Bitcoin Forum

Bitcoin => Electrum => Topic started by: Greg774 on December 28, 2020, 12:27:12 PM



Title: Missing funds on Electrum, unauthorised transaction
Post by: Greg774 on December 28, 2020, 12:27:12 PM
Hi there.

I recently recovered my Electrum wallet using a seed (which worked successfully ;D) but it shows a transaction was made on the 2nd of December which I didn't make!!! All of my bitcoin is now missing? Can anything like this happen by recovering a wallet multiple times? I have the transaction ID.

I'm afraid I'm not super clued up on all this stuff. Any help would be most appreciated. I can't see how anyone could my wallet, but who knows.

G


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: jackg on December 28, 2020, 12:30:18 PM
Do you have antivirus on your machine?

It's possible that a piece of malware has taken your seed or signed a transaction. Also can you check the source you downloaded electrum from (this'll likely be in your browser).


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: AB de Royse777 on December 28, 2020, 12:35:00 PM
This sounds to me as this:
You have downloaded a fake Electrum. Once you entered your seed, the hacker got the information, and there was a script that transferred everything to the address given by the hacker. You had no clue in between.

Sorry this happened to you. How much have you lost?

Also take a lesson from this: never install software without verifying the signature.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Greg774 on December 28, 2020, 12:43:48 PM
So I installed this 1st on the 28th of Nov https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe

then updated using this DL address is   electrum.org/4.0.9/electrum-4.0.9.exe later in December.

Would it help to post the transaction ID?

Thanks


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: nc50lc on December 28, 2020, 12:51:22 PM
Quote
So I installed this 1st on the 28th of Nov https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe
This is the correct Github repository of Electrum: https://github.com/spesmilo/electrum
Sorry to say that your funds were hacked, and bitcoin transactions are irreversible.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: AB de Royse777 on December 28, 2020, 12:52:31 PM
Quote
So I installed this 1st on the 28th of Nov https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe

then updated using this DL address is   electrum.org/4.0.9/electrum-4.0.9.exe later in December.
Thanks

Code:
https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe

No idea how you found this URL, and no idea if this is a legitimate exe, but from your experience it's probably fair to say that this is a fake copy of the exe file.

It was supposed to be very simple.

Search "Electrum"

Take https://electrum.org
Download the exe from there which is their official site.

Besides, don't limit yourself to downloading the file from the official site; also verify the signature they provide.

A nice tutorial for you for the next time : https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
Please be careful when you are handling virtual currency.

Quote
Would it help to post the transaction ID?
I do not think it will help you much, since you can not get the money back. Bitcoin transactions are irreversible. But maybe you can make the community aware and give the receiving address. Also you can track the address (it may require some tools), and if you see this ended up in any KYC exchange then file a report to freeze that account, and maybe with their help you can find the hacker. All these are very complicated, with zero chance I guess.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Lucius on December 28, 2020, 02:03:00 PM
The only thing that is certain is that something happened between November 28 when you installed Electrum and December 2 when an unauthorized transaction occurred. If we assume that you have downloaded a legitimate Electrum file (and nc50lc confirms this), then your seed has somehow leaked.

It is possible that you have a keylogger on your computer, and it recorded every keystroke on your keyboard and passed that information to the person who stole your BTC - and it is also possible that you have something even more dangerous called a remote access trojan that allows the attacker to complete control over your computer.

You can try to find out what actually happened, but it probably won't give you back what was stolen - so it would be best to format the disk and do a clean installation of the operating system.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: AB de Royse777 on December 28, 2020, 02:57:59 PM
Quote
The only thing that is certain is that something happened between November 28 when you installed Electrum and December 2 when an unauthorized transaction occurred. If we assume that you have downloaded a legitimate Electrum file (and nc50lc confirms this), then your seed has somehow leaked.

Quote
So I installed this 1st on the 28th of Nov https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe
This is the correct Github repository of Electrum: https://github.com/spesmilo/electrum
I guess nc50lc confirms that the quote is the wrong link and his link is the correct Github repository of Electrum.

We all know that trying to get the funds back is impossible, and right now OP only needs to accept the loss and learn the lesson for the future.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: o_e_l_e_o on December 28, 2020, 03:02:30 PM
Quote
If we assume that you have downloaded a legitimate Electrum file (and nc50lc confirms this)
No. He downloaded a fake and malicious version of Electrum.

Look closely at the github link he posted. specnimo/specnilon. The real Electrum github is under the name spesmilo. It looks like he later updated using the correct website, but by then the attacker already has his seed and therefore cleared out his wallet a few days later.

He also makes no mention of verifying the file, which is the most important step. Simply downloading from the official github or website is not good enough - these can be compromised.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: HCP on December 28, 2020, 10:15:27 PM
Quote
So I installed this 1st on the 28th of Nov https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe
That's a fake (and now removed) github repository. You downloaded a fake version of Electrum which sent all your funds after you restored/opened your wallet file using it. :-\


Quote
then updated using this DL address is   electrum.org/4.0.9/electrum-4.0.9.exe later in December.
That is most likely the correct and legit version of Electrum, but by then it was too late :-\


Quote
Would it help to post the transaction ID?
No, your funds are gone. The transactions are irreversible. You will not be getting those coins back. I hope you didn't lose too much. :-\


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: BitMaxz on December 28, 2020, 11:44:06 PM
Code:
raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe

How did you get this link? It seems that you just invented it and don't actually know the right link.
I tried to check every archive; it seems there are no results, even on Google.

What I think is that you're trying to promote this link, and soon you are going to build up this account with a fake Electrum?
I'm actually trying to retrieve the file from that link by following this (https://www.vogella.com/tutorials/Git/article.html#retrievefiles_finddeletedfile), but it seems the link wasn't created before.

Anyway, maybe you just typed it manually and didn't share the correct URL?
Next time, do research first before you install software you don't know, or come to this forum to ask which sites are legit and which are fake.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: pooya87 on December 29, 2020, 03:47:29 AM
Quote
Code:
raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe

How did you get this link? It seems that you just invented it and don't actually know the right link.
I tried to check every archive; it seems there are no results, even on Google.

What I think is that you're trying to promote this link, and soon you are going to build up this account with a fake Electrum?
I'm actually trying to retrieve the file from that link by following this (https://www.vogella.com/tutorials/Git/article.html#retrievefiles_finddeletedfile), but it seems the link wasn't created before.

Anyway, maybe you just typed it manually and didn't share the correct URL?
Next time, do research first before you install software you don't know, or come to this forum to ask which sites are legit and which are fake.
The good thing about GitHub is that when malicious software abusing the name of another popular project is reported, they are rather fast at removing it. So even if OP had plans to promote this malicious thing, he is out of luck since the account is now nuked.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Greg774 on December 29, 2020, 10:15:23 AM
Quote
So I installed this 1st on the 28th of Nov https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe

then updated using this DL address is   electrum.org/4.0.9/electrum-4.0.9.exe later in December.
Thanks

Code:
https:raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe

No idea how you found this URL, and no idea if this is a legitimate exe, but from your experience it's probably fair to say that this is a fake copy of the exe file.

All of the links I used to update/download the wallet were from the Electrum website. I had no pop ups, nothing!!!!! I had little blue text at the bottom of my wallet stating there is an update available, which was the 4.0.9. I can't see how Electrum can't be held responsible in any way if someone is posing to be them and allowing funds to be removed without any warning?

Is there literally nothing that can be done?



Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: o_e_l_e_o on December 29, 2020, 10:28:06 AM
Quote
All of the links I used to update/download the wallet were from the Electrum website.
If that specnimo/specnilon site is where you visited, then you have absolutely downloaded a fake version. There is an endless stream of fake and phishing Electrum sites which pop up and disappear regularly. If you simply typed "Electrum" into Google, then there is a relatively high chance of landing on a fake site. Can you check your internet history to see if you visited any site other than electrum.org?

This is why you should always verify the software you download (not just Electrum) prior to using it.

Quote
I can't see how Electrum can't be held responsible in any way if someone is posing to be them and allowing funds to be removed without any warning?
Just as your bank wouldn't be responsible if you visited a fake site and entered your card details, Electrum are not responsible if you visited a fake site and downloaded malware.

Quote
Is there literally nothing that can be done?
The most you can do is open a police report, but the chance of recovering your coins is almost zero I'm afraid.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: ranochigo on December 29, 2020, 10:30:15 AM
Quote
All of the links I used to update/download the wallet were from the Electrum website. I had no pop ups, nothing!!!!! I had little blue text at the bottom of my wallet stating there is an update available, which was the 4.0.9. I can't see how Electrum can't be held responsible in any way if someone is posing to be them and allowing funds to be removed without any warning?

Is there literally nothing that can be done?
Was there a pop up saying that your Electrum was outdated? I assume your prior version wasn't below 3.3.4?

The likely scenario I can think of is that you clicked on one of the top few results of Electrum if you've Googled it. Your Electrum was compromised when you installed the github version which is only 4.0.5.

There is nothing to be done, unfortunately. It's a good practice to be downloading and verifying the PGP signature of the binaries because these phishing attempts are very common. They cannot be held responsible, there is nothing they can do if users were to accidentally get phished because they didn't verify the binaries.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: bob123 on December 29, 2020, 10:40:47 AM
Quote
All of the links I used to update/download the wallet were from the Electrum website. I had no pop ups, nothing!!!!! I had little blue text at the bottom of my wallet stating there is an update available, which was the 4.0.9. I can't see how Electrum can't be held responsible in any way if someone is posing to be them and allowing funds to be removed without any warning?

If the link indeed was from "the electrum website", then you also have visited the wrong website.
The correct one is https://electrum.org/. Everything else is fake. Especially the github link you posted is not the official one.

You have downloaded and installed malware.



Quote
Is there literally nothing that can be done?

To get your coins back? No.
But this doesn't mean that you are done.

Depending on the malware you have downloaded, the attacker might have full access to your system.
Or he might be downloading your whole hard drive, spying on your keystrokes, etc.

You need to backup important files, format your hard drive and reinstall your operating system.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Greg774 on December 29, 2020, 10:45:36 AM
Well, I don't want this happening to anyone else, so I will try and pass on as much info as possible. I've found the file I downloaded and scanned it, but it says there was no threat?

I will post all the DL links here later and look up the sites I visited.

Thanks for your help.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: o_e_l_e_o on December 29, 2020, 10:54:01 AM
Most virus scanners simply compare code against a database of known malicious code. If all that the malicious version of Electrum does is email your seed phrase to an attacker or upload it to a server, then it could easily avoid detection from virus scanners since it is a very simple piece of code and isn't actually doing anything to your system.

There is a good article from Malwarebytes about the common Electrum malware here: https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Lucius on December 29, 2020, 02:29:07 PM
Quote
I guess nc50lc confirms that the quote is the wrong link and his link is the correct Github repository of Electrum.

Quote
No. He downloaded a fake and malicious version of Electrum.

You're right, of course, I don't know how I missed it - but the thing is very clear then, and it's less important that the OP claims that it was redirected to that link from the official Electrum site. This is just another warning for everyone to check every link and when they are convinced it is legitimate to save it in their bookmarks and always use it from there.

Quote
If you simply typed "Electrum" into Google, then there is a relatively high chance of landing on a fake site.

Only in the case when AdBlock is not used, otherwise, at least for me, the original Electrum site is always displayed at the top of the search, followed by other legitimate links.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: bob123 on December 29, 2020, 04:45:12 PM
Quote
I've found the file I downloaded and scanned it, but it says there was no threat?

AVs classify malware based on (basically) two methods. The first one is heuristics, where the AV checks the signature of the software and compares it with a database.
The second one is a runtime analysis where the file is being run in a sandbox. The classification is depending on the state of the system before and after executing that file.

If now "only" your coins are stolen and this exact malware is not known to the AV yet, neither the signature nor the runtime analysis will result in a positive scan result.

Further, it is good to know that it can be quite easy to 1) change the signature and 2) detect whether the software is run in a sandbox to not execute malicious code when being scanned.
Therefore, an AV will never be extremely accurate. It helps against well known and poorly coded malware, but won't protect you against sophisticated ones.


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Greg774 on December 29, 2020, 07:48:24 PM
Thanks.



History shows I visited electrum.org.in, so beware!!!!!!

I ran some antivirus software and deleted Electrum. Is there anything else I should do, or anything else that can be done?

Thanks


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Evilish on December 29, 2020, 11:29:54 PM
Quote
Thanks.

History shows I visited electrum.org.in, so beware!!!!!!

I ran some antivirus software and deleted Electrum. Is there anything else I should do, or anything else that can be done?

Thanks

It's safe to assume your BTC is gone. I hope it wasn't a big amount. Your machine is also likely infected.

I would recommend:
  • Mark your seed as unsafe (but don't actually discard it, in case you need to reference it in future).
  • Format your hard drive and do a fresh installation of your OS.
  • Change passwords on your email addresses and any other accounts you logged into on that machine. Enable 2FA whenever you can.
  • Start fresh. Don't re-use any of the old seeds or private keys. Don't re-use any passwords.

Most importantly, pay close attention to whatever you're downloading and where that download is coming from.

If you hold any BTC (or any other crypto currency) in any other wallets that you accessed on this machine, they could also likely be compromised. I would transfer them to a secure wallet ASAP.

One lesson to be learned here is to always verify the GPG signature of the tool you are going to install or run. If it doesn't match, don't open the file. Electrum's official download page links you to resources on how you can verify the signature: https://electrum.org/#download
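
As a worked version of the "check where the download comes from" advice above (and of the spesmilo/specnimo and electrum.org.in lookalikes discussed earlier in the thread), here is an added Python example; it is not Electrum project code and was not posted in this thread. It accepts a download URL only if the host is exactly electrum.org or the GitHub owner/repository is exactly spesmilo/electrum, and explains a rejection when the name is merely close. The official names come from the thread; the function, its "lookalike" threshold and the sample URLs are my own assumptions.

```python
"""Reject Electrum download URLs that are not from an official source.

Constructed example: compares host and GitHub owner exactly, then uses
edit distance only to explain *why* a near-miss such as 'specnimo' was
rejected. Official names below are the ones named in the thread.
"""
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"electrum.org", "www.electrum.org"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
OFFICIAL_GITHUB_OWNER = "spesmilo"
OFFICIAL_REPO = "electrum"
LOOKALIKE_MAX_EDITS = 3  # assumption: names this close are flagged as lookalikes


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_download_url(url: str):
    """Return (ok, reason). ok is True only for electrum.org or spesmilo/electrum."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"not https (scheme {parts.scheme!r})"
    host = parts.hostname or ""  # lowercased, port stripped; '' if URL has no '//'
    if host in OFFICIAL_HOSTS:
        return True, "official site"
    if host in GITHUB_HOSTS:
        segs = [s for s in parts.path.split("/") if s]
        owner = segs[0] if segs else ""
        repo = segs[1] if len(segs) > 1 else ""
        if owner == OFFICIAL_GITHUB_OWNER and repo == OFFICIAL_REPO:
            return True, "official GitHub repository"
        if edit_distance(owner, OFFICIAL_GITHUB_OWNER) <= LOOKALIKE_MAX_EDITS:
            return False, f"GitHub owner {owner!r} looks like {OFFICIAL_GITHUB_OWNER!r} but is not"
        return False, f"GitHub owner {owner!r} is not the Electrum project"
    # A host that merely starts with or contains 'electrum' (electrum.org.in) is wrong.
    if host.startswith("electrum.org") or "electrum" in host:
        return False, f"lookalike host {host!r}; only electrum.org is official"
    return False, f"unknown host {host!r}"


if __name__ == "__main__":
    for u in ("https://electrum.org/4.0.9/electrum-4.0.9.exe",
              "https://raw.githubusercontent.com/specnimo/specnilon/main/electrum-4.0.5-setup.exe",
              "https://electrum.org.in/"):
        print(u, "->", check_download_url(u))
```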


Title: Re: Missing funds on Electrum, unauthorised transaction
Post by: Lucius on December 30, 2020, 12:24:27 PM
Quote
History shows I visited electrum.org.in, so beware!!!!!!

I’m really sorry that things like this happen, and it’s actually so easy to prevent them. I checked the link, but Firefox has already blocked it and marked it as a deceptive page - so the good news is that everyone who uses Chrome, Firefox and Brave (probably some other browsers) will be warned of the danger.

Listen to the advice of Evilish, and be much more careful in the future, scammers are everywhere and profit precisely on people who are not aware of how dangerous the internet is.