Unathorised transaction - not confirmed

[newcoinc]

Hi

I have the feeling that someone has someone managed to get hold of my wallet file from AppData.

I noticed that it had disappeared a few weeks ago, and I restored it. My wallet originally had MFA enabled, but last night I disabled this as the fees were high. This morning my wallet was emptied: https://live.blockcypher.com/btc/tx/22041d7fab94303d502873b0bab160a29856dcae46b4053cd66f68321643cb50/

RBF has been turned off on it, is there anything I can do to reverse it?

[LoyceV]

See this post on how to do RBF on a non-RBF transaction, but you need to act FAST!
Your transaction is 8 hours old, and still unconfirmed. It pays 30 sat/vbyte, which could get confirmed in a few hours. Or the receiver can do CPFP and it will confirm quickly.
You'll also need to broadcast the new replacement transaction to a node that supports Full RBF. There's no guarantee this will work, but it's worth a try. Your money is currently all gone, so don't be cheep on fees. I'd go with 64 sat/vbyte.

Try this option:

For making the replacement transaction, you can also use electrum.

- Create a new wallet using your private key.
- Let your wallet get synced and then disconnect your computer from the internet.
- Go to "console" tab and use this command to remove the transaction you want to be replaced from your wallet: wallet.adb.remove_transaction("TXID")
- Close electrum and open it again.
- Make the replacement transaction and export the raw transaction.

[newcoinc]

See this post on how to do RBF on a non-RBF transaction, but you need to act FAST!
Your transaction is 8 hours old, and still unconfirmed. It pays 30 sat/vbyte, which could get confirmed in a few hours. Or the receiver can do CPFP and it will confirm quickly.
You'll also need to broadcast the new replacement transaction to a node that supports Full RBF. There's no guarantee this will work, but it's worth a try. Your money is currently all gone, so don't be cheep on fees. I'd go with 64 sat/vbyte.

Which wallet did you use?

Hi Im doing this now, do I use wallet.adb.remove_transaction("bdf3d2cd0a45d69d2b91f3a0d99c266641c80ff180e8fe35f060e2a5ad1559e3") in console?

An error says: NameError: name 'et' is not defined

[LoyceV]

Hi Im doing this now, do I use wallet.adb.remove_transaction("bdf3d2cd0a45d69d2b91f3a0d99c266641c80ff180e8fe35f060e2a5ad1559e3") in console?

This is a NEW transaction, bdf3d2cd0a45d69d2b91f3a0d99c266641c80ff180e8fe35f060e2a5ad1559e3 replaces the one you posted earlier: 22041d7fab94303d502873b0bab160a29856dcae46b4053cd66f68321643cb50.
If you created this new transaction, you should be done. I just hope your new receiving address did not get compromised like your old addresses.

It's confirmed. Did you do it or did the attacker increase the fee?

[newcoinc]

Attacker increased the fee :/

[LoyceV]

Attacker increased the fee :/

What are the odds of the attacker increasing the fee (and changing the receiving address) right when you posted this here (after 8 hours)? Too bad, it's over now

[nc50lc]

I have the feeling that someone has someone managed to get hold of my wallet file from AppData.

I noticed that it had disappeared a few weeks ago, and I restored it.

This looks like planned.
The most probably reason why the hacker deleted your wallet file is because he was aiming for you to restore it back so that he can get your seed phrase where the 2 keys are stored during that restore process.
And even if he didn't managed to get it that time or if you imported the seed while offline, he can still get it from the wallet file and password since you've disabled 2FA.

Hi Im doing this now, do I use wallet.adb.remove_transaction("bdf3d2cd0a45d69d2b91f3a0d99c266641c80ff180e8fe35f060e2a5ad1559e3") in console?

An error says: NameError: name 'et' is not defined

Not useful since the hacker followed the instructions faster, but: it means that you've pasted the command with a breakspace (enter) in front of it.
For some reason when that happens, the first four characters will not be read, leaving you with "et.adb.remove_transaction()" instead and Electrum doesn't have any command for "et".

You can reproduce it by using this command (copy including the empty character above it):

Code:

wallet.adb.remove_transaction()