Poll
Question: Does anyone know how this happened?
A - 0 (0%)
B - 0 (0%)
Total Voters: 0

Author Topic: Electrum Wallet Hacked  (Read 676 times)
pegasus9847 (OP)
November 08, 2017, 11:32:20 PM
 #1

I recently opened electrum wallet to discover that 7.26 BTC was sent to an unknown address on Oct. 2.  I keep this wallet on a thumb drive, and the last time it had been connected online was late August.  If anyone has had a similar experience or could offer any thoughts on how this happened, I'd appreciate it.  Thanks.
Coin-Keeper
November 09, 2017, 12:32:42 AM
 #2

The thumb drive still had to be connected to a computer in order to go online with it.  Your computer most likely has a virus/malware on it.  If you want to post the TX here we can take a look to try and help.  Is there any chance you did a transaction and the 7.26 BTC was moved by Electrum to a change address in the same wallet?  You would still see the balance in your Electrum wallet, but the original address would appear empty.  This is how Electrum operates to protect you.

pegasus9847 (OP)
November 09, 2017, 12:40:29 AM
 #3

Thanks for responding.
This is the TX;

8884292a996c1515acade6d6c2ac3cbb4fa7079c3bd504249ee1e151049636b4
aplistir
November 09, 2017, 06:37:43 AM
 #4

Quote from: Coin-Keeper on November 09, 2017, 12:32:42 AM
The thumb drive still had to be connected to a computer in order to go online with it.  Your computer most likely has a virus/malware on it.  If you want to post the TX here we can take a look to try and help.  Is there any chance you did a transaction and the 7.26 BTC was moved by Electrum to a change address in the same wallet?  You would still see the balance in your Electrum wallet, but the original address would appear empty.  This is how Electrum operates to protect you.

Could be malware, but that is not the only possibility.
Could have been a weak private key or brainwallet
Could be someone who had access to your USB-key. Who knows

I do not think any bitcoin wallet checks that a private key is not weak. But of course it is extremely unlikely, because there are so many possible keys.

Lucius
November 09, 2017, 09:51:23 AM
 #5

Quote from: pegasus9847 on November 08, 2017, 11:32:20 PM
I recently opened electrum wallet to discover that 7.26 BTC was sent to an unknown address on Oct. 2.  I keep this wallet on a thumb drive, and the last time it had been connected online was late August.  If anyone has had a similar experience or could offer any thoughts on how this happened, I'd appreciate it.  Thanks.

Unfortunately you are not the only one who lost BTC in a similar way, and what the cause of this is we can only guess. Since you have your wallet on a thumb drive, there is a possibility that someone other than you used this drive and stole your coins. But it is more likely that you somehow exposed your seed/private keys on your PC/laptop and a hacker found a way to steal them.

The only safe way to keep your coins safe is a hardware wallet in case you need to access them on a daily basis, or a paper wallet like cold storage. An identical theft case like yours has been recently reported here: https://bitcointalk.org/index.php?topic=2320352.msg23565839#msg23565839

cynical
November 09, 2017, 11:23:12 AM
 #6

hmm strange one this.
is your pen drive encrypted or is it a standard plug and play drive?
I have no idea how this might have happened, just throwing another question into the mix

pegasus9847 (OP)
November 09, 2017, 03:24:17 PM
 #7

Thanks to all who responded.  Just a little background, although thumb drive was standard, I password protected the individual files with Axcrypt.  I was using Malwarebytes and Eset full security but I think I found a file that could be the culprit to all this.  It was something like service.hostexe* and when I clicked on it, a pop-up appeared asking for a password and username. I did some research on this and it is described as a threat, although there is no way to know if this was responsible for the hack.  When I deleted it, it automatically reinstalled itself upon reboot. It went undetected, but for anyone who is curious, it was found in app data...roaming.  I have since reformatted my hard drive and it is no longer there. One thing I noticed was that when you unplug a thumb drive from a pc, it writes some of the files to your hard drive which seems counterintuitive since one point of using an external drive is for privacy.

I know there is nothing I can do at this point, but I hope this helps someone in the future.


Coin-Keeper
November 09, 2017, 11:56:00 PM
 #8

I see that you found your answer.  Sucks though because that's 50 Grand in coin.  Others reading along here, please consider either going "cold" wallet or hardware wallet.

Lucius
November 10, 2017, 10:19:14 AM
 #9

Quote from: pegasus9847 on November 09, 2017, 03:24:17 PM
Thanks to all who responded.  Just a little background, although thumb drive was standard, I password protected the individual files with Axcrypt.  I was using Malwarebytes and Eset full security but I think I found a file that could be the culprit to all this.  It was something like service.hostexe* and when I clicked on it, a pop-up appeared asking for a password and username. I did some research on this and it is described as a threat, although there is no way to know if this was responsible for the hack.  When I deleted it, it automatically reinstalled itself upon reboot. It went undetected, but for anyone who is curious, it was found in app data...roaming.  I have since reformatted my hard drive and it is no longer there. One thing I noticed was that when you unplug a thumb drive from a pc, it writes some of the files to your hard drive which seems counterintuitive since one point of using an external drive is for privacy.

I know there is nothing I can do at this point, but I hope this helps someone in the future.




I'm interested in how you caught that virus/malware if you have Eset and Malwarebytes (is this the premium or free version?), because it should be good protection. My antivirus scans every file which tries to download to my PC, and firewall + Malwarebytes Premium has for now proved to be adequate protection.

Do you have your seed/private keys backup on your PC/laptop maybe?

It seems that you have a RAT (remote access trojan) on your computer, and it is good that you formatted the hard drive. A hardware wallet is the only safe way to store BTC these days since hackers find ways to steal our coins.

cynical
November 10, 2017, 11:07:16 AM
 #10

Quote from: pegasus9847 on November 09, 2017, 03:24:17 PM
Thanks to all who responded.  Just a little background, although thumb drive was standard, I password protected the individual files with Axcrypt.  I was using Malwarebytes and Eset full security but I think I found a file that could be the culprit to all this.  It was something like service.hostexe* and when I clicked on it, a pop-up appeared asking for a password and username. I did some research on this and it is described as a threat, although there is no way to know if this was responsible for the hack.  When I deleted it, it automatically reinstalled itself upon reboot. It went undetected, but for anyone who is curious, it was found in app data...roaming.  I have since reformatted my hard drive and it is no longer there. One thing I noticed was that when you unplug a thumb drive from a pc, it writes some of the files to your hard drive which seems counterintuitive since one point of using an external drive is for privacy.

I know there is nothing I can do at this point, but I hope this helps someone in the future.



thanks for posting back into the board. interesting information.
i wonder how many drives are infected with this?
is this infection targeted to crypto files i wonder?


EDIT ***********
https://malwaretips.com/blogs/svchost-exe-virus-removal/

'The original system file svchost.exe is located in C:\Windows\System32 folder. Any file named “svchost.exe” located in other folder can be considered as a malware.'

pegasus9847 (OP)
November 10, 2017, 04:27:37 PM
 #11

The file "servicehost.exe*" seems to nest itself in the C: Drive, at least that was my finding.  I don't know if this virus is specifically engineered to hunt crypto currencies.  From what I read, this is a generic virus that can compromise pretty much anything on your computer that is vulnerable.  I didn't find it on my thumb drive, but like I stated in an earlier post, Windows will write files to your hard drive even after the thumb drive is removed without your knowledge.  This is something that people should take note of as there is no pop-up notification to inform you that this is occurring.
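
Added example, not part of the thread or written by any poster: a triage check that applies the rule quoted in post #10 (svchost.exe belongs only in the Windows system folder) and the AppData\Roaming location reported in post #7 to a list of executable paths. The sample paths, the extra protected names, the SysWOW64 allowance and the one-character lookalike heuristic are assumptions made for this illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# svchost.exe's System32 location is the one quoted in the thread; SysWOW64 holds
# the 32-bit copy on 64-bit Windows. The other protected names are assumptions.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PROTECTED = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}

# Constructed sample input: executable paths as a process or autostart listing
# would report them. Only the name servicehost.exe comes from the thread.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\servicehost.exe",
    r"C:\ProgramData\svch0st.exe",
    r"C:\Program Files\Electrum\electrum.exe",
]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def findings(path):
    """Return the reasons a path deserves a closer look (empty list = none)."""
    norm = ntpath.normpath(path).lower()
    folder, name = ntpath.split(norm)
    reasons = []
    if name in PROTECTED:
        if folder not in SYSTEM_DIRS:
            reasons.append("system binary name outside System32")
    elif any(edit_distance(name, p) == 1 for p in PROTECTED):
        reasons.append("one character away from a system binary name")
    if "\\appdata\\roaming\\" in norm:
        reasons.append("runs from AppData\\Roaming")
    return reasons

def triage(paths):
    """Map each flagged path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := findings(p))}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

A flagged path is a lead for closer inspection rather than a verdict, since legitimate software also installs under AppData\Roaming.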