Bitcoin Forum

Hey, ineed your assitance in a case i dont get at all! Lets Start:

I was trying to pay for a $12.95 ExpressVPN subscription, but I accidentally sent the full amount of  0.0111 BTC instead of just the invoice amount.

According to the blockchain, the payment went to ExpressVPN’s invoice address, and only a small portion was used for the subscription. The rest of the BTC was moved to another address within minutes, which still seems to belong to them, or me ?!

I’ve contacted support, but they claim to only see the $12.95 charge. The full amount is clearly visible on-chain, yet no refund has been made, as they say its not in their ecosystem. So i assume the money is not transferred elswhere but to me. But my wallet is empty. And i can not find the adress in my Wallet.

How do these Bitcoin payment processors work? If the funds were overpaid, shouldn’t the system detect that and send the excess back automatically? Or is there any way to recover it manually if they still control that address?

Would appreciate insights from anyone familiar with crypto payment gateways or similar cases.

My Wallet is Electrum,
Hash ID: c2ec89dcfc42a1bd95c59d945b6f24c96f73955816008c22c19ae4c7d97285b1

I´would be glad if someone could explain me the options.

Greetings :)

Check your wallet: I think bc1q3zjqp6l0p8yvp99w4f0s240ud6mv8pw32nnee4 (which received 0.01093663 BTC) is your change address.

---

---

You should probably read up on change addresses and "UTXOs", to understand how Bitcoin works. The use of change addresses is normal, but often confuses people. Think of it as paying $1000 and getting $987.05 in change, but now the change is in one amount.

Thanks for the help i will get into the topic!

No, if you send funds to one address, the change should go back to your own wallet.

Does your Electrum show the Addresses tab? If not: enable it by clicking View > Addresses. Scroll down for change addresses: they're in yellow.
If it's not there, I can't tell you what happened. Did you download Electrum from electrum.org (and not from a phishing site)? Try to retrace your steps: what exactly did you do to get here?

If OP hadn't said, "But my wallet is empty," I would also have bet that bc1q3zjqp6l0p8yvp99w4f0s240ud6mv8pw32nnee4 was his change address. However, since he insists that his wallet shows zero balance, it means something else is likely happened. The only explanation that comes to my mind is that his machine is infected, the wallet is compromised, and the attacker replaced the generated change address with their own. This type of attack is more sophisticated than the simple clipboard hijacking, but it is still possible.

I can think of a few possibilities, but since I didn't watch you do it, I can't determine which possibility happened (or if it's something else entirely).

1. It is possible you accidentally downloaded Electrum from a phishing site instead of the real Electrum. If so, the thief who created that fake Electrum now has the bitcoin. However, I don't know why a thief would send the intended portion to ExpressVPN. I'd expect them to just take all of it. Therefore, since ExpressVPN has indicated that they received their payment, I think this is unlikely.

2. It is possible that the extra amount was just sent back into your Electrum wallet, and you are simply confused because you were trying to trace it on a blockchain explorer without understanding what you were looking at.

3. It is possible that you deleted your Electrum wallet after sending the bitcoin to ExpressVPN.  If you deleted your local wallet file, then Electrum would need to generate a new wallet and it would no longer have the change address.  Deleting your wallet file would be a very odd thing to do, but I've read here at BitcoinTalk about people doing stranger things.

It looks like this transaction was sent back on March 22.  Are you sure you're using the same Electrum wallet file today that you used back then?  Does your Electrum wallet show bc1qzsdznj248dgx6fxnvd4rl8umxp66jhz4k9h4s9 in the Address tab as one of the Wallet's addresses?

Please tell your Electrum version and wallet type (e.g.: standard or hardware wallet connected).
And how's the "accident" happen, did you send normally or used some other methods like "pay-to-many"?

For now, check your wallet to confirm if it's actually an issue:
Does that specific transaction listed in your Electrum's history tab?
Because if so, that's certainly related to the loaded wallet.
Electrum should display the amount sent and the change shouldn't be accounted to it.
If it shows -0.01109780 BTC that's an issue, should be showing -0.00015829 BTC if it's normal.
And when you check the transaction's details, the change is labeled with yellow highlight, if that output isn't labeled, then it's sent elsewhere.

If not displaying in the history tab and the connection icon is Green/Blue, that specific wallet isn't the sender, thus, missing the change address should be expected.
Check your wallet list (not address list) if you have other wallets that are not loaded.
In Desktop: "File->Open", then browse to your wallet's folder.
In Mobile: "{Wallet name}upper-left->Other wallets"

If the wallet was not used to broadcast all bitcoin stored in it, the amount deducted after the transaction used will be sent to a change address or the same address if the user turns off Change address use in the wallet settings - most users don't customize their wallet settings so it is less likely the OP case.

The wallet shows positive balance as the returned bitcoin in a change address is still in the wallet. OP case is 0 in wallet balance so it seems either it was compromised or he actually sent all of his bitcoin to the receiving address, and the receiver or hacker moves these coins too.

I don't think the hacker moves bitcoins this way as he will move all stolen bitcoin in one transaction to his new address, no reason to split it.

I guess OP is confusing between an address balance and a wallet balance.

---

Verify the wallet before funding it.
[Guide] Verify and download Electrum wallet. (https://bitcointalk.org/index.php?topic=5240594.0)
The paranoid user's security guide for using Electrum safely. (https://bitcointalk.org/index.php?topic=5456886.0)

The chance of this happening is slim based on the OP's explanation, and I don't see an attacker not replacing the recipient wallet address when the OP sent the Express VPN the $12.95. Since Express claimed they received the payment, the only problem will be based on what DannyHamilton said, or the OP is yet to understand how to check the change BTC wallet address. To be sure about what really happened, I think we have to wait for the OP's reply to Nc50lc and DannyHamilton's message, which will trigger what actually happened.

OP said his wallet is empty. >:( So none of his change addresses are funded.


This kind of attack doesn't involve replacing the destination address, which users are more likely to check at transaction signing ^{unlike change addresses}.


Agreed, but OP remains silent so far. I believe the discussion in this thread will help him analyze all the circumstances involved and formulate the clear-cut response.

OP is a newbie, and you cant be sure his/her wallet is indeed empty, as he/ s/he said, since the OP doesn't understand how to use the Electrum wallet properly, which is why I believe OP's response to the question asked by the users I previously mentioned will tell us what actually happened.

You said, "The only explanation that comes to my mind is that his machine is infected, the wallet is compromised, and the attacker replaced the generated change address with their own." This is a situation that mostly doesn't occur, and from someone like OP who is a newbie, you cant expect him/her to recheck the recipient address before sending the BTC. Besides, how many Bitcoiners recheck the recipient every time they want to do a transaction?