Author

Topic: Unverified transaction fron Electrum wallet (Read 514 times)

HCP
legendary
Activity: 2086
Merit: 4363
April 12, 2020, 03:50:12 PM
#23
It would be great if there were logs in the electrum, in which you could see from which application the transaction was made or any data about the device. but as I understand it is impossible.
I think you misunderstand how Bitcoin works. The transaction was in all likelihood, not sent from your device.

Once someone has your seed or private key(s), they can simply clone it into a wallet on their own device (pc/mobile) and then have full access to your funds. The most likely explanation is that someone has access to your seed.

However, the difficult part for anyone to figure out is how that person got access to your seed... usually, the answer is, like you say, because of fake apps or people storing seeds digitally (screenshots, emails etc)... but according to you, none of that is true in this case.

In that case, you would need to sit down and think of everything that has happened since you installed the wallet and started using it to try and find the hole in your security. There isn't really a lot else that other people can do for you at this stage Undecided Sad
newbie
Activity: 7
Merit: 0
I used only LTE from my mobile operator (TELE-2). We doesn't have any wifi networks in our place, so far away from the city (60km).

These days I was trying to understand how this happened. But all the known cases come down to is downloading the Electrum application from fake sites or entering a seed phrase in third-party applications. I didn’t do either one. the question is still open for me. It would be great if there were logs in the electrum, in which you could see from which application the transaction was made or any data about the device. but as I understand it is impossible.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
How about Guard Provider app or any anti-virus pre-installed on your phone?

Read this article below.
- Xiaomi phones came with security flaw preinstalled

From article :

Quote
Guard Provider gets its updates through an unsecured HTTP connection, he said. This means that if an attacker was on the same Wi-Fi network as a potential victim, the hacker could insert malware in those updates through a "man-in-the-middle attack." That's when a rogue network is set up to look exactly like the one you're connected to and tricks the victim's device into connecting to the fake Wi-Fi. Using the vulnerability, a hacker could've interrupted Guard Provider's update process and added malware that would steal data, install tracking apps or plant ransomware, Makkaveev said. The attacker would have to time this to when the updates are happening and also know the file name of the update -- which is not difficult to figure out because they follow a template, said Yaniv Balmas, Check Point's head of research.

If we add to all this that Xiaomi is fix this security-flaw last year, and that OP is lives in the farm in the village, which means there probably aren't many neighbors who are capable of making man-in-the-middle attack, then such an option is not exactly the most probable reason for the loss of funds. However, this attack vector should not be neglected either, it is possible that the OP has used some public wireless network or has neighbors who are skilled in hacking.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
No, I never heard of this application and did not install it on the phone. I am from Russia, sometimes new trends go up to us sometimes)
How about Guard Provider app or any anti-virus pre-installed on your phone?

Read this article below.
- Xiaomi phones came with security flaw preinstalled

Since before I don't trust any Chinese phones because there are lots of security vulnerabilities like Xiaomi phones.
If you know well that you downloaded it from trusted sources the only thing that I suspected is the preinstalled apps from your phone(Like the Guard app mention from the article.).
legendary
Activity: 2730
Merit: 7065
All applications on the phone are downloaded from the play store. These are applications from banks, cards, food delivery services and instant messengers. After the money was stolen, I carefully scanned the entire list, all the applications are pretty famous.
An application downloaded from the Play Store doesn't necessarily mean that it is safe to use. The apps can be "famous" like you said but are you 100% sure that all your apps are genuine and trustworthy? Try to check the total number of downloads, ratings and comments on the Play Store, especially the negative comments and bad ratings. Do any of them mention the loss of money or private data?   
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
~snip~

As Csmiami observed, there is a lot of transactions in and out based on that ss you posted, but at this point it is impossible to say how without your permission that last transaction occurred. If your seed is in personal safe, and your phone is safe from malware, then some hacker is obviously found a way to use some kind of exploit in Android OS or in the model of phone you are using.

What you definitely did wrong was that you kept such a large amount in your phone wallet, and that you did not use a hardware wallet or cold storage.



When did you download your wallet?
3.3.8 is the latest version available for download by default since July 11 2019. If you downloaded your wallet after that date then most probably you got phished and downloaded a fake one.

OP is using mobile version of Electrum, and latest version for Android is 3.3.7.0 from July 3, 2019. According to everything he posted, we're pretty sure he didn't install a fake wallet - otherwise he would have been hacked long before April 3.
legendary
Activity: 2744
Merit: 3097
Top Crypto Casino
/*
Electrum version 3.3.7
When did you download your wallet?
3.3.8 is the latest version available for download by default since July 11 2019. If you downloaded your wallet after that date then most probably you got phished and downloaded a fake one. */

Sorry for your loss!

quote]
OP is using mobile version of Electrum, and latest version for Android is 3.3.7.0 from July 3, 2019.
thank you for the clarification and correcting me. my bad
newbie
Activity: 7
Merit: 0
talliar, you say that on April 1 your coins are still in the wallet - so something is happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?

For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?

these days my family and I were cleaning the area around the house (we have something like a farm in the village). these days I almost did not use the phone. mainly telegram and viber for communicating with parents. I can definitely say that I did not install new applications (the latter was installed two weeks ago, this is soundcloud), and I can definitely say that these days I did not go into the electrum and did not perform any operations. On April 1st, I checked in the evening that a friend had returned my debt. I know many cases where hackers replaced links. I know cases when they replaced the address and bitcoins went to the address of hackers. but so far I could not find cases when this happened without any actions of the owner.that is why I want to understand in detail how this happened. Because while I do not understand this, I do not think it is safe for me to reuse this application. I'm sorry for my English, this is not my native language, in part, I use a translator. Here is a screenshot of the latest wallet transactions. https://i.ibb.co/yWjtqnG/Screenshot-2020-04-06-15-26-40-976-org-electrum-electrum.png
copper member
Activity: 1652
Merit: 1325
I'm sometimes known as "miniadmin"
talliar, you say that on April 1 your coins are still in the wallet - so something is happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?

For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?

If this is the outgoing transaction he is talking about, he received the coins on April 1st into 2 different addresses. Both of them had had a lot of movement in the previous days, so if I had to take a guess, they came from a mixer/exchange/similar.

It may be a long shot, but I've read about user installing the "Houseparty" app had had many data leaks and some even lost BTC. Since we are in lockdown, it's likely he installed it, and it would be inside the "pretty famous" list of apps.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
talliar, you say that on April 1 your coins are still in the wallet - so something is happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?

For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?
newbie
Activity: 7
Merit: 0
the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.
~
Sorry, correct is "i downloaded this electrum from google play. I check it twice.

Well, as hosseinimr93 pointed out, that address appears to belong to a hacker/scammer.  It's unlikely your seed phrase was compromised, but it's very likely you did not install the official Electrum app from google.  I know you were trying to be careful, but at this point it's the most likely scenario.  You can check your google account to see which app you have installed, and compare it to the app to which official Electrum website directs.

Here's the official website link: https://electrum.org/#home
And, the link to the official app on google play: https://play.google.com/store/apps/details?id=org.electrum.electrum

If you have the real app installed the play store will inform you as such:

https://i.ibb.co/zs11q09/Capture.jpg

When i use your link, i see Oткpыть, it's translate like Open.  This means that the electrum is installed from official page :
https://i.ibb.co/Z1JkPHv/Screenshot-2020-04-06-09-25-28-001-com-android-vending.png



I'm not blaming the brand or implying that they are the thieves... I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

@OP, is your device rooted?


No. The phone was bought in the official store and in order not to violate the warranty, I did not do anything with the official firmware



How did you create your wallet from Electrum mobile? If someone created it for you he might be the one who stole your Bitcoin. Or if the seed backup is created from other wallets like Bitpay?

If not, then there might be a keylogger in your device. Actually Xiaomi Phones is not secured as Samsung with Knox.

A similar case and address can be found below the same as hosseinimr93 posted above.
- [uncensored-r/Bitcoin] Bitpay wallet hacked - what went wrong?

That's why I suspected that this address is controlled by Bitpay? I'm not sure but if your seed backup is created from Bitpay and imported it to Electrum mobile... Maybe?

I create my seed by Electrum mobile.
Never used other wallets, this was not necessary



The transaction was send to address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq -snip-
Looks like it's being used to receive hacked bitcoins not exclusive to Electrum, the chance of being fake Electrum the culprit slim.
It was reported here: https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq, expand the "scam alert" portion.

What are the other installed applications you have in your phone?
And please answer the question in post#2, where did you stored your 12-word seed phrase? <-- must be the issue.
All applications on the phone are downloaded from the play store. These are applications from banks, cards, food delivery services and instant messengers. After the money was stolen, I carefully scanned the entire list, all the applications are pretty famous.

"the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me."



I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

Lots of Xiaomi phones are 'rootable' due to many developers supports their devices (because the price/performance ratio is good for most people who don't want to spend $800 for a phone).

That being said, I doubt just because he installed a custom ROM somebody can expose his seed just like that. We'd need a lot of details from now on, starting from the apps on his phone, what security patch his phone is using, did he also load his wallet on another place previously, etc.

My phone have official firmware. If this can help to understand the situation, then today I will write a complete list of all applications on the phone.
legendary
Activity: 2170
Merit: 1789
I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

Lots of Xiaomi phones are 'rootable' due to many developers supports their devices (because the price/performance ratio is good for most people who don't want to spend $800 for a phone).

That being said, I doubt just because he installed a custom ROM somebody can expose his seed just like that. We'd need a lot of details from now on, starting from the apps on his phone, what security patch his phone is using, did he also load his wallet on another place previously, etc.
HCP
legendary
Activity: 2086
Merit: 4363
And please answer the question in post#2, where did you stored your 12-word seed phrase? <-- must be the issue.
He already did up in Post #4... it was just a bit hidden in the "bad" quoting:

the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.
Like I said, if everything he said is true... it's very puzzling and concerning. Undecided
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
The transaction was send to address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq -snip-
Looks like it's being used to receive hacked bitcoins not exclusive to Electrum, the chance of being fake Electrum the culprit slim.
It was reported here: https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq, expand the "scam alert" portion.

What are the other installed applications you have in your phone?
And please answer the question in post#2, where did you stored your 12-word seed phrase? <-- must be the issue.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
How did you create your wallet from Electrum mobile? If someone created it for you he might be the one who stole your Bitcoin. Or if the seed backup is created from other wallets like Bitpay?

If not, then there might be a keylogger in your device. Actually Xiaomi Phones is not secured as Samsung with Knox.

A similar case and address can be found below the same as hosseinimr93 posted above.
- [uncensored-r/Bitcoin] Bitpay wallet hacked - what went wrong?

That's why I suspected that this address is controlled by Bitpay? I'm not sure but if your seed backup is created from Bitpay and imported it to Electrum mobile... Maybe?
HCP
legendary
Activity: 2086
Merit: 4363
I'm not blaming the brand or implying that they are the thieves... I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

@OP, is your device rooted?

legendary
Activity: 1876
Merit: 3139
Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS right? Is it root-enabled? Huh

It is not rooted by default and it would take some effort to do so. They use a modified version of Android but I wouldn't suspect them because of that. Most manufacturers modify Android heavily. Also, they aren't a completely random Chinese brand.
HCP
legendary
Activity: 2086
Merit: 4363
This is indeed puzzling and concerning... if all that OP has said is true regarding their OpSec (only installed from Play Store, seed on paper in safe etc) then theoretically their funds should be "safe" from such events. Undecided


installed on Xiaomi mi9t pro.
Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS right? Is it root-enabled? Huh
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.
~
Sorry, correct is "i downloaded this electrum from google play. I check it twice.

Well, as hosseinimr93 pointed out, that address appears to belong to a hacker/scammer.  It's unlikely your seed phrase was compromised, but it's very likely you did not install the official Electrum app from google.  I know you were trying to be careful, but at this point it's the most likely scenario.  You can check your google account to see which app you have installed, and compare it to the app to which official Electrum website directs.

Here's the official website link: https://electrum.org/#home
And, the link to the official app on google play: https://play.google.com/store/apps/details?id=org.electrum.electrum

If you have the real app installed the play store will inform you as such:

newbie
Activity: 7
Merit: 0
When you created the wallet did you write down the seed phrase on a piece of paper, and store it somewhere to which only you have access?  If you are correct that you don't have a malicious version of Electrum, then I would suspect that someone may have found your seed phrase.  Is that possible?


the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.


The other thing you said is that you downloaded it from the official site, do you mean you downloaded the APK file, or did you click the link to google play?
Sorry, correct is "i downloaded this electrum from google play. I check it twice.
legendary
Activity: 2380
Merit: 5213
I just searched the address on Google and found following post on Reddit.
Bitpay wallet hacked - what went wrong?

And since there are several transactions sent to that address, seems that it belongs to a hacker.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
When you created the wallet did you write down the seed phrase on a piece of paper, and store it somewhere to which only you have access?  If you are correct that you don't have a malicious version of Electrum, then I would suspect that someone may have found your seed phrase.  Is that possible?

The other thing you said is that you downloaded it from the official site, do you mean you downloaded the APK file, or did you click the link to google play?
newbie
Activity: 7
Merit: 0
Electrum version 3.3.7. installed on Xiaomi mi9t pro. Nowhere else. Password protection has been enabled. On April 1, the wallet had 1.23595057 btc. Today I switched to a wallet to transfer part of the funds and was very surprised. Wallet balance 0. It turned out that on April 3rd at 23:05 a transaction was sent for the total balance. The transaction was send to address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq No one has access to the phone. Electrum has been downloaded from the official site. I know about phishing and always carefully check everything. Never updated the application. I download all applications for the phone only through the play market. Please tell me how this happened? What have I done wrong? for what reason have I lost all my savings?
Jump to: