Electrum 4.3.2 Lost Funds

[jackjjohnson]

I seem to have lost funds on my Electrum wallet. I keep most of my BTC in offline paper wallets. I import to an Electrum wallet as needed, to send to Coinbase, pay bills as needed, etc. My security practices could be considered extreme, to many people. There are 40 normal transactions on this wallet. I restored from seed, same issue.

On 2022-10-29 15:03 about $300 balance seemed to disappear from Electrum 4.3.2 wallet
The wallet's last transaction was 2022-10-09 made by myself.
The OS is latest Ubuntu Long Term Support, updated several times a week.
Never install bootleg, illegal or questionable programs/packages.
The OS install itself is on encrypted drives, with very long passwords.
Electrum is run directly from Python sources, without installing: python3 Electrum-4.3.2/run_electrum
The Electrum executable matches ThomasV's GPG signature.
Electrum's network connection is being proxied on TOR, through localhost.
Coinbase account and normal banking account is unaffected.
Phone is never used for wallet.
There is one user, and root is disabled.
Nobody else has physical access.
Every program, service and web site in use has a different username and long password, managed by KeePassXC
Lightning is not being used.
No social media is used.
No file sharing, there is no wallet malware. I can copy/paste addresses without them being changed.
I store a backup of the wallet on Pcloud's Crypto directory. Unlike most cloud storage, this has end to end encryption.
I store an external hard drive with /home data (including wallet info) off-site rotation encrypted with very long PW.
Looking at it's transaction ID of b7aee9ebf54c3f7f97ace1e63b81a5f073419e6a86ef69937711295090d6af79 I see a message, "Exact payment amounts (no change)

On https://en.bitcoin.it/wiki/Privacy#Exact_payment_amounts_.28no_change.29 I see:
Payments that send exact amounts and take no change are a likely indication that the bitcoins didn't move hands.

Does anyone have any suggestions on possibly what happened? I waited a few days before reporting in case there was some sort of wide-spead problem, but I do not hear of one.

TIA

[1715184994]

1715184994

[1715184994]

1715184994

[IIrik11]

I seem to have lost funds on my Electrum wallet. I keep most of my BTC in offline paper wallets. I import to an Electrum wallet as needed, to send to Coinbase, pay bills as needed, etc. My security practices could be considered extreme, to many people. There are 40 normal transactions on this wallet. I restored from seed, same issue.

On 2022-10-29 15:03 about $300 balance seemed to disappear from Electrum 4.3.2 wallet
The wallet's last transaction was 2022-10-09 made by myself.
The OS is latest Ubuntu Long Term Support, updated several times a week.
Never install bootleg, illegal or questionable programs/packages.
The OS install itself is on encrypted drives, with very long passwords.
Electrum is run directly from Python sources, without installing: python3 Electrum-4.3.2/run_electrum
The Electrum executable matches ThomasV's GPG signature.
Electrum's network connection is being proxied on TOR, through localhost.
Coinbase account and normal banking account is unaffected.
Phone is never used for wallet.
There is one user, and root is disabled.
Nobody else has physical access.
Every program, service and web site in use has a different username and long password, managed by KeePassXC
Lightning is not being used.
No social media is used.
No file sharing, there is no wallet malware. I can copy/paste addresses without them being changed.
I store a backup of the wallet on Pcloud's Crypto directory. Unlike most cloud storage, this has end to end encryption.
I store an external hard drive with /home data (including wallet info) off-site rotation encrypted with very long PW.
Looking at it's transaction ID of b7aee9ebf54c3f7f97ace1e63b81a5f073419e6a86ef69937711295090d6af79 I see a message, "Exact payment amounts (no change)

On https://en.bitcoin.it/wiki/Privacy#Exact_payment_amounts_.28no_change.29 I see:
Payments that send exact amounts and take no change are a likely indication that the bitcoins didn't move hands.

Does anyone have any suggestions on possibly what happened? I waited a few days before reporting in case there was some sort of wide-spead problem, but I do not hear of one.

TIA

if u imported a paper wallet with a private key into electrum how can u restore it with the seed?

did u check the address of the imported key?

electrum should have sent the change back to the same address if no other address was in the wallet.

but incase u used the 'sweep' function then the funds should be in ur wallet.

[jackjjohnson]

Thanks for the response. I did use 'sweep' to get the paper wallet into Electrum wallet, then used from there for months.  When I said I had restored from seed, that was the Electrum wallet, that had successfully held the funds as needed for a long time.

[IIrik11]

is this not one of the address in ur wallet : 1PguUmsPEeR6UzheDbVMH1avsew4qCjFsa

from the transaction u mentioned above, the funds were sent to this^ address and then they were moved.

btw, i don't know how secure pcloud is but backing up ur wallet to a cloud is wrong.

as soon as u do that u should consider it compromised.

[NotATether]

I store a backup of the wallet on Pcloud's Crypto directory. Unlike most cloud storage, this has end to end encryption.

You will always get attacked through the weakest link and it has been well-described how dangerous placing unencrypted wallet backups in the cloud are. It doesn't matter if the service has end-to-end encryption; this only stops the company from accessing your files. Anybody with your pCloud login was able to download your wallet, including possibly a seed phrase if you included that.

If you are going to store backups in the cloud you must encrypt the file (or text) with an encryption format yourself - I prefer using GPG with an extremely long diceware passphrase and a 4096-bit RSA key. It doesn't matter if it's Proton Drive or some other end-to-end encrypted cloud service.

Your electrum binary is certified to be from ThomasV so that means your Electrum wallet setup was not breached but somebody gained access to your wallet.dat file or seed phrase through some other route.

[jackjjohnson]

The wallet was stored on Pcloud, but it was encrypted with a 25 character, non-dictionary password. No one else has the Pcloud credentials.

[jackjjohnson]

No, I don't believe 1PguUmsPEeR6UzheDbVMH1avsew4qCjFsa is one of my addresses in that wallet.

[NeuroticFish]

Payments that send exact amounts and take no change are a likely indication that the bitcoins didn't move hands.

Not necessarily. The same happens when the wallet is emptied by thieves.

Does anyone have any suggestions on possibly what happened? I waited a few days before reporting in case there was some sort of wide-spead problem, but I do not hear of one.

It looks like somebody may have gotten your wallet seed and emptied your wallet.
I don't know how this could have been happening, but you should consider at very least that wallet compromised, so you should no longer sweep to there, instead make yourself a new wallet with a new seed.
I wrote "at very least" the wallet, since I'm a Windows user and I would reinstall everything.

How did this happen? No idea. It could be the cloud storage, it could be the HDD backup, it could be something on your PC or it could be something on the routing/transfer to/from cloud (am I too paranoid?). None seem really likely.
Lately I use hardware wallet and I keep the seed backup written by hand. Maybe it's also an idea you could use.

[BitMaxz]

How did you generated the seed from Electrum?
The generated seed phrase is from other source and imported to Electrum and then you just sweep your old wallet to this wallet?

Another thing is that would you mind to tell us what exactly backup from pcloud did you store? Is that the private key that you sweep or the backup seed?

The bad thing is you store your wallet into cloud storage which is not safe and will never be safe.

[nc50lc]

Looking at it's transaction ID of b7aee9ebf54c3f7f97ace1e63b81a5f073419e6a86ef69937711295090d6af79 I see a message, "Exact payment amounts (no change)

On https://en.bitcoin.it/wiki/Privacy#Exact_payment_amounts_.28no_change.29 I see:
Payments that send exact amounts and take no change are a likely indication that the bitcoins didn't move hands.

Your coins weren't moved to your own wallet.
Having a single output with round amount doesn't always mean that it didn't changed hands (the keyword in the WiKi is "likely").
The message that you see in that specific blockexplorer is just a generic tag to such transactions, but it doesn't mean that it's always the case.

It's pretty obvious that if all of your funds are sent to a single output, then there wont be any change left to use a "change address".
For the exact (round) amount, it's common in tools that automatically set the fee from difference of the input(s) and the output's amounts; e.g.: createrawtransaction rpc in Bitcoin Core.
or even Electrum's "output value rounding" feature if enabled can produce such output.

Electrum is run directly from Python sources, without installing: python3 Electrum-4.3.2/run_electrum
The Electrum executable matches ThomasV's GPG signature.

Uhh, you have an executable that you verified or run Electrum from source?
Or do you mean the "tar.gz" file?