Transaction not desired with all my bitcion

[JFOUD]

Hi

I installed last version of electrum on my computer and enter my seed to recover my wallet yesterday. Before that, my wallet wasn't on any device, I juste had my seed written on a piece of paper. Today, I opened the wallet and I saw that a transaction was made with all my bitcoin and the balance is now 0 btc.

Anyone know if it's related to the upgrade of electrum or the bitcoins were juste stolen? Is that anything I can do to recover my bitcoin?

 

[BrewMaster]

when did the transaction occur? all the transactions that are mined in a block, have a timestamp. if you see the details of them in your wallet or on a block explorer you can see that time.

if this happened in the past when you created the wallet that means your seed was compromised then. possibly because either you downloaded a fake Electrum or you had some malware on your computer that stole it (did you verify the signature back then?)

if the transaction happened the  day you recovered your wallet with Seed then it means this new wallet was possibly fake or you have a malware now. (did you verify the signature of the downloaded wallet now?)

- if it is stolen then no there is nothing you can do about it.

[JFOUD]

The transaction happened the day I recover the wallet, yesterday.

How can I verify the signature of the wallet ?

[BrewMaster]

The transaction happened the day I recover the wallet, yesterday.

How can I verify the signature of the wallet ?

you will need to also download the signature file which is found alongside the wallet installation file you downloaded. it is a .asc file. for instance this is the link to this signature for "windows installer" file:
https://download.electrum.org/3.2.3/electrum-3.2.3-setup.exe.asc

then you also need the public key of the signer (Thomas V.) who is the developer of Electrum. the key hash is found on https://electrum.org and it is 0x2BD5824B7F9470E6

now depending on what kind of OS you have you need a program that can verify this signature. for linux it is most probably already installed. only use:
gpg --verify {signature.asc} {file.tar.gz or file.exe}
and it should read "good signature" in the result.

for windows use gpg4win https://www.gpg4win.org/ and read this article: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/

[JFOUD]

Ok but if the transaction is done it is too late anyway no?

[BrewMaster]

Ok but if the transaction is done it is too late anyway no?

yes, unfortunately if the transaction is confirmed* then there is no way to reverse it.

* a confirmed transaction will show up with a green check mark beside it and in its details it will show "status: {a number larger than 6} confirmations"

[Lucius]

Hi

I installed last version of electrum on my computer and enter my seed to recover my wallet yesterday. Before that, my wallet wasn't on any device, I juste had my seed written on a piece of paper. Today, I opened the wallet and I saw that a transaction was made with all my bitcoin and the balance is now 0 btc.

Anyone know if it's related to the upgrade of electrum or the bitcoins were juste stolen? Is that anything I can do to recover my bitcoin?

 

Unfortunately you made a mistake in downloading fake Electrum or you have some malware/RAT/keylogger on your PC. This is not first time we see that people lose coins in this way, backup of seed/private keys is most important - but it is also important to use it only on clean device.

This is just a warning to all those who have backup of seed/private keys in some safe places, be extremely careful when you download any crypto wallet and double check your OS with good AV/Antimalware.

If you find out which way you are hacked it would be good to write here, especially in the case of a fake Electrum site.

[HCP]

I installed last version of electrum on my computer and enter my seed to recover my wallet yesterday.

Can I ask where you downloaded this "last version of electrum" from?

It would be useful for others to know if there is (another) fake Electrum website operating so we can try contacting domain hosts/google etc to try and get it taken down and/or removed from Google listings.

[JFOUD]

I downloaded from the real website (electrum.org). I still not understand how the problem happened.

[Lucius]

I downloaded from the real website (electrum.org). I still not understand how the problem happened.

Can you confirm that this is the site from where you download Electrum ? https://electrum.org/#home

If you are not a victim of the fake wallet, then you lost BTC in a way that something on your PC is stolen your seed words. It could be any kind of malware or keylogger which is monitor all your actions and collect data. Did you maybe try to scan your device with AV or antimalware and see do you have anything suspicious on the device?

[JFOUD]

Yes I confirm it was from https://electrum.org/#home

I scanned the PC with Avast (free version) and Malwarebyte and nothing was found...

[bob123]

Did you verify the signature ?

Even if you download it from the official source, a Man-in-the-middle attack could replace the original client with a malicious one.
Verifying the signature is the only way to make sure you are using the correct version.

If you are too lazy to verify the signature, at least check the hash of the file.

To check the hash, please do the following (assuming you are on windows):

• Open the command promt (WIN-key + R  -> then enter 'cmd')
• Enter: certUtil -hashfile C:/path/to/your/electrum/file.exe sha256

Then please post the output here and tell us which version of electrum you are using. I am then going to download the correct file and verify that the hash is the same.
If this is the case, your client was non-malicious and we have to look further how your coins got stolen.

[Thirdspace]

I installed last version of electrum on my computer and enter my seed to recover my wallet yesterday. Before that, my wallet wasn't on any device, I juste had my seed written on a piece of paper. Today, I opened the wallet and I saw that a transaction was made with all my bitcoin and the balance is now 0 btc.

is it mnemonic seed or just a private key? how did you generate your seed?
this sound like a case of "paid by bitcoin address' private key"
and a bitcoin address or txid may help us figure out what happened

[Lucius]

I installed last version of electrum on my computer and enter my seed to recover my wallet yesterday. Before that, my wallet wasn't on any device, I juste had my seed written on a piece of paper. Today, I opened the wallet and I saw that a transaction was made with all my bitcoin and the balance is now 0 btc.

is it mnemonic seed or just a private key? how did you generate your seed?
this sound like a case of "paid by bitcoin address' private key"
and a bitcoin address or txid may help us figure out what happened

JFOUD clearly states that it is a seed written on a piece of paper - I doubt that OP is write his private key on paper. It is also very likely that seed is generated by Electrum wallet, just because he/she is try to use same wallet to access his coins.

Also you miss fact that coins are gone after he import seed in Electrum, that means that something has happened after that step - fake wallet, keylogger, malware or anything like that...

[JFOUD]

Did you verify the signature ?

Even if you download it from the official source, a Man-in-the-middle attack could replace the original client with a malicious one.
Verifying the signature is the only way to make sure you are using the correct version.

If you are too lazy to verify the signature, at least check the hash of the file.

To check the hash, please do the following (assuming you are on windows):

• Open the command promt (WIN-key + R  -> then enter 'cmd')
• Enter: certUtil -hashfile C:/path/to/your/electrum/file.exe sha256

Then please post the output here and tell us which version of electrum you are using. I am then going to download the correct file and verify that the hash is the same.
If this is the case, your client was non-malicious and we have to look further how your coins got stolen.

Here the output I have :
a0 ac b5 93 de 3b 9b a3 c5 30 79 34 c7 95 41 ed 69 50 1a e2 7b 0e 10 70 6a 63 87 34 46 8d 20 9f

I have to precise that I downloaded the "standalone executable" version of Electrum .

[JFOUD]

I installed last version of electrum on my computer and enter my seed to recover my wallet yesterday. Before that, my wallet wasn't on any device, I juste had my seed written on a piece of paper. Today, I opened the wallet and I saw that a transaction was made with all my bitcoin and the balance is now 0 btc.

is it mnemonic seed or just a private key? how did you generate your seed?
this sound like a case of "paid by bitcoin address' private key"
and a bitcoin address or txid may help us figure out what happened

JFOUD clearly states that it is a seed written on a piece of paper - I doubt that OP is write his private key on paper. It is also very likely that seed is generated by Electrum wallet, just because he/she is try to use same wallet to access his coins.

Also you miss fact that coins are gone after he import seed in Electrum, that means that something has happened after that step - fake wallet, keylogger, malware or anything like that...

It is a mnemonic seed of 12 words generated by Electrum when I first created the wallet long time ago (something like 5 years ago).
What to you mean by " a case of "paid by bitcoin address' private key" "
Here is the transaction ID  : 1622b47a2371fcabebe5735c6d68fb3e5491a2d2073a51fc9cf2b7ad60965dfd

[Thirdspace]

Here is the transaction ID  : 1622b47a2371fcabebe5735c6d68fb3e5491a2d2073a51fc9cf2b7ad60965dfd

please ignore my previous post, I assumed wrong
I'm sorry for your loss, it's quite a good amount of bitcoin
and the thief also cleaned out your BCH as well 3 days afterward
https://bch.btc.com/cf9aa60c3118744089fbe6bad181f4f36c390d84d0c525f03d83f2ea23a1681a

[Abdussamad]

Did you verify the signature ?

Even if you download it from the official source, a Man-in-the-middle attack could replace the original client with a malicious one.
Verifying the signature is the only way to make sure you are using the correct version.

If you are too lazy to verify the signature, at least check the hash of the file.

To check the hash, please do the following (assuming you are on windows):

• Open the command promt (WIN-key + R  -> then enter 'cmd')
• Enter: certUtil -hashfile C:/path/to/your/electrum/file.exe sha256

Then please post the output here and tell us which version of electrum you are using. I am then going to download the correct file and verify that the hash is the same.
If this is the case, your client was non-malicious and we have to look further how your coins got stolen.

Here the output I have :
a0 ac b5 93 de 3b 9b a3 c5 30 79 34 c7 95 41 ed 69 50 1a e2 7b 0e 10 70 6a 63 87 34 46 8d 20 9f

I have to precise that I downloaded the "standalone executable" version of Electrum .

This is not the correct sha256sum:

http://termbin.com/c7bh

That last line contains the correct checksum. I suggest you check your browser history to verify the exact url you downloaded electrum from. In the past we've seen users insisting that they downloaded from the official site but when we ask them to check their browser history it turns out that they got it from some fake site.

[bob123]

Here the output I have :
a0 ac b5 93 de 3b 9b a3 c5 30 79 34 c7 95 41 ed 69 50 1a e2 7b 0e 10 70 6a 63 87 34 46 8d 20 9f

I have to precise that I downloaded the "standalone executable" version of Electrum .

Did you use version 3.2.3 ?

These are the correct hashes:

Code:

MAC:
$ sha256sum electrum-3.2.3.dmg 
6f95797f73e0822fc37afd445981874ae61f231165f16440e521a4bcf4396758  electrum-3.2.3.dmg

Standalone Windows:
$ sha256sum electrum-3.2.3.exe 
86db45fd961cd432c8bf6825a69fe3f48142cce8ef2f9626beee4a8c143ff242  electrum-3.2.3.exe

Portable Windows:
$ sha256sum electrum-3.2.3-portable.exe 
281997bf8e578e1f88289ba6d4132b8ce3e78912aaa372b49d8745701980e7dd  electrum-3.2.3-portable.exe

Unfortunately you have downloaded a non-original electrum (probably malicious one). 

I guess you either have downloaded it from a fake site (more probable) or have been victim of a MITM attack (less probable).
Can you do as Abdussamad said and check from which site you have downloaded it (e.g. through browser history) ?

[JFOUD]

It seems that you are right. I found this adress in my history  https://electrun.net/ . But my browser block the site because it is not secure. Is it possible that the site was accessible 15 days ago and not know?