Bitcoin Forum

Bitcoin => Electrum => Topic started by: talliar on April 05, 2020, 02:42:00 PM



Title: Unverified transaction fron Electrum wallet
Post by: talliar on April 05, 2020, 02:42:00 PM
Electrum version 3.3.7. installed on Xiaomi mi9t pro. Nowhere else. Password protection has been enabled. On April 1, the wallet had 1.23595057 btc. Today I switched to a wallet to transfer part of the funds and was very surprised. Wallet balance 0. It turned out that on April 3rd at 23:05 a transaction was sent for the total balance. The transaction was sent to an address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq. No one has access to the phone. Electrum has been downloaded from the official site. I know about phishing and always carefully check everything. Never updated the application. I download all applications for the phone only through the play market. Please tell me how this happened? What have I done wrong? For what reason have I lost all my savings?


Title: Re: Unverified transaction fron Electrum wallet
Post by: DireWolfM14 on April 05, 2020, 02:52:02 PM
When you created the wallet did you write down the seed phrase on a piece of paper, and store it somewhere to which only you have access?  If you are correct that you don't have a malicious version of Electrum, then I would suspect that someone may have found your seed phrase.  Is that possible?

The other thing you said is that you downloaded it from the official site, do you mean you downloaded the APK file, or did you click the link to google play?


Title: Re: Unverified transaction fron Electrum wallet
Post by: hosseinimr93 on April 05, 2020, 03:01:29 PM
I just searched the address on Google and found the following post on Reddit.
Bitpay wallet hacked - what went wrong? (https://www.reddit.com/r/Bitcoin/comments/eopv6n/bitpay_wallet_hacked_what_went_wrong/)

And since there are several transactions sent to that address (https://www.blockchain.com/btc/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq), it seems that it belongs to a hacker.


Title: Re: Unverified transaction fron Electrum wallet
Post by: talliar on April 05, 2020, 08:04:18 PM
Quote
When you created the wallet did you write down the seed phrase on a piece of paper, and store it somewhere to which only you have access?  If you are correct that you don't have a malicious version of Electrum, then I would suspect that someone may have found your seed phrase.  Is that possible?

the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.

Quote
The other thing you said is that you downloaded it from the official site, do you mean you downloaded the APK file, or did you click the link to google play?

Sorry, correct is "i downloaded this electrum from google play. I check it twice.


Title: Re: Unverified transaction fron Electrum wallet
Post by: DireWolfM14 on April 05, 2020, 08:21:09 PM
Quote
the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.
~
Sorry, correct is "i downloaded this electrum from google play. I check it twice.

Well, as hosseinimr93 pointed out, that address appears to belong to a hacker/scammer.  It's unlikely your seed phrase was compromised, but it's very likely you did not install the official Electrum app from google.  I know you were trying to be careful, but at this point it's the most likely scenario.  You can check your google account to see which app you have installed, and compare it to the app to which official Electrum website directs.

Here's the official website link: https://electrum.org/#home
And, the link to the official app on google play: https://play.google.com/store/apps/details?id=org.electrum.electrum

If you have the real app installed the play store will inform you as such:

https://i.ibb.co/zs11q09/Capture.jpg
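
Added example (not part of the original post, and not Electrum's own code): one way to run the comparison described above from a computer, by checking the output of `adb shell pm list packages -i` against the official package id from the Play link. The sample listing and the look-alike ids in it are constructed, and matching on the word `electrum` is only a heuristic, since a fake wallet can use any package id.

```python
import re

OFFICIAL_ID = "org.electrum.electrum"   # package id taken from the Play Store link in the post
PLAY_STORE = "com.android.vending"      # package name of the Google Play installer

# Constructed sample of `adb shell pm list packages -i` output (not from the OP's phone).
SAMPLE = """\
package:org.electrum.electrum  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:com.electrum.wallet.pro  installer=com.android.vending
package:org.electrum.electrum2  installer=null
"""

LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse(listing):
    """Return {package id: installer package} from `pm list packages -i` text."""
    apps = {}
    for line in listing.splitlines():
        match = LINE.match(line.strip())
        if match:                       # lines without an installer field are skipped
            apps[match["pkg"]] = match["installer"]
    return apps


def review(listing, keyword="electrum"):
    """List (package id, reason) pairs that deserve a closer look."""
    apps = parse(listing)
    findings = []
    if OFFICIAL_ID not in apps:
        findings.append((OFFICIAL_ID, "official package is not installed"))
    for pkg, installer in sorted(apps.items()):
        if pkg == OFFICIAL_ID:
            # Sideloaded APKs report a different installer, often "null".
            if installer != PLAY_STORE:
                findings.append((pkg, "official id, but not installed by Google Play"))
        elif keyword in pkg.lower():
            findings.append((pkg, "look-alike package id"))
    return findings


if __name__ == "__main__":
    for pkg, reason in review(SAMPLE):
        print(f"{pkg}: {reason}")
```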


Title: Re: Unverified transaction fron Electrum wallet
Post by: HCP on April 05, 2020, 10:17:40 PM
This is indeed puzzling and concerning... if all that OP has said is true regarding their OpSec (only installed from Play Store, seed on paper in safe etc) then theoretically their funds should be "safe" from such events. :-\


Quote
installed on Xiaomi mi9t pro.

Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS right? Is it root-enabled? ???


Title: Re: Unverified transaction fron Electrum wallet
Post by: Rath_ on April 05, 2020, 10:43:14 PM
Quote
Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS right? Is it root-enabled? ???

It is not rooted by default and it would take some effort to do so. They use a modified version of Android but I wouldn't suspect them because of that. Most manufacturers modify Android heavily. Also, they aren't a completely random Chinese brand.


Title: Re: Unverified transaction fron Electrum wallet
Post by: HCP on April 05, 2020, 11:01:50 PM
I'm not blaming the brand or implying that they are the thieves... I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

@OP, is your device rooted?



Title: Re: Unverified transaction fron Electrum wallet
Post by: BitMaxz on April 05, 2020, 11:19:21 PM
How did you create your wallet from Electrum mobile? If someone created it for you he might be the one who stole your Bitcoin. Or if the seed backup is created from other wallets like Bitpay?

If not, then there might be a keylogger in your device. Actually, Xiaomi phones are not as secure as Samsung with Knox.

A similar case and address can be found below the same as hosseinimr93 posted above.
- [uncensored-r/Bitcoin] Bitpay wallet hacked - what went wrong? (https://www.reddit.com/r/noncensored_bitcoin/comments/eospkb/uncensoredrbitcoin_bitpay_wallet_hacked_what_went/)

That's why I suspected that this address is controlled by Bitpay? I'm not sure but if your seed backup is created from Bitpay and imported it to Electrum mobile... Maybe?


Title: Re: Unverified transaction fron Electrum wallet
Post by: nc50lc on April 06, 2020, 03:05:30 AM
Quote
The transaction was sent to an address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq -snip-

Looks like it's being used to receive hacked bitcoins not exclusive to Electrum; the chance of fake Electrum being the culprit is slim.
It was reported here: https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq (https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq), expand the "scam alert" portion.

What are the other installed applications you have in your phone?
And please answer the question in post#2, where did you store your 12-word seed phrase? <-- must be the issue.


Title: Re: Unverified transaction fron Electrum wallet
Post by: HCP on April 06, 2020, 04:23:29 AM
Quote
And please answer the question in post#2, where did you store your 12-word seed phrase? <-- must be the issue.

He already did up in Post #4 (https://bitcointalk.org/index.php?topic=5238124.msg54164324#msg54164324)... it was just a bit hidden in the "bad" quoting:

Quote
the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.

Like I said, if everything he said is true... it's very puzzling and concerning. :-\


Title: Re: Unverified transaction fron Electrum wallet
Post by: joniboini on April 06, 2020, 05:14:31 AM
Quote
I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

Lots of Xiaomi phones are 'rootable' due to many developers supports their devices (because the price/performance ratio is good for most people who don't want to spend $800 for a phone).

That being said, I doubt just because he installed a custom ROM somebody can expose his seed just like that. We'd need a lot of details from now on, starting from the apps on his phone, what security patch his phone is using, did he also load his wallet on another place previously, etc.


Title: Re: Unverified transaction fron Electrum wallet
Post by: talliar on April 06, 2020, 06:37:26 AM
Quote
the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.
~
Sorry, correct is "i downloaded this electrum from google play. I check it twice.
Well, as hosseinimr93 pointed out, that address appears to belong to a hacker/scammer.  It's unlikely your seed phrase was compromised, but it's very likely you did not install the official Electrum app from google.  I know you were trying to be careful, but at this point it's the most likely scenario.  You can check your google account to see which app you have installed, and compare it to the app to which official Electrum website directs.
Here's the official website link: https://electrum.org/#home
And, the link to the official app on google play: https://play.google.com/store/apps/details?id=org.electrum.electrum
If you have the real app installed the play store will inform you as such:
https://i.ibb.co/zs11q09/Capture.jpg

When I use your link, I see Открыть, it translates as Open. This means that the electrum is installed from official page:
https://i.ibb.co/Z1JkPHv/Screenshot-2020-04-06-09-25-28-001-com-android-vending.png



Quote
I'm not blaming the brand or implying that they are the thieves... I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development
@OP, is your device rooted?


No. The phone was bought in the official store and in order not to violate the warranty, I did not do anything with the official firmware



Quote
How did you create your wallet from Electrum mobile? If someone created it for you he might be the one who stole your Bitcoin. Or if the seed backup is created from other wallets like Bitpay?
If not, then there might be a keylogger in your device. Actually, Xiaomi phones are not as secure as Samsung with Knox.
A similar case and address can be found below the same as hosseinimr93 posted above.
- [uncensored-r/Bitcoin] Bitpay wallet hacked - what went wrong? (https://www.reddit.com/r/noncensored_bitcoin/comments/eospkb/uncensoredrbitcoin_bitpay_wallet_hacked_what_went/)
That's why I suspected that this address is controlled by Bitpay? I'm not sure but if your seed backup is created from Bitpay and imported it to Electrum mobile... Maybe?

I create my seed by Electrum mobile.
Never used other wallets, this was not necessary



Quote
The transaction was sent to an address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq -snip-
Looks like it's being used to receive hacked bitcoins not exclusive to Electrum; the chance of fake Electrum being the culprit is slim.
It was reported here: https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq (https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq), expand the "scam alert" portion.
What are the other installed applications you have in your phone?
And please answer the question in post#2, where did you store your 12-word seed phrase? <-- must be the issue.

All applications on the phone are downloaded from the play store. These are applications from banks, cards, food delivery services and instant messengers. After the money was stolen, I carefully scanned the entire list, all the applications are pretty famous.

"the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me."



Quote
I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development
Lots of Xiaomi phones are 'rootable' due to many developers supports their devices (because the price/performance ratio is good for most people who don't want to spend $800 for a phone).
That being said, I doubt just because he installed a custom ROM somebody can expose his seed just like that. We'd need a lot of details from now on, starting from the apps on his phone, what security patch his phone is using, did he also load his wallet on another place previously, etc.

My phone has official firmware. If this can help to understand the situation, then today I will write a complete list of all applications on the phone.


Title: Re: Unverified transaction fron Electrum wallet
Post by: Lucius on April 06, 2020, 10:46:30 AM
talliar, you say that on April 1 your coins are still in the wallet - so something happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?

For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?


Title: Re: Unverified transaction fron Electrum wallet
Post by: Csmiami on April 06, 2020, 11:27:03 AM
Quote
talliar, you say that on April 1 your coins are still in the wallet - so something happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?
For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?

If this (https://www.blockchain.com/es/btc/tx/953dba05d48aea92359dd5216aabcd10f8733179ab1def6d56af625bc836a9a5) is the outgoing transaction he is talking about, he received the coins on April 1st into 2 different addresses. Both of them had had a lot of movement in the previous days, so if I had to take a guess, they came from a mixer/exchange/similar.

It may be a long shot, but I've read that users installing the "Houseparty" app have had many data leaks and some even lost BTC. Since we are in lockdown, it's likely he installed it, and it would be inside the "pretty famous" list of apps.


Title: Re: Unverified transaction fron Electrum wallet
Post by: talliar on April 06, 2020, 12:46:56 PM
Quote
talliar, you say that on April 1 your coins are still in the wallet - so something happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?
For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?

These days my family and I were cleaning the area around the house (we have something like a farm in the village). These days I almost did not use the phone. Mainly Telegram and Viber for communicating with parents. I can definitely say that I did not install new applications (the latter was installed two weeks ago, this is soundcloud), and I can definitely say that these days I did not go into the electrum and did not perform any operations. On April 1st, I checked in the evening that a friend had returned my debt. I know many cases where hackers replaced links. I know cases when they replaced the address and bitcoins went to the address of hackers. But so far I could not find cases when this happened without any actions of the owner. That is why I want to understand in detail how this happened. Because while I do not understand this, I do not think it is safe for me to reuse this application. I'm sorry for my English, this is not my native language, in part, I use a translator. Here is a screenshot of the latest wallet transactions. https://i.ibb.co/yWjtqnG/Screenshot-2020-04-06-15-26-40-976-org-electrum-electrum.png


Title: Re: Unverified transaction fron Electrum wallet
Post by: khaled0111 on April 06, 2020, 01:26:44 PM
/*
Electrum version 3.3.7
When did you download your wallet?
3.3.8 is the latest version available for download by default since July 11 2019. If you downloaded your wallet after that date then most probably you got phished and downloaded a fake one. */

Sorry for your loss!

Quote
OP is using mobile version of Electrum, and latest version for Android is 3.3.7.0 from July 3, 2019.

Thank you for the clarification and correcting me. My bad.


Title: Re: Unverified transaction fron Electrum wallet
Post by: Lucius on April 06, 2020, 01:33:00 PM
~snip~

As Csmiami observed, there are a lot of transactions in and out based on that ss you posted, but at this point it is impossible to say how without your permission that last transaction occurred. If your seed is in personal safe, and your phone is safe from malware, then some hacker has obviously found a way to use some kind of exploit in Android OS or in the model of phone you are using.

What you definitely did wrong was that you kept such a large amount in your phone wallet, and that you did not use a hardware wallet or cold storage.



Quote
When did you download your wallet?
3.3.8 is the latest version available for download by default since July 11 2019. If you downloaded your wallet after that date then most probably you got phished and downloaded a fake one.

OP is using mobile version of Electrum, and latest version for Android is 3.3.7.0 from July 3, 2019. According to everything he posted, we're pretty sure he didn't install a fake wallet - otherwise he would have been hacked long before April 3.


Title: Re: Unverified transaction fron Electrum wallet
Post by: Pmalek on April 07, 2020, 07:30:58 PM
Quote
All applications on the phone are downloaded from the play store. These are applications from banks, cards, food delivery services and instant messengers. After the money was stolen, I carefully scanned the entire list, all the applications are pretty famous.

An application downloaded from the Play Store doesn't necessarily mean that it is safe to use. The apps can be "famous" like you said but are you 100% sure that all your apps are genuine and trustworthy? Try to check the total number of downloads, ratings and comments on the Play Store, especially the negative comments and bad ratings. Do any of them mention the loss of money or private data?


Title: Re: Unverified transaction fron Electrum wallet
Post by: BitMaxz on April 07, 2020, 10:30:46 PM
Quote
No, I never heard of this application and did not install it on the phone. I am from Russia, sometimes new trends go up to us sometimes)

How about Guard Provider app or any anti-virus pre-installed on your phone?

Read this article below.
- Xiaomi phones came with security flaw preinstalled (https://www.cnet.com/news/xiaomis-phones-had-a-security-flaw-preinstalled-on-millions-of-devices/)

Since before I don't trust any Chinese phones because there are lots of security vulnerabilities like Xiaomi phones.
If you know well that you downloaded it from trusted sources the only thing that I suspected is the preinstalled apps from your phone (like the Guard app mentioned in the article).


Title: Re: Unverified transaction fron Electrum wallet
Post by: Lucius on April 08, 2020, 12:26:45 PM
Quote
How about Guard Provider app or any anti-virus pre-installed on your phone?
Read this article below.
- Xiaomi phones came with security flaw preinstalled (https://www.cnet.com/news/xiaomis-phones-had-a-security-flaw-preinstalled-on-millions-of-devices/)

From the article:

Quote
Guard Provider gets its updates through an unsecured HTTP connection, he said. This means that if an attacker was on the same Wi-Fi network as a potential victim, the hacker could insert malware in those updates through a "man-in-the-middle attack." That's when a rogue network is set up to look exactly like the one you're connected to and tricks the victim's device into connecting to the fake Wi-Fi. Using the vulnerability, a hacker could've interrupted Guard Provider's update process and added malware that would steal data, install tracking apps or plant ransomware, Makkaveev said. The attacker would have to time this to when the updates are happening and also know the file name of the update -- which is not difficult to figure out because they follow a template, said Yaniv Balmas, Check Point's head of research.

If we add to all this that Xiaomi fixed this security flaw last year, and that OP lives on the farm in the village, which means there probably aren't many neighbors who are capable of making a man-in-the-middle attack, then such an option is not exactly the most probable reason for the loss of funds. However, this attack vector should not be neglected either, it is possible that the OP has used some public wireless network or has neighbors who are skilled in hacking.


Title: Re: Unverified transaction fron Electrum wallet
Post by: talliar on April 12, 2020, 10:39:42 AM
I used only LTE from my mobile operator (TELE-2). We don't have any wifi networks in our place, so far away from the city (60km).

These days I was trying to understand how this happened. But all the known cases come down to is downloading the Electrum application from fake sites or entering a seed phrase in third-party applications. I didn’t do either one. The question is still open for me. It would be great if there were logs in the electrum, in which you could see from which application the transaction was made or any data about the device. but as I understand it is impossible.


Title: Re: Unverified transaction fron Electrum wallet
Post by: HCP on April 12, 2020, 08:50:12 PM
Quote
It would be great if there were logs in the electrum, in which you could see from which application the transaction was made or any data about the device. but as I understand it is impossible.

I think you misunderstand how Bitcoin works. The transaction was, in all likelihood, not sent from your device.

Once someone has your seed or private key(s), they can simply clone it into a wallet on their own device (pc/mobile) and then have full access to your funds. The most likely explanation is that someone has access to your seed.

However, the difficult part for anyone to figure out is how that person got access to your seed... usually, the answer is, like you say, because of fake apps or people storing seeds digitally (screenshots, emails etc)... but according to you, none of that is true in this case.

In that case, you would need to sit down and think of everything that has happened since you installed the wallet and started using it to try and find the hole in your security. There isn't really a lot else that other people can do for you at this stage :-\ :(
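
Added example (not part of the original post, and not Electrum's own code): a sketch of why a seed works on any device, following Electrum's seed stretching (PBKDF2-HMAC-SHA512, salt `electrum` plus an optional seed extension, 2048 rounds) and the BIP32 master-key step. The 12 words are constructed and would not pass Electrum's seed check, the text normalisation is simplified, and `wallet_id` is a hypothetical helper used only to compare results.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; a BIP32 master key must lie in 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed phrase for illustration only; it is not a real wallet seed.
WORDS = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"


def normalize(text):
    """Simplified normalisation: NFKD, lowercase, drop accents, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text).lower()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.split())


def stretch_seed(words, extension=""):
    """Seed words (plus optional seed extension) -> 64-byte binary seed."""
    return hashlib.pbkdf2_hmac(
        "sha512",
        normalize(words).encode("utf-8"),
        b"electrum" + normalize(extension).encode("utf-8"),
        2048,
    )


def bip32_root(seed):
    """64-byte seed -> (master private key, chain code) as defined by BIP32."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code


def restore(words, extension=""):
    # Nothing device-specific goes in: no wallet-file password, no phone id,
    # no app data. The words (and the extension, if one was set) are the wallet.
    return bip32_root(stretch_seed(words, extension))


def wallet_id(words, extension=""):
    """Hypothetical short fingerprint of the root, for comparing two restores."""
    key, chain_code = restore(words, extension)
    return hashlib.sha256(key + chain_code).hexdigest()[:16]


if __name__ == "__main__":
    on_phone = wallet_id(WORDS)
    elsewhere = wallet_id("  ALPHA bravo charlie delta echo foxtrot "
                          "golf hotel india juliet kilo lima ")
    reordered = wallet_id(" ".join(reversed(WORDS.split())))
    print("same words, other device :", on_phone == elsewhere)
    print("same words, other order  :", on_phone == reordered)
```

The password set in the mobile app only encrypts the wallet file stored on that phone, which is why it does not appear anywhere in the derivation.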