transferred funds to electrum and they disappeared

[randomkindness]

Hi,
totally new to bitcoin. needed it to make a payment. I transferred funds from a Kraken account to my electrum wallet. The funds arrived, and the day later, they were transferred automatically, to some address I don't know.
Any idea what happened, where my money is, how to get it back (it was a significant amount)

this is the transaction id: 46312bb744778e6d207224d763289715498c1b197af201b625efb653ccfff6ac


thank you

[jackg]

What version of electrum are you using? There are 2 vulnerabilities I know of:
1. Versions below 3 can have json injections which means they can get your seed info if you visit a dodgy site or have something dodgy downloaded.
2. Versions below 3.3.5 (I think) can be attacked by a phisihg server (giving a warning message)

There are other plausible vulnerabilities though if you have software that is old/unverified on your machine...

[BitcoinGirl.Club]

Sorry to hear you lose brother. Most possibly your wallet was compromised and the hacker took the fund away from your wallet. I hope this was not a big sum for you.

[hosseinimr93]

According to the transaction you posted, the fund has been sent to 13k4rgQ6b9LdBt6pvgLR5MSV6wAhujFpgq. This address has already been mentioned in a thread made by another victim.
Unverified transaction fron Electrum wallet

Edit: And in the following topic in reddit
Bitpay wallet hacked - what went wrong?

You have probably installed a fake version of Electrum or your system has been compromised.

[bob123]

What version of electrum are you using? There are 2 vulnerabilities I know of:
1. Versions below 3 can have json injections which means they can get your seed info if you visit a dodgy site or have something dodgy downloaded.

This vulnerability requires the wallet to be open and unencrypted while at the same time browsing on a malicious website.

2. Versions below 3.3.5 (I think) can be attacked by a phisihg server (giving a warning message)

This vulnerability only shows a fake message with a link to malware. It doesn't do anything else.


OP, your coins are gone.
You either 1) didn't install the original electrum, but malware. Did you verify the PGP signature? or 2) installed the original electrum but your machine is compromised because of malware you downloaded before/after installing electrum.

[randomkindness]

thanks for your responses. it's version 4.01. I downloaded it from electrum.org. Can that really be wrong?
It's over 1200 euro that is missing...

[bob123]

thanks for your responses. it's version 4.01. I downloaded it from electrum.org. Can that really be wrong?

If you downloaded it from electrum.org, the probability that you installed malware is pretty low (not impossible tho).
The chances are higher that it wasn't electrum.org but a malicious website which does look exactly like the original one.

The other option would be that your machine already was compromised.

[randomkindness]

does it look to you peops like the bottom line is that i lost it and that i shouldn't look further?

[randomkindness]

i didn't make any transaction yet. just transferred from kraken to wallet, wanted to make the payment from the wallet the next day, but balance was zero. that was it.

any suggestions as to what to do about a compromised computer? good antimalware software?

[hosseinimr93]

does it look to you peops like the bottom line is that i lost it and that i shouldn't look further?

Unfortunately, you have lost that money forever.
Your coins are now in a wallet which belongs to a hacker. Since bitcoin transaction are irreversible, you can do nothing.  

[bob123]

does it look to you peops like the bottom line is that i lost it and that i shouldn't look further?

Unfortunately, yes.
If your funds have been transferred out of your wallet, you are out of luck.

any suggestions as to what to do about a compromised computer? good antimalware software?

Did this happen on your computer (windows?) or your mobile?
This address has been mentioned at least 2 times already where people lost their funds. Both times this was on a mobile phone.

The first thing would be to find out whether you have installed a malicious version of electrum or whether your PC is compromised.
Did you install it or did you use the standalone executable?

If you used the standalone executable or still have the installer, you could verify the PGP signature.
If it is the signed one, electrum is legit and your device has been compromised in a different way. If it is not, it was a malicious electrum clone.

The safest way to remove any malware is to create a backup of your important data and reinstall your OS.
If this has "only" been caused by the malicious electrum version, you might be fine by simply removing it from your system (again: installed / standalone?). No guarantee tho.

[BitMaxz]

any suggestions as to what to do about a compromised computer? good antimalware software?

For me, I suggest you reformat/reinstall a fresh OS before you install any antimalware/antivirus in your PC/Laptop.

You can use Kaspersky Total security I used this for many years and I never experienced any issue(Virus/malware) on my Laptop.


Do you have a transaction ID from Kraken? I just want to know because Kraken is a scam exchange so there's a possibility that the transaction is double spent, you received but it sent to other wallets?

Can you put your Bitcoin address here and the transaction made from Kraken to your wallet?

[hosseinimr93]

Do you have a transaction ID from Kraken? I just want to know because Kraken is a scam exchange so there's a possibility that the transaction is double spent, you received but it sent to other wallets?

Can you put your Bitcoin address here and the transaction made from Kraken to your wallet?

That's not the case.
The OP has already posted the ID of the transaction made from his/her wallet to a hacker.
https://www.blockchain.com/btc/tx/46312bb744778e6d207224d763289715498c1b197af201b625efb653ccfff6ac

So, the following transaction should be the transaction sent from Kraken to his/her personal wallet.
https://www.blockchain.com/btc/tx/c03d97a77eff0c81ec7f7b3d6b77690c5f3e5565d6b138252271b2f068f9507e

Also, according to following topics, the address which the fund has been sent to belongs to a hacker.
Unverified transaction fron Electrum wallet
Bitpay wallet hacked - what went wrong?

[randomkindness]

any suggestions as to what to do about a compromised computer? good antimalware software?

Did this happen on your computer (windows?) or your mobile?
This address has been mentioned at least 2 times already where people lost their funds. Both times this was on a mobile phone.

The first thing would be to find out whether you have installed a malicious version of electrum or whether your PC is compromised.
Did you install it or did you use the standalone executable?

If you used the standalone executable or still have the installer, you could verify the PGP signature.
If it is the signed one, electrum is legit and your device has been compromised in a different way. If it is not, it was a malicious electrum clone.

The safest way to remove any malware is to create a backup of your important data and reinstall your OS.
If this has "only" been caused by the malicious electrum version, you might be fine by simply removing it from your system (again: installed / standalone?). No guarantee tho.

i used the installer and still have the installed version. how can i look up the signature?

[BitMaxz]

~snip~

That's why I ask the address and the transaction ID from Kraken to his wallet to make sure that he owns the address from the transaction above.
And I'm pointing Kraken here which has many old scam issues and I think Kraken sent bitcoin to his address with a low transaction fee and send to his address and the Kraken make another transaction with a higher fee with the same input and sent it to another address(Hacker's address) so that the first transaction can be invalid. I just want to clarify everything to find the issue and give the right solution.

i used the installer and still have the installed version. how can i look up the signature?

You must download both the Electrum exe file and the .exe.asc file you can find the .exe.asc file on https://electrum.org/#download on the right side with a name "signature"

We have a guide here on the forum to verify the signature of the Electrum installer you can follow any guide below.

- How to verify Electrum (for Windows, Linux and Mac)
- How to Verify Your Electrum Wallet on Windows

[randomkindness]

@bitmax, transaction id from kraken to my wallet: c03d97a77eff0c81ec7f7b3d6b77690c5f3e5565d6b138252271b2f068f9507e

[DaveF]

You can also do a test to see if your machine has been compromised in some way.

NOTE THIS IS A POSITIVE ONLY TEST. IT CAN PROVE THAT YOUR MACHINE *HAS* MALWARE. IT DOES NOT PROVE IT DOES NOT HAVE MALWARE.

Log back into Kraken.

Open Electrum

Copy / paste your receiving address from Electrum into Kraken.

Now check to see if it matches what is displayed by Eelectrum if it does not then you have a clipboard hijacker.

If it does then do a search on the address, most addresses associated with frauds have been discussed online and if you see it then you are either have malware OR you have a compromised version of electrum.

Even if all is good, this does not mean that you are safe. As I said, you can only prove that you have a problem. If it all looks good, all that means is that you are not showing signs of the problem NOW.

-Dave

[hulla]

thanks for your responses. it's version 4.01. I downloaded it from electrum.org. Can that really be wrong?
It's over 1200 euro that is missing...

Yes, it is . The latest electrum wallet is 4.0.2 not 4.0.1

You can also do a test to see if your machine has been compromised in some way.

NOTE THIS IS A POSITIVE ONLY TEST. IT CAN PROVE THAT YOUR MACHINE *HAS* MALWARE. IT DOES NOT PROVE IT DOES NOT HAVE MALWARE.

Log back into Kraken.

Open Electrum

Copy / paste your receiving address from Electrum into Kraken.

Now check to see if it matches what is displayed by Eelectrum if it does not then you have a clipboard hijacker.

If it does then do a search on the address, most addresses associated with frauds have been discussed online and if you see it then you are either have malware OR you have a compromised version of electrum.

Even if all is good, this does not mean that you are safe. As I said, you can only prove that you have a problem. If it all looks good, all that means is that you are not showing signs of the problem NOW.

-Dave

It definitely not a clipboard hijacker attacks because the OP said he only send his BTC from kraken to his personal wallet which the tx ID shows the BTC was moved after kraken sent it to his personal wallet.
Is either OP computer is compromised or the wallet but if it the wallet and I dont think OP downloaded the wallet on electrum.org.

[DaveF]

It definitely not a clipboard hijacker attacks because the OP said he only send his BTC from kraken to his personal wallet which the tx ID shows the BTC was moved after kraken sent it to his personal wallet.

Sorry, I totally missed that part, I was reading & posting from a phone.
But 4.0.1 was released on the 3rd, 4.0.2 was released yesterday / today depending on your time zone so the OP having 4.0.1 is a valid possibility.

-Dave

[HCP]

i used the installer and still have the installed version. how can i look up the signature?

You said you had 4.0.1, so you will need to look for the version of the installer that you used here: https://download.electrum.org/4.0.1/

Then download the matching .asc file... so if you used the installer named "electrum-4.0.1-setup.exe", you would need to download "electrum-4.0.1-setup.exe.asc". Then follow the directions  for your OS here: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/