Foreign Transaction on 13.02.18 (BTCs stolen?)

[KryptoPaul]

Hey,
im using an electrum wallet and a pretty safe setup, unfortunately it seems like my BTCs (~0.02BTC) were "stolen". on 13.02.18
someone (not me) made a transaction of full amount. Usually you would say i got malware or a keylogger but look now look at the receivers "wallet":
bc1qrxg3evc3jlnhqle2uhauag708ltzumaskj2nx5 (and the transaction ID for details: a85cb7ff23ac5371d6dff9a623b80e516cfe2009072169b3cdb48442c63a982c)
according to blockchain.info thats not even a legit wallet adress... before i stop: im using the electrum 3.0.5 full node wallet since the beginning of february, as there was
found a security issue in all versions of 3.0.4 and earlier. 
has anyone experienced similar things or can explain to me what happened there? for the very uncertain case someone can bring me back my BTCs
i will of course give you a small bounty
kind regards

[jackg]

Hey,
im using an electrum wallet and a pretty safe setup, unfortunately it seems like my BTCs (~0.02BTC) were "stolen". on 13.02.18
someone (not me) made a transaction of full amount. Usually you would say i got malware or a keylogger but look now look at the receivers "wallet":
bc1qrxg3evc3jlnhqle2uhauag708ltzumaskj2nx5 (and the transaction ID for details: a85cb7ff23ac5371d6dff9a623b80e516cfe2009072169b3cdb48442c63a982c)
according to blockchain.info thats not even a legit wallet adress... before i stop: im using the electrum 3.0.5 full node wallet since the beginning of february, as there was
found a security issue in all versions of 3.0.4 and earlier. 
has anyone experienced similar things or can explain to me what happened there? for the very uncertain case someone can bring me back my BTCs
i will of course give you a small bounty
kind regards

BTC.com says it's a valid bitcoin address. https://btc.com/bc1qrxg3evc3jlnhqle2uhauag708ltzumaskj2nx5

Try my address to the left (ending in 6ez) and you'll see blockchain.info says the address doesn't exist, or there's an incorrectly placed 0 or something like that).

Have you installed/been anywhere where a virus could be installed? Any free services that seem to good to be true (downloading/watching content that would have required money to produce).

[KryptoPaul]

i dont think so, well who knows. thanks anyway

[jackg]

i dont think so, well who knows. thanks anyway

Anyway, your Bitcoins appear to be sat in this address bc1qq5zvcqrn886rkxyzc5ue6nlw9mc02ha9se3hhy. One leap after the leap from yours. Not sure why they'd do that, maybe it went to a mixer or something and that's where it remains.

You might want to keep a look out for that to see if the coins move to an exchange as you might be able to ge their identity from the exchange it moves into.

[HCP]

Hey,
im using an electrum wallet and a pretty safe setup, unfortunately it seems like my BTCs (~0.02BTC) were "stolen". on 13.02.18
someone (not me) made a transaction of full amount. Usually you would say i got malware or a keylogger but look now look at the receivers "wallet":
bc1qrxg3evc3jlnhqle2uhauag708ltzumaskj2nx5 (and the transaction ID for details: a85cb7ff23ac5371d6dff9a623b80e516cfe2009072169b3cdb48442c63a982c)
according to blockchain.info thats not even a legit wallet adress...

That's simply because blockchain.info have not properly updated their systems to deal with "bech32" addresses... aka "bc1" addresses.

Other block explorers, like btc.com, which have been updated, work fine:
Address: https://btc.com/bc1qrxg3evc3jlnhqle2uhauag708ltzumaskj2nx5
Transaction: https://btc.com/a85cb7ff23ac5371d6dff9a623b80e516cfe2009072169b3cdb48442c63a982c

before i stop: im using the electrum 3.0.5 full node wallet since the beginning of february, as there was
found a security issue in all versions of 3.0.4 and earlier.  
has anyone experienced similar things or can explain to me what happened there?

The simple answer is that your private keys (and/or seed mnemonic) have been compromised.

Have you done any of the following prior to Feb 13th:
- Entered your seed mnemonic into any websites/wallet apps to claim bitcoin forks?
- Entered your private keys into any websites/wallet apps to claim bitcoin forks?
- Imported your wallet into an "Electrum Clone" to claim bitcoin forks?
- Downloaded and used any wallets for bitcoin forks or altcoins?
- Stored your seed mnemonic "digitally" (ie. in a text file on your computer or email or dropbox/google drive etc)?

Additionally, did you double check that the version of Electrum v3.0.5 that you downloaded was from www.electrum.org ? There have been a LOT of scam copies of the Electrum website (electrumsource.org, electrumwallet.org etc) over the last couple of months... have you checked your browser history? Have you checked the digital signature of the wallet installer?

for the very uncertain case someone can bring me back my BTCs

If you didn't send that transaction, then only the person who controls the address bc1qq5zvcqrn886rkxyzc5ue6nlw9mc02ha9se3hhy can give your coins back (as that is where they are now sitting)... and I'd guess the chances of that happening are somewhere between slim and none



Just out of curiosity, when you upgraded to v3.0.5... did you happen to experiment at all with SegWit wallets etc in Electrum? It looks like the original address your coins were sent to, received a little test transaction for 5000 satoshi's immediately prior to receiving your coins, see the transaction history: https://btc.com/bc1qrxg3evc3jlnhqle2uhauag708ltzumaskj2nx5

This transaction: https://btc.com/d9476a428e3fe213245559d40cf15470036b5caec20582ecadb4cba0f17520e6
then 7 minutes later: https://btc.com/a85cb7ff23ac5371d6dff9a623b80e516cfe2009072169b3cdb48442c63a982c
then 10 days later the coins were moved: https://btc.com/a267c230b2b67eb1f21114f5f636a1cec683d14f45ac832032b21e893f1c0cef