Bitcoin Forum
Topic: The wallet itself made two transactions!
ulyashkin.am (OP) | May 21, 2018, 03:05:54 AM | #1

Good afternoon. A very unpleasant situation has happened. I wanted to make a mass payment to bitcoin addresses using Electrum's functionality. I topped up the wallet with 0.15 BTC:
https://blockchain.info/en/tx/6a42ea66026653758c08d14e946a64e19794a408a937bf329445b0a7e57f2924
after which, almost immediately, a transaction appeared in the wallet sending the funds to an address completely unknown to me:
https://blockchain.info/tx/ecf39b1efd1a93923f2ab568a1c2b1cfd88c7a9f730c5e22db3305bd2299de6f for the amount of 0.1485 BTC. I did not make it.

For the sake of experiment, I topped up the wallet again with 0.05 BTC; the situation repeated. Immediately there was a transaction sending the funds to another address completely unknown to me.
Top-up of 0.05 BTC: https://blockchain.info/tx/a14911f71e6ae99f5a38e5d789d30d31b6ae65e91584364853e4fa8b78efeb24
Resulting withdrawal of 0.0495 BTC:
https://blockchain.info/tx/1030397a12a983b8818a4af309c05fd42dece6a82b3cd58e8fb21c3522bd2435

I did not make this withdrawal either. How could this happen?
https://yadi.sk/i/EMOMFYUL3WGLDG - I attach a screenshot of the program window. At the time of the incident the Electrum version was 3.0.5.
pooya87 | May 21, 2018, 04:09:45 AM | #2

There is a good chance that your wallet has been compromised. Someone has your seed and has set up a script to watch all your addresses (old and new), and whenever you send some funds to any of these addresses it is automatically spent to the addresses he controls.

Stop using this wallet, run a virus scan to see if you have any malware on your computer, and start using cold storage.

eddie13 | May 21, 2018, 04:19:08 AM | #3

Did you by chance claim any forks with that seed?

ulyashkin.am (OP) | May 21, 2018, 04:22:05 AM | #4

Quote from: pooya87
stop using this wallet, run a virus scan to see if you have any malware on your computer and start using cold storage.

Of course, I do not use it anymore. I was surprised at the speed with which the bitcoins were withdrawn. Almost instantly. However, I used the same wallet in the BitPay mobile application. When Electrum was closed, a received transaction with a small number of coins was not spent. I opened Electrum; it was also not spent. What about the vulnerability where a malicious site and the wallet are open at the same time?
pooya87 | May 21, 2018, 04:29:22 AM | #5

Quote from: ulyashkin.am
Of course, I do not use it anymore. I was surprised at the speed with which the bitcoins were withdrawn. Almost instantly.
It is just a small script with a node watching this address and spending coins that it receives immediately.

Quote from: ulyashkin.am
However, I used the same wallet in the BitPay mobile application.
I am not sure how the BitPay wallet works, but it got me thinking whether you actually own the private keys to those addresses.
For example, you sent 0.15 BTC to this address: 1JwwG2TbXxwRxV9mFg8hqKrvt3WZH4uD2j
Was this address created by your Electrum wallet, which has a seed, or did you generate this address using BitPay, and do you have access to its private key?

Quote from: ulyashkin.am
What about the vulnerability where a malicious site and the wallet are open at the same time?
This particular vulnerability existed in versions from 2.6 to 3.0.4; you said your version is 3.0.5.

ulyashkin.am (OP) | May 21, 2018, 05:03:48 AM | #6

Unfortunately, I do not remember which wallet originally created the initial key pair. I do have access to the BitPay private key; I'll now try to generate the other branches from it. Perhaps these addresses derive from the parent key of the BitPay wallet?
nc50lc | May 21, 2018, 06:03:04 AM (last edit: May 21, 2018, 01:41:39 PM by nc50lc) | #7

Quote from: ulyashkin.am
What about the vulnerability where a malicious site and the wallet are open at the same time?
Aside from the vulnerable versions, double-check the site where you downloaded your Electrum.
There are a couple of fake sites which are almost identical to the original Electrum site, excluding the recently taken-down electrum.com (not identical, but claiming to be legit), which offered malware Electrum downloads.

The official site is: electrum.org - no other alterations, subdomains or URL extensions.

If you want to use Electrum, create a new mnemonic SEED phrase using the application itself, offline or online.
Any pre-generated SEEDs can be compromised during creation or transfer; that security flaw wasn't introduced by Electrum.

Ayanamirs | May 21, 2018, 09:24:37 AM | #8

Did you check the PGP signature?
bob123 | May 21, 2018, 01:29:25 PM | #9

This definitely means your private keys/seed are/is compromised.
It would be interesting to find out how this happened.


These are the (most probable) possibilities:

  • [1] An attacker has a copy of your seed or private keys (this would be the best case)
  • [2] You have downloaded a malicious version of Electrum
  • [3] Your system (or maybe your whole network) is compromised (worst case)


To exclude [3] (with high probability), you can do a full malware scan. A scan with no results does not always mean your system is clean, but the chances are 'good'.

To exclude [2], you could simply hash the Electrum executable and post it here, so we can compare it with ours.
First, tell us which version of Electrum you are running (installed/portable, Windows/Linux, ...), then open the command prompt (search for 'CMD', assuming you are on Windows) and enter:
Code:
certUtil -hashfile C:\path\to\electrum.exe sha256
Then reply with the result. The output for the portable version (3.1.2), for example, would be: d42391fe8069be5ebfab9d3e1e4f4f8dbd0e36d80bc841677d76359510e22b6e

[1] can never be excluded 100%. But chances are high that it is the case if [2] and [3] seem unlikely.
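
As an added example (not code from the thread, and not the Electrum project's own code), here is how the two download checks raised in this thread, the SHA-256 hash bob123 asks for and the PGP signature Ayanamirs asks about, can be scripted so that a bad file is rejected before it is ever run. It assumes the expected digest comes from an out-of-band source, that the release signing key is already in the local GnuPG keyring, that the detached signature sits next to the binary with a `.asc` suffix, and that `gpg` is on PATH; the file name and the all-zero fingerprint in the usage block are placeholders, and the digest there is only the one bob123 quotes for the 3.1.2 portable build. The signature check pins the signer's fingerprint from GnuPG's `VALIDSIG` status line instead of trusting the exit code, because a valid signature from any other key in the keyring would otherwise pass.

```python
"""Added example: verify a downloaded wallet binary by SHA-256 digest and by a
detached PGP signature before running it.

Assumptions (not from the thread): the expected digest is obtained out of band,
the release signing key is already imported into the local GnuPG keyring, the
detached signature is stored as <binary>.asc, and `gpg` is on PATH.
"""
import hashlib
import hmac
import subprocess
from typing import BinaryIO


def sha256_stream(fobj: BinaryIO) -> str:
    """Hex SHA-256 of a binary stream, read in 1 MiB chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(1 << 20), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_file(path: str) -> str:
    with open(path, "rb") as fobj:
        return sha256_stream(fobj)


def digests_equal(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison of two hex digests; tolerates case and whitespace in the expected value."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())


def parse_gpg_status(status_output: str, expected_fingerprint: str) -> bool:
    """Accept only a VALIDSIG status line whose full fingerprint is the expected signer's.

    With --status-fd, GnuPG prints "[GNUPG:] VALIDSIG <fingerprint> ..." for a
    cryptographically valid signature. A valid signature made by some other key in
    the keyring also produces VALIDSIG, so the fingerprint must be pinned here.
    """
    want = expected_fingerprint.replace(" ", "").upper()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            if hmac.compare_digest(fields[2].upper(), want):
                return True
    return False


def verify_pgp_signature(path: str, expected_fingerprint: str) -> bool:
    """Run gpg on the detached signature and decide from the status lines, not the exit code alone."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path + ".asc", path],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and parse_gpg_status(proc.stdout, expected_fingerprint)


def check_download(path: str, expected_sha256: str, expected_fingerprint: str) -> dict:
    """Both checks must pass; each result is reported so the operator sees which one failed."""
    result = {"sha256_ok": digests_equal(sha256_file(path), expected_sha256)}
    result["signature_ok"] = verify_pgp_signature(path, expected_fingerprint)
    result["ok"] = result["sha256_ok"] and result["signature_ok"]
    return result


if __name__ == "__main__":
    # Placeholder values: substitute the real file, the published digest and the
    # signer's fingerprint obtained from an independent source. The digest is the
    # one quoted in the thread for the 3.1.2 portable build; the fingerprint is fake.
    print(check_download("electrum-3.1.2-portable.exe",
                         "d42391fe8069be5ebfab9d3e1e4f4f8dbd0e36d80bc841677d76359510e22b6e",
                         "0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"))
```

Reporting the two checks separately matters in practice: a hash mismatch with a good signature points at a corrupted or substituted download, while a good hash with a failed signature usually means the expected digest itself came from a source you should not trust.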

Mahanton | May 21, 2018, 10:27:51 PM | #10

Quote from: ulyashkin.am (OP), post #1 (quoted in full above)

Even that 0.003 balance was swept out down to the last satoshi. The thing here is that once you had seen that output of 0.25 bitcoins, you shouldn't have put in another 0.05 balance, because it is clearly seen that someone has access to your wallet. All transactions which weren't done by you signify that someone has your seed; this is the most probable reason why this happened, and that's easy money for that hacker. As suggested above, never use that wallet again. Clean your PC, or better reformat it, then install Electrum and store your seed not on the cloud.

ulyashkin.am (OP) | May 24, 2018, 08:10:37 AM | #11

Thank you for your advice. Understood, the system itself is clean. The key was compromised.
bob123 | May 24, 2018, 09:30:15 AM | #12

Quote from: ulyashkin.am
Thank you for your advice. Understood, the system itself is clean. The key was compromised.

Of course the key was compromised. If it hadn't been compromised, no transaction could have been made with this private key.
The important question is HOW it got compromised.

Do you already know how it happened? Did you enter it on a website? Missing/lost backup?
If you are not sure how this happened, it would be careless to assume the system is clean.
Simple, self-coded malware is NOT recognized by antivirus software. Fooling AV software is way easier than it should be..

So unless you are 100% sure how the key got compromised, I'd suggest being more careful when storing cryptos on your PC again.

 

Thirdspace | May 24, 2018, 10:55:11 AM | #13

I don't think that your wallet has been compromised.
I think you just misinterpreted the situation or forgot what you've done, or something else.
If stolen, the funds should have already been moved around by the thief to cover his tracks.

Code:
14xJg5VL5of4KgSCzUHx4HQkzXBnSQ2Van - (Unspent) 0.1485 BTC
12QnQv3nXs8KoEawMkUXfM8AKiJDWbJ2Ty - (Unspent) 0.0495 BTC
Both are still there unspent, and both have a 2nd output (change) sent back to you:
Code:
1H1GettgMQbqTCE68fGfcZzVjXPuXgcW1X - (Spent) 0.00129707 BTC
16UUSqso7c9gyqV3ZVZnqRtY6DdbFnBHvE - (Spent) 0.00029707 BTC
Notice the weird unique number? 29707... it can't be a coincidence.

bob123 | May 24, 2018, 11:16:39 AM | #14

Quote from: Thirdspace
I don't think that your wallet has been compromised,
I think you just misinterpreted the situation or forgot what you've done or something else

Do you have any suggestion what it might be? The only conclusion I have is a compromised wallet.

To summarise:
1) OP received 0.15 BTC at 1JwwG2TbXxwRxV9mFg8hqKrvt3WZH4uD2j.
2) About 13 minutes later this transaction appeared (fee of 89.79 sat/B and an odd second output), moving his funds.
3) OP received another 0.05 BTC at 134CGzVV4yzE99ahYngjn8KpfTiy8ATiKR.
4) About 4.5 minutes later this transaction appeared (fee of 89.79 sat/B and an odd second output), moving his funds.

Now when looking at the (overpaid) fee and the time interval between those transactions, it is very well imaginable (in my eyes) that his seed/wallet is compromised and a script is checking those addresses for deposits frequently.
Additionally, it seems like the change has also been transferred out after ~10 minutes.
I guess the script generated a transaction with change (to OP's wallet), and the next time this address was scanned by the script, it generated another transaction.


IMO this indicates a (poorly) written automatic script checking known private keys for a corresponding balance + OP's seed is compromised.


I'd be happy to hear another possibility of what might have happened! Feel free to post what you think!
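
As an added example (not code from the thread), the arithmetic behind bob123's summary and Thirdspace's "29707" observation, carried out on the four amounts quoted in the thread: each sweep spends one deposit, pays an output to the unknown address and returns change to the OP's wallet. The 226-byte transaction size is an assumption (the usual serialized size of a one-input, two-output P2PKH transaction) chosen because it reproduces the 89.79 sat/B figure quoted above; everything else is read off the quoted amounts, and no blockchain data is fetched. It goes one step beyond the posts: the absolute fee is the same 20293 sat in both transactions and the payout is exactly 99% of each deposit, and those two constants are what make both change outputs end in the same five digits.

```python
"""Added example (not code from the thread): quantify the sweep pattern bob123
and Thirdspace discuss, using the amounts quoted in the thread. The 226-byte
transaction size is an assumption (the standard size of a one-input, two-output
P2PKH transaction) that matches the 89.79 sat/B fee rate quoted in the thread."""
from dataclasses import dataclass
from decimal import Decimal
from fractions import Fraction

SATS_PER_BTC = Decimal(100_000_000)


def btc_to_sat(amount: str) -> int:
    """Parse a BTC amount string into an integer number of satoshis (no float rounding)."""
    return int((Decimal(amount) * SATS_PER_BTC).to_integral_value())


@dataclass(frozen=True)
class Sweep:
    """Summary of one sweep transaction: a single deposit UTXO spent to an unknown
    address, with the remainder returned to the victim's wallet as change."""
    label: str
    input_sat: int          # value of the deposit being spent
    payout_sat: int         # output to the unknown address
    change_sat: int         # output back to the victim's wallet
    size_bytes: int = 226   # assumed serialized size, see module docstring

    @property
    def fee_sat(self) -> int:
        return self.input_sat - self.payout_sat - self.change_sat

    @property
    def fee_rate(self) -> float:
        """Fee rate in sat/byte, rounded the way block explorers display it."""
        return round(self.fee_sat / self.size_bytes, 2)

    @property
    def payout_fraction(self) -> Fraction:
        return Fraction(self.payout_sat, self.input_sat)


# Constructed from the four amounts quoted in the thread.
SWEEPS = [
    Sweep("0.15 BTC deposit", btc_to_sat("0.15"), btc_to_sat("0.1485"), btc_to_sat("0.00129707")),
    Sweep("0.05 BTC deposit", btc_to_sat("0.05"), btc_to_sat("0.0495"), btc_to_sat("0.00029707")),
]


def analyse(sweeps):
    """Return indicators that the transactions came from one automated script rather
    than from a human: the same absolute fee, the same fraction of the deposit paid
    out, and change amounts whose low-order digits coincide as a consequence."""
    fees = sorted({s.fee_sat for s in sweeps})
    fractions = sorted({s.payout_fraction for s in sweeps})
    # With payout = 99% of a round deposit and a constant fee, change = 1% of the
    # deposit minus the fee. 1% of 0.15 BTC is 150000 sat and 1% of 0.05 BTC is
    # 50000 sat; both are congruent to 50000 modulo 100000, so both change
    # outputs end in the digits of 50000 - fee.
    low_digits = sorted({s.change_sat % 100_000 for s in sweeps})
    scripted = len(sweeps) > 1 and len(fees) == 1 and len(fractions) == 1
    return {
        "fees_sat": fees,
        "fee_rates_sat_per_byte": [s.fee_rate for s in sweeps],
        "payout_fractions": [str(f) for f in fractions],
        "change_low_digits": low_digits,
        "verdict": ("consistent with one automated sweep script" if scripted
                    else "no fixed fee/fraction pattern"),
    }


if __name__ == "__main__":
    for key, value in analyse(SWEEPS).items():
        print(f"{key}: {value}")
```

The same check is useful on any suspected sweep: a human spending from a wallet pays whatever fee the wallet estimates at the time, so two transactions minutes apart with an identical absolute fee and an identical payout ratio are a strong indicator of a script with hard-coded parameters.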

HCP | May 25, 2018, 08:05:06 AM | #15

Quote from: bob123
Do you have any suggestion what it might be? The only conclusion I have is a compromised wallet.

Quote from: bob123
IMO this indicates a (poorly) written automatic script checking known private keys for a corresponding balance + OP's seed is compromised.
Yeah... I'd have to agree with the compromised wallet scenario.

It would seem that it is most likely the "seed" that has been compromised (or at the very least the Master Private Key, possibly the entire wallet file if it had no password)... I suspect this is why there was some "change" going back into the wallet during the two transactions that transferred coins out. It's really the only way for an external script/wallet to be able to generate the change addresses.

Otherwise, it would have meant the OP was just messing around and accidentally sent coins to some place they didn't mean to... but you'd think someone might remember messing about clicking buttons inside a wallet app sending coins to themselves/random addresses ;)

Granted, it is a little unusual that the stolen UTXOs haven't been moved on... but perhaps it's an old script running on a server somewhere that the thief has forgotten about?


