
August 07, 2023, 06:14:04 AM
#13
Did you make this transaction or does this address belong to you https://www.blockchain.com/es/explorer/transactions/btc/a782f2df7a94bb1f48886117c8661d8a78a274c510df5e36f6bdf007e55d6078 What is the amount withdrawn compared to the amount you have?

Do you have more than one wallet on the same device, and are you sure that you verified the signature when you updated the wallet? Because legacy addresses are not a default option in new versions.

You have to assume the worst case, which means you need to save your wallet seed offline, reinstall the operating system, install a new wallet, transfer coins to it and make sure that no one knows the new seed password or accesses your computer.

There are only a few CEXs that provide a legacy deposit address so it is easy to find out which CEX provides this address https://www.blockchain.com/es/explorer/addresses/btc/1NNGETjxDw7U2aTd5E5MYeBhBUKMyBUW9A (there is a good possibility that this is the address of a CEX) and from there you can specify whether it is a hacker or a person from your country.
copper member
Activity: 2170
Merit: 4238
August 06, 2023, 11:00:54 PM
#12
Sorry for your loss.  There's really little that can be done other than filing a report with the cybercrimes law enforcement authorities in your area.  Who knows, maybe years from now they'll actually recover your bitcoin and you'll be a millionaire, but don't hold your breath.

Cricktor asks some really good questions, I'll highlight in yellow the ones that will help us help you, and in red the ones you should answer in secret.  ;)

1. What system did you use for your Electrum wallet? Was that also your daily driver? What kind of software was on that system?

2. Who had access to your computer, to your place? How about when you're on vacation?

3. Did you ever take digital pictures of your wallet's recovery words?

4. Where did you store your wallet's recovery words? Is it possible someone else could get access to those?

5. Did you use some password manager and saved your recovery words there, too?

6. Who else did know that you had bitcoins or other crypto currencies?

7. Did you always verify your Electrum software update downloads?

8. Your wallet had legacy addresses. Was this wallet created by Electrum or did you create your wallet by some other procedure?


Some other observations; the hack only targeted two private keys, and you say other funds in the wallet were left untouched.  That leads to more questions I'll add:

  • Did you start using a new mobile wallet recently?
  • Did you "stake" your keys with a service promising an "air-drop"? (I don't know if people still fall for that, but it's worth asking)
  • Did you do anything seemingly innocent, yet out of the ordinary within the last several months?

Unfortunately this reminds me of a few incidents reported around the start of the year.
legendary
Activity: 2520
Merit: 2853
August 06, 2023, 05:35:06 PM
#11
The weird thing is that for all three transactions there are always three outputs. The first is a segwit address which always receives a round amount (the biggest), the second is a legacy address and the third is yours which receives the change back. Adding the fact that whoever made the transaction didn't empty the wallet makes it hard to think this is a hack!

Anyway, as others have pointed out above, confirmed transactions are irreversible so don't trust anyone who contacts you saying he can help you recover your money.
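The output pattern described in post #11, as an added example that is not part of the original thread: a small classifier that labels each output of a transaction by address type, round amount and change returned to the sender, and contrasts that shape with a sweep. The transactions and addresses below are constructed placeholders, not data from the linked transactions, and all function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    sats: int  # value in satoshis (1 BTC = 100_000_000 sats)


def address_type(addr):
    """Classify a mainnet address by prefix only (no checksum validation)."""
    if addr.startswith("bc1q"):
        return "segwit"
    if addr.startswith("bc1p"):
        return "taproot"
    if addr.startswith("1"):
        return "legacy"
    if addr.startswith("3"):
        return "p2sh"
    return "unknown"


def is_round(sats, step=1_000_000):
    """True when the value is a whole multiple of `step` (default 0.01 BTC)."""
    return sats > 0 and sats % step == 0


def label_outputs(input_addresses, outputs):
    """Return one label dict per output, in transaction order."""
    senders = set(input_addresses)
    largest = max(o.sats for o in outputs)
    return [
        {
            "address": o.address,
            "type": address_type(o.address),
            "round": is_round(o.sats),
            "largest": o.sats == largest,
            "change_to_sender": o.address in senders,
        }
        for o in outputs
    ]


def matches_described_pattern(input_addresses, outputs):
    """Three outputs: the largest is a round segwit payment, one is a legacy
    payment, and one returns change to an address that funded the inputs."""
    labels = label_outputs(input_addresses, outputs)
    if len(labels) != 3:
        return False
    change = [l for l in labels if l["change_to_sender"]]
    paid = [l for l in labels if not l["change_to_sender"]]
    if len(change) != 1 or len(paid) != 2:
        return False
    big = [l for l in paid
           if l["largest"] and l["round"] and l["type"] == "segwit"]
    legacy = [l for l in paid if l["type"] == "legacy" and not l["largest"]]
    return len(big) == 1 and len(legacy) == 1


def is_sweep(input_addresses, outputs):
    """A sweep leaves nothing behind: no output returns to a sending address."""
    senders = set(input_addresses)
    return not any(o.address in senders for o in outputs)


# Constructed sample data (placeholder addresses, made-up values).
SAMPLE_INPUTS = ["1ExampleOwnerAddr"]
SAMPLE_OUTPUTS = [
    Output("bc1qexamplepayee", 10_000_000),   # round 0.1 BTC, largest
    Output("1ExampleSecondPayee", 2_345_678),
    Output("1ExampleOwnerAddr", 7_654_321),   # change back to the sender
]
SWEEP_OUTPUTS = [Output("bc1qexamplepayee", 19_990_000)]

if __name__ == "__main__":
    for label in label_outputs(SAMPLE_INPUTS, SAMPLE_OUTPUTS):
        print(label)
    print("pattern:", matches_described_pattern(SAMPLE_INPUTS, SAMPLE_OUTPUTS))
    print("sweep:", is_sweep(SAMPLE_INPUTS, SAMPLE_OUTPUTS))
```
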
hero member
Activity: 714
Merit: 1010
August 06, 2023, 04:02:29 PM
#10
Sorry for your loss, this must be terrible!

You can report your theft to local authorities and only those or with a police case you could report thief's addresses to exchanges, if the thief is dumb enough to go with your stolen coins directly to an exchange with KYC. Likelihood of success is probably minimal. It depends also what the thief is doing to disguise the origin of your stolen coins.

But all this is very much too late when you discovered it a month later. It's not impossible that the thief himself made huge privacy mistakes where and when he moved your coins, but I wouldn't count on it. Still worth a shot as you can't do a lot more.

The other interesting puzzle to try to solve is how your wallet's security was compromised.

1. What system did you use for your Electrum wallet? Was that also your daily driver? What kind of software was on that system?

2. Who had access to your computer, to your place? How about when you're on vacation?

3. Did you ever take digital pictures of your wallet's recovery words?

4. Where did you store your wallet's recovery words? Is it possible someone else could get access to those?

5. Did you use some password manager and saved your recovery words there, too?

6. Who else did know that you had bitcoins or other crypto currencies?

7. Did you always verify your Electrum software update downloads?

8. Your wallet had legacy addresses. Was this wallet created by Electrum or did you create your wallet by some other procedure?



If you have funds left and can't use a secure environment for your wallet, consider buying a decent hardware wallet. If you follow good practices with a hardware wallet, this will at least secure your wallet from malware on your computer.

A hardware wallet won't help much if you somehow messed up with your storage of your recovery words.
legendary
Activity: 3458
Merit: 6231
August 06, 2023, 03:19:04 PM
#9
I know nobody wants to hear this, but do you trust everyone who has / had access to that computer?
If you eliminate hack / virus and come back to they didn't take everything it might just be friend / relative that did it.

Also, is the machine OS fully patched & updated? AV software can only do so much if the OS itself has issues: https://bitcointalk.org/index.php?topic=5462160
Yes, it's about a Mac virus but the post is still there.

-Dave

 
legendary
Activity: 2380
Merit: 5213
August 06, 2023, 03:02:11 PM
#8
I was connected to the internet but only from my home internet connection and from my personal PC. I never did it any other way.
As I said in my previous, any online device is prone to hacking.


But I insist, I don't think it was a hack because if it had been that they would have emptied the entire wallet and they didn't.
It's really weird that the thief didn't steal all your funds. He/she even sent back some of the funds to your wallet as change.


I don't know if someone can help me to recover the funds or at least a part of them.
Bitcoin transactions are irreversible and no one can help you recover your funds.
newbie
Activity: 8
Merit: 0
August 06, 2023, 02:54:50 PM
#7
I want to make it clear that I have always followed all the security recommendations,
Did you create your wallet on an air-gapped device? Or you used electrum as a hot wallet?
If you didn't create your wallet on an air-gapped device and it was connected to the internet, you didn't really follow all security recommendations. Take note that any online device is always prone to hacking.  

I was connected to the internet but only from my home internet connection and from my personal PC. I never did it any other way.
Unfortunately, I didn't have the possibility to use a cold wallet and that's why I had to do it like this. But I insist, I don't think it was a hack because if it had been that they would have emptied the entire wallet and they didn't.

Now, assuming that maybe it is something almost impossible, I don't know if someone can help me to recover the funds or at least a part of them. Obviously I can give a reward for it in the case of success because I am not an expert by any means in this type of thing and honestly I don't know what else to do :(

Once again thank you all for your answers.
newbie
Activity: 8
Merit: 0
August 06, 2023, 02:41:00 PM
#6
well, probably you have just a malware on your laptop, or a compromised version of electrum.
which version of electrum are you using? where did you download it? did you update recently?
if not already done, move your funds immediately (if anything still stored on these address or addresses create such solution)...

I am using the latest version of Electrum (4.4.5) and I downloaded it from the official site (https://electrum.org/) as I always have. I have been using Electrum for more than 3 years, mainly to store funds because I considered it the safest thing to do after a cold wallet taking all the appropriate security precautions, and I have never had any problems so far.

As I explained, I used this wallet only to store fractions of bitcoins and I went in to check it from time to time to see that everything was fine until I found this damn surprise.

Ah, clearly I moved what little was left of the wallet (about 0.13 of 0.5 it originally had) as soon as I realized what had happened.
legendary
Activity: 2380
Merit: 5213
August 06, 2023, 02:34:30 PM
#5
I want to make it clear that I have always followed all the security recommendations,
Did you create your wallet on an air-gapped device? Or you used electrum as a hot wallet?
If you didn't create your wallet on an air-gapped device and it was connected to the internet, you didn't really follow all security recommendations. Take note that any online device is always prone to hacking.  
newbie
Activity: 8
Merit: 0
August 06, 2023, 02:33:54 PM
#4
Sadly, there's nothing that can be done here except tracing your coin and hoping that it will land on a centralized exchange for you to get the identity of the hacker. The amount is really big. Sorry for the loss.

You might not be sharing your private key publicly but there's a possibility that your computer is infected by malware that gives a hacker access to your wallet without being noticed. Reformat your computer immediately or scan it using reliable antivirus.

Hello. Thank you for answering so quickly. With respect to what they mention, I don't think it is a virus because I formatted everything and I have passed many antiviruses and everything is ok. They didn't take all the funds as well, so I don't think that's the case.

In relation to tracking the funds I have tried to do it but it is quite difficult because the transaction is lost after all the movements of the blockchain.
legendary
Activity: 3178
Merit: 3440
Nec Recisa Recedit
August 06, 2023, 02:25:46 PM
#3
well, probably you have just a malware on your laptop, or a compromised version of electrum.
which version of electrum are you using? where did you download it? did you update recently?
if not already done, move your funds immediately (if anything still stored on these address or addresses create such solution)...
hero member
Activity: 994
Merit: 520
🇵🇭
August 06, 2023, 02:23:45 PM
#2
Sadly, there's nothing that can be done here except tracing your coin and hoping that it will land on a centralized exchange for you to get the identity of the hacker. The amount is really big. Sorry for the loss.

You might not be sharing your private key publicly but there's a possibility that your computer is infected by malware that gives a hacker access to your wallet without being noticed. Reformat your computer immediately or scan it using reliable antivirus.
newbie
Activity: 8
Merit: 0
August 06, 2023, 02:17:35 PM
#1
Hello:

The following transactions were made from my Electrum wallet without my authorization about a month ago:

https://www.blockchain.com/es/explorer/transactions/btc/185c4ba5ff25c8603090f5c4fa8e646bdabef995f01123d5e610b75b0232a517

https://www.blockchain.com/es/explorer/transactions/btc/b3dcfc3e18047139ae197f07c4fa2cb79c94b3c9059d93fa315e871ad7ddcd5a

https://www.blockchain.com/es/explorer/transactions/btc/6365cdf3291026fd3f1335c8e2b763e051dc8d178bf9226bca59c6e92b0898fc

I want to make it clear that I have always followed all the security recommendations, which is why I have never shared my private keys publicly and that I have not stored the seed phrase to access my wallet digitally either, as they always recommend to avoid situations like this. In fact, I didn't even use this wallet to make transfers since it was intended only to store fractions of bitcoins, thinking that it was much safer to do so than in a custodial wallet like Coinbase, so it had also been a long time without using it to make transfers. I also don't think it was a hack because, as you can see, they didn't empty the entire wallet, although a large part of it did.

I would appreciate if someone can guide me because it is a fairly high amount and I need to recover it somehow since it took me many years of effort and hard work to collect it.

Thank you all very much for your help and have a nice day.