Bitcoin Forum
Author Topic: Electrum hacked  (Read 485 times)
yonton (OP)
Sr. Member
Activity: 854
Merit: 262
September 01, 2018, 08:47:10 PM
 #1

I downloaded Electrum last year and I just checked my balance today and it’s all gone. Someone withdrew everything in July 2018. How is this possible?
jackg
Copper Member
Legendary
Activity: 2856
Merit: 3071
September 01, 2018, 09:36:55 PM
 #2

Most likely a virus.

If you didn't have a password set, then a JSON RPC call can be made to get your seed and send a payment from a website, so maybe that caused an issue somewhere...?

Without any more information on where it is and your general browsing behaviour we can't really give you much...
yonton (OP)
Sr. Member
Activity: 854
Merit: 262
September 01, 2018, 09:52:27 PM
 #3

Quote from: jackg
Most likely a virus.

If you didn't have a password set, then a JSON RPC call can be made to get your seed and send a payment from a website, so maybe that caused an issue somewhere...?

Without any more information on where it is and your general browsing behaviour we can't really give you much...

I had a password for the wallet but not the JSON file?
Rickorick
Jr. Member
Activity: 107
Merit: 8
September 01, 2018, 10:03:27 PM
 #4

What's the address the coins went to?
jackg
Copper Member
Legendary
Activity: 2856
Merit: 3071
September 01, 2018, 10:03:31 PM
 #5

Quote from: yonton
I had a password for the wallet but not the JSON file?

JSON is a way to represent data; you don't have a JSON file that you create in Electrum. The server will generate some sort of JSON file for your Electrum to use and can call for your public keys using JSON? The issue was that other sites were using requests for JSON files to draw out seeds and master private keys instead...

Was it a fairly complex virus? Are you sure you didn't move the bitcoins yourself also? (It's been a month at least, so you might have forgotten you moved them.)
yonton (OP)
Sr. Member
Activity: 854
Merit: 262
September 01, 2018, 11:37:20 PM
 #6

No, I didn’t move them; it was a substantial amount for me and a big loss. My wallet was emptied, then they repeatedly withdrew small amounts from my mining profits that were going to that address. Over 3 BTC.
Abdussamad
Legendary
Activity: 3612
Merit: 1564
September 02, 2018, 12:19:03 AM
 #7

Where did you download Electrum from? Check your browser history and find out the exact URL.
yonton (OP)
Sr. Member
Activity: 854
Merit: 262
September 02, 2018, 01:11:46 AM
 #8

I can’t remember, it was last year and I’ve had much more in that wallet so if it was a bogus electrum link they would have emptied my account a long time ago when there was more in it.
nc50lc
Legendary
Activity: 2408
Merit: 5594
September 02, 2018, 04:11:33 AM
 #9

When you created that wallet, was it a "new seed", an imported seed from somewhere else or imported private key(s)?

Quote from: jackg
-snip-
The issue was that other sites were using requests for JSON files to draw out seeds and master private keys instead...

Depends if he still uses the vulnerable versions of Electrum, but password-protected wallets were still safe from being hacked (Read link).

Possibly, your seed or private key backups were compromised in July or earlier months. Did you have a backup stored somewhere?

yonton (OP)
Sr. Member
Activity: 854
Merit: 262
September 02, 2018, 04:35:11 AM
 #10

Quote from: nc50lc
When you created that wallet, was it a "new seed", an imported seed from somewhere else or imported private key(s)?

Quote from: jackg
-snip-
The issue was that other sites were using requests for JSON files to draw out seeds and master private keys instead...

Depends if he still uses the vulnerable versions of Electrum, but password-protected wallets were still safe from being hacked (Read link).

Possibly, your seed or private key backups were compromised in July or earlier months. Did you have a backup stored somewhere?

It was a new seed and I did have a file on my PC with my private key. Do you think they would have found it?
nc50lc
Legendary
Activity: 2408
Merit: 5594
September 02, 2018, 05:14:34 AM
 #11

Quote from: yonton
It was a new seed and I did have a file on my PC with my private key. Do you think they would have found it?

I'm afraid that this must be the case.
Once your PC got compromised, there's no stopping the hacker from getting that file.
Leaving a backup inside the same machine where the wallet was is a total security risk.

vit05
Hero Member
Activity: 672
Merit: 526
September 02, 2018, 07:04:45 AM
 #12

What is your OS? Did only you use this computer? If they invaded your computer, they left a trail and the attacker is still in it. It would be important, before formatting your computer, to try to find what they used to hack into it. Honestly, in these cases it is best to try to exhaust all possibilities of social engineering before assuming it is an online invasion. A seed can be much more easily copied by someone with access to the PC for a few minutes than in an invasion.
Lucius
Legendary
Activity: 3234
Merit: 5664
September 02, 2018, 10:50:41 AM
 #13

Quote from: yonton
I downloaded Electrum last year and I just checked my balance today and it’s all gone. Someone withdrew everything in July 2018. How is this possible?

We have many cases like yours here; just use the search option in this forum with the keywords "electrum" "hacked" "stolen" and you will get many results. It is possible that you downloaded a fake version of Electrum, especially if you used a search engine. Last year there were so many fake Electrum sites which used Google ads to be displayed at the top of the search results. If you download something like that, the hacker just waits for you to send some coins to the wallet and then the game is over for you.

The fact that you had the seed stored on your PC is just one of the possible ways a hacker could steal your coins. It may be the result of a Remote Access Trojan, or, as some members mentioned, it can be the work of some family member/friend who had access to the computer.

yonton (OP)
Sr. Member
Activity: 854
Merit: 262
September 02, 2018, 01:14:50 PM
Last edit: September 02, 2018, 02:36:21 PM by yonton
 #14

Quote from: vit05
What is your OS? Did only you use this computer? If they invaded your computer, they left a trail and the attacker is still in it. It would be important, before formatting your computer, to try to find what they used to hack into it. Honestly, in these cases it is best to try to exhaust all possibilities of social engineering before assuming it is an online invasion. A seed can be much more easily copied by someone with access to the PC for a few minutes than in an invasion.

It was on Windows 8.1. I have removed the hard drive already and installed a new one. I live alone and only my son is with me, but it’s possible my landlord could have entered my place? Do you think an online invasion is unlikely? What is strange is that I had another wallet on the drive that was not touched.
jackg
Copper Member
Legendary
Activity: 2856
Merit: 3071
September 02, 2018, 03:23:43 PM
 #15

Quote from: yonton
No, I didn’t move them; it was a substantial amount for me and a big loss. My wallet was emptied, then they repeatedly withdrew small amounts from my mining profits that were going to that address. Over 3 BTC.

If you plan to continue trying to mine, then I'd suggest you use an air-gapped computer and a strong password...
The 3 BTC is somewhat potentially irreversible. I'll take a look at that address if they were all on there and see if there's anything they've gone to, like an exchange.

Quote from: vit05
What is your OS? Did only you use this computer? If they invaded your computer, they left a trail and the attacker is still in it. It would be important, before formatting your computer, to try to find what they used to hack into it. Honestly, in these cases it is best to try to exhaust all possibilities of social engineering before assuming it is an online invasion. A seed can be much more easily copied by someone with access to the PC for a few minutes than in an invasion.

Quote from: yonton
It was on Windows 8.1. I have removed the hard drive already and installed a new one. I live alone and only my son is with me, but it’s possible my landlord could have entered my place? Do you think an online invasion is unlikely? What is strange is that I had another wallet on the drive that was not touched.

Anything is possible. I don't think it's unlikely a virus was sent to you...

Quote from: nc50lc
When you created that wallet, was it a "new seed", an imported seed from somewhere else or imported private key(s)?

Quote from: jackg
-snip-
The issue was that other sites were using requests for JSON files to draw out seeds and master private keys instead...

Depends if he still uses the vulnerable versions of Electrum, but password-protected wallets were still safe from being hacked (Read link).

Possibly, your seed or private key backups were compromised in July or earlier months. Did you have a backup stored somewhere?

Quote from: yonton
It was a new seed and I did have a file on my PC with my private key. Do you think they would have found it?

Yes, but some information could still be drawn: if he got one of his private keys at the time, a call could be made to get that one, and his xpub would have been available in memory to be drawn if he had decrypted his wallet by that point, for example...
bob123
Legendary
Activity: 1624
Merit: 2481
September 03, 2018, 07:56:28 AM
 #16

Quote from: yonton
It was a new seed and I did have a file on my PC with my private key.

Did you have single private keys stored in the text file? Or was it your (12-/18-/24-word) mnemonic seed?

And what funds have been accessed? Those whose private keys were stored in that file? Or also from other addresses?

IMO it is very likely that your PC somehow got compromised, either by downloading/executing malware or through a vulnerability.

If you had Electrum running all the time (e.g. in autostart), the possibility would exist that some malicious website you have entered could exploit a vulnerability in Electrum to steal your funds.
But since your wallet file was password protected, this is not the case here.

For the future: never have a digital backup stored on the same machine. You shouldn't even have a digital backup at all stored anywhere except completely offline.
And note that a digital backup NEVER replaces a physical (analogous) backup.

Abdussamad
Legendary
Activity: 3612
Merit: 1564
September 04, 2018, 03:35:29 AM
Merited by pooya87 (1)
 #17

Quote from: jackg
Yes, but some information could still be drawn: if he got one of his private keys at the time, a call could be made to get that one, and his xpub would have been available in memory to be drawn if he had decrypted his wallet by that point, for example...

The vulnerability didn't let you access memory. You could only do things via the JSON RPC interface. If you had a password on your wallet then the private key/seed were not accessible. They could have still gotten to the xpub if full wallet file encryption wasn't being used, but the xpub doesn't let you spend bitcoins.

Also, the user entering the wallet password to access it via the GUI didn't mean that malicious JSON RPC requests wouldn't require a password.

That's why we say if you had a reasonably secure password you were not vulnerable.
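The behaviour described in this post, as an added illustration that is not Electrum's code and not from any poster in the thread: a toy wallet whose JSON-RPC dispatcher answers seed requests only with a valid wallet password, while the xpub stays readable without one, and a GUI unlock flag that the RPC path deliberately ignores. The method names (`getseed`, `getmpk`), the wallet layout, the scrypt parameters, the one-time-pad stand-in for real encryption and the sample seed/xpub strings are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed sample data for the demo; not a real wallet.
SAMPLE_SEED = "example seed words only not a real wallet"
SAMPLE_XPUB = "xpub-PLACEHOLDER-constructed-for-demo"
VERIFIER_LEN = 32
KDF_PARAMS = dict(n=2 ** 14, r=8, p=1)  # scrypt cost; illustrative values


def _keystream(password: str, salt: bytes, length: int) -> bytes:
    """Derive `length` password-bound bytes with scrypt from the standard library."""
    return hashlib.scrypt(password.encode(), salt=salt, dklen=length, **KDF_PARAMS)


class ToyWallet:
    """Seed kept in the clear when no password is set; otherwise stored under a
    toy one-time pad derived from the password (a stand-in for real encryption)."""

    def __init__(self, seed: str, xpub: str, password: Optional[str]):
        self.xpub = xpub
        self.protected = password is not None
        self.gui_unlocked = False  # set when the owner types the password into the GUI
        self._salt = os.urandom(16)
        raw = seed.encode()
        if not self.protected:
            self._verifier = b""
            self._seed_store = raw  # plaintext at rest: the unprotected-wallet case
        else:
            stream = _keystream(password, self._salt, VERIFIER_LEN + len(raw))
            self._verifier = stream[:VERIFIER_LEN]
            self._seed_store = bytes(a ^ b for a, b in zip(raw, stream[VERIFIER_LEN:]))

    def _stream_for(self, password: str) -> bytes:
        return _keystream(password, self._salt, VERIFIER_LEN + len(self._seed_store))

    def check_password(self, password: str) -> bool:
        """Constant-time comparison of the password-derived verifier."""
        return self.protected and hmac.compare_digest(
            self._stream_for(password)[:VERIFIER_LEN], self._verifier)

    def seed(self, password: Optional[str]) -> str:
        if not self.protected:
            return self._seed_store.decode()
        if password is None or not self.check_password(password):
            raise PermissionError("wallet password required")
        pad = self._stream_for(password)[VERIFIER_LEN:]
        return bytes(a ^ b for a, b in zip(self._seed_store, pad)).decode()


def _ok(rid, result) -> dict:
    return {"jsonrpc": "2.0", "id": rid, "result": result}


def _err(rid, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def handle_rpc(wallet: ToyWallet, request: str) -> dict:
    """Dispatch one JSON-RPC 2.0 request. The RPC path never consults
    wallet.gui_unlocked: a password typed into the GUI does not unlock RPC."""
    try:
        req = json.loads(request)
    except ValueError:
        return _err(None, -32700, "parse error")
    rid, method = req.get("id"), req.get("method")
    params = req.get("params") if isinstance(req.get("params"), dict) else {}
    if method == "getmpk":
        # The xpub reveals addresses and balances but cannot spend.
        return _ok(rid, wallet.xpub)
    if method == "getseed":
        try:
            return _ok(rid, wallet.seed(params.get("password")))
        except PermissionError as exc:
            return _err(rid, -32000, str(exc))
    return _err(rid, -32601, "method not found")


def demo() -> dict:
    """Send the same password-less seed request to an unprotected and a protected wallet."""
    probe = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "getseed"})
    unprotected = ToyWallet(SAMPLE_SEED, SAMPLE_XPUB, password=None)
    protected = ToyWallet(SAMPLE_SEED, SAMPLE_XPUB, password="correct horse battery staple")
    protected.gui_unlocked = True  # owner has the wallet open in the GUI
    owner_req = json.dumps({"jsonrpc": "2.0", "id": 3, "method": "getseed",
                            "params": {"password": "correct horse battery staple"}})
    return {
        "unprotected": handle_rpc(unprotected, probe),
        "protected": handle_rpc(protected, probe),
        "protected_xpub": handle_rpc(protected, json.dumps({"jsonrpc": "2.0", "id": 2, "method": "getmpk"})),
        "owner": handle_rpc(protected, owner_req),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the three outcomes the thread describes: the unprotected wallet hands its seed to a password-less request, the protected wallet answers the same request with an error even though the GUI is unlocked, and the xpub is returned in both cases.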
pooya87
Legendary
Activity: 3444
Merit: 10558
September 04, 2018, 03:42:18 AM
 #18

Quote from: Abdussamad
Quote from: jackg
Yes, but some information could still be drawn: if he got one of his private keys at the time, a call could be made to get that one, and his xpub would have been available in memory to be drawn if he had decrypted his wallet by that point, for example...

The vulnerability didn't let you access memory. You could only do things via the JSON RPC interface. If you had a password on your wallet then the private key/seed were not accessible. They could have still gotten to the xpub if full wallet file encryption wasn't being used, but the xpub doesn't let you spend bitcoins.

Also, the user entering the wallet password to access it via the GUI didn't mean that malicious JSON RPC requests wouldn't require a password.

That's why we say if you had a reasonably secure password you were not vulnerable.

Not to mention that you needed to have your wallet open alongside a malicious website that could make a malicious call to try and access your wallet! And you shouldn't have had any ad blocker on your browser, since they block these kinds of scripts.
OP doesn't seem to have opened his wallet for a year!

To OP: since you had bitcoin from last year, did you happen to try and claim some fork coins (like Bitcoin Cash, Gold, Private, ...) with your private key(s)? Because that might have been the way you leaked them yourself.

yonton (OP)
Sr. Member
Activity: 854
Merit: 262
September 04, 2018, 04:32:33 AM
 #19

I had a Notepad file with my wallet words on my PC; I think that is how they got it. I haven’t claimed any forks, but I have opened the wallet a few times to look at my coins. Since the hack I have disconnected the hard drive.
bob123
Legendary
Activity: 1624
Merit: 2481
September 04, 2018, 06:42:47 AM
 #20

Quote from: yonton
I had a Notepad file with my wallet words on my PC; I think that is how they got it.

Very well imaginable :/
Such sensitive information should only be stored offline, without the possibility of being accessed by strangers.

At least encryption with a password which is long enough (stored offline) should be done before keeping sensitive data on your PC.

Quote from: yonton
I haven’t claimed any forks, but I have opened the wallet a few times to look at my coins.

It is unlikely that the RPC vulnerability led to your coins getting lost.

This would have required you to have:
1) Your wallet open
2) Your wallet NOT password protected (which it is according to your posts)
3) Visited a malicious site which tries to exploit the vulnerability

... at the SAME time. It is pretty 'safe' to assume that this was not the way your data got leaked.

Quote from: yonton
Since the hack I have disconnected the hard drive.

Note that simply disconnecting the hard drive doesn't change anything.
If your system was/is infected, simply changing hard drives won't change much.

You need to make sure to do a completely fresh install of a new OS. In most cases this is enough.
There are still some cases (e.g. rootkits) where installing a new OS won't help, but those are rare.
