Author Topic: Bitcoin stolen from Electrum wallet  (Read 317 times)
adamtyelor1 (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
March 07, 2018, 03:52:29 PM
 #1

This morning I created an Electrum wallet (3.1.0) and transferred 1 BTC. 1 hour later 2 withdrawals were made, and now my wallet is empty. I lost the 1 BTC I had there.

I had 2FA activated, how is that even possible?

Please help me.
adamtyelor1 (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
March 07, 2018, 03:58:37 PM
 #2

The 2 transaction TX were:

6f99b1fe0040443d8dcf2bb1793a26148989f386769c0296645a3171fc32ee4f
48a8c22d0ba6ae103d2e2da068b814e701f73af38c7aa556ab12e0cf27d23e17

The IP from which they connected to the wallet must be known to Electrum! Also how come it didn't ask the hacker 2FA to withdraw?

Please help.
Near28
Jr. Member
*
Offline Offline

Activity: 41
Merit: 10


View Profile
March 07, 2018, 04:00:10 PM
 #3

Check your Download-History, did you load Electrum from the original electrum.org website?
buwaytress
Legendary
*
Offline Offline

Activity: 2786
Merit: 3437




View Profile
March 07, 2018, 04:38:52 PM
 #4

So your Electrum wallet address is which? Can you show the transaction you made to your wallet? The tx ids you've shared seem to be the one transferring it out. If the first tx is yours, then the 2nd only transferred out 0.015+ BTC. How about a more detailed description? Are you sure your wallet's fully synced (green button, bottom right) and your balance (bottom left) is 0?

Like you said, if 2fa was enabled, doesn't seem likely. Also, if this was your first transaction with Electrum 2FA, it should have spent the fee to TrustedCoin.

bob123
Legendary
*
Offline Offline

Activity: 1624
Merit: 2481



View Profile WWW
March 07, 2018, 04:43:54 PM
 #5

Quote from: adamtyelor1
> This morning I created an Electrum wallet (3.1.0) and transferred 1 BTC. 1 hour later 2 withdrawals were made, and now my wallet is empty. I lost the 1 BTC I had there.
>
> I had 2FA activated, how is that even possible?
> Also how come it didn't ask the hacker 2FA to withdraw?

If you really had 2FA 'activated' the most likely 2 things which happened (in my opinion) are those:
1) You have downloaded a malicious version of electrum and therefore didn't have any real 2FA activated.
2) You are completely compromised. Someone has access to a) your PC and b) has either cloned your mobile or cloned your GA code(s).

You should definitely scan your system for any malware. And to be on the safe side you should set up a fresh OS install.

Additionally, the next time you are going to store BTC: Make sure to store relatively high amounts (like 1 BTC is currently) safe offline (hardware or paper wallet).

adamtyelor1 (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
March 07, 2018, 05:43:25 PM
 #6

I downloaded from the official website, but I found a malware "remcos" on my computer, and they keylogged everything.

I traced the stolen bitcoins to Binance, unsure what I can do from here.
stevegee58
Legendary
*
Offline Offline

Activity: 916
Merit: 1003



View Profile
March 07, 2018, 05:53:52 PM
 #7

Quote from: adamtyelor1
> I downloaded from the official website, but I found a malware "remcos" on my computer, and they keylogged everything.
>
> I traced the stolen bitcoins to Binance, unsure what I can do from here.

It doesn't cost you anything to inform Binance and see where it takes you.

Regarding malware, I'm gonna guess you're a Windows user.  Stop that and switch all your crypto activities to Linux.

You are in a maze of twisty little passages, all alike.
BitMaxz
Legendary
*
Offline Offline

Activity: 3234
Merit: 2942


Block halving is coming.


View Profile WWW
March 07, 2018, 05:55:29 PM
 #8

There are many phishing sites these days, and mostly they are abusing the free service from google or bing ads.

They are promoting a fake Electrum because it's mostly used by many bitcoin users, and they can target and choose only new users with AdWords or Bing ads. I have basic SEO knowledge and I know how to set up AdWords and Bing ads; I have used them for a long time when promoting a whitehat niche, so I know what those scammers are doing.

I already posted a sample of a fake website here in the forum you can check my post here

https://bitcointalk.org/index.php?topic=2958844.msg30441754#msg30441754

I heard someone downloaded a fake Electrum, but the LTC version, a few days ago, and maybe this is the website where you downloaded Electrum.
Code:
http://electrumltc.org/


If the site is different, better to share the correct website with us so that we can report it immediately to Google or Bing ads to remove this fake website.

adamtyelor1 (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
March 07, 2018, 07:36:28 PM
 #9

Thanks for the answers. I downloaded the software from this page:

https://electrum.org/#download

It is the official version I would say. But they used the REMCOS malware to keylog everything and stole my money like this.
stevegee58
Legendary
*
Offline Offline

Activity: 916
Merit: 1003



View Profile
March 07, 2018, 07:42:15 PM
 #10

You're assuming remcos was packaged with Electrum.  It's more likely that you were already infected.

You are in a maze of twisty little passages, all alike.
NeuroticFish
Legendary
*
Offline Offline

Activity: 3654
Merit: 6365




View Profile
March 07, 2018, 07:45:12 PM
 #11

Quote from: adamtyelor1
> Thanks for the answers. I downloaded the software from this page:
>
> https://electrum.org/#download
>
> It is the official version I would say. But they used the REMCOS malware to keylog everything and stole my money like this.

I guess that they didn't just keylog everything, they also copied some of your files (at least the wallet file).
Since they logged all, they have your password too, so they could access your private keys, even if you had the 2FA.

All in all, your money was not stolen from Electrum. It was stolen .. from you.
Very sad story :(

You should have really checked your computer for viruses before trying to keep one Bitcoin on it...

adamtyelor1 (OP)
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
March 07, 2018, 08:14:25 PM
 #12

I didn't say the Electrum wallet was infected, but yea my computer was infected by this malware at some point, and they used it to hack my Electrum wallet and withdrew the funds.
HCP
Legendary
*
Offline Offline

Activity: 2086
Merit: 4316

<insert witty quote here>


View Profile
March 08, 2018, 03:29:41 AM
 #13

I suspect they didn't "hack" your wallet, or your 2FA... they will have keylogged the seed when you had to enter it during wallet setup.

By using the seed they will have been able to restore the 2FA wallet in "disabled" mode, with two private keys in the wallet file, allowing them to create and sign transactions while bypassing TrustedCoin's 2FA system.

An unfortunate, and costly, lesson about the dangers of malware and cryptocurrency.


Quote from: adamtyelor1
> I traced the stolen bitcoins to Binance, unsure what I can do from here.

Pretty much nothing. I doubt Binance will care and to be honest, aside from "your word", there is no way to prove they were actually "stolen". Yes, they were transferred... but there is no way to prove that this was an unauthorised transfer, as the thief "proved" ownership by signing the transaction with the private keys...

Cryptocurrency can be a harsh mistress.

pushups44
Sr. Member
****
Offline Offline

Activity: 854
Merit: 281


View Profile
March 08, 2018, 05:37:21 AM
 #14

Wow. Very good advice on this thread. Some of the interesting ones: use Linux, a hardware wallet when possible, and make sure you always, always check for malware before doing transactions.
stevegee58
Legendary
*
Offline Offline

Activity: 916
Merit: 1003



View Profile
March 08, 2018, 12:02:22 PM
 #15

Here's something else to consider.  I'm a Linux user but you still have to be careful since there *are* Linux exploits.  The only reason Windows seems more vulnerable to hacking is that it's low-hanging fruit to hackers i.e. there are way more Windows users than any other OS.

For the truly paranoid, one could use  something like Qubes that spins up a fresh VM every time you do something.  If a VM instance is infected it doesn't matter because the VM template is always secure in the future.

It sounds like OP's computer was infected with remcos beforehand by a bad actor.  Someone with physical access may have installed it or it may have been delivered by a tainted download.  Either way, OP has multiple opportunities to tighten up his security.

You are in a maze of twisty little passages, all alike.
d0nsly
Member
**
Offline Offline

Activity: 116
Merit: 10


View Profile
March 08, 2018, 12:57:28 PM
 #16

You were infected either via RAT or someone sneakily installed the virus without your knowledge.
The best you could do is re-install the OS and tighten your security; do not download anything else unless it's really important to you.

Sorry for your loss
eternalgloom
Legendary
*
Offline Offline

Activity: 1792
Merit: 1283



View Profile WWW
March 08, 2018, 01:07:17 PM
 #17

Quote from: stevegee58
> Quote from: adamtyelor1
> > I downloaded from the official website, but I found a malware "remcos" on my computer, and they keylogged everything.
> >
> > I traced the stolen bitcoins to Binance, unsure what I can do from here.
>
> It doesn't cost you anything to inform Binance and see where it takes you.
>
> Regarding malware, I'm gonna guess you're a Windows user.  Stop that and switch all your crypto activities to Linux.

While I really love Linux, advice like this doesn't accomplish anything, makes you sound really elitist.
You can safely use a hardware wallet and be a Windows user. Even using desktop wallets is fine 99% of the time, if you take some basic security precautions.

Usually wallets get hacked because the user installed malware that he downloaded himself, direct attacks are very unlikely, especially if you don't have a big amount of coins.
If you have a big amount of crypto assets, invest in a hardware wallet.

Another important thing to note is that an unconfigured Linux desktop might be a bit safer than Windows by default, but it's not completely safe either.
An uninformed Linux user can do much more damage to his own system than an uninformed Windows user

bitmover
Legendary
*
Online Online

Activity: 2282
Merit: 5885


bitcoindata.science


View Profile WWW
March 08, 2018, 01:40:10 PM
 #18

If you use Windows, you need to take a few precautions:

-Use the latest version of Firefox
-Download uBlock Extension + Decentraleyes Extension
-Download Malwarebytes, update it daily
-Use Windows 10, update it daily/weekly
-Before downloading anything try it here http://virustotal.com/
-Use an updated Windows Defender.

These are very basic steps. If you had followed them, you wouldn't be infected... uBlock will block most of those phishing sites and Malwarebytes will take care of the rest.

Inform Binance and show them all the information you have (screenshots, keylogger, Electrum..)

Personally, I don't trust Windows wallets. I prefer to use web wallets like blockchain.info or mobile wallets like coinomi or samourai. Even if your computer is infected, you probably wouldn't be robbed....

Hardware wallets are much better and should be used if you have more than 1, in my opinion.

stevegee58
Legendary
*
Offline Offline

Activity: 916
Merit: 1003



View Profile
March 08, 2018, 02:07:02 PM
 #19

Quote from: eternalgloom
> While I really love Linux, advice like this doesn't accomplish anything, makes you sound really elitist.
> You can safely use a hardware wallet and be a Windows user. Even using desktop wallets is fine 99% of the time, if you take some basic security precautions.

I'm completely unconcerned with how I sound.  I'm only concerned with evidence-based strategies that work.

Quote from: eternalgloom
> Usually wallets get hacked because the user installed malware that he downloaded himself, direct attacks are very unlikely, especially if you don't have a big amount of coins.
> If you have a big amount of crypto assets, invest in a hardware wallet.

Absolutely.  I don't have any hard statistics I can quote but it seems likely that 99% of malware is inadvertently installed by the users themselves.

Regarding hardware wallets: for me the jury's still out.  I don't like being dependent on a hardware device in case something goes wrong with it.
Electrum is an open source program that I can run directly from source code without installation.  That's very empowering.

Quote from: eternalgloom
> Another important thing to note is that an unconfigured Linux desktop might be a bit safer than Windows by default, but it's not completely safe either.
> An uninformed Linux user can do much more damage to his own system than an uninformed Windows user

Yup.  Like any power tool you can do useful work with it or also cut your own hand off.  Taking responsibility for your own actions and safety isn't quick and easy; you have to do actual work.

You are in a maze of twisty little passages, all alike.
bob123
Legendary
*
Offline Offline

Activity: 1624
Merit: 2481



View Profile WWW
March 08, 2018, 02:44:28 PM
 #20

Quote from: eternalgloom
> Even using desktop wallets is fine 99% of the time, if you take some basic security precautions.

I wouldn't say 99%.. but it definitely can be somehow safe.
But there are still exploits which simply aren't fixed yet and are a perfect entry point for malware targeting crypto users.
There are things which you can't protect yourself from with a desktop wallet.

Additionally the 'basic security precautions' are probably not achievable/doable for 90%+ of the daily Windows users.



Quote from: stevegee58
> Regarding hardware wallets: for me the jury's still out.  I don't like being dependent on a hardware device in case something goes wrong with it.
> Electrum is an open source program that I can run directly from source code without installation.  That's very empowering.

You can enjoy the electrum GUI and still have the security of a hardware wallet.
When creating a wallet in electrum you have the choice to add a HW wallet (which will hold the private keys / do the TX signing).
