Bitcoin Forum
Author Topic: ELECTRUM WALLET HACKED  (Read 138 times)
ElectrumHACKED (OP)
December 17, 2020, 02:03:45 PM
 #1

Guys, please help:

On the 30th of November my electrum wallet was hacked:

Tx ID: 89abc9415125c304773b68bad4dd37456b2f459d035a73c19eea722ab78acc0b

No one knew the seeds, no one got access to my computer.

It seems many other addresses were ''scrapped'', but my seeds were extended.

Question, how should I proceed? Can anyone help me figure out the hackers addresses?
I'd like to finally, recover the funds if the hackers are stupid enough to sell them on exchanges.

Ps. It was 0.91 Bitcoin, not a very large sum, but I'm willing to share the funds if recovered!
BitcoinGirl.Club
December 17, 2020, 02:06:46 PM
 #2

18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S
Is this your address? The funds are on this address. If it's not your address, then possibly this is the hacker's address.


You need to tell the full story. However, there is nothing that can be done, I believe, since the funds are confirmed. The only way is if he moves them into a KYC-verified exchange and the exchange can freeze the funds.

Edit:
I guess your computer was infected with malware. When you copied and pasted the address you wanted to send some coins to, this malware changed your sending address and replaced it with the hacker's address. Is this what you went through by any chance?

ElectrumHACKED (OP)
December 17, 2020, 02:15:31 PM
 #3

> 18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S
> Is this your address? The funds are on this address. If it's not your address, then possibly this is the hacker's address.
>
> You need to tell the full story. However, there is nothing that can be done, I believe, since the funds are confirmed. The only way is if he moves them into a KYC-verified exchange and the exchange can freeze the funds.
>
> Edit:
> I guess your computer was infected with malware. When you copied and pasted the address you wanted to send some coins to, this malware changed your sending address and replaced it with the hacker's address. Is this what you went through by any chance?


- That's what I'm hoping, that the hackers attempt to sell them on a KYC exchange.

- I never attempted to transfer out, it was a holding address only.

BitcoinGirl.Club
December 17, 2020, 02:24:47 PM
 #4

> - That's what I'm hoping, that the hackers attempt to sell them on a KYC exchange.
I have no idea how to make the exchanges aware so that they can concentrate on this address.

There is a site called bitcoinwhoswho; the best you can do is to list that address on sites like this and alert the community.


> - I never attempted to transfer out, it was a holding address only.
There must be some error or mistake on your side. Somehow the seeds were compromised without your knowledge, or there is no way for anyone to target the address and run a program to find your keys.

Edit:
There is no need to create the same topic in more than one board
https://bitcointalk.org/index.php?topic=5300864.0

You can easily move this topic to any section you want.

ElectrumHACKED (OP)
December 17, 2020, 02:33:09 PM
 #5

> > - That's what I'm hoping, that the hackers attempt to sell them on a KYC exchange.
> I have no idea how to make the exchanges aware so that they can concentrate on this address.
>
> There is a site called bitcoinwhoswho; the best you can do is to list that address on sites like this and alert the community.
>
> > - I never attempted to transfer out, it was a holding address only.
> There must be some error or mistake on your side. Somehow the seeds were compromised without your knowledge, or there is no way for anyone to target the address and run a program to find your keys.
>
> Edit:
> There is no need to create the same topic in more than one board
> https://bitcointalk.org/index.php?topic=5300864.0
>
> You can easily move this topic to any section you want.


I don't know what to do or where to post it, sorry I'll move it on the most appropriate.

Literally, the only computer which got the wallet has never been exposed on internet, I have no idea how could they do it, but they did.

The receiving address, after mixing is this: bc1qx65xcxz6dfsge2g4eaerercslh83y66wrpm79r
Seems an exchange
BitcoinGirl.Club
December 17, 2020, 02:53:34 PM
 #6

> The receiving address, after mixing is this: bc1qx65xcxz6dfsge2g4eaerercslh83y66wrpm79r
> Seems an exchange
The hacker obviously used a mixer to hide his trace, but I am curious how you would know that the quoted address was the output address of the mixer?

I do not have much analytical knowledge to understand a move unless there is an easy open tool.

Easteregg69
December 17, 2020, 02:59:02 PM
 #7

Mark this one and find the thief.

Who uses mixers for laundry? A place to start.

Throw some "shit" and see what sticks.
mocacinno
December 17, 2020, 03:04:17 PM
 #8

> > The receiving address, after mixing is this: bc1qx65xcxz6dfsge2g4eaerercslh83y66wrpm79r
> > Seems an exchange
> The hacker obviously used a mixer to hide his trace, but I am curious how you would know that the quoted address was the output address of the mixer?
>
> I do not have much analytical knowledge to understand a move unless there is an easy open tool.

If the hacker used a mixer, there is no way to know what his receiving address is. That's the point of a mixer...

The only thing I see is this transaction: 89abc9415125c304773b68bad4dd37456b2f459d035a73c19eea722ab78acc0b
It uses 3 unspent outputs to fund address: 18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S
https://www.kycp.org/#/89abc9415125c304773b68bad4dd37456b2f459d035a73c19eea722ab78acc0b

Afterwards, the unspent output funding address 18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S is spent funding 2 addresses:
bc1ql72syjwvm4m9lwajpaylaxvj9lxc2tzn706ruj (value 0.1)
1KgiSi5wrVYumSskG3GPaaE2MSRdFKyzj7 (value 0.81399400)

The first address is funded with a round amount... This might be because of a self transfer, or a transfer to an exchange...
bc1ql72syjwvm4m9lwajpaylaxvj9lxc2tzn706ruj belongs to a huge wallet: https://www.walletexplorer.com/wallet/000003e028959c0b
So it's probably some sort of active service or exchange...

If the thief's first transaction went to a mixer's deposit address (18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S), the rest of the trace might belong to somebody completely different... That's how mixers work.

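The hop-by-hop reading of the transaction graph in the post above, as an added example that is not part of the original thread or any poster's code: a breadth-first walk that flags round-amount outputs and stops at addresses attributed to a shared service wallet, since hops past that point no longer describe the sender. The graph is constructed from the addresses and values quoted in the post; the 0.01 BTC round-amount step, the `SERVICES` label text and all function names are assumptions.

```python
from collections import deque
from decimal import Decimal

SAT = Decimal("100000000")  # satoshis per BTC

# Constructed sample graph: address -> outputs of the transaction spending it.
# Addresses and values are the ones quoted in the post; nothing is fetched.
SPENDS = {
    "18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S": [
        ("bc1ql72syjwvm4m9lwajpaylaxvj9lxc2tzn706ruj", Decimal("0.1")),
        ("1KgiSi5wrVYumSskG3GPaaE2MSRdFKyzj7", Decimal("0.81399400")),
    ],
}
# Addresses attributed to a large clustered wallet (the walletexplorer wallet
# linked in the post). The label text is an assumption for this example.
SERVICES = {"bc1ql72syjwvm4m9lwajpaylaxvj9lxc2tzn706ruj": "wallet 000003e028959c0b"}


def is_round(btc, step_sat=1_000_000):
    """Heuristic: amount is a multiple of 0.01 BTC (the step is an assumption)."""
    return int(btc * SAT) % step_sat == 0


def trace(start, spends=SPENDS, services=SERVICES, max_hops=5):
    """Breadth-first walk of spends from `start`, stopping at service wallets."""
    findings, seen, queue = [], {start}, deque([(start, 0)])
    while queue:
        addr, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for dest, value in spends.get(addr, []):
            service = services.get(dest)
            findings.append({
                "hop": hop + 1, "from": addr, "to": dest, "btc": value,
                "round_amount": is_round(value), "service": service,
                # Inside a shared service wallet coins are pooled with other
                # users' funds, so later hops say nothing about the sender.
                "follow": service is None,
            })
            if service is None and dest not in seen:
                seen.add(dest)
                queue.append((dest, hop + 1))
    return findings


if __name__ == "__main__":
    for finding in trace("18Y8B6CJFEMS93zgSPycySNkBNbFwhvE2S"):
        print(finding)
```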
TryNinja
December 17, 2020, 03:11:02 PM
 #9

Try to keep the discussion going on a single topic. Otherwise, it becomes a mess with people repeating the same thing over and over again.

Anyways:
edit 2: The hacker may have sent your coins to Kucoin. Try to contact them? https://vivigle.com/BitWallet/wallet?address=bc1qx65xcxz6dfsge2g4eaerercslh83y66wrpm79r

Lucius
December 17, 2020, 03:11:17 PM
 #10

~snip~

ElectrumHACKED, did you update Electrum before the hack, or did you do anything else with the wallet? If no one has access to the seed and the computer, the hack still had to happen somehow - my guess is that you downloaded a fake Electrum wallet, or you have some nasty trojan on the computer (remote access trojan).
You can track your funds and contact any exchange that comes to your mind, but unfortunately the hacker is a lot of steps ahead of you given how much time has passed.

Not that I want to kill your hope, but after a month and a half, going looking for a thief who may have used a mixer is an almost impossible mission.

NotATether
December 17, 2020, 04:48:59 PM
 #11

Was the seed phrase leaked at any point of the wallet's lifetime? If so then they must have brute-forced the extended words too. It's the only likely possibility I can think of.

Did you generate the seed phrase from Electrum or did you generate one from a website? Perhaps the website was compromised or malicious, and in case you didn't also get extended words from there as well, then they were probably brute-forced as I wrote above.

bob123
December 17, 2020, 09:04:56 PM
 #12

> No one knew the seeds, no one got access to my computer.

Then the last option would be that you sent the funds yourself.

If this is not the case, then someone actually knew your mnemonic code, seed or private key. Or someone had access to your computer.
If your OS is Windows 7, for example, that's already a strong indication of what happened.



> Question, how should I proceed?

You should find out how that happened.
If your machine is compromised, more of your data is at risk (e.g. accounts, passwords, mail addresses, etc.).

Did you download any new software in the few days/weeks before 30.10? Did you open your wallet before your BTC got stolen?
