BTC MISSING INVESTIGATION - ELECTRUM WALLET

[qpool17]

r/Electrum - Missing BTC & Electrum Address not showing up anymore on ELECTRUM WALLET
Hey guys,

Hope everyone is well. This is a very weird situation and im hoping someone can provide some input on it.

I recently sent 2 transactions from my Coinbase account to my friends Electrum Wallet address:

bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t

Please find details of the transactions below.

https://www.blockchain.com/btc/address/bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t

My problem is that:

Most funds do not show ( he only received 0.004/0.01611 BTC) on his electrum wallet on an address that DOES show which is bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa .
2)The Address I sent it to ( bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t ) has disappeared from my friends Electrum wallet.

Honestly, I have never seen this happen before and I'm looking for some input on the situation.

please find the transaction hash's below as well:

Transaction #1:

ac5a0a85fd07e3b8175de59e0e0944912b3be5d9e7ee728499778aeaaa82b33c

Transaction #2:

9ed2ce7aa4d6ee6bba10de58eb6865c4ade96ac356f54c462b06b777da48b457

What confuses me is that if this was the wrong address, how would you justify the last transaction seen where that address sends some of the funds (0.004) to the visible Electrum wallet address while still keeping the majority of it.

Help is much appreciated!

[1714577230]

1714577230

[Lucius]

I recently sent 2 transactions from my Coinbase account to my friends Electrum Wallet address:
bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t

That address has so far recorded three transactions, two incoming and one outgoing, and all three occurred on August 10 of this year. So this "recently" of yours does not correspond to that address.

My problem is that:
2)The Address I sent it to ( bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t ) has disappeared from my friends Electrum wallet.
Honestly, I have never seen this happen before and I'm looking for some input on the situation.

What I would conclude from everything is something very simple and it is called clipboard malware - which would mean that your friend's computer is infected with malware that replaced his legitimate BTC address with a fake one - the BTC address cannot disappear by itself, it is always part of the created wallet.

[NeuroticFish]

2)The Address I sent it to ( bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t ) has disappeared from my friends Electrum wallet.

Did it disappear or was never there?
A filter (like used and unfunded) can make addresses disappear, but for a good reason.
But I think that the address may have never been there - he can check in console with

Code:

ismine("bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t")

Then we can see whether it's a clipboard malware or something else.

[qpool17]

Did it disappear or was never there?
A filter (like used and unfunded) can make addresses disappear, but for a good reason.
But I think that the address may have never been there - he can check in console with

Code:

ismine("bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t")

Then we can see whether it's a clipboard malware or something else.

I had him do a share screen and tried the ismine code and output was False. But what I’m confused about is that if it was the wrong address, then how would that address send only 0.004 to an address that DOES show up on his electrum wallet (meaning this one bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa). You get what I mean ?

[qpool17]

That address has so far recorded three transactions, two incoming and one outgoing, and all three occurred on August 10 of this year. So this "recently" of yours does not correspond to that address.

regarding the technicallity of it being "recent". I had posted this on reddit a while back and never really got a good reasoning other than malware. So I decided to post it here to see if i can get alternate opinions.

What I would conclude from everything is something very simple and it is called clipboard malware - which would mean that your friend's computer is infected with malware that replaced his legitimate BTC address with a fake one - the BTC address cannot disappear by itself, it is always part of the created wallet.

But can you provide any justification or reasoning for this address (bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t) to send 0.004 to an Electrum address that DOES show up in the wallet ? (bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa)

[jackg]

I had him do a share screen and tried the ismine code and output was False. But what I’m confused about is that if it was the wrong address, then how would that address send only 0.004 to an address that DOES show up on his electrum wallet (meaning this one bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa). You get what I mean ?

I'm not sure why it'd do that but the malware could keep a copy of the legitimate address and do something with that later (it could certainly use it to get more information on the users they infect).

It'll be very hard to work out why this has been done unless the person who programmed it says, it could also be a mistake or an attempt to mask funds that have been stolen.

[qpool17]

I'm not sure why it'd do that but the malware could keep a copy of the legitimate address and do something with that later (it could certainly use it to get more information on the users they infect).

It'll be very hard to work out why this has been done unless the person who programmed it says, it could also be a mistake or an attempt to mask funds that have been stolen.

Hmm that could possibly make sense i guess i havent thought about that. Still not convinced since the funds are still in that fake wallet untouched. Im just trying to make sense of all this its drilling a hole in my brain lol

[bitbollo]

Why not try to recover again the wallet using 12 words seed? First of all make a backup and be assured he own all words.
After he try to reload again this wallet... just because for what I know , malware clipboard modify the address AFTER you copy and paste, if he was correctly seeing the address this means it was already generated by that electrum wallet?!

[qpool17]

Why not try to recover again the wallet using 12 words seed? First of all make a backup and be assured he own all words.
After he try to reload again this wallet... just because for what I know , malware clipboard modify the address AFTER you copy and paste, if he was correctly seeing the address this means it was already generated by that electrum wallet?!

This is the only thing we havent tried yet tbh but after running the ismine code in Electrum and it saying the address doesnt belong to the wallet didnt think restoring the wallet would do anything but i guess no harm in trying.

[suzanne5223]

Why not try to recover again the wallet using 12 words seed? First of all make a backup and be assured he own all words.
After he try to reload again this wallet... just because for what I know , malware clipboard modify the address AFTER you copy and paste, if he was correctly seeing the address this means it was already generated by that electrum wallet?!

The wallet address in the subject was never among the OP friend electrum wallet, and the trick is just the clipboard attack in which the attackers always create a wallet address that looks almost identical to the victim's wallet.
But what I don't understand is the reason why the attackers sent 0.004BTC back to the victim's wallet address after the attack.

[qpool17]

Why not try to recover again the wallet using 12 words seed? First of all make a backup and be assured he own all words.
After he try to reload again this wallet... just because for what I know , malware clipboard modify the address AFTER you copy and paste, if he was correctly seeing the address this means it was already generated by that electrum wallet?!

The wallet address in the subject was never among the OP friend electrum wallet, and the trick is just the clipboard attack in which the attackers always create a wallet address that looks almost identical to the victim's wallet.
But what I don't understand is the reason why the attackers sent 0.004BTC back to the victim's wallet address after the attack.

Yes this is whats so confusinggg. Also the stolen funds have been untouched since then which is also weird. Like why would you steal but not use or transfer the funds to your main wallet afterwards i guess

[nc50lc]

I recently sent 2 transactions from my Coinbase account to my friends Electrum Wallet address:

My best guess is, the address bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t is from an imported wallet.
The key point is the transaction that spent one of your deposit returns the 'change' to the same address which is the default behavior of imported wallets.
The receiver bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa which belongs to your friend's wallet however, looks like from a standard wallet based from its txn history.
Also, the two addresses couldn't be from the same wallet because the last transaction wouldn't make sense (otherwise, sent to the same wallet).

Some things he can try:

Maybe he has two or more wallet files?
And forgot that he received it to the other wallet and sent 0.004 to the other.
He can check it in the menu: "File->Open".

He can try to generate more addresses and see if it'll show up:
Go to 'Console' tab ("View->Show Console" to enable), then type: [wallet.create_new_address(False) for i in range(1000)]
But as I mentioned, it might not be in the wallet where bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa belongs.

Lastly, investigate if he's telling the truth.
Is your "friend" an acquaintance or just someone you have contact with?

[Pmalek]

Lastly, investigate if he's telling the truth.
Is your "friend" an acquaintance or just someone you have contact with?

To expand on what nc50lc is saying, if it turns out that you made a mistake somehow sending those coins, do you own this "friend" money that could incentivize him to lie to you to get more?

A clipboard malware is easy to identify. Find any address online, copy and paste it somewhere else on the infected machine, and if a different address gets pasted and not the one you originally copied, it's a clipboard malware. If the same address gets pasted, it's not. Do this on your friend's computer. 

[hosseinimr93]

Lastly, investigate if he's telling the truth.

I feel the receiver is trying to trick the OP.

OP made two transactions to bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t.
The receiver is saying that this address isn't mine. My address is bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa.
(Please someone correct me if I have understood anything incorrectly).
OP's friend made a transaction from bc1q...j5t to bc1q...nsa without knowing all bitcoin transactions are public and it's very east to track the fund.
Both addresses are probably owned by OP's friend.

It can't be a copy-paste malware.
Why should the hacker send back the fund to the correct address?

[nc50lc]

Lastly, investigate if he's telling the truth.

I feel the receiver is trying to trick the OP.
-snip-
OP's friend made a transaction from bc1q...j5t to bc1q...nsa without knowing all bitcoin transactions are public and it's very east to track the fund.

I also followed-up a question to that because I don't know if OP's friend is the poster of a Reddit thread with the same title (link),
Because for some reason, this topic has "friend" as the receiver while the original Reddit thread is all first person.

[qpool17]

I recently sent 2 transactions from my Coinbase account to my friends Electrum Wallet address:

My best guess is, the address bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t is from an imported wallet.
The key point is the transaction that spent one of your deposit returns the 'change' to the same address which is the default behavior of imported wallets.
The receiver bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa which belongs to your friend's wallet however, looks like from a standard wallet based from its txn history.
Also, the two addresses couldn't be from the same wallet because the last transaction wouldn't make sense (otherwise, sent to the same wallet).

Some things he can try:

Maybe he has two or more wallet files?
And forgot that he received it to the other wallet and sent 0.004 to the other.
He can check it in the menu: "File->Open".

He can try to generate more addresses and see if it'll show up:
Go to 'Console' tab ("View->Show Console" to enable), then type: [wallet.create_new_address(False) for i in range(1000)]
But as I mentioned, it might not be in the wallet where bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa belongs.

Lastly, investigate if he's telling the truth.
Is your "friend" an acquaintance or just someone you have contact with?

I copied this and sent it to him but just waiting for a reply back on the outcome.

Lastly, investigate if he's telling the truth.

I feel the receiver is trying to trick the OP.
-snip-
OP's friend made a transaction from bc1q...j5t to bc1q...nsa without knowing all bitcoin transactions are public and it's very east to track the fund.

I also followed-up a question to that because I don't know if OP's friend is the poster of a Reddit thread with the same title (link),
Because for some reason, this topic has "friend" as the receiver while the original Reddit thread is all first person.

No I’m the author for that post too but I used a first person perspective just to make the situation easier to understand I guess if that makes any sense. I can edit/delete/remove that post if you want so you can believe me lol.

Lastly, investigate if he's telling the truth.
Is your "friend" an acquaintance or just someone you have contact with?

To expand on what nc50lc is saying, if it turns out that you made a mistake somehow sending those coins, do you own this "friend" money that could incentivize him to lie to you to get more?

A clipboard malware is easy to identify. Find any address online, copy and paste it somewhere else on the infected machine, and if a different address gets pasted and not the one you originally copied, it's a clipboard malware. If the same address gets pasted, it's not. Do this on your friend's computer. 

The receiver is a close friend and I dont owe him any money but the contrary that anytime he needed money I always offered to help.

When the situation happened initially I did check from both ends if it could?ve been some sort of clipboard malware and it wasn?t from both my side and his side. We both tried to copy paste addresses the same way the transaction happened and the addresses came out correct from both ends. (From when he copied his address from his wallet, then pasted it on discord, then I copied it from there and pasted it in coinbase to send.)

Lastly, investigate if he's telling the truth.

I feel the receiver is trying to trick the OP.

OP made two transactions to bc1qcj3f0kllhwctsvgud4k9zv5gxqf574fm2qlj5t.
The receiver is saying that this address isn't mine. My address is bc1qfg0a4ns3z4ud2d90t8hfgc2a2x6j65y7j3rnsa.
(Please someone correct me if I have understood anything incorrectly).
OP's friend made a transaction from bc1q...j5t to bc1q...nsa without knowing all bitcoin transactions are public and it's very east to track the fund.
Both addresses are probably owned by OP's friend.

It can't be a copy-paste malware.
Why should the hacker send back the fund to the correct address?

I also don’t think it could be copy paste malware because as you said why would the hacker send some funds to the correct address it doesn’t make sense.

Could there be any chance at all that this could be some sort of technical issue or glitch from either Coinbase or his Electrum Wallet ? (I’m 100% sure it’s obv not from the blockchain lool)

[moderator's note: consecutive posts merged]

[hosseinimr93]

I also don’t think it could be copy paste malware because as you said why would the hacker send some funds to the correct address it doesn’t make sense.

Right. Since the 0.004 BTC transaction has been made to the correct address, it can't be a clipboard malware.

Given the transactions made, I feel both addresses are owned by your friend. If you are sure that your friend is honest enough, as stated by nc50lc above, a possibility is that your friend has multiple wallets and is looking at the wrong wallet.  

Could there be any chance at all that this could be some sort of technical issue or glitch from either Coinbase or his Electrum Wallet ?

No. There is no problem from electrum or coinbase.
If bc1.............nsa address wasn't owned by your friend, I would say your friend may be using a fake version of electrum. That doesn't seem to be the case here.

[qpool17]

I also don’t think it could be copy paste malware because as you said why would the hacker send some funds to the correct address it doesn’t make sense.

Right. Since the 0.004 BTC transaction has been made to the correct address, it can't be clipboard malware.

Given the transactions made, I feel both addresses are owned by your friend. If you are sure that your friend is honest enough, as stated by nc50lc above, a possibility is that your friend has multiple wallets and is looking at the wrong wallet.  

But this would also mean that he would have consciously sent the 0.004BTC to his other address (bc1q…nsa) right ?

To my knowledge all he said was I only received 0.004BTC instead of 0.01611BTC.

Another thing I’m thinking is that let’s assume it was clipboard malware, and the hacker DID have the initial address it was supposed to be sent to (bc1q…nsa), how likely do you think that the hacker would only send a small part of the funds back ? I know it wouldn’t make any sense but do you think it’s technically possible ?

Honestly the last justification I want to resort to is that my friend did something dishonest.

[Pmalek]

Another thing I’m thinking that if it was clipboard malware, and the hacker DID have the initial address it was supposed to be sent to (bc1q…nsa), how likely do you think that the hacker would only send a small part of the funds back ? I know it wouldn’t make any sense but do you think it’s technically possible?

Well technically, if the address where you made those 2 transactions doesn't belong to your friend and someone else is in control of its private key, that other person wouldn't need to move those coins at all. It's his address and bitcoin transactions are irreversible.

1 hour after you made the last of your two transactions from Coinbase, your friend or whoever moved 0.004 BTC to another address.
https://mempool.space/tx/85006bcc25ed3ad370482f108eb8dc5ed6737a83ee0d5e0918f3ebeed39b302f

It's weird that your friend claims he only received 0.004 BTC, which is the exact amount that was moved to the bc1q...3rnsa address. Someone made that transaction and your friend claims that's all he received. Weird coincidence. Are you close enough to visit him at his home to see all this for yourself and look him in the eye when you ask about that last transaction?

[hosseinimr93]

But this would also mean that he would have consciously sent the 0.004BTC to his other address (bc1q…nsa) right ?

It's impossible that you make a transaction to an address and then a partial amount of the fund is sent to another address automatically.
The only person who can make a transaction from an address in the one who owns the private key of the address. No one else could make that transaction.

Another thing I’m thinking is that let’s assume it was clipboard malware, and the hacker DID have the initial address it was supposed to be sent to (bc1q…nsa), how likely do you think that the hacker would only send a small part of the funds back ? I know it wouldn’t make any sense but do you think it’s technically possible ?

That's technically possible. But It's very unlikely that a hacker would do this.

Honestly the last justification I want to resort to is that my friend did something dishonest.

Unfortunately, it seems so.