Have I benn stolen?

[dga205]

Hi, I am new in bitcoin.
Today I opened Electrum to see mi bitcoins, and I see that there is a transaction of all my bitcoin to somewhere, and my balance now is 0
I have the last version of electrum with 2 factor authentication, how is it posible???

The transaction is https://blockstream.info/tx/3f57e4cced0899f6dd39d35323bcb38b0e737b1642b95d57222a03c543d11a74

[1714931740]

1714931740

[1714931740]

1714931740

[1714931740]

1714931740

[jackg]

You have 2 factor authentication via trusted coin (the mobile authenticator thing)? Yes?

Did you download from a phishing link thag was sent in an old version of electrum or did you use the electrum.org website? Was the old version of electrum you updated from (if you updated) below 3.3.5?

And did you just open the wallet and discover the coins were gone or did you do anything else too?

[dga205]

You have 2 factor authentication via trusted coin (the mobile authenticator thing)? Yes?

Did you download from a phishing link thag was sent in an old version of electrum or did you use the electrum.org website? Was the old version of electrum you updated from (if you updated) below 3.3.5?

And did you just open the wallet and discover the coins were gone or did you do anything else too?

Hi, yes, I have 2 factor authentication via trusted coin, using the mobile authenticator.
I have downloades the electrum from the official site electrum.org. I have installed electrum in a virtual machine with linux in an external hard drive.
I just open the wallet and coins where gone. The transacion was today 2 hous ago

[bob123]

Did you install any new software?

Also, if you had a 2FA wallet, can you confirm that you actually had to enter a 2FA code when sending a transaction?
Where is your mnemonic code (the 12 words) stored? Digitally? On a piece of paper?
Did you - at any time - enter your mnemonic code somewhere? Were you asked to enter your 2FA code at some point where you didn't initiate a transaction?

Unfortunately it really seems that you have been stolen.
Answering the questions above would help clearing up the situation.

[dga205]

Did you install any new software?

Also, if you had a 2FA wallet, can you confirm that you actually had to enter a 2FA code when sending a transaction?
Where is your mnemonic code (the 12 words) stored? Digitally? On a piece of paper?
Did you - at any time - enter your mnemonic code somewhere? Were you asked to enter your 2FA code at some point where you didn't initiate a transaction?

Unfortunately it really seems that you have been stolen.
Answering the questions above would help clearing up the situation.

I have installed electrum in linux, nothing else is insatlled.
I have never sended to anywhere, so, I have never entered the 2FA, and I was not asked to enter the 2FA
I used a password manager to store the mnemonic code, I have been using this password manager for years.

[AdolfinWolf]

Did you install any new software?

Also, if you had a 2FA wallet, can you confirm that you actually had to enter a 2FA code when sending a transaction?
Where is your mnemonic code (the 12 words) stored? Digitally? On a piece of paper?
Did you - at any time - enter your mnemonic code somewhere? Were you asked to enter your 2FA code at some point where you didn't initiate a transaction?

Unfortunately it really seems that you have been stolen.
Answering the questions above would help clearing up the situation.

I have installed electrum in linux, nothing else is insatlled.
I have never sended to anywhere, so, I have never entered the 2FA, and I was not asked to enter the 2FA
I used a password manager to store the mnemonic code, I have been using this password manager for years.

Assume that the password manager is compromised then, or the machine running the password manager.

Note: never store your mnemonics online. An attacker can bypass(?) 2FA on electrum if he knows your mnemonic phrase, which is most likely what happend here.

Without further details, I can't give you any advice other than to thoroughly check your system(s) for malware, and perhaps do a factory reset.

You have, unfortunately, most definitely irreversibly lost access to your bitcoins.

[bob123]

~snip~

Then there are 2 more questions:

• Where did you store your mnemonic code? Digital? Piece of paper? Where located?
• Did you verify the signature of electrum prior to installing/running it?

[dga205]

~snip~

Then there are 2 more questions:

• Where did you store your mnemonic code? Digital? Piece of paper? Where located?
• Did you verify the signature of electrum prior to installing/running it?

Hi.
I have stored the mnemonic code in a password mannager (https://pwsafe.org/) I have been using it for years and it is updated. I saved the encripted file in google drive.
I downloaded electrum from the oficial site, but I hav not verify it when installed. I have the file that I have downloaded and I just verify it.

gpg --verify Electrum-4.0.3.tar.gz.asc
gpg: asumiendo que los datos firmados están en 'Electrum-4.0.3.tar.gz'
gpg: Firmado el vie 11 sep 2020 13:05:35 -03
gpg:                usando RSA clave 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Firma correcta de "Thomas Voegtlin (https://electrum.org) <thomasv@electrum.org>" [desconocido]
gpg:                 alias "ThomasV <thomasv1@gmx.de>" [desconocido]
gpg:                 alias "Thomas Voegtlin <thomasv1@gmx.de>" [desconocido]
gpg: ATENCIÓN: ¡Esta clave no está certificada por una firma de confianza!
gpg:          No hay indicios de que la firma pertenezca al propietario.
Huellas dactilares de la clave primaria: 6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

[o_e_l_e_o]

-snip-

That signature checks out, so provided you have not opened your wallet with any other version of Electrum, then that is not the issue.

The most likely culprit based on what you have told us here is that you stored your seed phrase on Google drive. I'm not familiar with Google accounts as I have never used them, but they seem to provide a way to check all your recent logins: https://support.google.com/mail/answer/45938?hl=en. Are there any IP addresses on that list which you do not recognize?

[BitMaxz]

Hi.
I have stored the mnemonic code in a password mannager (https://pwsafe.org/) I have been using it for years and it is updated. I saved the encripted file in google drive.
I downloaded electrum from the oficial site, but I hav not verify it when installed. I have the file that I have downloaded and I just verify it.
~snip~

Take note the mnemonic code he talking about is the seed phrase backup it must be 12 words phrase that you can use for recovering your wallet.

What I think is that you might be using a different wallet and maybe you forgot that you created another wallet before in the same wallet?
If you have the 12 words seed backup you can make a new wallet and use that backup to recover your wallet.
Let's see if your wallet is different after you restored your backup seed.

[logfiles]

What I think is that you might be using a different wallet and maybe you forgot that you created another wallet before in the same wallet?
If you have the 12 words seed backup you can make a new wallet and use that backup to recover your wallet.
Let's see if your wallet is different after you restored your backup seed.

The transaction was sent out today (about 7 hours ago), probably a few minutes before or when OP was in the process of accessing his account. Something is not right but it very likely a thief somehow accessed his 12 word seed phrases especially with the bad practice of keeping it online.

[NotATether]

-snip-

That signature checks out, so provided you have not opened your wallet with any other version of Electrum, then that is not the issue.

The most likely culprit based on what you have told us here is that you stored your seed phrase on Google drive. I'm not familiar with Google accounts as I have never used them, but they seem to provide a way to check all your recent logins: https://support.google.com/mail/answer/45938?hl=en. Are there any IP addresses on that list which you do not recognize?

He mentioned that the file on Google Drive was encrypted.

Google sends you a security warning in a Gmail message about attempts to log in, and successful logins and gives you the IP address, country and browser the login was made from. If someone broke into OP's account the next thing they would do is change the password to lock OP out of their Google account, so something tells me they stole the mnemonic Pwsafe program he was using.

Maybe OP has malware on his computer that's written to take passwords from Pwsafe while it was opened or unlock, or it could even be rudimentary mnemonics-stealing clipboard malware like what some other people were hit with.

OP, you should run an anti-virus scan on your Windows to see if any malware is detected.

[o_e_l_e_o]

He mentioned that the file on Google Drive was encrypted.

Doesn't mean an attacker couldn't have gained access. Most people use passwords which are short, non-random, and easily bruteforced. A lot of people reuse passwords. If the password on his Google account is the same as the password on the password manager database, then the encryption achieves almost nothing.

Google sends you a security warning in a Gmail message about attempts to log in, and successful logins and gives you the IP address, country and browser the login was made from.

You get an email every time there is a login? Even if his password has been exposed in a database leak and the attacker therefore logged in successfully on the first attempt? And if someone accesses the account, nothing to stop them from deleting said emails.

If someone broke into OP's account the next thing they would do is change the password to lock OP out of their Google account

And alert OP that his account has been compromised? No, much better to change nothing except download a copy of the password manager database to bruteforce locally.

OP, you should run an anti-virus scan on your Windows to see if any malware is detected.

Agreed.

[NotATether]

Google sends you a security warning in a Gmail message about attempts to log in, and successful logins and gives you the IP address, country and browser the login was made from.

You get an email every time there is a login? Even if his password has been exposed in a database leak and the attacker therefore logged in successfully on the first attempt? And if someone accesses the account, nothing to stop them from deleting said emails.

I should've clarified, you only get an email when a new IP address logs in, not from an IP address you logged in with before. That would make excessive amounts of email otherwise.

[goinmerry]

The rat might be likely close to you. Do you have a person/s around you that have knowledge about the basic of sending bitcoin?

There is always a mandatory verification of new IP logs by default. And if that involved Google account you use on the web was also regularly login to your phone, there's a verification needed on that phone before anyone can log in to your account elsewhere.

So I think the rat uses the same IP as yours that's why it doesn't trigger the additional verification. Then maybe you have a saved draft of your important credentials in your email like the security you have applied on your Google drive.

There are also things you aren't aware that you did before. Have a full scan of your system right away.

[bob123]

Based on the information, the most probably scenario is that your windows installation is compromised.

Just because you have electrum installed on a linux virtual machine, it still is completely accessible from host system (in your case: windows).
While a compromised virtual machine means your host stays safe (if there is no sandbox vulnerability), this definitely is not the case when your host is compromised. A compromised host always means that your virtual machine automatically is compromised too.

I hope you didn't rely on the virtualization as a security measurement.

OP, you should run an anti-virus scan on your Windows to see if any malware is detected.

While an AV scan could definitely confirm an infection, in case of a negative result it can not guarantee that you aren't compromised.
So if it the result says there is no malware, do not blindly trust it.

It is still worth a try tho.


The other likely scenario i could imagine is that someone has access to either your computer or your google account / storage.

[starseeker]

To summarize:

Wallet - Electrum - Being used on VM with linux
Mnemonic - Stored on password manager && G Drive (encrypted)
Funds lost a few hours before OP accessing the wallet.

The points of failure that I can see are either your VM is rigged or Your password manager is compromised.

Kindly add any other details necessary.

[sheenshane]

If OP installed the right version from the official website of Electrum and using a password manager, there's no way that OP's account can be hacked.  AFAIK, a trusted password manager can be able to block the malware infection if there is and also can be detected by AV.  All stated above by the OP was to draw my assumption that someone who stole OP's computer that knows everything, I hope OP will clarify this since I'm just assuming that it is.

Keep your keys in the password manager isn't a good practice.  Because this isn't good to keep a valuable asset, the password manager is just software that can be compromised.  Possible all software could have a bug and easy to compromise.

Anyway, the scammer address where your Bitcoin sent was still there.

[dga205]

Hi.
thanks to everyone for reply.

I have remembered that I have installed electrum firts in Windows, I generated the seed in Windows, and when installed electrum in Linux, I have restored the wallet using the seed generated en Windows. I found that when reinstalled electrum in windows, the wallet where there.

About google account, now I changed the password and enable 2FA. May be the passfordsafe file was taken from the windows files system, and not from google drive.

I have scanned the pc with diferent AV, windows defender, malwarebyt, ccleaner, etc, and not virus were found.

 

[HCP]

Unless you explicitly put in your 2FA code somewhere (or someone has access to your 2FA device/phone), then the only logical explanation is that your 12 word seed mnemonic has been compromised. It is the only way for a thief to gain access to 2 of the 3 private keys needed to sign transactions from an Electrum 2FA wallet (aside from providing the transaction and 2fa code to TrustedCoin).

Even if they got the old wallet file from Windows, that file doesn't contain the full 2FA seed mnemonic, they would still need your 2FA device/code.

Either a keylogger on one of your devices has intercepted the seed during creation/restoration of your wallet, or someone has accessed the encrypted copy and managed to bruteforce the password. Was the password "simple"? How many characters and did it use lower/UPPER/numb3r5/symb@!s?

[o_e_l_e_o]

I have remembered that I have installed electrum firts in Windows, I generated the seed in Windows, and when installed electrum in Linux, I have restored the wallet using the seed generated en Windows.

With the additional information you have provided, we can say that this is now the most likely route of your seed phrase being compromised. As bob123 has said, running a VM does not necessarily protect the contents of the VM from malware or attacks on your host system. As soon as you have to type your seed in to any device with an internet connection, you should consider it compromised and move your funds to a new wallet.