Bitcoin Forum
Topic: New Electrum vulnerability? Unknown transaction (Fraud, Theft) 4.3.4 AppImage
btcfreak123 (OP)
July 14, 2025, 06:09:05 PM

I had a strange issue with a BTC transfer. When I broadcast a (small) transaction from my address/coin (which I marked as "spend" in the coins tab), at the same time another transaction was initiated with a very large amount from my other coin address in the same wallet to an unknown address, and the funds were moved 1h later from there to a Binance address.

I am 99% sure I don't have any malware / viruses / keyloggers etc. (all checked multiple times, even rootkit scanners) on my (Debian/Linux) system and also the AppImage I have used many times before and after (!) that "hack" without problems and is originally from Electrum.org and GPG-verified! I also never downloaded or updated (by phishing messages etc.) any other version.

The weird thing is that something just drained my second BTC address but not the other ones in the same wallet (with the same password!).

My fear is that there is a new (unknown) vulnerability in Electrum out there that allows malicious servers to inject code, as in the old JSON-RPC port vulnerability (prior to 3.0.4). Malware on my PC would also have drained all BTC addresses entirely and not just picked a single one, or at least would have repeatedly tried to initiate transactions, but I have used the same Electrum program, wallet and addresses after this attack without issues.

The second transaction was initiated at the same time I entered my wallet password (to sign my TX) and hit "broadcast".

Has anybody had a similar case?

If it was an "Electrum stealer" program, how do they work exactly, and what programs are known/discovered? Is the behaviour described above typical for such software or for a malicious Electrum server?

goldkingcoiner
July 14, 2025, 06:23:23 PM (last edit: July 14, 2025, 06:34:54 PM by goldkingcoiner)

Since you scanned for malware/viruses, I am guessing that your device is clean, so it probably has nothing to do with that.

But it does sound suspiciously like a private key leak or a malicious server (man-in-the-middle attack).

Check Electrum's log file, if you had logging enabled: ~/.electrum/logs/ or \AppData\Roaming\Electrum\logs (hidden folder)
Was auto-connect to server on?  
Check the tx data on blockchain explorer - were they broadcast from the same IP / node?

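To make the log check above concrete, here is an added triage script (example code, not part of the thread and not Electrum's own code). It reads Electrum log lines, records which server the wallet was connected to at the moment of the broadcast, and reports which of the two txids the wallet itself logged as broadcast in a time window around that moment. A txid that never appears in the wallet's own broadcast log was signed and broadcast somewhere else, which points at key material leaving the machine rather than at the server. The line layout (`timestamp | level | logger | message`), the wording of the connect/broadcast messages and the sample log lines are all assumed/constructed for this example; compare them against a real line from `~/.electrum/logs/` and adjust the regexes first.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ASSUMED layout "<timestamp> | <level> | <logger> | <message>" and ASSUMED message wording.
# Not taken from Electrum's source: check a real ~/.electrum/logs/*.log line and adjust.
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}T\d{6}\.\d+Z)\s*\|\s*(?P<level>\w+)\s*\|\s*(?P<logger>\S+)\s*\|\s*(?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"connecting to (?P<server>\S+)")
BROADCAST_RE = re.compile(r"broadcast(?:ing)?\s+tx\s+(?P<txid>[0-9a-fA-F]{64})")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "connect" or "broadcast"
    value: str   # server string ("host:port:s") or txid


def parse_ts(text: str) -> datetime:
    """Parse the assumed ISO-like timestamp (UTC) used in the sample lines."""
    return datetime.strptime(text, "%Y%m%dT%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def parse_events(lines) -> list[Event]:
    """Extract server connections and wallet broadcasts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        c = CONNECT_RE.search(msg)
        if c:
            events.append(Event(ts, "connect", c["server"]))
            continue
        b = BROADCAST_RE.search(msg)
        if b:
            events.append(Event(ts, "broadcast", b["txid"].lower()))
    return sorted(events, key=lambda e: e.ts)


def server_at(events: list[Event], when: datetime):
    """Most recent server the wallet connected to at or before `when`, or None."""
    current = None
    for e in events:
        if e.kind == "connect" and e.ts <= when:
            current = e.value
    return current


def triage(lines, when: datetime, suspect_txids, window: timedelta = timedelta(minutes=10)) -> dict:
    """Which server was in use, and which suspect txids the wallet itself logged as broadcast."""
    events = parse_events(lines)
    lo, hi = when - window, when + window
    seen = {e.value for e in events if e.kind == "broadcast" and lo <= e.ts <= hi}
    wanted = {t.lower() for t in suspect_txids}
    return {
        "server": server_at(events, when),
        "broadcast_by_wallet": sorted(wanted & seen),
        "not_in_log": sorted(wanted - seen),   # signed/broadcast outside this wallet instance
    }


# Constructed sample log and txids (placeholders, not real transactions).
OWN_TXID = "a" * 64        # the small tx the OP sent
UNKNOWN_TXID = "b" * 64    # the large, unexpected tx
SAMPLE_LOG = [
    "20250714T180855.100000Z |     INFO | electrum.network | connecting to electrum.example.net:50002:s as new interface",
    "garbage line that does not match the layout",
    f"20250714T180905.200000Z |     INFO | electrum.wallet | broadcasting tx {OWN_TXID}",
    "20250714T180906.000000Z |    DEBUG | electrum.interface | unrelated message",
]


def demo() -> dict:
    """Run the triage against the constructed sample at the OP's stated broadcast time."""
    return triage(SAMPLE_LOG, parse_ts("20250714T180905.000000Z"), [OWN_TXID, UNKNOWN_TXID])


if __name__ == "__main__":
    print(demo())
```

For a real case, pass `open(path)` instead of `SAMPLE_LOG` and the UTC time of your own broadcast; the `window` exists because the two transactions were reported as near-simultaneous, not identical, in time.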
BitMaxz
July 14, 2025, 10:50:13 PM

I don't think Electrum servers are able to do that, since Electrum only requests data like address history and balances, block headers, UTXOs, etc.
There's no way that they can do or control your wallet.

How exactly did you create your wallet? Did you create your wallet somewhere else? I mean outside the Electrum wallet from that PC/Laptop?

If not, and you created your wallet on the same device, there's a possibility that something on your PC that you don't know about is leaking your wallet's private keys.

I'd like to know how you installed this Linux and where you downloaded it. Are you sure that you downloaded the Linux OS from a legit source?
Because if you downloaded it from somewhere other than the trusted source, there's a possibility it's already infected with malware. Scanning it with any antivirus won't work; that's why I don't download an OS randomly.

There are lots of free OS mods out there, but all of them are already infected with malware that can't be easily scanned by any antivirus.

If I want to use a wallet on a Linux-based OS, I am more comfortable using Tails, which has built-in Electrum. Electrum already provided a guide for this. If you are interested in the future, check their guide below.

- https://github.com/spesmilo/electrum-docs/blob/master/tails.rst

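As an added illustration of the point above about what an Electrum server actually receives (example code, not Electrum's own): the client derives a scripthash from each address's scriptPubKey and asks the server for that scripthash's history. The request carries no key material, so a server (malicious or not) can lie about history and balances but cannot produce a valid signature for a spend. This is also the query you would send to any public server to pull the history of the drained address yourself. Assumptions: legacy base58 addresses only (P2PKH version 0x00, P2SH version 0x05; bech32 is left out), and the JSON-RPC shape of the Electrum protocol's `blockchain.scripthash.get_history` method; the sample address is constructed from a dummy hash160.

```python
import hashlib
import json

# Added example, not Electrum's code. Base58check for legacy mainnet addresses only.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, h160: bytes) -> str:
    payload = bytes([version]) + h160
    payload += _checksum(payload)
    n = int.from_bytes(payload, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(payload) - len(payload.lstrip(b"\x00"))   # leading zero bytes become leading '1's
    return "1" * pad + out


def b58check_decode(addr: str) -> tuple[int, bytes]:
    """Return (version, hash160); raises ValueError on bad characters, length or checksum."""
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)   # ValueError on a non-base58 character
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    payload = b"\x00" * pad + body
    if len(payload) != 25:
        raise ValueError("not a 25-byte base58check payload")
    data, cksum = payload[:21], payload[21:]
    if _checksum(data) != cksum:
        raise ValueError("base58check checksum mismatch")
    return data[0], data[1:]


def script_pubkey(addr: str) -> bytes:
    version, h160 = b58check_decode(addr)
    if version == 0x00:   # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
        return b"\x76\xa9\x14" + h160 + b"\x88\xac"
    if version == 0x05:   # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
        return b"\xa9\x14" + h160 + b"\x87"
    raise ValueError(f"unsupported address version {version:#04x}")


def scripthash(script: bytes) -> str:
    # Electrum protocol scripthash: sha256(scriptPubKey), hex of the digest in reversed byte order.
    return hashlib.sha256(script).digest()[::-1].hex()


def history_request(addr: str, req_id: int = 1) -> dict:
    """The JSON-RPC request the client sends; note it contains only the scripthash."""
    return {
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "blockchain.scripthash.get_history",
        "params": [scripthash(script_pubkey(addr))],
    }


def wire_request(addr: str, req_id: int = 1) -> str:
    """Newline-delimited JSON as written to the server socket."""
    return json.dumps(history_request(addr, req_id)) + "\n"


# Constructed sample: a P2PKH address built from a dummy 20-byte hash160 (not a real address).
SAMPLE_ADDR = b58check_encode(0x00, bytes(range(20)))

if __name__ == "__main__":
    print(SAMPLE_ADDR)
    print(wire_request(SAMPLE_ADDR), end="")
```

Pipe the output of `wire_request` into an SSL connection to a server on port 50002 and the reply is the history list for that address; nothing in the exchange lets the server sign anything.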