Unverified transaction fron Electrum wallet

[talliar]

Electrum version 3.3.7. installed on Xiaomi mi9t pro. Nowhere else. Password protection has been enabled. On April 1, the wallet had 1.23595057 btc. Today I switched to a wallet to transfer part of the funds and was very surprised. Wallet balance 0. It turned out that on April 3rd at 23:05 a transaction was sent for the total balance. The transaction was send to address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq No one has access to the phone. Electrum has been downloaded from the official site. I know about phishing and always carefully check everything. Never updated the application. I download all applications for the phone only through the play market. Please tell me how this happened? What have I done wrong? for what reason have I lost all my savings?

[DireWolfM14]

When you created the wallet did you write down the seed phrase on a piece of paper, and store it somewhere to which only you have access?  If you are correct that you don't have a malicious version of Electrum, then I would suspect that someone may have found your seed phrase.  Is that possible?

The other thing you said is that you downloaded it from the official site, do you mean you downloaded the APK file, or did you click the link to google play?

[hosseinimr93]

I just searched the address on Google and found following post on Reddit.
Bitpay wallet hacked - what went wrong?

And since there are several transactions sent to that address, seems that it belongs to a hacker.

[talliar]

When you created the wallet did you write down the seed phrase on a piece of paper, and store it somewhere to which only you have access?  If you are correct that you don't have a malicious version of Electrum, then I would suspect that someone may have found your seed phrase.  Is that possible?


the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.


The other thing you said is that you downloaded it from the official site, do you mean you downloaded the APK file, or did you click the link to google play?

Sorry, correct is "i downloaded this electrum from google play. I check it twice.

[DireWolfM14]

the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.
~
Sorry, correct is "i downloaded this electrum from google play. I check it twice.

Well, as hosseinimr93 pointed out, that address appears to belong to a hacker/scammer.  It's unlikely your seed phrase was compromised, but it's very likely you did not install the official Electrum app from google.  I know you were trying to be careful, but at this point it's the most likely scenario.  You can check your google account to see which app you have installed, and compare it to the app to which official Electrum website directs.

Here's the official website link: https://electrum.org/#home
And, the link to the official app on google play: https://play.google.com/store/apps/details?id=org.electrum.electrum

If you have the real app installed the play store will inform you as such:

[HCP]

This is indeed puzzling and concerning... if all that OP has said is true regarding their OpSec (only installed from Play Store, seed on paper in safe etc) then theoretically their funds should be "safe" from such events.

installed on Xiaomi mi9t pro.

Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS right? Is it root-enabled?

[Rath_]

Could this be a possible vector? The fact that it is a Xiaomi device? They run a custom version of the Android OS right? Is it root-enabled?

It is not rooted by default and it would take some effort to do so. They use a modified version of Android but I wouldn't suspect them because of that. Most manufacturers modify Android heavily. Also, they aren't a completely random Chinese brand.

[HCP]

I'm not blaming the brand or implying that they are the thieves... I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

@OP, is your device rooted?

[BitMaxz]

How did you create your wallet from Electrum mobile? If someone created it for you he might be the one who stole your Bitcoin. Or if the seed backup is created from other wallets like Bitpay?

If not, then there might be a keylogger in your device. Actually Xiaomi Phones is not secured as Samsung with Knox.

A similar case and address can be found below the same as hosseinimr93 posted above.
- [uncensored-r/Bitcoin] Bitpay wallet hacked - what went wrong?

That's why I suspected that this address is controlled by Bitpay? I'm not sure but if your seed backup is created from Bitpay and imported it to Electrum mobile... Maybe?

[nc50lc]

The transaction was send to address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq -snip-

Looks like it's being used to receive hacked bitcoins not exclusive to Electrum, the chance of being fake Electrum the culprit slim.
It was reported here: https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq, expand the "scam alert" portion.

What are the other installed applications you have in your phone?
And please answer the question in post#2, where did you stored your 12-word seed phrase? <-- must be the issue.

[HCP]

And please answer the question in post#2, where did you stored your 12-word seed phrase? <-- must be the issue.

He already did up in Post #4... it was just a bit hidden in the "bad" quoting:

the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.

Like I said, if everything he said is true... it's very puzzling and concerning.

[joniboini]

I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

Lots of Xiaomi phones are 'rootable' due to many developers supports their devices (because the price/performance ratio is good for most people who don't want to spend $800 for a phone).

That being said, I doubt just because he installed a custom ROM somebody can expose his seed just like that. We'd need a lot of details from now on, starting from the apps on his phone, what security patch his phone is using, did he also load his wallet on another place previously, etc.

[talliar]

the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me.
~
Sorry, correct is "i downloaded this electrum from google play. I check it twice.

Well, as hosseinimr93 pointed out, that address appears to belong to a hacker/scammer.  It's unlikely your seed phrase was compromised, but it's very likely you did not install the official Electrum app from google.  I know you were trying to be careful, but at this point it's the most likely scenario.  You can check your google account to see which app you have installed, and compare it to the app to which official Electrum website directs.

Here's the official website link: https://electrum.org/#home
And, the link to the official app on google play: https://play.google.com/store/apps/details?id=org.electrum.electrum

If you have the real app installed the play store will inform you as such:

https://i.ibb.co/zs11q09/Capture.jpg

When i use your link, i see Oткpыть, it's translate like Open.  This means that the electrum is installed from official page :
https://i.ibb.co/Z1JkPHv/Screenshot-2020-04-06-09-25-28-001-com-android-vending.png

I'm not blaming the brand or implying that they are the thieves... I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

@OP, is your device rooted?

No. The phone was bought in the official store and in order not to violate the warranty, I did not do anything with the official firmware

How did you create your wallet from Electrum mobile? If someone created it for you he might be the one who stole your Bitcoin. Or if the seed backup is created from other wallets like Bitpay?

If not, then there might be a keylogger in your device. Actually Xiaomi Phones is not secured as Samsung with Knox.

A similar case and address can be found below the same as hosseinimr93 posted above.
- [uncensored-r/Bitcoin] Bitpay wallet hacked - what went wrong?

That's why I suspected that this address is controlled by Bitpay? I'm not sure but if your seed backup is created from Bitpay and imported it to Electrum mobile... Maybe?

I create my seed by Electrum mobile.
Never used other wallets, this was not necessary

The transaction was send to address unknown to me: 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq -snip-

Looks like it's being used to receive hacked bitcoins not exclusive to Electrum, the chance of being fake Electrum the culprit slim.
It was reported here: https://bitcoinwhoswho.com/address/13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq, expand the "scam alert" portion.

What are the other installed applications you have in your phone?
And please answer the question in post#2, where did you stored your 12-word seed phrase? <-- must be the issue.

All applications on the phone are downloaded from the play store. These are applications from banks, cards, food delivery services and instant messengers. After the money was stolen, I carefully scanned the entire list, all the applications are pretty famous.

"the seed phrase is written on a piece of paper and is hidden in my personal safe. no one can access her. besides this, I specially changed the word order on paper, the correct order is known only to me."

I'm questioning the fact that this wallet was installed on an Android device and it appears that it can be relatively easily rooted and flashed with all sorts of different/custom ROMs: https://forum.xda-developers.com/mi-9t/development

Lots of Xiaomi phones are 'rootable' due to many developers supports their devices (because the price/performance ratio is good for most people who don't want to spend $800 for a phone).

That being said, I doubt just because he installed a custom ROM somebody can expose his seed just like that. We'd need a lot of details from now on, starting from the apps on his phone, what security patch his phone is using, did he also load his wallet on another place previously, etc.

My phone have official firmware. If this can help to understand the situation, then today I will write a complete list of all applications on the phone.

[Lucius]

talliar, you say that on April 1 your coins are still in the wallet - so something is happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?

For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?

[Csmiami]

talliar, you say that on April 1 your coins are still in the wallet - so something is happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?

For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?

If this is the outgoing transaction he is talking about, he received the coins on April 1st into 2 different addresses. Both of them had had a lot of movement in the previous days, so if I had to take a guess, they came from a mixer/exchange/similar.

It may be a long shot, but I've read about user installing the "Houseparty" app had had many data leaks and some even lost BTC. Since we are in lockdown, it's likely he installed it, and it would be inside the "pretty famous" list of apps.

[talliar]

talliar, you say that on April 1 your coins are still in the wallet - so something is happened in the next 2 days with your phone. Try to remember if you downloaded an app during that period, did you notice anything strange on your phone?

For how long you keep your coins in that wallet, do you have 1+BTC for a long time, or you just transfer that amount on April 1?

these days my family and I were cleaning the area around the house (we have something like a farm in the village). these days I almost did not use the phone. mainly telegram and viber for communicating with parents. I can definitely say that I did not install new applications (the latter was installed two weeks ago, this is soundcloud), and I can definitely say that these days I did not go into the electrum and did not perform any operations. On April 1st, I checked in the evening that a friend had returned my debt. I know many cases where hackers replaced links. I know cases when they replaced the address and bitcoins went to the address of hackers. but so far I could not find cases when this happened without any actions of the owner.that is why I want to understand in detail how this happened. Because while I do not understand this, I do not think it is safe for me to reuse this application. I'm sorry for my English, this is not my native language, in part, I use a translator. Here is a screenshot of the latest wallet transactions. https://i.ibb.co/yWjtqnG/Screenshot-2020-04-06-15-26-40-976-org-electrum-electrum.png

[khaled0111]

/*

Electrum version 3.3.7

When did you download your wallet?
3.3.8 is the latest version available for download by default since July 11 2019. If you downloaded your wallet after that date then most probably you got phished and downloaded a fake one. */

Sorry for your loss!

quote]
OP is using mobile version of Electrum, and latest version for Android is 3.3.7.0 from July 3, 2019.

thank you for the clarification and correcting me. my bad

[Lucius]

~snip~

As Csmiami observed, there is a lot of transactions in and out based on that ss you posted, but at this point it is impossible to say how without your permission that last transaction occurred. If your seed is in personal safe, and your phone is safe from malware, then some hacker is obviously found a way to use some kind of exploit in Android OS or in the model of phone you are using.

What you definitely did wrong was that you kept such a large amount in your phone wallet, and that you did not use a hardware wallet or cold storage.

When did you download your wallet?
3.3.8 is the latest version available for download by default since July 11 2019. If you downloaded your wallet after that date then most probably you got phished and downloaded a fake one.

OP is using mobile version of Electrum, and latest version for Android is 3.3.7.0 from July 3, 2019. According to everything he posted, we're pretty sure he didn't install a fake wallet - otherwise he would have been hacked long before April 3.

[Pmalek]

All applications on the phone are downloaded from the play store. These are applications from banks, cards, food delivery services and instant messengers. After the money was stolen, I carefully scanned the entire list, all the applications are pretty famous.

An application downloaded from the Play Store doesn't necessarily mean that it is safe to use. The apps can be "famous" like you said but are you 100% sure that all your apps are genuine and trustworthy? Try to check the total number of downloads, ratings and comments on the Play Store, especially the negative comments and bad ratings. Do any of them mention the loss of money or private data?   

[BitMaxz]

No, I never heard of this application and did not install it on the phone. I am from Russia, sometimes new trends go up to us sometimes)

How about Guard Provider app or any anti-virus pre-installed on your phone?

Read this article below.
- Xiaomi phones came with security flaw preinstalled

Since before I don't trust any Chinese phones because there are lots of security vulnerabilities like Xiaomi phones.
If you know well that you downloaded it from trusted sources the only thing that I suspected is the preinstalled apps from your phone(Like the Guard app mention from the article.).