Received Bitcoins were instantly gone

[Marvelman]

What makes you think it took ten minutes for the scam transaction to be initiated?  To me it looks like it was generated instantly after the OP's wallet received the Tx.

I checked three different block explorers and they all show the two transactions with identical timestamps.

Most interesting. I used the "stupid" blockchain.com explorer, and it shows a 10 minute difference (I wasn't paying attention to the block number at the time).


https://www.blockchain.com/btc/address/bc1qwqrkxuq89fnka9lxn4c6d35s5v7aps72cr94xr

But when I look at each transaction individually, I noticed that it says "Received Time 2022-09-14 19:20", and when I move my mouse over the text, a pop-up appears "Time this transaction was broadcast to the network, YYYY -MM-DD". It appears that blockchain.com explorer shows the transaction time when it was broadcast, and not when it was confirmed, so again it turns out that there is a 10 minute difference between these two transactions (unless I misunderstood something here).

[DireWolfM14]

~

That is quite interesting, because the OP also made it sound like it was instant;

I sent some bitcoin to my electrum wallet as soon as they appeared in there as unconfirmed there appeared a secound payment order.

I don't use blockchain, and haven't in a while.  What a shitshow their front page for the explorer has become.  Anyway, I used mempool.space, blockstream, and blockchair, (and a locally hosted mempool as well,) they all show the timestamp of both transactions as 17:30 UTC.

ETA; I just noticed that the Blockstream specifies the timespamp is indeed that of the block hash.  Blockchain must post the time the transaction was broadcast, but it's possible that it doesn't treat a  transaction with ab unconfirmed parent the same way.

[nc50lc]

No i created the wallet myself and never shared it with anyone, kinda guess that means my whole system is compromised right? because how would anyone have access without that.

The wallet file is the least of your concern as long as it's password protected (with a strong password).
What you might have stored/shared to a vulnerable environment are the seed phrase (12-words) or a backup - any of your private key, etc.

That said, are any of those stored online, cloud storage, on a device or paper that can easily be accessed?
If so, you should keep the seed phrase in a safe offline environment the next time you create an Electrum wallet. [e.g.: exclusively written on paper/steel plate in your vault(s)]

The original setup was the electrum 3.3.8 from the real electrum.org. After this incident i updated it (like someone mentioned that could be the problem) to the newest version with the link the update notification provided. Again this was AFTER everything i described happened. Thought maybe it would be there like normal on a new version lol

Since your initial setup is v3.3.8, you can rule-out the malicious server message to upgrade to a malware version.
The update notification that you received was most likely the in-app "update-check" notification, it'll open right after you launch Electrum, not after a transaction.

But you still can't rule out the possibility that you've downloaded the update from a fake source.
To mitigate that, you always have to verify Electrum before using/installing it to your PC.

[AlwaysTheTeddy]

to clarify i get a little noise notification when receiving a transaction or when an outgoing one is started and i got the two pings within max 2 secounds of each other

[BitMaxz]

in that timeframe i downloaded a single PDF file about some unrelated stuff

didnt really go on any dodgy websites or opened any e-mails

Kinda weird i dont know how i couldve been compromised

Unrelated bc it happened after the incident, but i downloaded the new electrum update from the original electrum.org

Sorry to hear that you can't able to recover your funds I thought that your transaction is still unconfirmed.
The only thing that you can do right now is to scan the whole PC/Laptop to know if you are really compromised.
And next time if you are going to open your old wallet always make sure to do it on an offline device you can still make a raw transaction from your public key and imported it to a watch-only Electrum wallet. That way it can help to protect and avoid malware or virus that automatically sends BTC to another wallet that you don't own.

[nc50lc]

to clarify i get a little noise notification when receiving a transaction or when an outgoing one is started and i got the two pings within max 2 secounds of each other

That must be Window's notification when you receive/sent a transaction in Electrum (or similar if you're on other OS).

The malicious notification is actually just an additional error message that's sent by a malicious server after deliberately failing to send a transaction.
But in the "fixed versions" including v3.3.8, that was replaced by hard-coded messages which can't be altered by the selected server.

[DaveF]

to clarify i get a little noise notification when receiving a transaction or when an outgoing one is started and i got the two pings within max 2 secounds of each other

At this point assume the machine is compromised as is any information on it.

Any saved information, any website logins, may have been compromised. Yes, it could have been just something that stole your electrum information. Do you want to find out next week you have no money in your bank because when you logged into their portal a while ago your credentials were stolen?

As I said a few posts up, more and more funds are not stolen the moment your machine is compromised but weeks or possibly months later as the try to get as much of your information as possible.

-Dave

[o_e_l_e_o]

so again it turns out that there is a 10 minute difference between these two transactions (unless I misunderstood something here).

There is a 10 minute difference between when blockchain.com's site says it first saw those two transaction. This is not the same as there being a 10 minute difference between those two transactions being broadcast. There could have been problems with propagation, problems with blockchain.com's node, problems with its mempool, problems updating their website, and so on. The point is that transactions are not timestamped; only blocks are timestamped. You can pay attention to when any specific node first sees a transaction if you like, but that is not representative of the wider network. The only network-wide consistent way to timestamp a transaction is by the block it was included in (and even then the block timestamp can vary by around a 3 hour window when compared to the actual time).

Or perhaps OP's transaction was immediately spent by another transaction, and then 10 minutes later when it still hadn't confirmed the attacker replaced that transaction with a second higher paying transaction. We don't know.

[hosseinimr93]

Or perhaps OP's transaction was immediately spent by another transaction, and then 10 minutes later when it still hadn't confirmed the attacker replaced that transaction with a second higher paying transaction.

There's another transaction on blockchain.com explorer trying to spend the same UTXO from OP's address.
The transaction had been made with exactly the same fee rate and is invalid now. Click here to see that.  

I don't really know what exactly caused that 10 minute difference on blockchain.com, but it may have something to do with this invalid transaction.

[o_e_l_e_o]

-snip-

Ahh, there's your answer then.

The invalid transaction you linked to there was timestamped at the same time as OP's original transaction (17:20). Call this Transaction A. The transaction which confirmed was timestamped 10 minutes later, which is the same time it was confirmed (17:30). Call this Transaction B.

Both these transactions were likely broadcast seconds apart. The invalid Transaction A was seen by blockchain.com, and so it was timestamped at the time it was first seen (17:20). However, this transaction was later rejected when the conflicting Transaction B was confirmed in block 754,092, which is timestamped 17:30. The first time blockchain.com saw Transaction B was when it received block 754,092, since it previously rejected Transaction B for being a double spend and conflicting with Transaction A, which was already in its mempool. And so it gave Transaction B the timestamp of 17:30, despite Transaction B being in other nodes' mempools prior to this.

This explains why blockchain.com's timestamps are all over the place and confirms OP's story that the funds were swept immediately.

[hosseinimr93]

--------------

Thanks for the great explanation.
So, it seems that there were (at least) two people with access to OP's wallet.
Both used an automated program to steal OP's fund and the one who made transaction B was luckier than the one who made transaction A.

[o_e_l_e_o]

So, it seems that there were (at least) two people with access to OP's wallet.

I'm not 100% sure about that. It's very strange that both Transaction A and Transaction B paid the exact same amount in fees. It could be that two different people/bots were watching the account as you say, and they were both happening to use the same generic sweeping script which therefore set the same fee, I suppose. Or perhaps it was a single person/bot whose script had a bug causing it to broadcast multiple identical transactions (except that it used a new receiving address each time).

We'll never know, but the answer is academical at this point I suppose.

[Pmalek]

The coins are unfortunately gone and you have to forget about them. The question now is what happened and what you can do to prevent it from happening again. You have obviously made mistakes in your digital world that led you to get compromised or hacked.

After you accessed your Electrum wallet prior to having it completely emptied, you mentioned you downloaded a .pdf file. Can you tell us more about that file even though it isn't crypto-related? Malware can be hidden in .doc, .pdf., or even image files. It can get on your system once you run it or even a preview is enough.

Unless you learn what happened, similar mistakes can happen again in the future.