Bitcoin Forum
Author Topic: Bitcoins stolen from Electrum wallet  (Read 340 times)
qbits (OP)
July 08, 2020, 06:21:36 PM
 #1

Regrettably, I have discovered today that my bitcoins were stolen. I had them in Electrum wallet for years with no problem.
I'm not sure how, as I did not use the wallet for 6 months and funds have disappeared about a month ago.

Some made it to the Huobi exchange... and yes I've tried contacting them.
What else should I do? Does posting my wallet addresses here help?
hatshepsut93
July 08, 2020, 08:51:35 PM
 #2

You can try posting the addresses or reporting it to the police, but there's practically no chance that your coins will be returned.

What you need to do now is to analyze how your coins were stolen, so that it won't happen again in the future. Did you store your seed in your email, cloud storage or your computer? Could your coins have been physically compromised, i.e. someone physically stole/copied your seed? Did you use some unsecure wallet generation method, like picking the seed words manually? Do you use a cold storage setup, or did you access your wallet from a live machine? Is the password on your wallet file strong?

LeGaulois
July 08, 2020, 08:55:03 PM
 #3

Nothing you can do, transactions are irreversible. You will be considered extraordinarily lucky if Huobi blocks the coins and gives them back to you.
Don't waste your time with the police, they will hardly be able to do something, not even to understand a transaction.

The most important thing now is to check your machine for a vulnerability (virus, malware,...) and to try to understand what could have happened to you and how you could have been robbed...

If it has been done with a malicious Electrum update, malware, or something else.

HCP
July 08, 2020, 11:30:26 PM
 #4

Regrettably, I have discovered today that my bitcoins were stolen. I had them in Electrum wallet for years with no problem.
I'm not sure how, as I did not use the wallet for 6 months and funds have disappeared about a month ago.
What version of Electrum were you using? And did you ever do the digital signature verification when you installed it? Huh

qbits (OP)
July 09, 2020, 07:18:10 AM
 #5

What version of Electrum were you using? And did you ever do the digital signature verification when you installed it? Huh

3.3.8, last time I used it before yesterday's discovery was in February, download was from osx app store
qbits (OP)
July 09, 2020, 07:22:49 AM
 #6

You can try posting the addresses or reporting it to the police, but there's practically no chance that your coins will be returned.

What you need to do now is to analyze how your coins were stolen, so that it won't happen again in the future.
- have no clue how

 Did you store your seed in your email, cloud storage or your computer?
- no, only on my personal file server on private network since 2013

Could your coins have been physically compromised, i.e. someone physically stole/copied your seed?
- have no idea, one wallet is safe, only default_wallet is compromised

Did you use some unsecure wallet generation method, like picking the seed words manually?
- no

 Do you use a cold storage setup, or did you access your wallet from a live machine?
- live machine

 Is the password on your wallet file strong?
- yes


NeuroticFish
July 09, 2020, 07:40:05 AM
 #7

so that it won't happen again in the future.

From the things you've posted, keeping the seed in electronic format can be a weak point, I have no other clue. Or maybe somebody stole directly from your phone or your phone's files.

But one idea to prevent this for the future would be a hardware wallet. You generate safely a new seed in the wallet, you send the coins there, keep the seed only on paper (multiple copies) and you are good.

bob123
July 09, 2020, 08:08:01 AM
 #8

To me it seems that there are 2 likely scenarios:

1) Your mobile is compromised. This is quite unlikely because you said you have 2 wallet files stored there but only 1 got compromised.
Further your wallet was password protected and since you didn't open it for 5 months it is quite odd that it got emptied 1 month ago.

2) Your mnemonic code somehow got exposed. That's what I would guess. You stored your mnemonic on a file server. Is there a (any) route from your file server to the internet? If yes, then most likely your file server somehow got compromised.

Number 2) would be my guess. What kind of software is running on your file server, which version? How is it running inside of your network (old PC, etc..)? Do you have a firewall set up?

hatshepsut93
July 09, 2020, 07:26:43 PM
 #9

What you need to do now is to analyze how your coins were stolen, so that it won't happen again in the future.
- have no clue how

 Did you store your seed in your email, cloud storage or your computer?
- no, only on my personal file server on private network since 2013

Could your coins have been physically compromised, i.e. someone physically stole/copied your seed?
- have no idea, one wallet is safe, only default_wallet is compromised

Did you use some unsecure wallet generation method, like picking the seed words manually?
- no

 Do you use a cold storage setup, or did you access your wallet from a live machine?
- live machine

 Is the password on your wallet file strong?
- yes

If there's a 5 month gap between last time you accessed coins and the theft, it might mean that some malware stole your wallet file and bruteforced your password. You might want to move the coins from your other wallet to a freshly created one in an isolated environment.

Your story is pretty strange, but I've seen similar stories before, and it's usually discovered that a seed or wallet file was stored insecurely and a malware incident or online hacking took place.

qbits (OP)
July 09, 2020, 08:48:38 PM
 #10

To me it seems that there are 2 likely scenarios:

1) Your mobile is compromised. This is quite unlikely because you said you have 2 wallet files stored there but only 1 got compromised.
Further your wallet was password protected and since you didn't open it for 5 months it is quite odd that it got emptied 1 month ago.

2) Your mnemonic code somehow got exposed. That's what I would guess. You stored your mnemonic on a file server. Is there a (any) route from your file server to the internet? If yes, then most likely your file server somehow got compromised.

Number 2) would be my guess. What kind of software is running on your file server, which version? How is it running inside of your network (old PC, etc..)? Do you have a firewall set up?

File server is a QNAP server and yes, about a month ago I had to upgrade firmware on it, however I doubt this would be the cause.
Firewall, yes, it is there but I doubt it is of much help if the exposure came from a malware or something like that as computers do have to have access to file server files...
qbits (OP)
July 09, 2020, 08:51:07 PM
 #11

What you need to do now is to analyze how your coins were stolen, so that it won't happen again in the future.
- have no clue how

 Did you store your seed in your email, cloud storage or your computer?
- no, only on my personal file server on private network since 2013

Could your coins have been physically compromised, i.e. someone physically stole/copied your seed?
- have no idea, one wallet is safe, only default_wallet is compromised

Did you use some unsecure wallet generation method, like picking the seed words manually?
- no

 Do you use a cold storage setup, or did you access your wallet from a live machine?
- live machine

 Is the password on your wallet file strong?
- yes

If there's a 5 month gap between last time you accessed coins and the theft, it might mean that some malware stole your wallet file and bruteforced your password. You might want to move the coins from your other wallet to a freshly created one in an isolated environment.

Your story is pretty strange, but I've seen similar stories before, and it's usually discovered that a seed or wallet file was stored insecurely and a malware incident or online hacking took place.

Can a wallet be bruteforced? How long would it take for an 8 char (small+caps+digits)? Quite some time I would assume.
joniboini
July 10, 2020, 06:08:30 AM
 #12

Can a wallet be bruteforced? How long would it take for an 8 char (small+caps+digits)? Quite some time I would assume.

It would depend on what machine the hacker uses and the entropy of your password. You can try some tools to predict how long it would take to crack your password such as https://tmedweb.tulane.edu/content_open/bfcalc.php.

Pmalek
July 10, 2020, 03:30:57 PM
 #13

Unfortunately, there is very little you can do in terms of getting your Bitcoin back. What you should do now is change the way you handle sensitive information to prevent similar incidents in the future.

- Don't save your seed on your computer, file server, or any other digital media. Write it down by hand on a piece of paper and keep it safe.
- If for some reason you absolutely must save it on a computer (there shouldn't be one, but just in case), at least make sure it is password protected and/or encrypted.

I hope your bad experience won't be a reason to turn your back on Bitcoin.

bob123
July 10, 2020, 07:20:47 PM
 #14

Can a wallet be bruteforced? How long would it take for an 8 char (small+caps+digits)? Quite some time I would assume.

Within ~5 months?  I would guess so, yes.
But this depends on the hardware the attacker is using and the efficiency.

I'd still believe that your file server has been somehow compromised.

HCP
July 11, 2020, 09:54:56 AM
 #15

3.3.8, last time I used it before yesterday's discovery was in February, download was from osx app store
OSX App Store? I wasn't aware that Electrum was available on the Mac App-Store...

The only legit location I know of is the download section at electrum.org (https://electrum.org/#download)

Is it possible you downloaded a fake version from the app store? Is it still listed on the OSX App Store? Can you provide a link? Huh

abuya55
July 12, 2020, 05:19:20 AM
 #16

The only thing you can do now is to analyze how this happened. Maybe you should buy a hardware wallet or create a paper wallet. 
Lucius
July 12, 2020, 11:23:19 AM
 #17

OSX App Store? I wasn't aware that Electrum was available on the Mac App-Store...

My search results confirm that the OSX App Store does not contain Electrum for download. But there's Electron Cash (BCH wallet), and something called Electrum Unity, but that has nothing to do with the crypto wallet. If the OP can confirm that he actually downloaded Electrum from there, it is possible that it was a fake wallet that was removed.

https://www.apple.com/us/search/electrum?src=globalnav

qbits (OP)
July 13, 2020, 06:42:01 AM
 #18

3.3.8, last time I used it before yesterday's discovery was in February, download was from osx app store
OSX App Store? I wasn't aware that Electrum was available on the Mac App-Store...

The only legit location I know of is the download section at electrum.org (https://electrum.org/#download)

Is it possible you downloaded a fake version from the app store? Is it still listed on the OSX App Store? Can you provide a link? Huh

I misspoke. I downloaded it using brew, which is kind of command line GNU store:

Code:
macbook:Downloads arijan$ brew cask list
blender        chromium       electrum       gimp           handbrake      inkscape       inssider       onyx           processing     scribus        vlc            xquartz
Lucius
July 14, 2020, 01:38:56 PM
 #19

I misspoke. I downloaded it using brew, which is kind of command line GNU store:

Brew definitely offers Electrum installation options, now the only question is whether anyone uses this method to distribute fake wallets. Since you did not make a signature verification and did not download the program from the official site, it seems that this is the reason why you were hacked. Of course it is possible that you took the wrong step elsewhere, but my bet would go in this direction.

Code:
https://brew.sh/
