Unable to use the seed from a wallet file to make any transaction

[Hexcolyte]

Decrypting the file is very easy. Go to wallet > password and enter your password in the first field only and click save. Then go to file > save copy to save a copy of the file somewhere convenient and then open it up in a  plain text editor like notepad

Thanks for your tip, upon decrypted the file, the content is just what has shown on the Electrum client, with same addresses, same transactions record, but wrong keystore.

Some info:
seed_version: 17
seed_type: standard
Keystore type: bip32

[Abdussamad]

You said before that you get asked the password at the very start when opening the old wallet file. Was this always the case or was it possible in the past for you to open the wallet file and view transactions without having to enter a password? The password would only have been required when sending bitcoins.

[Hexcolyte]

You said before that you get asked the password at the very start when opening the old wallet file. Was this always the case or was it possible in the past for you to open the wallet file and view transactions without having to enter a password? The password would only have been required when sending bitcoins.

Opening a previously opened wallet does not require password, only when I am doing sensitive action, or when opening another wallet from disk, then Electrum will asks me for password.

[HCP]

Just to clarify... there are THREE states for an Electrum wallet with regards to encryption and password:

1. Unencrypted - Wallet file is in Plain Text, private keys are in plain text. No password required for opening or doing "sensitive actions"
2. Password Protected - Wallet file is in Plaint Text, but private keys are encrypted with password. No password is required for opening, but you need the password when doing "sensitive actions"
3. Fully Encrypted - Wallet files is completed encrypted, private keys are also encrypted. Password is required when opening the wallet... and also when doing "sensitive actions".

These is on a WALLET level... so different wallets can have different levels of password protection/encryption.

[Hexcolyte]

Just to clarify... there are THREE states for an Electrum wallet with regards to encryption and password:

1. Unencrypted - Wallet file is in Plain Text, private keys are in plain text. No password required for opening or doing "sensitive actions"
2. Password Protected - Wallet file is in Plaint Text, but private keys are encrypted with password. No password is required for opening, but you need the password when doing "sensitive actions"
3. Fully Encrypted - Wallet files is completed encrypted, private keys are also encrypted. Password is required when opening the wallet... and also when doing "sensitive actions".

These is on a WALLET level... so different wallets can have different levels of password protection/encryption.

I am not sure what is the type of my wallet, when creating wallet, I simply input the password following the Electrum instruction, so I am thinking it should be password protected.
When I open Electrum application, it sometimes pop out an install wizard, telling me to provide password for a wallet I previously opened.
Not sure if my understanding is correct or not, afaik, opening wallet in a single session does not require password, but if I restart my computer, it will starts asking me for password.
If I open the wallet file in plain text, it shows random characters and numbers, not plain addresses or private key.

[Abdussamad]

Well you have malware on that PC. It modified the wallet file and replaced the addresses with the malware author's. Your bitcoins are gone and nothing can be done to get them back. The only thing you can do now is to format the hard drive and reinstall the operating system. This is the only way to ensure that the malware doesn't cause you problems in future.

Sorry for your loss.

[HCP]

If I open the wallet file in plain text, it shows random characters and numbers, not plain addresses or private key.

If you don't see ANY plain text when you open the wallet file in a text editor... and it's all just random chars, you have full encryption.

However, reading through all the symptoms, I think Abdussamad is correct. If the wallet file is using the same seed etc, but showing different addresses, then it would appear that the wallet file was tampered with somehow

[Hexcolyte]

If I open the wallet file in plain text, it shows random characters and numbers, not plain addresses or private key.

If you don't see ANY plain text when you open the wallet file in a text editor... and it's all just random chars, you have full encryption.

However, reading through all the symptoms, I think Abdussamad is correct. If the wallet file is using the same seed etc, but showing different addresses, then it would appear that the wallet file was tampered with somehow

Yeah I have accepted the fact that the wallet file has been tampered, and understand that there is close to zero chance for it to be recovered, just not sure how that happened.

When I am creating wallet, I am very careful with the process, and that wallet is not my first time so I am fully aware of the process. So it's either my computer has been compromised or simply human error.

[nc50lc]

Yeah I have accepted the fact that the wallet file has been tampered, and understand that there is close to zero chance for it to be recovered, just not sure how that happened.

When I am creating wallet, I am very careful with the process, and that wallet is not my first time so I am fully aware of the process. So it's either my computer has been compromised or simply human error.

Before showing the white flag, can you tell us some (non-sensitive) information regarding the wallet,
For more efficient deductions:

• Where did you downloaded that portable Electrum?
• Do the original wallet's bitcoin addresses starts with "3", "1" or "bc1"?
• Do the newly restored wallet's addresses start with the same character?

Also, double check on any blockexplorer if the addresses with balance reflect the same transactions as your "inbound" transactions.
I'm currently downloading Electrum Portable v3.1.3 to try to reproduce this.
-edit-
Works just fine, definitely not a bug of Electrum Version 3.1.3 Portable.

[Hexcolyte]

Where did you downloaded that portable Electrum?

From electrum.org, double checked from my browsing history.

Do the original wallet's bitcoin addresses starts with "3", "1" or "bc1"?

It starts with 1

Do the newly restored wallet's addresses start with the same character?

Yes, all of the addresses start with 1

Also, double check on any blockexplorer if the addresses with balance reflect the same transactions as your "inbound" transactions.

I have only used the address for receiving fund, never tried to send before. Also the address with fund is the only address I used from that wallet.
There is no weird transaction as far as I am concern.

Works just fine, definitely not a bug of Electrum Version 3.1.3 Portable.

If there was such a big issue with that version of client it would have already known by many, but I am thinking there might be some specific condition of my computer which triggered this problem.
I have verified the exe I downloaded, so it is basically impossible for me to use an infected client, it is also hard to interpret wallet creation process.

[bob123]

I have verified the exe I downloaded, so it is basically impossible for me to use an infected client

Well, that's not completely true..

There are several possibilities how an malicious actor can modify your electrum wallet even tho you have verified the signature before and the .exe itself being the correct one.

These techniques include (and are not limited to) malware which is nested into your system and waits for you to open electrum.
Once electrum is opened, it hooks itself into the process and injects dll's to maliciously modify the creation process of your wallet.

This is just one example on how someone COULD foist one an 'infected client' without the client itself being infected.


I am not saying that this has happened. But it is definitely not impossible. And also definitely more probable on a windows machine than on Linux/macOS.

[Hexcolyte]

I have verified the exe I downloaded, so it is basically impossible for me to use an infected client

Well, that's not completely true..

There are several possibilities how an malicious actor can modify your electrum wallet even tho you have verified the signature before and the .exe itself being the correct one.

These techniques include (and are not limited to) malware which is nested into your system and waits for you to open electrum.
Once electrum is opened, it hooks itself into the process and injects dll's to maliciously modify the creation process of your wallet.

This is just one example on how someone COULD foist one an 'infected client' without the client itself being infected.


I am not saying that this has happened. But it is definitely not impossible. And also definitely more probable on a windows machine than on Linux/macOS.

Thank you, I agree with you, that's definitely a possibility.

But I can't find any information regarding Electrum wallet modification malware exists on the internet. If there is, someone should try to improve Electrum and prevent this from happening again.

[bob123]

But I can't find any information regarding Electrum wallet modification malware exists on the internet.

I never said that it does exist.. but it would be a possibility.

In case it would exist, it probably wouldn't be that known. A single developer / group of developers could try to spread the malware themselves.
This wouldn't attract attention until a lot of users face that problem/malware.

If there is, someone should try to improve Electrum and prevent this from happening again.

This scenario is not that easy to circumvent.
You'd need to built electrum to NOT trust the system it is installed on.

And if you can't trust the system you are trying to install the software on, .. you shouldn't keep any private-/sensitive- information or cryptocurrencies on that machine at all..

Preventing injection is definitely possible, but not that necessary.
It is way easier for an attacker to simply gain access to the private keys once you open electrum. Injecting dll's into electrum just to counterfeit the wallet creation process seems to be a bit of an overkill to me.


And as i have already mentioned.. this is just ONE approach to modify the address you see. There are way more.
If electrum should be secured against each of these.. Thomas would need a few more developers who only focus on the security. This isn't feasible (and unnecessary since you have to trust the host machine when storing private keys, no need to try to defend against each possible attack when your own machine is compromised..).


Edit:
To clarify potential misconceptions regarding the safety/security of electrum:

What i have mentioned above is applicable to EVERY software. This is nothing specific to electrum (or any other specific application).

The branch which probably suffers the most from injections is the gaming industry.
They have teams of engineers and developers only working on anti-cheat mechanisms. There is no solution or technology which prevents this happening.
This is a cat-and-mouse game.