Bitcoin Forum

Bitcoin => Electrum => Topic started by: AlwaysTheTeddy on September 14, 2022, 06:30:34 PM



Title: Received Bitcoins were instantly gone
Post by: AlwaysTheTeddy on September 14, 2022, 06:30:34 PM
Hey, I'm kind of a noob in bitcoin in general, so please bear with me.
I sent some bitcoin to my Electrum wallet; as soon as it appeared in there as unconfirmed, a second payment order appeared. That payment order was for that exact amount (it was empty before) and it sent the coins I just received to god knows where. Now both are fully confirmed and I kinda don't know what to do.
Anyone got some advice?


Title: Re: Received Bitcoins were instantly gone
Post by: stompix on September 14, 2022, 06:42:32 PM
Was that wallet freshly installed, or have you used it before? If the first case, where did you download it from?


Title: Re: Received Bitcoins were instantly gone
Post by: AlwaysTheTeddy on September 14, 2022, 06:50:01 PM
Was not the first time, had it for a long time


Title: Re: Received Bitcoins were instantly gone
Post by: LoyceV on September 14, 2022, 07:38:05 PM
It sounds like your wallet got compromised. Maybe someone got your seed phrase, maybe you have malware, or maybe the version of Electrum you downloaded is the malware.
I wouldn't trust anything on your computer anymore. To be safe: disconnect the internet, backup your data, wipe your computer, and reinstall it.
Then, don't use that Electrum wallet anymore. Create a fresh one, or better, get a hardware wallet and keep your seed phrase offline.


Title: Re: Received Bitcoins were instantly gone
Post by: wd1 on September 14, 2022, 07:40:46 PM
I hope it wasn't a lot. Please get a hardware wallet and store your seed phrase offline if you are dealing with any kind of significant funds.


Title: Re: Received Bitcoins were instantly gone
Post by: hosseinimr93 on September 14, 2022, 08:06:00 PM
Now both are fully confirmed and I kinda don't know what to do.
There's nothing you can do. Bitcoin transactions are irreversible.
The only thing you can do now is to avoid sending any more funds to your wallet and, as mentioned above, format your computer and install a fresh operating system.

Take note that if you want to be completely secure in the future, you should install Electrum on an air-gapped device.
If you can't do that for any reason, it's recommended to use a hardware wallet.


Title: Re: Received Bitcoins were instantly gone
Post by: Marvelman on September 14, 2022, 10:52:23 PM
Was not the first time, had it for a long time

You are probably no longer the sole owner of that wallet, i.e. someone else has access to your private key or seed phrase. Did you share your private key with someone or did someone else create that wallet for you? Whatever the case, consider that wallet compromised and you have no way to get your coins back unless you know the perpetrator.


Title: Re: Received Bitcoins were instantly gone
Post by: BitMaxz on September 14, 2022, 11:47:24 PM
Was not the first time, had it for a long time

How long? If the wallet was created with an Electrum version below 3.4.4 and it's currently installed on your device or PC, then it will give you a notice to download the latest version with a link. If you updated it using that link, it will lead you to a phishing site, and if you then downloaded and installed it on your device/PC, your wallet is already compromised.

Electrum.org removed the warning, but a few months ago you could see this warning below on their website.

Code:
Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.

So before you install or update Electrum, make sure you always verify it to be sure you have the original Electrum installer. Many people suffered from this a year ago, so be careful with any phishing sites.

About your current case: if the transaction is still unconfirmed, I think you can double spend the transaction and transfer it to your new wallet.


Title: Re: Received Bitcoins were instantly gone
Post by: hosseinimr93 on September 15, 2022, 06:28:02 AM
About your current case: if the transaction is still unconfirmed, I think you can double spend the transaction and transfer it to your new wallet.
Since OP made this topic, the mempool has been emptied several times. Therefore, even if the transaction in question was made with a fee rate of 1 sat/vbyte, it has surely been confirmed and there is no way to double spend it.
Also, it was mentioned in the OP that both transactions (the one made by OP and the one made by the hacker/thief) have been confirmed.


Title: Re: Received Bitcoins were instantly gone
Post by: LoyceV on September 15, 2022, 07:17:39 AM
About your current case if the transaction is still unconfirmed
See:
both are fully confirmed


Title: Re: Received Bitcoins were instantly gone
Post by: DireWolfM14 on September 15, 2022, 02:59:02 PM
I sent some bitcoin to my Electrum wallet; as soon as it appeared in there as unconfirmed, a second payment order appeared. That payment order was for that exact amount (it was empty before) and it sent the coins I just received to god knows where. Now both are fully confirmed and I kinda don't know what to do.

This sounds a lot like the behavior of that malicious version of Electrum that plagued the community around the end of 2018. Do you remember where you downloaded Electrum from? I'm not going to ask you to disclose any information you want to keep private, but I'm curious if you would be willing to share the address where your coins were sent? No big deal if not; if my suspicion is accurate, the coins probably just moved from there to a mixing service anyway.

I also encourage you to heed LoyceV's warnings and advice; back up what you need from the device, then purge the OS and reinstall it.  I also suggest that you read this post (https://bitcointalk.org/index.php?topic=5240594.msg54223763#msg54223763) before installing Electrum again.

[GUIDE] How to Safely Download and Verify Electrum [Guide] (https://bitcointalk.org/index.php?topic=5240594.msg54223763#msg54223763)


Title: Re: Received Bitcoins were instantly gone
Post by: NeuroticFish on September 15, 2022, 03:07:21 PM
As all have said, the wallet is compromised. Maybe your OS too.
This means that you should no longer use any address of that wallet, and that you should safely create (fresh OS, maybe hardware wallet) a completely new wallet.

I think that the rest was covered by the previous posts.


Title: Re: Received Bitcoins were instantly gone
Post by: AlwaysTheTeddy on September 15, 2022, 03:13:41 PM
Okay, so to answer all the questions:

No, it was not a lot, thankfully.

I have used that wallet for a long time now and it always worked like normal; in all that time I didn't update it from my original version (3.3.8).

The original setup was Electrum 3.3.8 from the real electrum.org. After this incident I updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again, this was AFTER everything I described happened. Thought maybe it would be there like normal on a new version lol

No, I created the wallet myself and never shared it with anyone. Kinda guess that means my whole system is compromised, right? Because how would anyone have access without that.

@DireWolfM14 It was sent to this address: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Don't know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Wallet's fucked anyways

And thanks for all the help guys, appreciate it


Title: Re: Received Bitcoins were instantly gone
Post by: DireWolfM14 on September 15, 2022, 03:27:21 PM
It was sent to this address: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Don't know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00

The only danger in sharing the information above is breaching your privacy, no security risks exist.

But I did notice a clue that tells me you got scammed somehow, namely the fee rate that was applied to the outbound transaction:

https://i.postimg.cc/MKpPSxmx/image.png

227 sats per vByte is a huge overpayment on fees. It's a typical tactic used by scammer scripts that force huge fees to make sure the scam transaction gets confirmed in the next block, and it prevents the victim from double spending the transaction in an attempt to thwart the theft.

I also see that you've used the same address as recently as last month with no ill effects. That makes me think that something on your system must have changed after August 21. Do you recall installing any new software, or making some adjustments to your OS in the past few weeks?


Title: Re: Received Bitcoins were instantly gone
Post by: AlwaysTheTeddy on September 15, 2022, 04:27:05 PM
In that timeframe I downloaded a single PDF file about some unrelated stuff.

Didn't really go on any dodgy websites or open any e-mails.

Kinda weird, I don't know how I could've been compromised.

Unrelated because it happened after the incident, but I downloaded the new Electrum update from the original electrum.org.


Title: Re: Received Bitcoins were instantly gone
Post by: DaveF on September 15, 2022, 06:17:51 PM
In that timeframe I downloaded a single PDF file about some unrelated stuff.

Didn't really go on any dodgy websites or open any e-mails.

Kinda weird, I don't know how I could've been compromised.

Unrelated because it happened after the incident, but I downloaded the new Electrum update from the original electrum.org.

Sadly, it could have been something sitting dormant for months before they decided to take your BTC.

If your wallet was compromised a while ago, they probably had a bot sitting there monitoring transactions, waiting for one above a certain amount to be sent to you. If that big transaction did not come after a certain amount of time, they just grab whatever comes in and move on.

-Dave


Title: Re: Received Bitcoins were instantly gone
Post by: Marvelman on September 15, 2022, 07:06:04 PM
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation. I still think that someone made a manual transaction after receiving notification about the incoming transaction. The OP may have some spyware on his/her computer, or the private key (seed phrase) was leaked in some other way. But of course, it is impossible to know for sure.


Title: Re: Received Bitcoins were instantly gone
Post by: GxSTxV on September 15, 2022, 07:17:55 PM
Okay, so to answer all the questions:

No, it was not a lot, thankfully.

I have used that wallet for a long time now and it always worked like normal; in all that time I didn't update it from my original version (3.3.8).

The original setup was Electrum 3.3.8 from the real electrum.org. After this incident I updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again, this was AFTER everything I described happened. Thought maybe it would be there like normal on a new version lol

No, I created the wallet myself and never shared it with anyone. Kinda guess that means my whole system is compromised, right? Because how would anyone have access without that.

@DireWolfM14 It was sent to this address: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Don't know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Wallet's fucked anyways

And thanks for all the help guys, appreciate it
You received the amount in your wallet, then after 10 minutes that amount was sent again to that address you mentioned. I can't say if your wallet is infected by something like the honeypot bots that keep withdrawing any money received in a honeypot wallet. But to be sure, now that the bitcoin is gone forever, I suggest that you clean your computer and change the wallet you are using.

These are the transactions from your wallet: https://www.blockchain.com/btc/address/bc1qwqrkxuq89fnka9lxn4c6d35s5v7aps72cr94xr


Title: Re: Received Bitcoins were instantly gone
Post by: DireWolfM14 on September 15, 2022, 07:33:35 PM
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation. I still think that someone made a manual transaction after receiving notification about the incoming transaction. The OP may have some spyware on his/her computer, or the private key (seed phrase) was leaked in some other way. But of course, it is impossible to know for sure.

What makes you think it took ten minutes for the scam transaction to be initiated?  To me it looks like it was generated instantly after the OP's wallet received the Tx.

https://i.postimg.cc/d0yw7ZZv/image.png

I checked three different block explorers and they all show the two transactions with identical timestamps.


Title: Re: Received Bitcoins were instantly gone
Post by: NeuroticFish on September 15, 2022, 09:50:11 PM
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation.

Sorry, but you're wrong. The two transactions:
Code:
ddcfe5fd98cf4418c926b0d9b61b8fdcc85f0034614b3c1a5530a7c821b357ab
1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
were both mined/included in the same block (754092). You can look that up on mempool.space. No 10 min difference.

Of course they then both have the same timestamp, as DireWolfM14 said.
And this is usually automatic.

Still, a manually made transaction should not be ruled out, since one could have been notified when the tx was sent and not at the moment of getting confirmed, allowing (giving time for) somebody to spend the unconfirmed input (I expect the scripts work exactly the same, just faster), which will have the same result: both txs in the same block.


Title: Re: Received Bitcoins were instantly gone
Post by: Marvelman on September 15, 2022, 10:27:34 PM
What makes you think it took ten minutes for the scam transaction to be initiated?  To me it looks like it was generated instantly after the OP's wallet received the Tx.

I checked three different block explorers and they all show the two transactions with identical timestamps.

Most interesting. I used the "stupid" blockchain.com explorer, and it shows a 10 minute difference (I wasn't paying attention to the block number at the time).

https://i.imgur.com/9ZVPfXb.png
https://www.blockchain.com/btc/address/bc1qwqrkxuq89fnka9lxn4c6d35s5v7aps72cr94xr

But when I look at each transaction individually, I noticed that it says "Received Time 2022-09-14 19:20", and when I move my mouse over the text, a pop-up appears "Time this transaction was broadcast to the network, YYYY -MM-DD". It appears that blockchain.com explorer shows the transaction time when it was broadcast, and not when it was confirmed, so again it turns out that there is a 10 minute difference between these two transactions (unless I misunderstood something here).


Title: Re: Received Bitcoins were instantly gone
Post by: DireWolfM14 on September 16, 2022, 01:12:58 AM
~

That is quite interesting, because the OP also made it sound like it was instant:

I sent some bitcoin to my Electrum wallet; as soon as it appeared in there as unconfirmed, a second payment order appeared.

I don't use blockchain, and haven't in a while.  What a shitshow their front page for the explorer has become.  Anyway, I used mempool.space, blockstream, and blockchair, (and a locally hosted mempool as well,) they all show the timestamp of both transactions as 17:30 UTC.


ETA: I just noticed that Blockstream specifies the timestamp is indeed that of the block hash. Blockchain must post the time the transaction was broadcast, but it's possible that it doesn't treat a transaction with an unconfirmed parent the same way.


Title: Re: Received Bitcoins were instantly gone
Post by: nc50lc on September 16, 2022, 05:12:35 AM
Quote from: AlwaysTheTeddy
No, I created the wallet myself and never shared it with anyone. Kinda guess that means my whole system is compromised, right? Because how would anyone have access without that.
The wallet file is the least of your concern as long as it's password protected (with a strong password).
What you might have stored/shared in a vulnerable environment are the seed phrase (12 words) or a backup, any of your private keys, etc.

That said, are any of those stored online, cloud storage, on a device or paper that can easily be accessed?
If so, you should keep the seed phrase in a safe offline environment the next time you create an Electrum wallet. [e.g.: exclusively written on paper/steel plate in your vault(s)]

The original setup was Electrum 3.3.8 from the real electrum.org. After this incident I updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again, this was AFTER everything I described happened. Thought maybe it would be there like normal on a new version lol
Since your initial setup was v3.3.8, you can rule out the malicious server message to upgrade to a malware version.
The update notification that you received was most likely the in-app "update-check" notification; it opens right after you launch Electrum, not after a transaction.

But you still can't rule out the possibility that you've downloaded the update from a fake source.
To mitigate that, you always have to verify Electrum (https://bitcoinelectrum.com/how-to-verify-your-electrum-download/) before using/installing it on your PC.
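Added example (not code from this thread or from the Electrum project) of what "verify Electrum before installing it" looks like in practice, in the spirit of the verification guide linked earlier in the thread: run gpg on the detached signature and accept the installer only if the VALIDSIG status line names a key fingerprint you pinned in advance. The fingerprint constant is a placeholder to be replaced with the published release-signing fingerprint; the file names in the usage comment are hypothetical; the status lines used to exercise the parser are constructed.

```python
# Added example: verify a downloaded Electrum installer against its detached
# .asc signature and require that the signature was made by a pinned key.
# gpg's exit status alone only says "some key I have imported signed this",
# which an installer signed by a phishing site's own key would also satisfy.
import re
import subprocess
from pathlib import Path

# PLACEHOLDER: replace with the release-signing fingerprint from the
# verification guide, after checking it against more than one source.
PINNED_FINGERPRINTS = {"0000000000000000000000000000000000000000"}

# 40 hex chars (v4 keys) or 64 hex chars (v5 keys)
_HEX_FPR = re.compile(r"^[0-9A-Fa-f]{40}$|^[0-9A-Fa-f]{64}$")


def normalize(fpr: str) -> str:
    """Strip the spaces people copy from key listings and upper-case."""
    return fpr.replace(" ", "").upper()


def valid_sig_fingerprints(status_output: str) -> set[str]:
    """Collect fingerprints from VALIDSIG lines of `gpg --status-fd` output.

    A VALIDSIG line carries the signing (sub)key fingerprint as its first
    field and, when present, the primary key fingerprint as its last field;
    both are collected so a release signed by a subkey still matches a pin
    on the primary key. BADSIG, ERRSIG and NO_PUBKEY produce no VALIDSIG.
    """
    found = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            found.update(normalize(p) for p in parts[2:] if _HEX_FPR.match(p))
    return found


def status_matches_pin(status_output: str, pinned=PINNED_FINGERPRINTS) -> bool:
    """True only if gpg reported a valid signature from one of the pinned keys."""
    wanted = {normalize(p) for p in pinned}
    return bool(valid_sig_fingerprints(status_output) & wanted)


def verify_download(installer: Path, signature: Path,
                    pinned=PINNED_FINGERPRINTS) -> bool:
    """Run gpg on the detached signature and decide from the status lines,
    not from the exit code."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(signature), str(installer)],
        capture_output=True, text=True, check=False,
    )
    return status_matches_pin(proc.stdout, pinned)


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file names): python verify_electrum.py installer installer.asc
    ok = verify_download(Path(sys.argv[1]), Path(sys.argv[2]))
    print("signature from pinned key, safe to install" if ok else "REFUSE TO INSTALL")
    sys.exit(0 if ok else 1)
```

The point of the pin is that "Good signature" from gpg is not by itself evidence of anything: a fake download site can ship its own key next to its installer and ask you to import it. Comparing the fingerprint gpg reports against one you obtained separately is the step that defeats that.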


Title: Re: Received Bitcoins were instantly gone
Post by: AlwaysTheTeddy on September 16, 2022, 01:49:12 PM
To clarify, I get a little noise notification when receiving a transaction or when an outgoing one is started, and I got the two pings within max 2 seconds of each other.


Title: Re: Received Bitcoins were instantly gone
Post by: BitMaxz on September 16, 2022, 04:22:10 PM
In that timeframe I downloaded a single PDF file about some unrelated stuff.

Didn't really go on any dodgy websites or open any e-mails.

Kinda weird, I don't know how I could've been compromised.

Unrelated because it happened after the incident, but I downloaded the new Electrum update from the original electrum.org.

Sorry to hear that you weren't able to recover your funds; I thought that your transaction was still unconfirmed.
The only thing that you can do right now is to scan the whole PC/laptop to know if you are really compromised.
And next time, if you are going to open your old wallet, always make sure to do it on an offline device. You can still make a raw transaction from your public key and import it into a watch-only Electrum wallet. That way it can help to protect you and avoid malware or viruses that automatically send BTC to another wallet that you don't own.


Title: Re: Received Bitcoins were instantly gone
Post by: nc50lc on September 16, 2022, 04:24:53 PM
To clarify, I get a little noise notification when receiving a transaction or when an outgoing one is started, and I got the two pings within max 2 seconds of each other.
That must be Windows' notification when you receive/send a transaction in Electrum (or similar if you're on another OS).

The malicious notification is actually just an additional error message that's sent by a malicious server after deliberately failing to send a transaction.
But in the "fixed versions" including v3.3.8, that was replaced by hard-coded messages which can't be altered by the selected server.


Title: Re: Received Bitcoins were instantly gone
Post by: DaveF on September 16, 2022, 06:54:05 PM
To clarify, I get a little noise notification when receiving a transaction or when an outgoing one is started, and I got the two pings within max 2 seconds of each other.

At this point assume the machine is compromised as is any information on it.

Any saved information, any website logins, may have been compromised. Yes, it could have been just something that stole your electrum information. Do you want to find out next week you have no money in your bank because when you logged into their portal a while ago your credentials were stolen?

As I said a few posts up, more and more funds are not stolen the moment your machine is compromised but weeks or possibly months later, as they try to get as much of your information as possible.

-Dave


Title: Re: Received Bitcoins were instantly gone
Post by: o_e_l_e_o on September 17, 2022, 11:08:08 AM
so again it turns out that there is a 10 minute difference between these two transactions (unless I misunderstood something here).
There is a 10 minute difference between when blockchain.com's site says it first saw those two transactions. This is not the same as there being a 10 minute difference between those two transactions being broadcast. There could have been problems with propagation, problems with blockchain.com's node, problems with its mempool, problems updating their website, and so on. The point is that transactions are not timestamped; only blocks are timestamped. You can pay attention to when any specific node first sees a transaction if you like, but that is not representative of the wider network. The only network-wide consistent way to timestamp a transaction is by the block it was included in (and even then the block timestamp can vary by around a 3 hour window when compared to the actual time).

Or perhaps OP's transaction was immediately spent by another transaction, and then 10 minutes later when it still hadn't confirmed the attacker replaced that transaction with a second higher paying transaction. We don't know.


Title: Re: Received Bitcoins were instantly gone
Post by: hosseinimr93 on September 17, 2022, 02:36:16 PM
Or perhaps OP's transaction was immediately spent by another transaction, and then 10 minutes later when it still hadn't confirmed the attacker replaced that transaction with a second higher paying transaction.
There's another transaction on blockchain.com explorer trying to spend the same UTXO from OP's address.
The transaction had been made with exactly the same fee rate and is invalid now. Click here (https://www.blockchain.com/btc/tx/799dfd5392130b457cb14dab7ab6bb41bd25184aa96b34b75791db9b9f95bb56) to see that.  

I don't really know what exactly caused that 10 minute difference on blockchain.com, but it may have something to do with this invalid transaction.


Title: Re: Received Bitcoins were instantly gone
Post by: o_e_l_e_o on September 17, 2022, 03:07:42 PM
-snip-
Ahh, there's your answer then.

The invalid transaction you linked to there was timestamped at the same time as OP's original transaction (17:20). Call this Transaction A. The transaction which confirmed was timestamped 10 minutes later, which is the same time it was confirmed (17:30). Call this Transaction B.

Both these transactions were likely broadcast seconds apart. The invalid Transaction A was seen by blockchain.com, and so it was timestamped at the time it was first seen (17:20). However, this transaction was later rejected when the conflicting Transaction B was confirmed in block 754,092, which is timestamped 17:30. The first time blockchain.com saw Transaction B was when it received block 754,092, since it previously rejected Transaction B for being a double spend and conflicting with Transaction A, which was already in its mempool. And so it gave Transaction B the timestamp of 17:30, despite Transaction B being in other nodes' mempools prior to this.

This explains why blockchain.com's timestamps are all over the place and confirms OP's story that the funds were swept immediately.


Title: Re: Received Bitcoins were instantly gone
Post by: hosseinimr93 on September 17, 2022, 07:57:31 PM
--------------
Thanks for the great explanation.
So, it seems that there were (at least) two people with access to OP's wallet.
Both used an automated program to steal OP's funds, and the one who made transaction B was luckier than the one who made transaction A.


Title: Re: Received Bitcoins were instantly gone
Post by: o_e_l_e_o on September 18, 2022, 05:50:30 AM
So, it seems that there were (at least) two people with access to OP's wallet.
I'm not 100% sure about that. It's very strange that both Transaction A and Transaction B paid the exact same amount in fees. It could be that two different people/bots were watching the account as you say, and they were both happening to use the same generic sweeping script which therefore set the same fee, I suppose. Or perhaps it was a single person/bot whose script had a bug causing it to broadcast multiple identical transactions (except that it used a new receiving address each time).

We'll never know, but the answer is academic at this point, I suppose.
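Added example, not code from the thread: a small Python model of a single node's first-seen mempool that reproduces the timestamp pattern o_e_l_e_o laid out (Transaction A first seen at 17:20, Transaction B only learned from block 754092 at 17:30, A evicted once B confirms) and lets you compare the two sweeps' fee rates, which is the identical-fee observation from the post above and the 227 sat/vB overpayment DireWolfM14 pointed out. The txids and block height are those quoted in the thread; the fee, vsize and funding outpoint are constructed for illustration, with B's fee chosen so that its rate comes out at 227 sat/vB.

```python
# Added example (not from the thread): a toy model of one node's first-seen
# mempool, showing why an explorer that timestamps transactions when *it*
# first sees them can show A at 17:20 and B at 17:30 although both were
# broadcast seconds apart. Fee/vsize values are constructed; txids and the
# block height are the ones quoted in the thread.
from dataclasses import dataclass, field
from datetime import datetime, timezone

TX_DEPOSIT = "ddcfe5fd98cf4418c926b0d9b61b8fdcc85f0034614b3c1a5530a7c821b357ab"  # OP's deposit
TX_A = "799dfd5392130b457cb14dab7ab6bb41bd25184aa96b34b75791db9b9f95bb56"        # rejected conflict
TX_B = "1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00"        # confirmed sweep
BLOCK_HEIGHT = 754092


def utc(hh, mm, ss=0):
    return datetime(2022, 9, 14, hh, mm, ss, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset   # outpoints "txid:vout" this transaction spends
    fee_sat: int        # constructed
    vsize: int          # constructed

    def fee_rate(self) -> float:
        """Fee rate in sat/vB, the figure explorers display."""
        return self.fee_sat / self.vsize


@dataclass
class Node:
    """First-seen policy: a second spend of an outpoint already spent in the
    mempool is rejected (RBF signalling and parent checks are not modelled)."""
    mempool: dict = field(default_factory=dict)      # txid -> Tx
    first_seen: dict = field(default_factory=dict)   # txid -> datetime
    rejected: list = field(default_factory=list)     # (txid, when, conflicting txid)

    def _conflicts(self, tx):
        return [m for m in self.mempool.values()
                if m.txid != tx.txid and m.inputs & tx.inputs]

    def receive(self, tx, now):
        """Relay path: the only 'timestamp' a tx ever gets is when we saw it."""
        if tx.txid in self.first_seen:
            return False
        conflicts = self._conflicts(tx)
        if conflicts:
            self.rejected.append((tx.txid, now, conflicts[0].txid))
            return False
        self.mempool[tx.txid] = tx
        self.first_seen[tx.txid] = now
        return True

    def receive_block(self, txs, block_time):
        """Block arrival: evict anything conflicting with a confirmed tx, and
        give a confirmed tx we never accepted the block time as first-seen."""
        for tx in txs:
            for c in self._conflicts(tx):
                del self.mempool[c.txid]
            self.mempool.pop(tx.txid, None)
            self.first_seen.setdefault(tx.txid, block_time)


def run_scenario() -> Node:
    node = Node()
    deposit = Tx(TX_DEPOSIT, frozenset({"funding_tx:0"}), fee_sat=1_000, vsize=140)
    # Both sweeps spend the unconfirmed deposit output with the identical fee;
    # 31_780 sat over 140 vB is the 227 sat/vB rate reported in the thread.
    tx_a = Tx(TX_A, frozenset({f"{TX_DEPOSIT}:0"}), fee_sat=31_780, vsize=140)
    tx_b = Tx(TX_B, frozenset({f"{TX_DEPOSIT}:0"}), fee_sat=31_780, vsize=140)
    node.receive(deposit, utc(17, 20, 0))
    node.receive(tx_a, utc(17, 20, 3))   # accepted: first spend of the outpoint
    node.receive(tx_b, utc(17, 20, 5))   # rejected as a double spend of A
    # Miners who saw B first included it; this node learns of B from the block.
    node.receive_block([deposit, tx_b], utc(17, 30, 0))
    return node


def explorer_timestamps(node: Node) -> dict:
    """What a 'Received Time' column built from first-seen times would show."""
    return {txid: t.strftime("%H:%M") for txid, t in node.first_seen.items()}


if __name__ == "__main__":
    node = run_scenario()
    for txid, t in explorer_timestamps(node).items():
        print(txid[:8], t)
    print("rejected:", [(r[0][:8], r[1].strftime("%H:%M:%S"), r[2][:8]) for r in node.rejected])
```

Running it lists the deposit and A at 17:20 and B at 17:30, even though all three were received within seconds; the `rejected` entry records that B was refused as a double spend of A, which is exactly why this node could only learn of B from the block. A real node also enforces parent availability, RBF signalling and fee policy; those are left out because they do not change the timing behaviour being shown.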


Title: Re: Received Bitcoins were instantly gone
Post by: Pmalek on September 19, 2022, 12:26:25 PM
The coins are unfortunately gone and you have to forget about them. The question now is what happened and what you can do to prevent it from happening again. You have obviously made mistakes in your digital world that led you to get compromised or hacked.

After you accessed your Electrum wallet prior to having it completely emptied, you mentioned you downloaded a .pdf file. Can you tell us more about that file, even though it isn't crypto-related? Malware can be hidden in .doc, .pdf, or even image files. It can get on your system once you run it, or even a preview is enough.

Unless you learn what happened, similar mistakes can happen again in the future.