Whatever it was appeared to push all my coins to this wallet:
18mhcZ4tdD2GQquSrMda5TPzgRodAEfYeF
I am hoping it's a bug.. I just spent money and time to lose money.. $2000 is alot of money for me.
This is 1/3rd of the story at best.
We are talking about 5BTC, split in 2 wallets, ~2.9 BTC in wallet A, ~2.1 BTC in wallet B.
On May 6th, 3 transactions in block #410492 moved coins from wallets A and B to address 18mhcZ4tdD2GQquSrMda5TPzgRodAEfYeF:
- tx 1&2 move all coins from wallet A. All coins in this wallet were split between 2 addresses. The spending tx each sweep one of these addresses.
- tx 3 moves all coins out of out of 1 address from wallet B, about 0.28 BTC.
In all cases, there was no change and all outputs were spent regardless of how small they were (a few were >0.02 BTC). This pattern is indicative of a private key sweep.
However, all transactions came with small fees. All fees were >0.002BTC. Considering one of these tx spends 10 utxos and another one 7, we're far below the proper fee/kB for quick confirmation. The fact that all 3 tx were confirmed within the same block with such low fees is possibly an indicator that they sat in the mempool for some time.
This to me doesn't characterize theft, rather deliberate private key sweeping. You would expect a thief targeting your private keys would be sophisticated enough to pay a 0.01 total fee on 3 tx stealing some 3 BTC just to get included in the next block.
This accounts for ~3.2 BTC. If the story ended there, and you claimed 3.2 BTC were stolen, then you would have more evidence supporting your claim than otherwise. The fee analysis alone is not strong enough on its own refute theft. However, you are claiming 5 BTC are missing, and the last ~2 BTC leave your wallet in a different fashion.
---------------
About half a day later, in block #410581, 6 transactions move coins from wallet B.
- 5 tx spend to address 1CDyeeCHcReYhfaeTb37Piwq8ZWqLtHU5o
- 1 tx spends to address 12DaNV3b6iSobe5uMwBELYdMkoLJ1V4eto
- 4 out of 6 addresses return change
- As a result of change, wallet B currently has a balance, albeit rather small. Nonetheless, this balance remains larger than some of the smaller utxos that were redeemed among all these transactions.
- The fee/kB density of these 6 transactions is over 2~3 times superior (guesstimate) that that of the first 3 transactions.
---------------
It is also notable that prior to these 9 transactions, you only spent coins once, from wallet B, in November 2015. This implies, in case you use online wallets, that you rarely if ever typed in your password to decrypt your private keys. The point is moot if your wallets are offline. On the other hand, there is not much to discuss if your wallets are online and unencrypted.
This observation narrows down the possible attack vectors. Since you didn't spend any coins for months prior to the event, this couldn't have been an attack on the recipient address (swapping a payment address for the attacker's), nor an adversary process trying to steal your password/encryption key or decrypted private keys in RAM. This also rules out RNG snafu.
Again this point is moot if you toyed around with your password a few hours before the coins moved. This comment in particular and this post in general should be a reminder that you need to provide as much details as possible if you hope to find out what happened to your coins. Your wallets only speak that much.
The only credible attack vector that remains is that someone has access to your encrypted wallets (physical access to your computer, cloud storage backup, infected machine, etc...) and your passwords (possibly brute forced if they are weak, again need more details here). However, this would contradict the sweeping pattern: why sweep private keys if you crack a wallet? Just spend it all in one go.
Still this doesn't explain why the attacker would sweep all keys from one wallet and only ~15% from the other, nor his spending pattern (you'd expect 1:1 spend address to wallet address, or a single address for all wallets), nor why he deemed useful to return change, nor why he paid low fees to steal >60% of your coins and much higher fees for the remainder, and lastly why he did it 12h apart.
