Bitcoin Forum

Economy => Scam Accusations => Topic started by: Avirunes on April 30, 2023, 12:31:19 PM



Title: Hacker moved coins from my wallet
Post by: Avirunes on April 30, 2023, 12:31:19 PM
What happened: Today I requested an additional loan in shasan's thread here https://bitcointalk.org/index.php?topic=5030169.msg62169183#msg62169183. After some private discussions with shasan it was approved by him and he sent the coins. As soon as it arrived, the hacker moved it from my wallet address: bc1qwerty0uuuee9t3jf5tvr0952a099p67qama7k3 (the only one in the wallet). I am not sure how he got control of my Electrum wallet (despite Malwarebytes on my laptop), but as soon as it happened I reset the passwords of the forum and other sites via my mobile and did a fresh install of Windows.

Scammers Wallet Address: bc1qzzvml53wkc5g4w5tuk6xz0t0j332rfgftymf2f

Amount Scammed: 0.015 BTC


In seclog both of the recent password changes were done by me, and to confirm that I am the real Avirunes, here is a signed message from my oldest address, which I have kept safe on my blockchain.info:


Address:
1oooTXKUgGbLhVTG4zZ4FJi71Xzk6vijL

Message:
This is Avirunes and I confirm bc1qwerty0uuuee9t3jf5tvr0952a099p67qama7k3 has been compromised.

Signature:
G9NT2IalfZX4tApHIlpKvXnpV0nzKk+yHFdY9adx6naZc0mjxdxkq9BnGLjLVSUNxxZG8sNHbC+3pqB152JwHH4=


Even after the signed message, I think shasan can verify that I am real Avirunes here as we were always in touch through telegram.


I am clueless as to how this could have happened, as like I said I had Malwarebytes on my laptop, but despite that this incident happened. I know how dumb and idiotic I look right now, but I still can't wrap my head around how this could have happened.
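The Address / Message / Signature triple in the post above is the legacy Bitcoin signed-message format, and anyone can check it offline without trusting a website. What follows is an added worked example, not code from the post, from Electrum or from blockchain.info: a pure-Python (3.8+, standard library only) verifier that rebuilds the message digest, recovers the public key from the 65-byte signature, derives the P2PKH address and compares it to the claimed one. It assumes hashlib exposes ripemd160 (true for most OpenSSL builds), handles only the P2PKH header range 27-34 (Electrum's segwit headers 35-42 are out of scope), and its sign_message nonce derivation is a constructed simplification standing in for RFC 6979. The check of the posted values in main is included for illustration; its result depends on the message being reproduced byte for byte.

```python
"""Offline verification of a legacy Bitcoin signed message (added example)."""
import base64
import hashlib

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
MAGIC = b"\x18Bitcoin Signed Message:\n"  # 0x18 = compact-size length of the text
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time: teaching code)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _compact_size(n):
    if n < 0xFD:
        return bytes([n])
    if n < 0x10000:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")


def message_digest(msg: str) -> int:
    """double-SHA256(magic || compact_size(len) || message), as an integer."""
    data = msg.encode("utf-8")
    h = hashlib.sha256(hashlib.sha256(MAGIC + _compact_size(len(data)) + data).digest()).digest()
    return int.from_bytes(h, "big")


def pubkey_to_address(pub, compressed: bool) -> str:
    """P2PKH address: Base58Check(0x00 || RIPEMD160(SHA256(serialized pubkey)))."""
    x, y = pub
    ser = (bytes([2 + (y & 1)]) + x.to_bytes(32, "big") if compressed
           else b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    payload = b"\x00" + hashlib.new("ripemd160", hashlib.sha256(ser).digest()).digest()
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # leading 0x00 -> '1'


def sign_message(priv: int, msg: str, compressed: bool = True) -> str:
    """Produce the 65-byte base64 signature: header(27 + recid [+4]) || r || s."""
    e = message_digest(msg)
    # Constructed nonce for the demo (hash of key and digest); real signers use RFC 6979.
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + e.to_bytes(32, "big")).digest(), "big") % N or 1
    rx, ry = _mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (e + r * priv) % N
    recid = (ry & 1) | (2 if rx >= N else 0)
    if s > N // 2:  # low-S normalisation negates k, which flips R's y parity
        s, recid = N - s, recid ^ 1
    header = 27 + recid + (4 if compressed else 0)
    return base64.b64encode(bytes([header]) + r.to_bytes(32, "big") + s.to_bytes(32, "big")).decode()


def verify_message(address: str, msg: str, sig_b64: str) -> bool:
    """Recover the public key from the signature and check that it maps to address."""
    try:
        sig = base64.b64decode(sig_b64, validate=True)
    except ValueError:
        return False
    if len(sig) != 65 or not 27 <= sig[0] <= 34:  # 35-42 are segwit headers, not handled
        return False
    compressed, recid = sig[0] >= 31, (sig[0] - 27) & 3
    r, s = int.from_bytes(sig[1:33], "big"), int.from_bytes(sig[33:], "big")
    if not (1 <= r < N and 1 <= s < N):
        return False
    x = r + (N if recid & 2 else 0)
    if x >= P:
        return False
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # P = 3 mod 4, so this exponent gives a square root
    if y * y % P != y_sq:
        return False
    if (y & 1) != (recid & 1):
        y = P - y
    e = message_digest(msg)
    q = _mul(pow(r, -1, N), _add(_mul(s, (x, y)), _mul((N - e) % N, G)))  # Q = r^-1 (sR - eG)
    return q is not None and pubkey_to_address(q, compressed) == address


if __name__ == "__main__":
    # Values copied from the post above; True only if the message is byte-exact.
    print(verify_message(
        "1oooTXKUgGbLhVTG4zZ4FJi71Xzk6vijL",
        "This is Avirunes and I confirm bc1qwerty0uuuee9t3jf5tvr0952a099p67qama7k3 has been compromised.",
        "G9NT2IalfZX4tApHIlpKvXnpV0nzKk+yHFdY9adx6naZc0mjxdxkq9BnGLjLVSUNxxZG8sNHbC+3pqB152JwHH4="))
```

The point of doing the recovery by hand is to see what a forum "signed message" actually proves: control of the private key behind that address at signing time, and nothing about the bech32 address named in the text. Tampering with a single character of the message, or pasting a signature made for a different address, makes the recovered key hash to a different address and the check fails, which is why the message text must be copied exactly as the signer posted it. Electrum's own Tools > Sign/verify message dialog performs the same computation.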


Title: Re: Hacker moved coins from my wallet
Post by: Charles-Tim on April 30, 2023, 12:38:00 PM
What is Malwarebytes? Is it an anti-malware? Do not rely on anti-malware to the extent that you start using your device in an unsecured way. Always use ad blockers, stop downloading torrent files, stop visiting insecure sites, start being careful about malware and start protecting your device.

For better security, use a cold wallet or a multisig wallet. Or, for convenience and security, get a hardware wallet.

Always be careful about malware.


Title: Re: Hacker moved coins from my wallet
Post by: shasan on April 30, 2023, 12:48:39 PM
Sorry to hear about your loss. A few weeks ago the same thing happened to Julerz; now it has happened to you. Can't imagine what is going on with Electrum. I also can't remember where, but I have seen a similar case of an Electrum hack. Have you clicked on an update after logging in to the Electrum wallet? I never click on anything through Electrum. I am afraid that I will fall into this type of trap.


Title: Re: Hacker moved coins from my wallet
Post by: hosseinimr93 on April 30, 2023, 01:06:17 PM
Sorry to hear about your loss. A few weeks ago the same thing happened to Julerz; now it has happened to you. Can't imagine what is going on with Electrum.
Whatever happened, there is no problem with Electrum itself. Electrum (if it's used properly) is secure enough. julerz12 used Electrum on an online device and Avirunes probably did the same thing.
Any online device is always prone to hacking.


Title: Re: Hacker moved coins from my wallet
Post by: robelneo on April 30, 2023, 02:14:16 PM

I am clueless as to how this could have happened, as like I said I had Malwarebytes on my laptop, but despite that this incident happened. I know how dumb and idiotic I look right now, but I still can't wrap my head around how this could have happened.


Sorry for your loss Avirunes. You're not dumb or an idiot; things like this happen just when we think we are safe. I also thought that Malwarebytes was good at blocking intrusions, but it's not. You did the right thing securing your computer and your account here on Bitcointalk.
You can still get back what you've lost. Shasan is a good man; he will understand and you can regain what you've lost. When you are OK and you figure out what really went wrong, you can share and update so we can also learn from this.
I'm also an Electrum user, but I seldom use it now after Julerz's story.


Title: Re: Hacker moved coins from my wallet
Post by: ItsCrafty on April 30, 2023, 03:37:36 PM
A PC is much more dangerous for crypto, and hackers are now so smart that it's possible they introduced malware which is not detectable by any anti-malware software. 0.015 BTC is not a small amount, but now you cannot do anything except be careful next time.

For future safety I recommend a hardware wallet to receive any big amount.

Never enter your phrase, personal Gmail or social accounts related to crypto, because a laptop or PC can easily be hacked through malware. Mobile is secure so far: I have been using it for 5 years and have not faced any problem, while using a PC my phrase was compromised 3 times.



Title: Re: Hacker moved coins from my wallet
Post by: Charles-Tim on April 30, 2023, 03:43:46 PM
Sorry to hear about your loss. A few weeks ago the same thing happened to Julerz; now it has happened to you. Can't imagine what is going on with Electrum. I also can't remember where, but I have seen a similar case of an Electrum hack. Have you clicked on an update after logging in to the Electrum wallet? I never click on anything through Electrum. I am afraid that I will fall into this type of trap.
The only thing I noticed that you can click on is the Electrum URL for the update, which was never like that before but now has the correct Electrum URL for the update. Another thing I know can be clicked on is the blockchain explorer.

You can fall for the trap too if you are the type of person that does not take wallet safety and online security seriously. It is not about the Electrum wallet, it is about carelessness. Anyone that can fall for the scam while using Electrum can also fall for the scam while using any other online wallet.


Title: Re: Hacker moved coins from my wallet
Post by: hosseinimr93 on April 30, 2023, 03:46:56 PM
I'm also an Electrum user, but I seldom use it now after Julerz's story.
As I said in my previous post, Electrum is secure enough. Just because someone got hacked doesn't mean Electrum isn't secure. Electrum is open-source and there's nothing hidden from the users.
As long as your device is online, whatever wallet you use, there's a chance of getting hacked.


Never enter your phrase, personal Gmail or social accounts related to crypto, because a laptop or PC can easily be hacked through malware. Mobile is secure so far: I have been using it for 5 years and have not faced any problem, while using a PC my phrase was compromised 3 times.
This doesn't mean a mobile is more secure than a PC. It only means that your PC had been infected with malware and you have been lucky that your mobile hasn't been hacked yet.


Title: Re: Hacker moved coins from my wallet
Post by: Charles-Tim on April 30, 2023, 04:02:18 PM
Never enter your phrase, personal Gmail or social accounts related to crypto, because a laptop or PC can easily be hacked through malware. Mobile is secure so far: I have been using it for 5 years and have not faced any problem, while using a PC my phrase was compromised 3 times.
This doesn't mean a mobile is more secure than a PC. It only means that your PC had been infected with malware and you have been lucky that your mobile hasn't been hacked yet.
@ItsCrafty
On my laptop, what I use it most for is 2FA-enabled exchange accounts, Netflix and YouTube Premium (I hate ads). I have a small amount of bitcoin in Electrum on the laptop and still expect malware, although it is not likely. It depends on how you use your device, be it phone or computer. But you should know that you should not keep coins that you cannot afford to lose in an online wallet; there are cold wallet options that you can go for. Mobile devices are always online, so be careful.


Title: Re: Hacker moved coins from my wallet
Post by: GxSTxV on April 30, 2023, 04:17:52 PM
I feel bad just hearing about the continuous and unstoppable attacks. I myself experienced something similar a few weeks ago when my BNB was instantly transferred to another wallet upon receiving it. I understand the shock and bad feeling that you are going through right now, so I'm very sorry for that.
I don't think the issue lies with the Electrum wallet itself. If hackers had found a security loophole in Electrum without having to access your PC first, they would logically target the wallets of whales with large amounts of Bitcoin. I am sure that your device has been hacked using a malicious program or file you downloaded, and your anti-malware defense isn't enough. If you can recall the latest files that you downloaded before the last time you used your Electrum wallet on your PC and run them through VirusTotal, for example, you may find something. I'm not sure tracing the hacker's wallet will lead to anything.
And as other users have suggested, using a wallet on an online PC is a ticking time bomb waiting to explode. The solution to prevent such painful experiences is to use a separate device only for a Bitcoin wallet, or the better option, which is to get a cold wallet.


Title: Re: Hacker moved coins from my wallet
Post by: alterra57 on April 30, 2023, 04:25:40 PM
You probably had the malware on your computer for a while and it got activated once it detected coins in your wallet. When was the last time you made a transfer using this computer?


Title: Re: Hacker moved coins from my wallet
Post by: Gladitorcomeback on April 30, 2023, 05:16:38 PM
Very sad to hear that you lost $450. I just want to inquire whether you saved this phrase online in the cloud anywhere. If you did, then this is a possible reason the hacker got access to your wallet and succeeded in transferring the funds. Online saving of a phrase may be Gmail, Photos, Notes, Telegram or other social media where you sent the phrase. Hackers send this BTC to another wallet. More likely he mixed it using a mixer or deposited it into another wallet of his own.

You did the right job resetting all passwords on time, but it's not enough yet, because it's essential to know how the hacker got access to the wallet.


Title: Re: Hacker moved coins from my wallet
Post by: Saint-loup on April 30, 2023, 05:42:46 PM
What happened: Today I requested an additional loan in shasan's thread here https://bitcointalk.org/index.php?topic=5030169.msg62169183#msg62169183. After some private discussions with shasan it was approved by him and he sent the coins. As soon as it arrived, the hacker moved it from my wallet address: bc1qwerty0uuuee9t3jf5tvr0952a099p67qama7k3 (the only one in the wallet). I am not sure how he got control of my Electrum wallet (despite Malwarebytes on my laptop), but as soon as it happened I reset the passwords of the forum and other sites via my mobile and did a fresh install of Windows.

Scammers Wallet Address: bc1qzzvml53wkc5g4w5tuk6xz0t0j332rfgftymf2f

Amount Scammed: 0.015 BTC
Is it the first time you've been hacked? Are the other funds on other addresses from your wallets still there, or have some others been stolen too? Did you check your logs from Electrum to see if your funds were stolen through Electrum on your computer? Because if you haven't exposed your seed anywhere else, I wonder how the attacker was able to hack your funds, if not from Electrum directly? It would be really bad news, because it would mean that Electrum is currently not safe anymore.


Title: Re: Hacker moved coins from my wallet
Post by: andulolika on April 30, 2023, 05:46:49 PM
If your private key was recoverable with security questions then you might have the answer.


Title: Re: Hacker moved coins from my wallet
Post by: Beparanf on April 30, 2023, 05:54:39 PM
It's unusual for malware to get through Malwarebytes, since it's very active in blocking any incoming malware from the web. You should combine WD on top of your Malwarebytes to have a second layer of security.

By any chance, did you accidentally allow something which Malwarebytes blocked?


Title: Re: Hacker moved coins from my wallet
Post by: DireWolfM14 on April 30, 2023, 05:56:36 PM
Sorry for your loss, Avirunes. This is getting concerning; there seems to be an increase in these reports. So far the ones I've seen have all been on Windows machines, but I don't know if other operating systems are immune. A similar event was recently discussed on Github; I've added the link below.

Issue discussed on Github: https://github.com/spesmilo/electrum/issues/8263
Corresponding forum thread: https://bitcointalk.org/index.php?topic=5445300.0
Recent similar incident: https://bitcointalk.org/index.php?topic=5433643.0

the hacker moved it from my wallet address: bc1qwerty0uuuee9t3jf5tvr0952a099p67qama7k3 (the only one in the wallet).

What do you mean "the only one in the wallet"? Did you create the wallet with an imported private key? So, you don't have a seed phrase?


I am not sure how he got control of my Electrum wallet (despite Malwarebytes on my laptop), but as soon as it happened I reset the passwords of the forum and other sites via my mobile and did a fresh install of Windows.

Can you give us more detail, please? Windows version, Electrum version before the re-install, any other software you may have downloaded in the recent months?


I am clueless as to how this could have happened, as like I said I had Malwarebytes on my laptop, but despite that this incident happened. I know how dumb and idiotic I look right now, but I still can't wrap my head around how this could have happened.

I don't use any anti-malware software other than what's included in Win11, and to be honest I don't know how effective any of them really are. It seems like they can only work once the malware is identified by the developer and added to the software's blacklist.

I don't know how this is happening either, but I suspect there might be some malware being promoted to crypto users that attacks Electrum and extracts funded private keys. Based on the Github discussion to which I linked above, multiple victims had their funds stolen in one transaction that included multiple address types, indicating the private keys were swept.

All I can say is be very careful and suspicious of any software you install on your system, and diligently verify Electrum downloads (https://bitcointalk.org/index.php?topic=5240594.msg54223763#msg54223763).


Title: Re: Hacker moved coins from my wallet
Post by: bitbollo on April 30, 2023, 06:00:34 PM
If your private key was recoverable with security questions then you might have the answer.

Hi andulolika :)
You can recover private keys from Electrum with a security question?!
I've never heard of this possibility.
It's a "classic" wallet; they shouldn't have this option since you don't set... but I could be wrong, maybe I don't know this function?!?


Title: Re: Hacker moved coins from my wallet
Post by: Stalker22 on April 30, 2023, 06:03:51 PM
Regrettably, stories of this nature seem to surface all too often. What frustrates me most about such cases is that the truth behind them is often shrouded in mystery. There could be a multitude of reasons why someone's cryptocurrency is compromised - an unsecured wallet or device (where the thief had physical access to the computer), malware or spyware on the system, falling prey to a phishing attack (where the user knowingly or unknowingly exposed the private key or seed to third parties), an outdated or insecure operating system (many people are hesitant to admit using a cracked version of software, which could introduce numerous threats), or even a remote hack on the system. The list of potential culprits is virtually endless.

What we can be sure of is that these cases are isolated and do not reflect the overall security of the Electrum wallet. Electrum is a reputable and widely used cryptocurrency wallet that has undergone numerous security audits and has proven to be highly secure.

By the way, OP, I'm sorry for your loss. This may be a good time to consider getting a hardware wallet to prevent situations like this from happening again in the future.


Title: Re: Hacker moved coins from my wallet
Post by: acroman08 on April 30, 2023, 06:32:27 PM
Sorry about your loss. It would be nice if you could update us if you ever find out what the cause of your wallet being compromised was.

Sorry to hear about your loss. A few weeks ago the same thing happened to Julerz; now it has happened to you. Can't imagine what is going on with Electrum. I also can't remember where, but I have seen a similar case of an Electrum hack. Have you clicked on an update after logging in to the Electrum wallet? I never click on anything through Electrum. I am afraid that I will fall into this type of trap.
Perhaps creating a multisig wallet would help to greatly increase the security of your wallet and the assets inside it.


Title: Re: Hacker moved coins from my wallet
Post by: Saint-loup on April 30, 2023, 06:57:58 PM
Sorry for your loss, Avirunes. This is getting concerning; there seems to be an increase in these reports. So far the ones I've seen have all been on Windows machines, but I don't know if other operating systems are immune. A similar event was recently discussed on Github; I've added the link below.

Issue discussed on Github: https://github.com/spesmilo/electrum/issues/8263
Corresponding forum thread: https://bitcointalk.org/index.php?topic=5445300.0
Recent similar incident: https://bitcointalk.org/index.php?topic=5433643.0
[...]
Wow, even if I wouldn't call that a massive attack for now, it starts to scare me a little bit, to be honest. Unlike what some people are saying above, Electrum could be not so safe to use anymore if those testimonies are true. So what could we do now? Only use it as a cold wallet? But how will we make Lightning Network transactions then? We can't do that with a cold wallet, unfortunately. I really hope it's just a coincidence, because it would be really bad news for Bitcoin; many people are using Electrum as a hot wallet on their computer :-\

What we can be sure of is that these cases are isolated and do not reflect the overall security of the Electrum wallet. Electrum is a reputable and widely used cryptocurrency wallet that has undergone numerous security audits and has proven to be highly secure.

By the way, OP, I'm sorry for your loss. This may be a good time to consider getting a hardware wallet to prevent situations like this from happening again in the future.
LOL :D You like to be funny bro  ::)


Title: Re: Hacker moved coins from my wallet
Post by: shasan on April 30, 2023, 09:50:45 PM
The only thing I noticed that you can click on is the Electrum URL for the update, which was never like that before but now has the correct Electrum URL for the update. Another thing I know can be clicked on is the blockchain explorer.

You can fall for the trap too if you are the type of person that does not take wallet safety and online security seriously. It is not about the Electrum wallet, it is about carelessness. Anyone that can fall for the scam while using Electrum can also fall for the scam while using any other online wallet.
I think you are right, but in most cases we see hacking of Electrum rather than any other wallet. In the case of Julerz, many people thought julerz was lying to steal the funds of the campaign. But there is no way to think that about the OP. Actually, both fell to hacking and no one is lying.


Title: Re: Hacker moved coins from my wallet
Post by: BTCGalaxyA12 on April 30, 2023, 10:04:33 PM
I am sorry and saddened by the loss you have experienced.

Electrum is a pretty good bitcoin wallet from what I know, which keeps me looking out for it by reading every post related to the Electrum wallet.

A few days ago I signed/verified the address with electrum to prove ownership of the address and it was quoted and verified (https://bitcointalk.org/index.php?topic=996318.msg62156170#msg62156170) by @bitbollo

OP broke the news that broke me today at 12:31:19 PM.
I came across a discussion about Electrum wallet users' 2FA (https://bitcointalk.org/index.php?topic=5450700.msg62172189#msg62172189) today at 11:53:20 AM.

There seems to be continuity.
I just want to follow for the sake of gaining new knowledge.


Title: Re: Hacker moved coins from my wallet
Post by: andulolika on April 30, 2023, 10:05:37 PM
If your private key was recoverable with security questions then you might have the answer.

Hi andulolika :)
You can recover private keys from Electrum with a security question?!
I've never heard of this possibility.
It's a "classic" wallet; they shouldn't have this option since you don't set... but I could be wrong, maybe I don't know this function?!?
Hey there! :D
It is possible if the private key was created in a different place and imported there.
I find it more likely that his device was compromised by untrustworthy apps, which can very, very easily leak onto the PC, such as a fake file or corrupted installer.


Title: Re: Hacker moved coins from my wallet
Post by: coin-investor on April 30, 2023, 11:12:07 PM
I am sorry and saddened by the loss you have experienced.

Electrum is a pretty good bitcoin wallet from what I know, which keeps me looking out for it by reading every post related to the Electrum wallet.

A few days ago I signed/verified the address with electrum to prove ownership of the address and it was quoted and verified (https://bitcointalk.org/index.php?topic=996318.msg62156170#msg62156170) by @bitbollo

OP broke the news that broke me today at 12:31:19 PM.
I came across a discussion about Electrum wallet users' 2FA (https://bitcointalk.org/index.php?topic=5450700.msg62172189#msg62172189) today at 11:53:20 AM.

There seems to be continuity.
I just want to follow for the sake of gaining new knowledge.

I also verified and signed the wallet using Electrum and am now checking articles and discussions about Electrum's security. This is not good if we have two reputable and, I believe, knowledgeable members getting hacked using the same wallet.
I hope Avirunes can give us more details about our security concerns. I'm using Malwarebytes too, and Kaspersky; if this is not enough, I guess the only option is to transfer to Linux for better security, which was highly recommended when Julerz's Electrum wallet was hacked.


Title: Re: Hacker moved coins from my wallet
Post by: BenCodie on May 01, 2023, 12:34:29 AM
The only thing I noticed that you can click on is the Electrum URL for the update, which was never like that before but now has the correct Electrum URL for the update. Another thing I know can be clicked on is the blockchain explorer.

You can fall for the trap too if you are the type of person that does not take wallet safety and online security seriously. It is not about the Electrum wallet, it is about carelessness. Anyone that can fall for the scam while using Electrum can also fall for the scam while using any other online wallet.
I think you are right, but in most cases we see hacking of Electrum rather than any other wallet. In the case of Julerz, many people thought julerz was lying to steal the funds of the campaign. But there is no way to think that about the OP. Actually, both fell to hacking and no one is lying.

It has nothing to do with Electrum itself; it has to do with a virus or malware that is capable of sweeping/sending coins from Electrum to an address the moment they are received, or, as andulolika clued, the virus/malware got the security phrase and the hacker was able to move the coins that way.

I am guessing the OP was using Windows and relied on nothing more than Malwarebytes to protect him from online threats, contracted a form of virus/malware at some stage (as presumably Julerz did also), and the hacker was able to sweep/send the funds to their address.

This is yet another validation for the cybersecurity & privacy (https://bitcointalk.org/index.php?topic=5434404.msg61581530#msg61581530) board to be implemented into the forum.



Title: Re: Hacker moved coins from my wallet
Post by: Avirunes on May 01, 2023, 05:35:31 AM
I will try to answer as many questions as I can, but right now, since I don't have any particular answer, I will say it happened due to my carelessness. I will be as quick and direct as I can, so pardon me for not explaining properly or to the point as needed.


Have you clicked on an update after logging in to the Electrum wallet?

It wasn't through any Electrum popup, and I am aware of the case where someone installed a hacked version of Electrum. I actually updated the Electrum wallet some time ago, maybe 2-3 months ago, from the site after verifying the GPG signatures.

I just want to inquire whether you saved this phrase online in the cloud anywhere.

No, it wasn't.


Is it the first time you've been hacked? Are the other funds on other addresses from your wallets still there, or have some others been stolen too? Did you check your logs from Electrum to see if your funds were stolen through Electrum on your computer? Because if you haven't exposed your seed anywhere else, I wonder how the attacker was able to hack your funds, if not from Electrum directly? It would be really bad news, because it would mean that Electrum is currently not safe anymore.

a) Yes, it's my first time getting hacked like this.
b) There were other addresses, but they didn't have any transactions.
c) I don't think it was Electrum, actually, because I have been using Electrum for a long time and before installing I confirm it's from the original source. The question is: why now?

I highly suspect something running in the background. But I have autorun software to check if there is something malicious in the registry that has been set to autorun, I check that too, and I check the processes running in the background regularly as well.


Did you accidentally allow something which Malwarebytes blocked?

No, if my memory serves me right. I usually read the alerts from antivirus and anti-malware programs and I always choose the quarantine/remove option; allow is not even a chance.


What do you mean "the only one in the wallet"? Did you create the wallet with an imported private key? So, you don't have a seed phrase?

This will serve as an answer to andulolika and you as well: the wallet address was created by VanitySearch, and I trust this software, but as a precaution I used it only for small amounts. Since it's been so long, I started trusting it with more balance. There were other addresses as well, which were also created by VanitySearch, as I like to generate some cool addresses and use them, but none of them had any balance or were used in the forum except the one I use.

So @andulolika, it wasn't a private key with recoverable security questions.

Can you give us more detail, please? Windows version, Electrum version before the re-install, any other software you may have downloaded in the recent months?

Yes, it was a Windows version. I am not sure of the Electrum version, but I recall something like 4.3.3. The software I could have downloaded was the usual, like Chrome and WinRAR and stuff. Just the things I need. All were downloaded from original sources.


I don't use any anti-malware software other than what's included in Win11, and to be honest I don't know how effective any of them really are. It seems like they can only work once the malware is identified by the developer and added to the software's blacklist.

Yes, it is only added once someone has been affected by it. By the time it's added, they have already got their initial victims. I am not saying it happened to me, or maybe it did, but the purpose is to make others aware of problems like this.



I don't think Electrum is the cause, actually, as I've been using it for more than 2-3 years on this lappie, and over the course of those years the bc1qwerty0uuuee9t3jf5tvr0952a099p67qama7k3.... address has received many signature campaign earnings, and later on there were times when there were more funds in it than that. So why now?

I've also come to the conclusion right now that it was probably some script running in the background whenever I open Electrum; it probably sends the private keys of all the addresses in the wallet and then has a system of some sort which sweeps all the balances when the addresses receive some balance. <-- as some of you guys have mentioned here

As for Malwarebytes, I am a bit surprised that it didn't alert on something running in the background whenever I opened Electrum. I am a bit paranoid about scripts running in the background or on autostartup, so I had software to check those as well and delete/remove those things.

What I am not sure of is the entry point of this script/malware or whatever. I also seriously don't recall anything suspicious being downloaded. I've already made a fresh install of Windows on my laptop after clearing everything in every partition my laptop has, including the MB-sized partition holding some boot records, so I can't go back and check those things to find out clearly what happened.

In the end, I can only say: always be wary of these things. Antivirus/anti-malware also might not protect you all the time.

About hardware wallets, I still have a Ledger Nano which I have used in the past to hold big balances, but right now I don't use it. So yeah, I have the policy of big balances on hardware wallets, but there are cases where I need to move coins fast, so I tend to loosen up a little and move them into wallets that I have on my easily accessible devices.



Thank you everyone for answering here and discussing with ideas on what could have happened.


Title: Re: Hacker moved coins from my wallet
Post by: LoyceV on May 01, 2023, 07:18:03 AM
Wow, even if I wouldn't call that a massive attack for now, it starts to scare me a little bit, to be honest. Unlike what some people are saying above, Electrum could be not so safe to use anymore if those testimonies are true. So what could we do now? Only use it as a cold wallet? But how will we make Lightning Network transactions then?
Hot wallets have never been 100% safe, no matter which one you use. Microsoft Windows has never been safe either, and most computer users make mistakes once in a while. Any substantial funds should indeed be kept in cold wallets.

Did you accidentally allow something which Malwarebytes blocked?
No, if my memory serves me right. I usually read the alerts from antivirus and anti-malware programs and I always choose the quarantine/remove option; allow is not even a chance.
I haven't used Windows in a long time, so I have to ask: is this "normal"? I would expect to use antivirus software as an absolute last resort, and wipe the system the moment it finds something. You make it sound as if it finds and quarantines malware on a regular basis.


Title: Re: Hacker moved coins from my wallet
Post by: BenCodie on May 01, 2023, 07:20:50 AM
-snip-
All it takes is to connect to a suspicious website to become vulnerable on Windows. Read into reverse shell attacks (https://www.techtarget.com/searchsecurity/tip/What-reverse-shell-attacks-are-and-how-to-prevent-them). They target by the thousands, and do not require downloading files or inbound connections to take advantage of your system. All it takes is for you to connect to a predatory website, as it thrives on your system's outbound connection to a predatory server/website. To be clear about how easy it is to be reverse shelled, all software (even what you least expect) conducts outbound connections and every website you connect to has at least one outbound connection (usually between 3 and 10, depending on how many resources are required to load the page). This attack is commonly aimed toward Windows since it's the most common operating system, where attackers can build easily and gain the most. Switch to Linux as soon as you can.

I'm not saying this is what you have suffered from; however, it is possible, considering you don't recall directly downloading anything suspicious or recall anything that you may have obviously done to become vulnerable.


Title: Re: Hacker moved coins from my wallet
Post by: Avirunes on May 01, 2023, 08:09:52 AM
You make it sound as if it finds and quarantines malware on a regular basis.

It was in the past and not on this device, but basically I was referring to the first action that I took back then as my usual action there^^. On this device, I didn't have any alerts from the anti-malware program.


-snip-

Interesting, I wasn't aware of that. I will give it a good read later, and maybe you can give me a link to a thread where these things can be properly discussed.



Quote
Switch to Linux as soon as you can.

Regarding this, I am using Linux inside virtualization software like VMware, also for operating wallets. What do you guys think about this? Or is there still some vulnerability?


Title: Re: Hacker moved coins from my wallet
Post by: BenCodie on May 01, 2023, 08:22:38 AM
You make it sound as if it finds and quarantines malware on a regular basis.

It was in the past and not on this device, but basically I was referring to the first action that I took back then as my usual action there^^. On this device, I didn't have any alerts from the antimalware program.


-snip-

Interesting, I wasn't aware of that. I will give it a good read later, and maybe you can give me a link to a thread where these things can be properly discussed.

Unfortunately, there is no place to discuss these things right now. Around 3 months ago I made a request for a cybersecurity and privacy board (https://bitcointalk.org/index.php?topic=5434404.msg61581530#msg61581530), where discussion can at least be well documented and everything added to that board would serve as a good knowledge resource; however, it has not yet been addressed. For now, people are just having their questions answered when asked, or people are adding to topics after it's already too late ???


Title: Re: Hacker moved coins from my wallet
Post by: BitcoinGirl.Club on May 01, 2023, 08:46:39 AM
Quote
The wallet address was created by VanitySearch
This is where it was compromised. In fact, no hot wallet can be trusted.

Amount Scammed: 0.015 BTC
Thankfully it was not a fortune. Sorry for your loss brother.

P.S.: I hope the large amounts which you consider your assets are safe in a multisig wallet or hardware wallet. If they are not yet, then your first priority should be to send them to a safe wallet.


Title: Re: Hacker moved coins from my wallet
Post by: BenCodie on May 01, 2023, 08:55:57 AM
Quote
The wallet address was created by VanitySearch
This is where it was compromised. In fact, no hot wallet can be trusted.

If Avirunes was using the open source VanitySearch by JeanLucPons (https://github.com/JeanLucPons/VanitySearch), then there is no reason why this would be the culprit, because it is software that you run locally, and thus Avirunes should be the only one in control of the keys; you're not trusting someone else/another party with the keys as well. Technically, it should not be possible for VanitySearch to be the cause. Let's say that it was, though; I am sure that the VanitySearch announcement thread (https://bitcointalk.org/index.php?topic=5112311.1180) would be flooded with similar complaints.


Title: Re: Hacker moved coins from my wallet
Post by: LoyceV on May 01, 2023, 09:15:10 AM
Regarding this, I am using Linux inside virtualization software like VMware, also for operating wallets. What do you guys think about this? Or is there still some vulnerability?
Your guest OS is only as secure as your host OS. It's better to do it the other way around: on a trusted OS, use a VM to run untrusted software without risking your host OS.


Title: Re: Hacker moved coins from my wallet
Post by: T3PR00T on May 01, 2023, 10:51:44 AM
Regarding this, I am using Linux inside virtualization software like VMware, also for operating wallets. What do you guys think about this? Or is there still some vulnerability?
Your guest OS is only as secure as your host OS. It's better to do it the other way around: on a trusted OS, use a VM to run untrusted software without risking your host OS.
Sorry, it's off-topic.
I hear a lot about VMs. How do I get one, and how much does it cost? I would appreciate a link or an article about it.

Thank you.


Title: Re: Hacker moved coins from my wallet
Post by: Lucius on May 01, 2023, 11:02:19 AM
As for Malwarebytes, I am a bit surprised that it didn't alert on something running in the background whenever I opened Electrum. I am a bit paranoid about scripts running in the background or at startup, so I had software to check those as well and delete/remove those things.

I assume you have the Premium version? Even then, you cannot be sure that it will detect every malicious software or attempt to compromise your operating system. When you look at the fact that hackers break into highly sophisticated systems and steal information, it should not be surprising that they bypass some trivial protections compared to such systems.

About the hardware wallet, I still have a Ledger Nano which I have used in the past to hold big balances, but right now I don't use it. So yeah, I have the policy of big balances going to hardware wallets, but in cases where I need to move coins fast I tend to loosen up a little and move them into wallets that I have on my easily accessible devices.

It's a shame that you stopped using the device that would most likely have protected you from what happened to you, but people learn best from their own mistakes. Surely you know that you can have multiple wallets on a HW and protect each of them individually with a passphrase, so you can separate something that you keep long-term from what you will use in some way as a hot wallet.


Title: Re: Hacker moved coins from my wallet
Post by: NotATether on May 01, 2023, 12:08:35 PM
What do you mean "only one in the wallet"?  Did you create the wallet with an imported private key?  So, you don't have a seed phrase?

This will serve as an answer to anduloika and you as well: the wallet address was created by VanitySearch, and I trust this software, but as a precaution I used it only for small amounts. Since it's been so long, I started trusting it with a larger balance. There were other addresses as well which were also created by VanitySearch, as I like to generate some cool addresses and use them, but none of them had any balance or were used in the forum except the one I use.

So @anduloika, it wasn't a private key with recoverable security questions.

Bingo.

I'm not saying VanitySearch is stealing private keys from you, but being a cracking tool, it is designed for speed, so there's absolutely no security in mind. It doesn't try to scrub memory regions with private keys or anything.

That means if you used VanitySearch while connected to the internet or while there was a malware running, the private keys could've been captured that way, and it doesn't help that they usually don't provide checksums.

Also you have to be very careful where you download this kind of software from, these programs are the targets of malicious counterfeits that have backdoors in them for capturing the keys.

And P.S.: antivirus software generally considers any software that deals with a "private key" to be malware, so it would've gone straight through it in that case.


Title: Re: Hacker moved coins from my wallet
Post by: LoyceV on May 01, 2023, 12:48:54 PM
I hear a lot about VMs. How do I get one, and how much does it cost? I would appreciate a link or an article about it.
I use VirtualBox. It's free. Install it, and install your own OS inside or download an image.


Title: Re: Hacker moved coins from my wallet
Post by: lovesmayfamilis on May 01, 2023, 02:57:00 PM
OP, Electrum recently posted a new version of the product; if you are talking about two or three months, then your version was not fresh. I'm always paranoid about updates and try to keep everything fresh.
In the same way, it is now important for you to find out, so as not to repeat what happened, whether your Windows is really licensed with the latest updates. WinRAR software is always recognized as very dangerous, as password-protected viruses are often put into it. In addition, the hacker can create a server for RDP remote access and hide it so that it is not detected in autoload and in the task manager. There are detailed instructions on the forums; the victim only needs to click on the link sent to hide the file and start surveillance.
In addition, if I understand correctly, on April 30 the hacker stole not only from the OP but also several other transfers worth more than $2,000. Please correct me.


Title: Re: Hacker moved coins from my wallet
Post by: Avirunes on May 01, 2023, 03:38:11 PM
Unfortunately, there is no place to discuss these things right now. Around 3 months ago I made a request for a cybersecurity and privacy board (https://bitcointalk.org/index.php?topic=5434404.msg61581530#msg61581530), where discussion can at least be well documented and everything added to that board would serve as a good knowledge resource; however, it has not yet been addressed. For now, people are just having their questions answered when asked, or people are adding to topics after it's already too late ???

I would also love to see that happen. My post would be kind of similar to what julerz wrote, but there really should be a board properly dedicated to this.


Your guest OS is only as secure as your host OS. It's better to do it the other way around: on a trusted OS, use a VM to run untrusted software without risking your host OS.

Yeah, good point [+1]. I will set up a VM like this and work accordingly. Thanks, really, for pointing it out.


I assume you have the Premium version? Even then, you cannot be sure that it will detect every malicious software or attempt to compromise your operating system. When you look at the fact that hackers break into highly sophisticated systems and steal information, it should not be surprising that they bypass some trivial protections compared to such systems.

It's a shame that you stopped using the device that would most likely have protected you from what happened to you, but people learn best from their own mistakes. Surely you know that you can have multiple wallets on a HW and protect each of them individually with a passphrase, so you can separate something that you keep long-term from what you will use in some way as a hot wallet.

Yeah, lessons learned at some price, but now I need to see what would be the best way to set up my system and my way of working around these things. I now really wish that I had come to my senses for once and used my hardware wallet, but being casual along the way you just start to follow things like you have been doing and only come to your senses once the harm has been done.


In addition, if I understand correctly, on April 30 the hacker stole not only from the OP but also several other transfers worth more than $2,000. Please correct me.

It could be anything: it could be as you said, or if the hacker swept the wallet directly to an exchange, then it's the exchange sweeping the deposit address to another address of their own.



About VanitySearch, I don't think it's the reason, but I am not gonna use it anymore. I generated the bc1qwerty address years ago and have been using it for a long time. What @BenCodie said is also right, and @NotATether is also right, but that would make it a different case, as I was the one who was careless in the end for getting my device infected with malware.


Title: Re: Hacker moved coins from my wallet
Post by: shasan on May 01, 2023, 09:33:14 PM
I'm not saying VanitySearch is stealing private keys from you, but being a cracking tool, it is designed for speed, so there's absolutely no security in mind. It doesn't try to scrub memory regions with private keys or anything.

Though based on the OP's post it seems that VanitySearch has not leaked or stolen the funds, I still have doubts about that. I think it might have happened to them. Someone or some site might not steal anything now, but that doesn't mean they will not. In the same way, the same thing might not have happened with VanitySearch before, but it may have happened this time.


Title: Re: Hacker moved coins from my wallet
Post by: Aikidoka on May 01, 2023, 10:29:57 PM
First of all, I'm sorry to hear about your loss, Avirunes. However, I'm relieved to hear that the amount stolen wasn't a fortune, given that I've seen instances of people losing large amounts of Bitcoin due to being hacked. This year, in particular, has been especially tumultuous, and it's likely due to people being careless with their wallet security.
I've read nearly every post here, and I was curious about how you got hacked, but it seems that you're not sure about it. Given that your wallet is connected to the internet, any number of things could have happened. You mentioned a script running in the background on your OS, which could be the problem here, as Malwarebytes may not have detected it.

Ensure that your fresh operating system is clean and avoid installing any suspicious software that you are unfamiliar with (any cracked or random software). It would be best to use Linux, as it is generally more secure than Windows, but prioritize securing your BTC wallet. Personally, I use both Linux and Windows, and if I need to test out suspicious software, I rely on the Windows Sandbox feature (https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview), which acts exactly like a VM.


Title: Re: Hacker moved coins from my wallet
Post by: rat03gopoh on May 02, 2023, 01:37:29 AM
I thought of a possible hack on this: considering the OP's address is a vanity address, it's questionable what device it was generated with. Obviously it's impossible to generate through Electrum, and needing to import the private key is a way that is actually vulnerable, especially if the device had been infected with viruses from the start.


Title: Re: Hacker moved coins from my wallet
Post by: Lucius on May 02, 2023, 09:02:11 AM
OP, Electrum recently posted a new version of the product; if you are talking about two or three months, then your version was not fresh. I'm always paranoid about updates and try to keep everything fresh.
~snip~

I advise caution with the latest versions, because as I already wrote in the Electrum board, they messed something up with the Android version, and some users report that the combination of Electrum+Ledger does not work for them. In addition, they turn a very simple wallet into something too complicated, especially for new users.



Yeah, lessons learned at some price, but now I need to see what would be the best way to set up my system and my way of working around these things. I now really wish that I had come to my senses for once and used my hardware wallet, but being casual along the way you just start to follow things like you have been doing and only come to your senses once the harm has been done.

You have a new OS and that's a good start; from now on, be much more thorough in every step and check everything at least three times, and if necessary five times for larger amounts. Although no HW is perfect and cannot protect you from everything, it will still provide you with a fairly high level of security if you use it correctly.


Title: Re: Hacker moved coins from my wallet
Post by: Pmalek on May 02, 2023, 01:32:25 PM
I haven't used Windows in a long time, so I have to ask: is this "normal"? I would expect to use antivirus software as an absolute last resort, and wipe the system the moment it finds something. You make it sound as if it finds and quarantines malware on a regular basis.
If you use cracked software and key generators, the AV will from time to time detect it as malware, quarantine it, and ask what you want to do next. You then have the option to allow the file back on the device, delete it, or keep it quarantined. A perfect example of that is the cracks that come with Microsoft Office products that many people use. The same thing can happen with Photoshop.


Title: Re: Hacker moved coins from my wallet
Post by: DireWolfM14 on May 02, 2023, 07:09:34 PM
I haven't used Windows in a long time, so I have to ask: is this "normal"? I would expect to use antivirus software as an absolute last resort, and wipe the system the moment it finds something. You make it sound as if it finds and quarantines malware on a regular basis.
If you use cracked software and key generators, the AV will from time to time detect it as malware, quarantine it, and ask what you want to do next. You then have the option to allow the file back on the device, delete it, or keep it quarantined. A perfect example of that is the cracks that come with Microsoft Office products that many people use. The same thing can happen with Photoshop.

Why anyone who deals in crypto would continue to trust pirated software is a mystery to me.  Especially just to get MS Office and Photoshop!  If you must have Office for business purposes and your business can't afford to fork out the $100 for an annual subscription, you're doing it wrong.  Or just use LibreOffice and be done with it.  And for most of us GIMP is a decent enough replacement for Photoshop.  With all the open source free software available these days, there's only risk and very little reward in the use of pirated software.


Title: Re: Hacker moved coins from my wallet
Post by: LoyceV on May 03, 2023, 11:33:07 AM
Why anyone who deals in crypto would continue to trust pirated software is a mystery to me.  Especially just to get MS Office and Photoshop!  If you must have Office for business purposes and your business can't afford to fork out the $100 for an annual subscription, you're doing it wrong.  Or just use LibreOffice and be done with it.  And for most of us GIMP is a decent enough replacement for Photoshop.  With all the open source free software available these days, there's only risk and very little reward in the use of pirated software.
Even better: that $100 gets you a hardware wallet, or a second-hand laptop to dedicate to crypto usage only (after wiping it).


Title: Re: Hacker moved coins from my wallet
Post by: Pmalek on May 03, 2023, 05:52:13 PM
Why anyone who deals in crypto would continue to trust pirated software is a mystery to me.  Especially just to get MS Office and Photoshop!  If you must have Office for business purposes and your business can't afford to fork out the $100 for an annual subscription, you're doing it wrong.  Or just use LibreOffice and be done with it.  And for most of us GIMP is a decent enough replacement for Photoshop.  With all the open source free software available these days, there's only risk and very little reward in the use of pirated software.
People like free stuff and not paying for software, that's why. Netflix isn't expensive, but even if it were $2, many wouldn't want to pay if they can download the show or movie they want as a torrent.

I don't know how good LibreOffice is, as I never tried it. I doubt GIMP can offer nearly the same that Photoshop can. Just use a separate device for less-safe software that is pirated or cracked if you must use it. Keep it off your computer where you work with crypto, private keys, financial data, and other personal stuff.