I do not know how you can run Electrum server using mobile Electrum. But for anonymity (no privacy), you can connect mobile Electrum using Tor. But with the help if Orbot.

After you download Orbit, click on setthigs and check Electrum to enable it to connect using Orbot.


After you download mobile Electrum.

Enable Proxy
SOCKSS/TOR
Address: 127.0.0.1
Port 9050

If you connect to Tor, the green circle at the upper right corner will be blue instead. This is for anonymity. Central (public) servers can still connect your addresses but will kit be able to know your IP.

It is not an assumption if you are using public servers. They will know your bitcoin addresses and know the funded ones. They will know your IP addresses too. Which means they can link your real identity to your wallet.

If you want privacy, run your own node/server using Tor.

No.

Electrum has a gap limit, which means that once X (IIRC, its 20) addresses are empty, it stops querying for addresses with balance. Only the address that are used + 20 empty addresses will be leaked. Electrum does not leak xpubs.

For privacy if connected to your own node/server, yes. As long as your server is connecting using Tor.

If you do not connect to your own server or run your own node but depend on public server, you will not have the privacy that you want.

The seed phrase and keys are created on a hardware wallet, and its public key is imported on an online wallet. That is enough for security even if you connect to public server, but not having privacy because the public server can spy on your IP addresses and bitcoin addresses.

The issue arises when Electrum queries your addresses. If you're using Electrum to serve as a watch-only wallet, you'll have the addresses linked to each other. Electrum queries all the required address using the same IP address. Any adversary running the node would be able to make the assumption that they're owned by the same person and thereby linking them to each other.

Running it behind a proxy or Tor won't help in this case.

Well fuckballs.....

MSFT had their monthly patches yesterday and the PC running Fulcrum decided to install them and reboot and did not cleanly exit fulcrum before doing that.
And now it's saying that the database is corrupt and it's trying to redo it. I'm too busy to do a deep look, is there a way to check / repair the fulcrum DB instead of having it redo everything.

And, yes I know to ask in github but I figure this might be quicker.

-Dave

core lightning v23.08 release candidate 1 has now been announced and it is now time to test new and experimental features before release, such as these:

• taproot address support for core lightning
• introduction of renepay
• splice funds in or out of a live channel

https://community.corelightning.org/c/general-questions/version-23-08-release-candidate-1-tagged
 

If you have a synchronized Bitcoin Core instance, you can get the raw transaction and use testmempoolaccept to test if it is valid without broadcasting.

Keep this educational and don't create any serious addresses using this. Most importantly is that you won't find bugs by just testing it a couple of times with random cases, there are a lot of edge cases that you may not know of and may not face in your "random tests" but can encounter in a real scenario.
Off the top of my head since you mentioned Java and are probably using the BigInteger class,is that you may forget the necessary padding for the public key and use a smaller than 32 byte x/y coordinate in the pubkey for your hash and end up with coins that can never be spent.

The best real life example I can think of that is similar to what I explained here is the bitcore-lib by Bitpay written in Javascript that had a similar bug with lack of padding. https://github.com/bitpay/bitcore-lib/issues/47

I would also say that generating a serious key (to send actual funds to) using your own code is not a good idea even if you verify the correctness of the key->address using a secondary tool. Because there can be other vulnerabilities in your code like your RNG being weak.

As I've mentioned, if you're able to import the address into a well-known wallet, it should be fine. They are unlikely to allow you to import a private key that cannot be spent. The first one would be the best, if you can do so. It doesn't affect the security nor the privacy of your paper wallet so long as you spend the coins back to yourself.

You could do the same thing you've been doing to recover the wallet on Electrum or maybe Bitaddress[1] (download the source code first), you should just make sure that the device you're using is offline and safe.

For peace of mind, I (would) do this every time when I create any offline wallet (before funding it). It doesn't hurt to make sure you can recover your backups.

There are different ways of doing it. 

1) Since you've already sent the small amount of Bitcoins, you can create a transaction that spend a small amount of Bitcoin to your address. You can spend a fraction of that with a small fee, the confirmation doesn't matter. So long as you can see the transaction on blockexplorer, it's fine.

2) Sign a message with the address. If you can verify it, then it would be fine.

3) Import it into an offline wallet. So long as the wallet allows it to be imported, it should be valid and its perfectly safe. Which is what you've done. Well-known and working wallet have sanity checks on your private key which prevents those which aren't working to be imported.

There is a good saying that I have heard countless times in American movies that says "assumption is the mother of all fuc*ups", and if you think that something can't happen to you (and it happens to a lot of people every day), then you already have a big problem at the start.

Feeling comfortable and at the same time convinced that you are untouchable is a very dangerous combination.

is there any way I can check if my wallet is already compromised or not?

I'm not entirely convinced that here the Android phone and the Swiftkey app are the main problem. The OP did some other bad things that he should avoid in the future.

• He handled recovery words on an online device outside of the original app (Bluewallet). Recovery words were fed into another wallet app. Don't do that on online/hot devices, period!
• He used 3rd party keyboard apps for entry of sensitive data. We agree, that's bad and should be meticulously avoided as you have no control whatsoever where your entry data diffuses to.
• He might have taken digital pictures of his recovery secrets. I don't know that, it was not talked about this. Of course, avoid this ever, too!

Recovery words are supposed to be backed up analog only, ie. paper or stamped in metal or similar analog and secure storage.
Maybe there's that went wrong, we don't know.

I can feel your pain. I would be totally pissed if that would happen to me even for the smallest amount that I would ever keep on a mobile phone wallet. I consider mobile phones as completely unsecure simply because a user does a hell of his internet shit on a mobile phone, install maybe questionable apps on it and just don't have much clue about security of such devices, not to mention the questionable update status of most Android devices once they get older.

Well, it depends. If you coinjoin them and then store the xpubs of your new outputs insecurely again, then you will be back at square one.

If you think that you will be safer that way, it seems that you have not realized how risky it is to store sensitive information, regardless of whether it is a smartphone or a desktop computer. When it comes to a desktop computer, you can also very easily expose your seed if you enter it in another wallet and you have a keylogger on that device.

Devices on which you store private keys should be isolated from all possible risks arising from your daily activities, which means that you need a hardware wallet or an airgapped device. Even then, you should always be on your guard, because being your own bank means you need to be on the lookout for thieves, whether they're online hackers or bad guys in the real world.

That depends on your personal preference for privacy. But even if you move the funds, if they know your current public keys they can follow the money trail.

Sorry about your loss. I hope you will soon find peace of mind.

From what I have read, I cannot tell you where you were not careful enough or how you could have stopped this from happening but I doubt it had nothing to do with 12 word or 24 word seed phrases. Although we all recommend you use 24 word, I doubt somebody brute-forced your seed phrase. I think what happened is that you might have a virus on your device or you stored your seed phrase in an unsafe way and somebody might stolen it without you noticing.

Best thing to do now is to get familiar with wallet security practices. OPSEC!

You say you use Bluewallet, is it the android or iOS version (if applicable)? And where did you install it from, in the case of Android?

There are many 0-day vulnerabilities targeting older mobile OSes and it is possible that you were hacked with one of those.

What was the reason for your choice of Bluewallet and not Electrum? Of course, this will not change anything, and most likely it would not have changed even before hacking, because the malicious program would certainly have stolen from the electrum wallet as well. In your situation, only hardware wallet could save the contents or the multi-sig.