Bitcoin Forum
Topic: Received Bitcoins were instantly gone (Read 343 times)
AlwaysTheTeddy (OP)
September 14, 2022, 06:30:34 PM
 #1

Hey, I'm kind of a noob in Bitcoin in general, so please bear with me.
I sent some bitcoin to my Electrum wallet. As soon as they appeared in there as unconfirmed, there appeared a second payment order. That payment order was for that exact amount (it was empty before) and it sent the coins I just received to god knows where. Now both are fully confirmed and I kinda don't know what to do.
Anyone got some advice?
stompix
September 14, 2022, 06:42:32 PM
 #2

Was that wallet freshly installed or have you used it before? If the first case, where did you download it from?

AlwaysTheTeddy (OP)
September 14, 2022, 06:50:01 PM
 #3

Was not the first time, had it for a long time
LoyceV
September 14, 2022, 07:38:05 PM
 #4

It sounds like your wallet got compromised. Maybe someone got your seed phrase, maybe you have malware, or maybe the version of Electrum you downloaded is the malware.
I wouldn't trust anything on your computer anymore. To be safe: disconnect the internet, back up your data, wipe your computer, and reinstall it.
Then, don't use that Electrum wallet anymore. Create a fresh one, or better, get a hardware wallet and keep your seed phrase offline.

wd1
September 14, 2022, 07:40:46 PM
 #5

I hope it wasn't a lot. Please get a hardware wallet and store your seed phrase offline if you are dealing with any kind of significant funds.
hosseinimr93
September 14, 2022, 08:06:00 PM
Last edit: September 14, 2022, 08:28:12 PM by hosseinimr93
 #6

Quote from: AlwaysTheTeddy
Now both are fully confirmed and I kinda don't know what to do.

There's nothing you can do. Bitcoin transactions are irreversible.
The only thing you can do now is to avoid sending any more funds to your wallet and, as mentioned above, format your computer and install a fresh operating system.

Take note that if you want to be completely secure in the future, you should install Electrum on an air-gapped device.
If you can't do that for any reason, it's recommended to use a hardware wallet.

Marvelman
September 14, 2022, 10:52:23 PM
 #7

Quote from: AlwaysTheTeddy
Was not the first time, had it for a long time

You are probably no longer the sole owner of that wallet, i.e. someone else has access to your private key or seed phrase. Did you share your private key with someone or did someone else create that wallet for you? Whatever the case, consider that wallet compromised and you have no way to get your coins back unless you know the perpetrator.

BitMaxz
September 14, 2022, 11:47:24 PM
 #8

Quote from: AlwaysTheTeddy
Was not the first time, had it for a long time

How long? If the wallet was created with an Electrum version below 3.4.4 and it's currently installed on your device or PC, then it will give you a notice to download the latest version with a link. If you updated it using the link, it will lead you to a phishing site, and if you then downloaded and installed it on your device/PC, your wallet is already compromised.

Electrum.org removed the warning, but a few months ago you could see the warning below on their website.

Code:
Warning: Electrum versions older than 3.3.4 are susceptible to phishing. Do not download Electrum from another source than electrum.org, and learn to verify GPG signatures.

So before you install or update Electrum, make sure you always verify it so that you have the original Electrum installer. There were many people who suffered from this a year ago, so be careful with any phishing sites.

About your current case: if the transaction is still unconfirmed, I think you can double spend the transaction and transfer it to your new wallet.
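
The signature check recommended in the post above, sketched as an added example that is not part of the original thread or of Electrum: a "good signature" from gpg only proves that some key in the local keyring signed the file, so the check pins the expected signer's fingerprint. The fingerprint, file paths and sample status lines are placeholders constructed for illustration.

```python
import subprocess

# Placeholder, NOT a real key: obtain the release-signing fingerprint from a
# source you trust independently of the page the installer came from.
PINNED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed `gpg --status-fd` output: same "good signature", different signers.
STATUS_PINNED_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer (constructed)\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2022-09-14 "
    "1663113600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
STATUS_UNKNOWN_KEY = STATUS_PINNED_KEY.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98")

def parse_status(status_text):
    """Return (good, failed): primary-key fingerprints that produced a valid
    signature, and whether any signature was bad, expired-key or revoked-key."""
    good, failed = set(), False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # The last VALIDSIG argument is the primary-key fingerprint; the
            # first is the (sub)key that signed. Fall back to it on short lines.
            good.add((fields[11] if len(fields) >= 12 else fields[2]).upper())
        elif fields[1] in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            failed = True
    return good, failed

def signed_by_pinned_key(status_text, pinned=PINNED_FPRS):
    """True only if a pinned key made a valid signature and none failed."""
    good, failed = parse_status(status_text)
    return not failed and bool(good & pinned)

def verify_installer(sig_path, installer_path):
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, installer_path],
        capture_output=True, text=True)
    return signed_by_pinned_key(proc.stdout)
```

An installer from a phishing site can ship with its own key and signature, which is the `STATUS_UNKNOWN_KEY` case: gpg reports a valid signature, and only the fingerprint comparison rejects it.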

hosseinimr93
September 15, 2022, 06:28:02 AM
Merited by BitMaxz (1)
 #9

Quote from: BitMaxz
About your current case: if the transaction is still unconfirmed, I think you can double spend the transaction and transfer it to your new wallet.

Since OP made this topic, the mempool has been emptied several times. Therefore, even if the transaction in question has been made with the fee rate of 1 sat/vbyte, it has been surely confirmed and there is no way to double spend it.
Also, it was mentioned in the OP that both transactions (the one made by OP and the one made by the hacker/thief) have been confirmed.

LoyceV
September 15, 2022, 07:17:39 AM
 #10

Quote from: BitMaxz
About your current case if the transaction is still unconfirmed

See:

Quote from: AlwaysTheTeddy
both are fully confirmed

DireWolfM14
September 15, 2022, 02:59:02 PM
 #11

Quote from: AlwaysTheTeddy
I sent some bitcoin to my Electrum wallet. As soon as they appeared in there as unconfirmed, there appeared a second payment order. That payment order was for that exact amount (it was empty before) and it sent the coins I just received to god knows where. Now both are fully confirmed and I kinda don't know what to do.

This sounds a lot like the behavior of that malicious version of Electrum that plagued the community around the end of 2018.  Do you remember from where you downloaded Electrum?  I'm not going to ask you to disclose any information you want to keep private, but I'm curious if you would be willing to share the address to where your coins were sent?  No big deal if not, if my suspicion is accurate, the coins probably just moved from there to a mixing service, anyway.

I also encourage you to heed LoyceV's warnings and advice; back up what you need from the device, then purge the OS and reinstall it.  I also suggest that you read this post before installing Electrum again.

[GUIDE] How to Safely Download and Verify Electrum [Guide]

NeuroticFish
September 15, 2022, 03:07:21 PM
 #12

As all have said, the wallet is compromised. Maybe your OS too.
This means that you should no longer use any address of that wallet, this means that you should create safely (fresh OS, maybe hardware wallet) a completely new wallet.

I think that the rest was covered by the previous posts.

AlwaysTheTeddy (OP)
September 15, 2022, 03:13:41 PM
Merited by LoyceV (4), DireWolfM14 (1)
 #13

Okay so to answer all the questions

No it was not a lot thankfully

I have used that wallet for a long time now and it always worked like normal. In all that time I didn't update it from my original version (3.3.8).

The original setup was the Electrum 3.3.8 from the real electrum.org. After this incident I updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again, this was AFTER everything I described happened. Thought maybe it would be there like normal on a new version lol

No, I created the wallet myself and never shared it with anyone. Kinda guess that means my whole system is compromised, right? Because how would anyone have access without that.

@DireWolfM14 It was sent to this address: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Don't know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Wallet's fucked anyways

And thanks for all the help guys, appreciate it
DireWolfM14
September 15, 2022, 03:27:21 PM
 #14

Quote from: AlwaysTheTeddy
It was sent to this address: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Don't know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00

The only danger in sharing the information above is breaching your privacy, no security risks exist.

But I did notice a clue that tells me you got scammed somehow; the fee rate that was applied to the outbound transaction:

227 sats per v-Byte is a huge overpayment on fees.  It's a typical tactic used by scammer scripts that force huge fees to make sure the scam transaction gets confirmed in the next block, and prevents the victim from double spending the transaction in an attempt to thwart the theft.

I also see that you've used the same address as recently as last month with no ill effects.  That makes me think that something on your system must have changed after August 21.  Do you recall installing any new software, or making some adjustments to your OS in the past few weeks?

AlwaysTheTeddy (OP)
September 15, 2022, 04:27:05 PM
 #15

In that timeframe I downloaded a single PDF file about some unrelated stuff.

Didn't really go on any dodgy websites or open any e-mails.

Kinda weird, I don't know how I could've been compromised.

Unrelated because it happened after the incident, but I downloaded the new Electrum update from the original electrum.org
DaveF
September 15, 2022, 06:17:51 PM
 #16

Quote from: AlwaysTheTeddy
In that timeframe I downloaded a single PDF file about some unrelated stuff.

Didn't really go on any dodgy websites or open any e-mails.

Kinda weird, I don't know how I could've been compromised.

Unrelated because it happened after the incident, but I downloaded the new Electrum update from the original electrum.org

Sadly, something could have been sitting dormant for months before they decided to take your BTC.

If your wallet was compromised a while ago, they probably had a bot sitting there monitoring transactions, waiting for one above a certain amount to be sent to you. If that big transaction did not come after a certain amount of time, they just grab whatever comes in and move on.

-Dave

Marvelman
September 15, 2022, 07:06:04 PM
Merited by DaveF (1), nc50lc (1)
 #17

Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation. I still think that someone made a manual transaction after receiving notification about the incoming transaction. The OP may have some spyware on his/her computer, or the private key (seed phrase) was leaked in some other way. But of course, it is impossible to know for sure.

GxSTxV
September 15, 2022, 07:17:55 PM
 #18

Quote from: AlwaysTheTeddy
Okay so to answer all the questions

No it was not a lot thankfully

I have used that wallet for a long time now and it always worked like normal. In all that time I didn't update it from my original version (3.3.8).

The original setup was the Electrum 3.3.8 from the real electrum.org. After this incident I updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again, this was AFTER everything I described happened. Thought maybe it would be there like normal on a new version lol

No, I created the wallet myself and never shared it with anyone. Kinda guess that means my whole system is compromised, right? Because how would anyone have access without that.

@DireWolfM14 It was sent to this address: bc1qzwmd424kpgdl6n57fe8cxlre9v3e2jwzcgxl53
Don't know if this is safe to share: https://blockstream.info/tx/1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
Wallet's fucked anyways

And thanks for all the help guys, appreciate it

You received the amount on your wallet, then after 10 minutes that amount was sent again to that address you mentioned. I can't say if your wallet is infected by something like the honeypot bots that keep withdrawing any money received in a honeypot wallet. But to be sure, now that the bitcoin is gone forever, I suggest that you clean your computer and change the wallet you are using.

These are the transactions from your wallet: https://www.blockchain.com/btc/address/bc1qwqrkxuq89fnka9lxn4c6d35s5v7aps72cr94xr

DireWolfM14
September 15, 2022, 07:33:35 PM
Merited by NeuroticFish (1), Marvelman (1)
 #19

Quote from: Marvelman
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation. I still think that someone made a manual transaction after receiving notification about the incoming transaction. The OP may have some spyware on his/her computer, or the private key (seed phrase) was leaked in some other way. But of course, it is impossible to know for sure.

What makes you think it took ten minutes for the scam transaction to be initiated?  To me it looks like it was generated instantly after the OP's wallet received the Tx.



I checked three different block explorers and they all show the two transactions with identical timestamps.

NeuroticFish
September 15, 2022, 09:50:11 PM
Merited by Marvelman (1)
 #20

Quote from: Marvelman
Not sure if the script is the culprit here. The outgoing transaction is 10 minutes after the incoming one. Scripts are usually activated immediately after the first confirmation.

Sorry, but you're wrong. The two transactions:
Code:
ddcfe5fd98cf4418c926b0d9b61b8fdcc85f0034614b3c1a5530a7c821b357ab
1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00
were both mined/included in the same block (754092). You can look that up on mempool.space. No 10 min difference.

Of course, then, they both have the same timestamp, as DireWolfM14 said.
And this is usually automatic.

Still, a manually made transaction should not be ruled out, since one could have been notified when the tx was sent and not at the moment of getting confirmed, allowing (giving time) somebody to spend the unconfirmed input (I expect the scripts work exactly the same, just faster), which will have the same result: both tx in the same block.
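
The triage checks discussed in posts #14 and #20 (outbound fee rate, spending the just-received output, both transactions in one block), written out as an added example that is not part of the original thread. The two txids, the block height and the 227 sat/vB rate come from the posts; the amounts, vsize, output index, baseline fee rate and the 10x threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Tx:
    txid: str
    block_height: Optional[int]        # None while unconfirmed
    spends: List[Tuple[str, int]]      # (previous txid, output index) pairs
    input_sats: int
    output_sats: int
    vsize: int                         # virtual bytes

    @property
    def fee_rate(self) -> float:
        """Fee rate in sat/vB."""
        return (self.input_sats - self.output_sats) / self.vsize

def sweep_indicators(incoming, received_sats, outgoing, baseline_rate, factor=10):
    """Compare a deposit with the spend that followed it."""
    checks = {
        # Spends an output of the deposit itself, possibly while unconfirmed.
        "spends_deposit": any(prev == incoming.txid for prev, _ in outgoing.spends),
        # Both mined together: the spend was broadcast before the deposit confirmed.
        "same_block": incoming.block_height is not None
                      and incoming.block_height == outgoing.block_height,
        # Moves exactly what just arrived (the wallet was empty before).
        "drains_deposit": outgoing.input_sats == received_sats,
        # Pays far above the going rate to get into the next block.
        "fee_overpaid": outgoing.fee_rate >= factor * baseline_rate,
    }
    checks["matches_sweep_pattern"] = all(checks.values())
    return checks

# Txids and block height are the ones quoted in post #20; amounts, vsize,
# output index and the previous-output reference are constructed.
DEPOSIT = Tx("ddcfe5fd98cf4418c926b0d9b61b8fdcc85f0034614b3c1a5530a7c821b357ab",
             754092, [("00" * 32, 0)], 600_000, 599_000, 141)
SPEND = Tx("1d7e75d00847a550983185c6cd3ceb011f5ad5daefd81f62f38fef061482ff00",
           754092, [(DEPOSIT.txid, 0)], 500_000, 475_030, 110)
# Constructed contrast: an ordinary spend, confirmed later at a normal fee.
LATER_SPEND = Tx("ab" * 32, 754200, [(DEPOSIT.txid, 0)], 500_000, 499_450, 110)
```

The pattern matching says nothing about whether a script or a person made the spend; as post #20 notes, both lead to the same on-chain result.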
