Bitcoin Forum
Show Posts
1  Bitcoin / Electrum / Re: New Electrum vulnerability? Unknown transaction (Fraud, Theft) 4.3.4 AppImage on: August 08, 2025, 12:34:25 PM
I also wonder why only Windows versions of Electrum have a high malware detection rate (Linux=0%), which are all false positives according to Electrum!? This file here I used years ago, but it is signature-verified from electrum.org:

https://www.virustotal.com/gui/file/4afe9fe07318f7ed804ab2ccb6e6b7e65971ffeaad97c612e0d364d05b196f79/detection

...



I think it's more likely that there's an information leak than an Electrum vulnerability, since if it is a vulnerability, there would be direct attacks on wallets with more coins, or you'd be left blank.

Perhaps you have a friend, neighbor, or family member with access to your device, since stealing it and sending it to Binance makes no sense to an experienced attacker.

No, definitely only I had access to this PC with the Electrum wallet and I also think an experienced attacker would have used a self-hosted wallet, independent from crypto exchanges with KYC procedures like Binance. But either the first Binance wallet was also hacked and not owned by the attacker or it was a bug in Electrum together with a malicious server. Everything else I can rule out with 99% certainty (no malware, phishing etc.) and I don't think it was a coincidence that in the same second I entered my Electrum wallet password and hit "broadcast", the "fraudulent" (second) TX (UTXO of these coins marked as "frozen" with right-click) initiated simultaneously next to my TX (marked as "spend" with right-click and coin control). It might also be a bug with the UTXO coin control and coins accidentally got sent to the miners!?
2  Bitcoin / Electrum / Re: New Electrum vulnerability? Unknown transaction (Fraud, Theft) 4.3.4 AppImage on: August 07, 2025, 09:16:05 PM
Hi everybody!

Here is an update on this strange matter:

After Binance support forced me to open and verify an account (via a KYC process incl. ID upload and video conference) in order to get back my stolen BTC but the verification didn't work because of their crappy outsourced KYC service where nobody entered the video conference for hours and after 2 weeks of endless / useless chats with the support team and at least 10 different support agents, fraud specialists, supervisors and managers etc. whom I all insulted and wished the plague upon, I suddenly received the following email:

Subject: FW: Binance Security Fund Recovery - Funds Credited - 2025-07-29 16:16:55 (UTC)
From: Binance <do_not_reply@mgdirectmail.binance.com>
To: <xxxxx@mailfence.com>
Date: Jul 29, 2025, 4:16:57 PM

Binance Security Fund Recovery - Funds Credited

Dear Binancian,

We are pleased to inform you that our Security team has successfully resolved the dispute related to your previously reported transaction.
Upon further investigation, we learned that the transaction was related to potential fraudulent activities and, in the interest of security and user protection, we performed an in-depth security investigation. As a result of this investigation, we have managed to retrieve your funds from the receiver.

We have already distributed the following amount to your Spot Wallet: 0.01702049 BTC. To check the distribution, please follow these steps:

1. Log in to your Binance account.
2. Navigate to Wallets > Spot.
3. Click on "Transaction History"
4. Select the "Distribution" tab to view the credited amount.

Although we have managed to retrieve your funds on this occasion, please be reminded that this is a rare occurrence and it is usually impossible to cancel or return funds once the transaction has been completed. However due to these exceptional circumstances, and as we managed to identify the fraud transaction in a timely manner, we have been able to retrieve your funds.
Please be extra careful and vigilant and always do your own due diligence before sending or receiving funds. See the following general guide on how to avoid common scams: https://academy.binance.com/en/articles/8-common-bitcoin-scams-and-how-to-avoid-them

Your support and cooperation are much appreciated as we strive to maintain the security and integrity of our platform.

Yours sincerely,

Binance


Then - without completing the verification process - all of a sudden I received the BTCs on my Binance account and could transfer them immediately to a new self-hosted wallet! :-)
Strangely enough all the chat history has been deleted by Binance meanwhile!

This is the strangest shit I've ever seen!

For anyone who is interested: my initial BTC address where the funds got stolen is 1Th4E53SNrNLVGn9CgT8h3BJKuAKjqdWv and the funds were moved from the direct attacker's address 1GrvEughk4fqnGsvtaApZ8BtxRTtTWxmLc 1h later to this Binance address: bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h which has a balance of about 1.8 billion USD !

I have my BTCs back (minus fees) so I am somewhat relieved, but I still don't know (and Binance refuses to tell me) how the hell the BTCs got removed from my original address! In my opinion the only realistic possibility is an unknown/undiscovered vulnerability in Electrum (I have contacted the developers b.t.w. but didn't get any reaction - some days ago a new version 4.6.1 got released!) together with a fraudulent Electrum server where obviously a big Binance customer or Binance itself was involved!

Maybe somebody had a similar experience?

Cheers!



Also, this Binance address has been used for a lot of scams:

https://www.bitcoinwhoswho.com/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h/urlid/14789007

3  Bitcoin / Electrum / Re: New Electrum vulnerability? Unknown transaction (Fraud, Theft) 4.3.4 AppImage on: July 15, 2025, 07:13:05 PM

Since you scanned for malware/viruses, I am guessing that your device is clean so it's probably nothing to do with that.

But it does sound suspiciously like a private key leak or a malicious server (man-in-the-middle attack).

Check Electrum's log file, if you had logging enabled: ~/.electrum/logs/ or \AppData\Roaming\Electrum\logs (hidden folder)
Was auto-connect to server on?  
Check the tx data on blockchain explorer - were they broadcast from the same IP / node?


Unfortunately I did not have logging enabled, but yes, it was auto-connected to (several) servers.

Blockchain explorers also show no IP addresses, so how would I check where both TX came from, or whether they were both initiated on my PC/wallet or not? This would already help me. If the second TX was initiated outside my wallet (e.g. by a stolen seed or private key), this would rule out malware on my current system, since I used the same wallet years ago on a Windows system - where I also had only signature-verified Electrum programs installed, but I am not so sure (as on my Linux system now) that I was 99% free of malware. But then again, why would someone with my wallet seed not have drained all the addresses but only one, and coincidentally at the exact same time when I broadcast a TX and never before or after?

B.t.w. I discovered that at the time of the attack - shortly (seconds/minutes) before - 3 files were created in the /.electrum directory:
/.electrum/certs/guichet.centure.cc
/.electrum/certs/blackie.c3-soft.com
/.electrum/certs/btc.aftrek.org

Idk if this is normal (e.g. new servers connected) or could that have been the malicious servers?

I don't think Electrum servers are able to do that, since Electrum only requests data like address history and balances, block headers, UTXOs, etc.
There's no way that they can control your wallet.

How exactly did you create your wallet? Did you create your wallet somewhere else? I mean outside the Electrum wallet from that PC/Laptop?

If not, and you created your wallet on the same device, there's a possibility there's something in your PC that you don't know leaks your wallet private keys.

I'd like to know how you installed this Linux and where you downloaded it. Are you sure that you downloaded the Linux OS from a legit source?
Because if you downloaded it from somewhere other than the trusted source, there's a possibility it's already infected with malware. Scanning it with any antivirus won't work; that's why I don't download an OS randomly.

There are lots of free OS mods out there, but all of them are already infected with malware that can't be easily scanned by any antivirus.

If I want to use a wallet on a Linux-based OS, I am more comfortable using Tails, which has built-in Electrum. Electrum already provided a guide for this. If you are interested in the future, check their guide below.

- https://github.com/spesmilo/electrum-docs/blob/master/tails.rst


I have created the wallet on a Windows system years ago - see my post above.

The Debian OS (iso install. file) I have downloaded of course from the original Debian developer site debian.org - also signature-verified.
I now use offline signing with Electrum (cold wallet) and only one wallet per address - so fuck the seed :-) Tails is also a good option, I agree, but only when using it as read-only / non-persistent storage and if you do offline signing, otherwise you still have a hot wallet.

But what really is driving me nuts is that I don't know how the hack worked and why only once at this time and coincidentally with a TX of myself? My old wallet seed and BTC addresses and even the Electrum password never changed in 5 years and any attacker could have stolen much more if he had known the seed/keys/password. I really think it is a combination of a glitch / vulnerability in Electrum together with a malicious server... Any server can send wrong confirmations, tricking you into downloading an update, but I am pretty sure I didn't fall for that. Maybe anything else? There was this JSON-RPC hack, you remember, not so long ago...

B.t.w. I have contacted Binance - where my stolen BTC ended up on one of their addresses - and after proving (with screenshots, videos from wallet opening and wallet/TX history) that I am the owner of the address from which the BTC got stolen, they offered to refund me - but only if I open a Binance account (they will send it to my Binance address)! They said the owner of this Binance BTC address (obviously their customer=the hacker!) agreed to send it back!!! WTF Huh Has anyone had this experience? They don't want to give me his identity nor the type of attack by which the BTCs got removed! This looks very dodgy and supports my theory of a malicious server attack / vulnerability in Electrum which they maybe want to hide... Also I think a criminal/police investigation over several jurisdictions (me, Binance HQ, Binance server locations, TX server locations / mining pool, location of Binance customer) would lead to nothing.
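The question raised in this post about the three files that appeared in ~/.electrum/certs shortly before the transaction is exactly the kind of thing a timeline check answers. Electrum saves a server's self-signed certificate as a file named after the host under ~/.electrum/certs, so each file's modification time records roughly when the wallet first trusted that server. The following script is an added example written for this page, not code from Electrum or from anyone in the thread; it assumes GNU coreutils (stat -c, touch -d) and a POSIX shell, and the demo function uses constructed timestamps and file names rather than data from a real profile.

```shell
#!/bin/sh
# Added example (not from the thread or from Electrum): list the
# certificate files in an Electrum certs directory whose modification
# time falls within a window around a transaction time. This lets you
# correlate "new server trusted" events with the moment a suspicious
# transaction appeared, without needing Electrum's own log file.
# Assumption: GNU coreutils (stat -c %Y, touch -d @epoch).

# certs_near_time DIR EPOCH WINDOW_SECONDS
# Prints "<mtime_epoch> <hostname>" for every regular file in DIR whose
# mtime is within +/- WINDOW_SECONDS of EPOCH, oldest first.
certs_near_time() {
    dir=$1; ref=$2; win=$3
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(stat -c %Y "$f")
        if [ "$m" -ge "$ref" ]; then d=$((m - ref)); else d=$((ref - m)); fi
        if [ "$d" -le "$win" ]; then
            printf '%s %s\n' "$m" "$(basename "$f")"
        fi
    done | sort -n
}

# demo: builds a throwaway certs directory with CONSTRUCTED mtimes
# (three pins minutes before a reference time, one a year earlier) and
# runs the check with a 10-minute window. Only the three recent pins
# should be reported.
demo() {
    tmp=$(mktemp -d)
    ref=1752519600                                  # constructed epoch time
    touch -d "@$((ref - 120))"      "$tmp/guichet.centure.cc"
    touch -d "@$((ref - 60))"       "$tmp/blackie.c3-soft.com"
    touch -d "@$((ref - 30))"       "$tmp/btc.aftrek.org"
    touch -d "@$((ref - 31536000))" "$tmp/old.example.invalid"   # constructed, out of window
    certs_near_time "$tmp" "$ref" 600
    rm -rf "$tmp"
}

# Against a real profile you would convert the transaction's block/broadcast
# time to epoch seconds and run, e.g. (placeholder time, not from the thread):
#   tx_time=$(date -u -d '2025-07-14 17:00:00' +%s)
#   certs_near_time "$HOME/.electrum/certs" "$tx_time" 600
```

A hit inside the window only tells you that the wallet pinned a new server's certificate around that time, which happens normally when auto-connect switches servers; it does not by itself show that the server was malicious. It does give you the hostnames to look up and the order in which they were trusted, which is the starting point for any further investigation.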
4  Bitcoin / Electrum / New Electrum vulnerability? Unknown transaction (Fraud, Theft) 4.3.4 AppImage on: July 14, 2025, 06:09:05 PM
I had a strange issue with a BTC transfer. When I broadcast a (small) transaction from my address/coin (which I marked as "spend" in the coins tab) - at the same time - another transaction was initiated with a very large amount from my other coin address in the same wallet to an unknown address, and the funds were moved 1h later from there to a Binance address.

I am 99% sure I don't have any malware / viruses / keyloggers etc. (all checked multiple times, even rootkit scanners) on my (Debian/Linux) system and also the AppImage I have used many times before and after (!) that "hack" without problems and is originally from Electrum.org and GPG-verified! I also never downloaded or updated (by phishing messages etc.) any other version.

The weird thing is something just drained my second BTC address but not the other ones in the same wallet (with the same password!)

My fear is that there is a new (unknown) vulnerability in Electrum out there that allows malicious servers to inject code as in the old JSON-RPC port vulnerability (prior to 3.0.4). Malware on my PC also would have drained all BTC addresses entirely and not just picked a single one, or at least would have repeatedly tried to initiate transactions, but I have used the same Electrum program and wallet and addresses after this attack without issues.

The second transaction was initiated at the same time I have entered my wallet password (to sign my TX) and hit "broadcast".

Has anybody had a similar case?

If it was an "Electrum stealer" program - how do they work exactly and what programs are known/discovered? Is the above described behaviour typical for such software or for a malicious Electrum server?
