Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: btcSCNB on March 19, 2019, 12:39:52 AM



Title: Bitcoin stolen instantly?
Post by: btcSCNB on March 19, 2019, 12:39:52 AM
Hi, this is my first time posting here. Keep in mind that I'm a noob.
I sent 105 euro worth of bitcoin (0.0302 btc) from my etoro mobile wallet to my Electrum 3.3.0 wallet. In a few minutes, at 00:49 local time the btc was transferred in my desktop wallet address but at the exact same minute the btc was sent to this address: 16CAY7PhHPCbV5veTGUjxMfthNYbLnNESu. This address is not in my Electrum list of addresses. How could the btc have been stolen this quickly? Even if someone somehow got their hands on my seed can they set it for the btc to be transferred to a set address instantly without assistance? I can't imagine them sitting there with the finger on the button for months on end for the exact right time to strike. I never used this months old address for any transactions ever before tonight. I checked for malware with Malwarebytes but there was nothing suspicious on my pc. Any chances of getting my btc back? Am I not getting something? How is this possible? Is something wrong with that stupid etoro wallet or electrum? Ask me for more details if necessary. Help!


Title: Re: Bitcoin stolen instantly?
Post by: nc50lc on March 19, 2019, 12:48:32 AM
If others already got your SEED, they can definitely do that but I doubt it.
You must be hacked or downloaded a fake Electrum version.

From where did you download Electrum (it must be electrum.org), double check your browser's history to be sure.

Also, did you receive an error message in Electrum regarding a mandatory update and followed the link (not the official site or Github page)?
If that's the case, you've been a victim of a Phishing scam by malicious electrum servers.


Title: Re: Bitcoin stolen instantly?
Post by: btcSCNB on March 19, 2019, 01:05:01 AM
Thanks for reply.
In what way could I've been hacked? There's nothing unusual in my pc, I'm a crypto noob but not a PC noob, and I don't even have a file with the seed. I just don't get how this is possible. Electrum was definitely downloaded from electrum.org, I checked in my history. I didn't receive any error message and made no upgrade since 20 december 2018.


Title: Re: Bitcoin stolen instantly?
Post by: btcSCNB on March 19, 2019, 01:13:25 AM
I meant *no Update since 12.20, did not mean to say upgrade. I'm just baffled. Electrum says Insufficient funds so I guess it's all gone, right?


Title: Re: Bitcoin stolen instantly?
Post by: nc50lc on March 19, 2019, 02:46:00 AM
There are several ways to get hacked like getting infected by malware, viruses, visiting malicious websites and software vulnerability exploitation.
But most malware and viruses are detectable by AVs, so if you've been hacked, it must be through malicious links.
Some examples are those fake links to images posted by hackers here in the forum (so far, I've reported 2 posts) or through Winrar's bug by sharing a malicious .rar file.

But the hacker must also know your wallet's passphrase if you've been hacked, unless it came with a keylogger.
Okay, in case that's not what happened, how did you create the wallet?
  • Through Standard method (create a new SEED)
  • Import SEED
  • Import Private key(s)
  • or the wallet file came from an external source?

Because there's no other reason except the SEED being compromised if it wasn't a hack or the famous phishing scam.


Title: Re: Bitcoin stolen instantly?
Post by: HCP on March 19, 2019, 03:03:28 AM
Quote
How could the btc have been stolen this quickly? Even if someone somehow got their hands on my seed can they set it for the btc to be transferred to a set address instantly without assistance? I can't imagine them sitting there with the finger on the button for months on end for the exact right time to strike.
Yes it is possible to setup a script that automatically transfers BTC from an address (if you have the appropriate private key/seed)... check out the transaction times for this address: 1CC3X2gu58d6wXUWMffpuzN9JAfTUWu4Kj (https://www.blockchain.com/btc/address/1CC3X2gu58d6wXUWMffpuzN9JAfTUWu4Kj)

It is the address that matches the "sample" private key listed on the Bitcoin Wiki: 5Kb8kLf9zgWQnogidDA76MzPL6TsZZY36hWXMssSzNydYXYB9KF (https://en.bitcoin.it/wiki/Private_key#Base58_Wallet_Import_format)

People occasionally send a few satoshi's to this address and they are generally moved within minutes (if not seconds).

Given the speed with which your coins moved (approx 2 seconds)... either your wallet software is "bad"™ and is configured to automatically send coins out... or your seed/private keys have been compromised somehow and the thief has an automated script monitoring the addresses for deposits.


Quote
Electrum was definitely downloaded from electrum.org, I checked in my history.
Do you still have the install file or the .exe for portable or standalone Windows version? ???

If so, have you checked and verified the digital signature of the file? This is the only way to guarantee authenticity of the wallet.


Title: Re: Bitcoin stolen instantly?
Post by: btcSCNB on March 19, 2019, 03:14:51 AM
I created the wallet myself many months ago through a new seed (standard method). I never used the wallet until today (its history was completely blank) and no one around me even knows what bitcoin or a bitcoin seed are or how to use. I should've used Jaxx and generate a fresh new wallet which i wanted to do but I was too lazy, damn it :'(.

I still have the 3.3.0 installer. What kinda information do you need?


Title: Re: Bitcoin stolen instantly?
Post by: nc50lc on March 19, 2019, 03:23:09 AM
You must verify it as HCP said, you'll never know if it was the old redirecting eIectrum.org <-Fake Site from google search.

Follow these guides (select depending on your OS):
  • How to Verify Your Electrum Wallet on Windows (https://bitcointalk.org/index.php?topic=4183993.0)
  • How do i verify Electrum installer on Linux? (https://bitcointalk.org/index.php?topic=5069664.0)


Title: Re: Bitcoin stolen instantly?
Post by: joniboini on March 19, 2019, 04:57:30 AM
Quote
I should've used Jaxx and generate a fresh new wallet which i wanted to do but I was too lazy, damn it :'(.

I think Electrum is one of the best wallets out there. So like others said, you must be hacked or your Electrum is fake. It is not really Electrum's fault per se that your funds got lost instantly, if that was the case, there will be a lot of people protesting here and Electrum should be dead since a long time ago.

My suggestion is make sure to always verify any file that you've downloaded from the internet to prevent something like this from happening again.


Title: Re: Bitcoin stolen instantly?
Post by: poordeveloper on March 19, 2019, 05:34:17 AM
Quote
Thanks for reply.
In what way could I've been hacked? There's nothing unusual in my pc, I'm a crypto noob but not a PC noob, and I don't even have a file with the seed. I just don't get how this is possible. Electrum was definitely downloaded from electrum.org, I checked in my history. I didn't receive any error message and made no upgrade since 20 december 2018.
This is the fake mandatory upgrade attack other users are talking about: https://bitcointalk.org/index.php?topic=5090097.0


Title: Re: Bitcoin stolen instantly?
Post by: btcSCNB on March 19, 2019, 04:59:19 PM
I don't know. I'm gonna keep the compromised wallet for awhile, maybe the thief grows a consciousness and sends the coin back  ::). I checked that address on blockchain.com and the money hasn't been sent forward so far. After a month or so I'm gonna delete the bad wallet, electrum and every single file associated with it, registry entries, etc., maybe even reinstall Windows. I'm really paranoid right now. You say Electrum is safe which might be true but since there are so many bad clones out there and servers and attacks I wouldn't consider it safe. Of course, my mistake was using that old wallet which I had no reason to.


Title: Re: Bitcoin stolen instantly?
Post by: HCP on March 19, 2019, 10:16:04 PM
Quote
I still have the 3.3.0 installer. What kinda information do you need?
If you still have the installer... I would still try and verify the digital signature. Use the guides as posted by nc50lc.

Or, if you can't verify it yourself, feel free to upload it to a filehost somewhere... PM me the link to it, and I can try and verify the signature for you. At least that way maybe we can either confirm or eliminate the "fake wallet" possibility as the reason for your wallet being compromised.


Title: Re: Bitcoin stolen instantly?
Post by: btcSCNB on March 20, 2019, 12:34:04 AM

Verifying the Electrum installer seems a bit complicated and I didn't manage to do it.
No updates were made to this version ever since I installed it in december last year. The installer has been in my PC ever since.
I'm usually super careful but apparently not when I should've been the most careful.


Title: Re: Bitcoin stolen instantly?
Post by: elda34b on March 20, 2019, 12:59:27 AM

Quote
Verifying the Electrum installer seems a bit complicated and I didn't manage to do it.
No updates were made to this version ever since I installed it in december last year. The installer has been in my PC ever since.
I'm usually super careful but apparently not when I should've been the most careful.

Then can you do what HCP suggested? Maybe we can help you verify the files if that's really legit or not. If that's legit then you're hacked, if not, then you lost your funds because the software is fake (or can be both).


Title: Re: Bitcoin stolen instantly?
Post by: HCP on March 20, 2019, 01:12:57 AM
I have gone ahead and verified the installer as provided on the link via PM from btcSCNB... results are as follows:
Quote
PS C:\Users\HCP\Downloads\Crypto\Electrum\suspect> gpg --verify .\electrum-3.3.0-setup.exe.asc
gpg: assuming signed data in '.\electrum-3.3.0-setup.exe'
gpg: Signature made 12/20/18 09:10:44 [redacted]
gpg:                using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [unknown]
gpg:                 aka "ThomasV <thomasv1@gmx.de>" [unknown]
gpg:                 aka "Thomas Voegtlin <thomasv1@gmx.de>" [unknown]

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6
PS C:\Users\HCP\Downloads\Crypto\Electrum\suspect>

So, that would indicate that the installer is "good"...

Therefore, assuming that the rest of the information we have is correct, the wallet was most likely to have been compromised in some other manner... keylogger or RAT that somehow managed to get seed mnemonic or wallet file+password... or the OP has unknowingly leaked their seed through some other manner (claiming forks from dodgy wallets? unlikely given it was an unused wallet) or stored it "digitally" in one form or another (ie. email/IM/screen shot/text file) and that storage has been compromised. ???

@btcSCNB, at this time, and unless you can positively identify how your seed/wallet was compromised, I would seriously contemplate wiping your computer and doing a fresh OS install... then changing ALL your passwords to EVERYTHING... as it would appear something on your PC or with your "OpSec" is compromised. :-\
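
Added example, not part of HCP's post or of the Electrum project: the transcript above shows "Good signature" together with gpg's "not certified" warning, so what settles authenticity is whether the primary key fingerprint is the one you expect. This Python code reads gpg's machine-readable --status-fd output and makes that comparison; the function names and the sample status lines (timestamps and the second fingerprint included) are constructed for illustration, and the pinned fingerprint is the one printed in the transcript.

```python
import subprocess

# Primary key fingerprint printed in the gpg transcript above.
PINNED_FPR = "6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"
# Status keywords that mean the signature must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def judge(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for the output of `gpg --status-fd 1 --verify`."""
    good, primary_fpr = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False, "gpg reported " + keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # args[0] is the signing (sub)key; the 10th field, when present,
            # is the primary key fingerprint that gpg prints for humans.
            primary_fpr = (args[9] if len(args) >= 10 else args[0]).upper()
    if not good or primary_fpr is None:
        return False, "no valid signature found"
    if primary_fpr != pinned_fpr.replace(" ", "").upper():
        return False, "good signature, but from unexpected key " + primary_fpr
    return True, "good signature from pinned key"


def verify_file(sig_path, data_path):
    """Run gpg on a detached signature and judge its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return judge(proc.stdout)


# Constructed status output (timestamps and second fingerprint are made up).
SAMPLE_GOOD = """\
[GNUPG:] GOODSIG 2BD5824B7F9470E6 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2018-12-20 1545297044 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same user ID, different key: gpg still says GOODSIG for this one.
SAMPLE_IMPOSTOR = """\
[GNUPG:] GOODSIG 89ABCDEF01234567 Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-12-20 1545297044 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = "[GNUPG:] BADSIG 2BD5824B7F9470E6 Thomas Voegtlin <thomasv@electrum.org>\n"

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_IMPOSTOR", "SAMPLE_BAD"):
        print(name, judge(globals()[name]))
```

On a real download, verify_file("electrum-3.3.0-setup.exe.asc", "electrum-3.3.0-setup.exe") runs the same check once the signer's public key has been imported into the local keyring.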


Title: Re: Bitcoin stolen instantly?
Post by: Pmalek on March 20, 2019, 09:40:41 AM
OP have you downloaded any suspicious files since installing your Electrum wallet?
Any browser plugins?
How did you save your seed? You say you don't have a file with your seed but did you create one initially that you saved somewhere on your PC?
Is it a shared PC, could someone have gotten access to it?
Did you save it in an email client, viber, whatsapp, sent it over facebook, google drive etc?
Do you use the same PC where your Electrum is installed for other online activities, torrenting, gaming, xxx?


Title: Re: Bitcoin stolen instantly?
Post by: btcSCNB on March 20, 2019, 07:09:01 PM
No, no suspicious files, I'm very careful about what I download. The only extension is Ant video downloader for Firefox. I don't remember what I did with the seed, I'm sure I had a text file with the seed at some point but it was stored only on my PC and I deleted it a long time ago or got lost when my old HDD failed. The old HDD never left the house, it's under my desk right now. I only had the old empty wallet which I now wish I had lost too. The wallet was exported on a stick and the stick always stayed in my house. Only I have access to this PC, I'm the only user. I rarely use Google drive, it wasn't ever uploaded there; I went through all the old emails in my most used accounts and searched for terms and there's no trace of any wallet or seed and I don't remember ever sending anything like that over email in the first place. I don't even use or used Whatsapp, viber or similar apps. I use facebook but never used it for anything crypto related, I didn't have any reason to. I do use this PC for almost everything I do online (mainly youtube watching, wikipedia) including xxx and, rarely, torrents but I did deep scans and couldn't find any virus or malware anywhere. I disinfected dozens of PCs myself in my lifetime, I would've found something if there was something.
I mean it's just 100€ but I'm still bitter about it, I could've used that money.


Title: Re: Bitcoin stolen instantly?
Post by: HeRetiK on March 21, 2019, 10:04:42 AM
Quote
[...] I do use this PC for almost everything I do online (mainly youtube watching, wikipedia) including xxx and, rarely, torrents but I did deep scans and couldn't find any virus or malware anywhere. [...]

Maybe you caught something on one of the torrent sites. While porn sites are supposedly surprisingly safe, torrent and streaming sites can't be quite as choosy as far as advertisers are concerned, so sometimes you'll get nasty little malware just from entering the site. Happened to me a couple years back, I wasn't sure whether to be pissed off or impressed. Either use ad blockers / disable JavaScript or use a VM when visiting any piracy related sites.

Also note that well written malware doesn't necessarily turn up on virus scans. Actually malware doesn't necessarily need to be well written to remain overlooked, it often suffices if it's just rare enough to slip under the radar. Accordingly I'd probably consider reinstalling my OS from scratch if I were you.

Do you have any spell checkers installed? Turns out they potentially leak your seed and other sensitive information:
https://www.zdnet.com/article/cryptocurrency-wallet-caught-sending-user-passwords-to-googles-spellchecker/


Title: Re: Bitcoin stolen instantly?
Post by: Pmalek on March 22, 2019, 09:16:09 AM
Quote
[...] I do use this PC for almost everything I do online (mainly youtube watching, wikipedia) including xxx and, rarely, torrents but I did deep scans and couldn't find any virus or malware anywhere. [...]
That can be an issue and a potential security threat. A PC where you keep your Bitcoins and your wealth shouldn't be used for shady activities like watching porn or downloading torrents. It takes time for new threats to be discovered by AV vendors and for the code to be recognised as malicious.

Like HeRetiK said, reinstalling your OS is the safest thing you can do now. 


Title: Re: Bitcoin stolen instantly?
Post by: Valerian77 on March 22, 2019, 05:17:12 PM
Maybe it's worth trying https://www.spyshelter.com/ and reboot the system. If there is a keylogger or some other kind of evil software Spyshelter will find it.


Title: Re: Bitcoin stolen instantly?
Post by: Abdussamad on March 22, 2019, 07:54:35 PM
You're not supposed to store the seed on the PC. Any program could have read that text file. Maybe it was backed up to the cloud by some backup program.


Title: Re: Bitcoin stolen instantly?
Post by: joniboini on March 23, 2019, 04:26:30 AM
Quote
Maybe it's worth trying https://www.spyshelter.com/ and reboot the system. If there is a keylogger or some other kind of evil software Spyshelter will find it.

Looks like this is Windows only? How good is this? By the looks of it, seems like this is made for Windows XP?
Looks very old too (got an award in 2013).

Is there an alternative software for other OS?
Not that I'm gonna need it but maybe some users find it useful.


Title: Re: Bitcoin stolen instantly?
Post by: Chikito on March 24, 2019, 08:25:25 AM
Quote
I still have the 3.3.0 installer. What kinda information do you need?
Looks like you didn't update your file, I think this because it, deflecting server or something wrong when sync of server.
Quote
Warning: Electrum versions older than 3.3 can no longer connect to public servers, and must be upgraded. This is in order to prevent user exposure to phishing messages. Do not download Electrum from any another source than electrum.org.


Title: Re: Bitcoin stolen instantly?
Post by: BitMaxz on March 24, 2019, 10:20:59 PM
Quote
No, no suspicious files, I'm very careful about what I download. The only extension is Ant video downloader for Firefox. I don't remember what I did with the seed, I'm sure I had a text file with the seed at some point but it was stored only on my PC and I deleted it a long time ago or got lost when my old HDD failed. The old HDD never left the house, it's under my desk right now. I only had the old empty wallet which I now wish I had lost too. The wallet was exported on a stick and the stick always stayed in my house. Only I have access to this PC, I'm the only user. I rarely use Google drive, it wasn't ever uploaded there; I went through all the old emails in my most used accounts and searched for terms and there's no trace of any wallet or seed and I don't remember ever sending anything like that over email in the first place. I don't even use or used Whatsapp, viber or similar apps. I use facebook but never used it for anything crypto related, I didn't have any reason to. I do use this PC for almost everything I do online (mainly youtube watching, wikipedia) including xxx and, rarely, torrents but I did deep scans and couldn't find any virus or malware anywhere. I disinfected dozens of PCs myself in my lifetime, I would've found something if there was something.
I mean it's just 100€ but I'm still bitter about it, I could've used that money.
If you didn't paste your seed somewhere online or some website your seed is safe.
So I'm sure you could be infected there's something blocking the file from scanning that is why the Malwarebytes couldn't find any malicious files inside in your PC.
If the virus was executed and running behind and pretending as system file I'm sure the Malwarebytes can't detect it or any antivirus this most likely a trojan virus.

Did you try to scan the HDD as external to other PC just to make sure the infected file is not running from HDD? If not do this but make sure that the PC is clean before you scan the whole external HDD.


Title: Re: Bitcoin stolen instantly?
Post by: seoincorporation on March 25, 2019, 06:59:34 PM
This happens a lot with people who use weak phrases to make their wallets with vanity gen, maybe this is not the scenario but if you make an addy from the phrase 'cocacola' and send money there, you will see how fast the bitcoin disappear from that addy. I think some hackers load all the weak addys and made a script to instantly send the money to their addys after someone put BTC on those weak addys.