Topic: Unknown transactions made from wallet
yinon (OP)
June 14, 2017, 11:38:44 AM
 #1

Hi,
I’m new to cryptocurrencies and am struggling to understand the cause of a loss of funds from my Multibit HD wallet. I’ll try to explain:

A week ago I made 2 transactions to ShapeShift, which is a coin conversion service. Following that service’s instructions, I made the 2 transactions from my wallet to an address provided by ShapeShift and received the converted funds in a different ether wallet I provided, as expected, an hour later.
A few days later I tried entering my Multibit HD wallet again (I hadn't done so since that transaction to ShapeShift), but it kept rejecting the password, which I’m 100% sure was the right one, saying "The password did not unlock the wallet". Restore attempts also strangely kept failing and rejecting the new passwords each time.
I googled around and found that this issue has been following Multibit for a while now:

See this thread:
https://github.com/keepkey/multibit-hd/issues/753

Going through the advice and solutions at the link above, I used the secret seed from my now inaccessible Multibit HD wallet, converted it to private keys, and imported those keys into a different wallet, only to find out it’s empty of the funds I had.
I was also able to retrieve the transactions history and the transactions made to ShapeShift:
https://blockchain.info/tx/e6cfaf4858af0d105973382588d31700dc11a97efde576c2b6d11a1311c07d84
https://blockchain.info/tx/94ae29d606571789199c5b36321ed4c5729a8ba1062fa79a377c0cd2dea2efa6

I found something strange:
Both transactions listed 2 recipients (I wasn’t even aware it’s possible to send money to multiple addresses at once):
one recipient address was the provided ShapeShift address and the amount transferred is as intended. BUT! The second address was unknown to me and a much larger amount of bitcoins was transferred to it.
What I also noticed was that these transactions, using Multibit HD, were made from addresses which had previously been used to receive payments to my wallet. Meaning that no new addresses were generated especially for these transactions, which I thought should be good practice.
Now, I don’t really pay attention to that part of the procedure in transactions, as I recall reading that one of Multibit HD's features is that it constantly generates a new address for each transaction. Maybe I’m mistaken.

An important point is that the transactions with the 2 recipients summed to a total amount of bitcoins which was exactly equal to the amount I had previously received at the same address. So for example, if I received 3 bitcoins to my address and later used that same address to send 1 bitcoin to ShapeShift, an exploit was to drain and then send the 2 other bitcoins left to another address simultaneously.

From what I describe, could my wallet / address have been breached?
Is there a way for a malicious act to exploit any of the mentioned above?
Maybe it has something to do with transaction malleability?

Please anyone shed some light or guide me to a solution / education.

Thanks!
HCP
June 14, 2017, 12:30:12 PM
Last edit: June 14, 2017, 12:45:14 PM by HCP
Merited by ABCbits (3)
 #2

No "malicious acts"... what you're seeing is "change addresses" in action.

To break it down... in this transaction: https://blockchain.info/tx/e6cfaf4858af0d105973382588d31700dc11a97efde576c2b6d11a1311c07d84

You spent an "Unspent Transaction Output", also known as a UTXO, worth 0.01 BTC... from address: 1FYnsK8Zqt89bvTVhXVvvfi9pVFE2LQhrL
Of that 0.01 BTC:
- you gave 0.001 BTC to address: 1E37CUCsdibNpieqS6uKoeNEnjksDbwDZb
- you used 0.0005 BTC as the miners fee
- you had 0.0985 BTC leftover (0.01 - 0.001 - 0.0005), which got sent to YOUR "change address": 1JY13j7kpNDzHtk3koVHayUmkFqwbFYG3U

So your coins are still in your "wallet", just in a change address, as opposed to a receiving address.

The big issue you have now is accessing it. If you have your 12 word seed (and I really hope you do!) you can find your change addresses really easily:

Option #1:
Simply restore your seed using "Breadwallet" (on iOS/Android Devices) or "Simple Bitcoin Wallet" (Android only)... this will enable quick access to the coins stuck in your broken MultiBitHD wallet, but I don't recommend long term use of these apps. I would suggest you restore and then send ALL your coins from Breadwallet/SBW to another wallet.

NOTE: Breadwallet/SBW are the only wallets I know of that are compatible with MBHD seed/derivation path.

Option #2:
1. create an offline copy of: https://iancoleman.github.io/bip39/ (instructions at the bottom of the page)
2. put your seed at the top where it says "Mnemonic seed"
3. In the "Derivation Path" section, Click the "BIP32"
4. For "client", select MultiBitHD (the "BIP32 Derivation Path" should say: m/0'/0)
5. Copy all the "Receive" addresses/private key pairs from the bottom of the page (you may need to click "show more" a few times to find ALL your "Receive" addresses used)
6. Now, change the "client" to "custom"... and set the "BIP32 Derivation Path" to: m/0'/1
7. Now all the addresses/private keys listed at the bottom will be your "change addresses"

Specifically you want to get the private keys for the two addresses in the transactions you've linked above:
1JY13j7kpNDzHtk3koVHayUmkFqwbFYG3U
1JkCceVDSXcWtkmmwrcv8w22Y3tfFZbBXY

And possibly any other change addresses from transactions that you've made.

Option #3:
Slightly more technical... but if you are comfortable with installing Python and running Python scripts... I have written some scripts that can find all the addresses/keys with coins from your MultiBit HD wallet file.

Good luck!
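
The receive chain (m/0'/0) and change chain (m/0'/1) from Option #2, as an added example that is not part of HCP's post and is not one of his scripts: a minimal BIP32 private-key derivation showing that both chains are computed from the same seed, which is why a change output is still wallet-owned. It assumes the 12-word mnemonic has already been converted to seed bytes (the BIP39 step the tool performs); `wallet_pubkeys` is a hypothetical helper name.

```python
import hashlib, hmac
# secp256k1 curve constants (public parameters of the curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

def ec_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def pubkey(k):
    """Compressed public key for private scalar k (double-and-add)."""
    acc, pt = None, G
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return bytes([2 + (acc[1] & 1)]) + acc[0].to_bytes(32, "big")

def ckd_priv(k, chain, i):
    """BIP32 child key: hardened indexes hash the private key, others the pubkey."""
    data = b"\x00" + k.to_bytes(32, "big") if i >= HARDENED else pubkey(k)
    I = hmac.new(chain, data + i.to_bytes(4, "big"), hashlib.sha512).digest()
    tweak = int.from_bytes(I[:32], "big")
    child = (tweak + k) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child, use the next index")
    return child, I[32:]

def derive(seed, path):
    """Walk a path such as m/0'/1/5 from a BIP32 seed; returns (key, chain code)."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, chain = int.from_bytes(I[:32], "big"), I[32:]
    for part in path.split("/")[1:]:
        i = int(part.rstrip("'")) + (HARDENED if part.endswith("'") else 0)
        k, chain = ckd_priv(k, chain, i)
    return k, chain

def wallet_pubkeys(seed, count):
    # Hypothetical helper: receive chain m/0'/0/i and change chain m/0'/1/i
    return {name: [pubkey(derive(seed, f"m/0'/{c}/{i}")[0]) for i in range(count)]
            for name, c in (("receive", 0), ("change", 1))}
```

As with the offline copy of the tool in step 1, a real seed should only ever be fed to code like this on a machine that is offline.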

yinon (OP)
June 15, 2017, 07:41:20 AM
Merited by ABCbits (1)
 #3

I had tried that 2nd approach you suggested prior to asking here, although the necessary private keys (change addresses) were not found in the first 3000 rows, so I figured I was not looking in the right direction and stopped going further down the pipe. I missed it.
Breadwallet just went through all the available wallet keys and it took a while, but it finally recovered.

Thank you for that enlightening answer, it helped me understand the issue and procedure.