Sorry for posting in here but it is somehow technical too. I put it on the main board and it got drowned by other posts very quickly.
A friend of mine recently got his trezor wallet cleaned out and we are trying to figure out what happened.
He gave me his ypub key and I imported it into Electrum to look at his transaction history.
His last legit transaction was 2 weeks ago but yesterday he got two extra withdrawals.
A test transaction was followed by a complete withdrawal of the entire wallet.
https://www.blocktrail.com/BTC/tx/7a2f637bcd6f30a02c298c64022d4148c58d9587ed6e2191a3a758ad40c6fda2https://www.blocktrail.com/BTC/tx/7d708a9dc692ce79170a411563ebdcc4110bdfadfdfe1c726b8fb5d3d0bc17bfIMHO, the fact that there were 2 transactions points towards a compromised seed.
The test tx actually returns most of the wallet amount back into the change address - which is a single use p2sh-p2wpkh address.
Then the change address itself is cleared in the 2nd tx.
The thief knows how to generate private keys for the entire hierarchical wallet. AFAIK, that requires the seed.
So, it looks like a targetted attack. My friend says he never put his seed online, never took a picture of it, etc.
He only kept it on a piece of paper, getting to it would imply someone who knows him.
But the receiving address has activities that I don't understand then.
https://www.blocktrail.com/BTC/address/18abkVcsfwvNHxFM1jN5WLAY9irB91FwTHThe address appear when he lost his funds and was itself cleared one day later.
However, it also sees the transfer of over 1000 btc as if it was the staging area of a large scale attack.
Does anyone know what has happened there?
Thanks,
--h
