My wallet has been hacked. What to do?

[rat03gopoh]

well I haven't tried this anywhere else but - yes, that's that I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.

Not necessary, but if you wanna do, then pls with the "temp-wallet" profile. Just wondering if you've ever accessed your wallet on another device(not yours) without making sure if it's safe from being infected with malware or you simply trust the owner.

[1714545300]

1714545300

[Shaddyr]

well I haven't tried this anywhere else but - yes, that's that I did myself to access my wallet on my laptop. I'll try it on another PC and send you the result.

Not necessary, but if you wanna do, then pls with the "temp-wallet" profile. Just wondering if you've ever accessed your wallet on another device(not yours) without making sure if it's safe from being infected with malware or you simply trust the owner.

Thank you for your worry but at fist my wallet is empty now as you know and second - i have several servers which i can use safe

2All - the story has some new facts - there is another user with the same problem. Check my question at issues page amd new repplies there
https://github.com/spesmilo/electrum/issues/8263


2 rat03gopoh

as I expected, it works. I just copied the Electrum profile folder and pointed the standalone-version to it. And after entering the password, I got access without any questions. On a completely different PC with a different address.

Hell, that's an elephant-sized security hole! If you steal a profile, you can easy  bruteforce a password, and this is clearly easier than bruteforce a seed phrase! Who there said that deleting a profile from a PC and storing it in an archive under an additional password is a waste of time - wants to repeat this phrase again?

>>
since nobody paid attention to the above TXID - here is just statistics
https://www.blockchain.com/explorer/transactions/btc/ccd6dbffcdf801821906d21e426f9f170b49fa0fb97edcbe01e538c32651788e

6.57549844 BTC was dropped on the hacker's address in total.
I'm proud of myself - I'm in the top five cool losers. There are only two dudes cooler than me with 0.5BTC and one with 0.7BTC. They .ucked everyone they could hook - there is an address from which they took as much as 0.0.000019 BTC - this dude is definitely laughing, because this amount would not even be enough for him to withdraw interest)

[moderator's note: consecutive posts merged]

[BTCGalaxyA12]

Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)

This is the same question I asked in a self-made topic where I asked when we reinstall our laptop, will the assets stored in Electrum be deleted?
Almost all of the answers I got were automatically the same, that is, deleted, except that when reinstalling the laptop, the seed pharse is still stored, allowing it to be re-entered.

There is no solution to your problem unless you still have your seed phrase saved, so the question of where you saved your seed is a good one because if you didn't save your seed then you can't get your balance back.

[DireWolfM14]

https://www.blockchain.com/explorer/transactions/btc/ccd6dbffcdf801821906d21e426f9f170b49fa0fb97edcbe01e538c32651788e

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.

Do you remember where you downloaded the software from?

[Shaddyr]

2 DireWolfM14

https://www.blockchain.com/explorer/transactions/btc/ccd6dbffcdf801821906d21e426f9f170b49fa0fb97edcbe01e538c32651788e

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.

Do you remember where you downloaded the software from?

Of course I do. I answered this question of yours on github already and can repeat the answer here -

dowloaded from a link at the status bar of the standalone of course, every time if it had an update there

>>

2 BTCGalaxyA12

Hello.
Today, when logging into the wallet, I received a message about an outgoing transaction dated 12/03/2023. As a result, my balance was reset to zero. What should I do? Can I do anything to return the money?
(Program version 4.3.3 at the time of entry)

This is the same question I asked in a self-made topic where I asked when we reinstall our laptop, will the assets stored in Electrum be deleted?
Almost all of the answers I got were automatically the same, that is, deleted, except that when reinstalling the laptop, the seed pharse is still stored, allowing it to be re-entered.

No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows users Roaming directory and you can clean it up with a clean reinstall of Windows. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.

[BitcoinGirl.Club]

https://www.blockchain.com/explorer/transactions/btc/ccd6dbffcdf801821906d21e426f9f170b49fa0fb97edcbe01e538c32651788e

That definitely looks like a scammer's transaction.  Multiple types of addresses indicates that the private keys with UTXOs were swept all at once, and with a fee of 50 sats/vByte.  Only a scammer would apply such an expensive fee, to make sure that no one can replace the transaction with a higher fee.

Well I saw sport bookies also send tx with higher fees. If I can remember I saw even 100 sats/vByte tx sent to me from a sportsbook. I guess they don't care about the fees as they have a lot of other things to look into.

thanks everyone for the replies.
Perhaps the translation was not very accurate - my English is far from ideal and I have to use Google.

The scheme of work is as follows: I use the standalone version of the client. The Electrum profile itself does not exist on the computer - it is in the archive under a password. If I need to make a transaction, I unpack the profile folder to a specific location, indicate this location to the program, enter the password and get access. At the end, I close the program, again I archive the profile folder with its removal from the location.
Those. Initially, there is no folder with a wallet or a file with a phrase on the PC. Therefore, I cannot understand how exactly without this phrase and in the absence of access to the wallet file, access to transactions could be obtained.
And - yes, I imagine how the blockchain works. Please don't waste your time visualizing how much smarter you are. Thank you.

The way you are explaining, it sounds like you have your wallet stored in a USB stick or removable storage. You go in different places, copy the wallet file, do your things and then delete the file from the device. By any chance, are you using internet cafes where they allow you to work on a PC for a small service charge? I hope I am wrong.

And one more thing guys, it's about security issue - look at this, 3 days ago
https://github.com/spesmilo/electrum/issues/8244
Isn't it looks like something just begun?
I gonna ask there as well

Your wallet was a 2 of 2 multisig wallet?

I guess everyone of us is having difficulty to understand your English. Sorry.

[rat03gopoh]

2 rat03gopoh

as I expected, it works. I just copied the Electrum profile folder and pointed the standalone-version to it. And after entering the password, I got access without any questions. On a completely different PC with a different address.

Hell, that's an elephant-sized security hole!

Thanks for the effort, definitely not a good security method. I thought this theft was by someone around you. But...

since nobody paid attention to the above TXID - here is just statistics

...missed this one. Jeez, I think you used fake electrum. Sorry to say, you don't really have much chance to get your btc back.

This is the same question I asked in a self-made

Nope, this is a different case with yours. No files were deleted from OP's wallet.

[BTCGalaxyA12]

No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows users Roaming directory and you can clean it up with a clean reinstall of Windows. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.

Before I answer, I have read your post twice so I took the quote of the question @bitmover which asks where do you save the seed phrase? which I think is a good question to find a solution to the problem you are facing friend.

Where did you stored your seed? In a paper? If not, that is a mistake.

I'm learning and you're probably at the learning stage too. But you're a little careless in my opinion.

Nope, this is a different case with yours. No files were deleted from OP's wallet.

Oh yeah. Hope there's a solution

[Shaddyr]

since nobody paid attention to the above TXID - here is just statistics

Jeez, I think you used fake electrum.

Just if Electrum's link has faking exe's. I can upload previously used standalone - it wasn't deleted. And it was checked by an antivirus without any warnings as well as all other files on my laptop

No, that's not entirely true. If you're using your Electrum wallet, by default your profile is stored in the Windows users Roaming directory and you can clean it up with a clean reinstall of Windows. But you can definitely restore it with a seed. My problem is completely different. Please read my answers carefully from the beginning.

Before I answer, I have read your post twice so I took the quote of the question @bitmover which asks where do you save the seed phrase? which I think is a good question to find a solution to the problem you are facing friend.

Thank you for you try but I would like to ask you again to pay attention for my posts - I already answered that question

the seed file is always located in another archive, also under a password. I never turn to him - there is no need. It has not been available on PC for many years.

[nc50lc]

-snip- I can upload previously used standalone - it wasn't deleted. And it was checked by an antivirus without any warnings as well as all other files on my laptop

You can check the validity of each executable yourself by verifying their signatures.

Follow this guide to know how to verify your Electrum download: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
Signature files (.asc) for the older versions can be downloaded here: https://download.electrum.org/

By the way, Antivirus can't be a good indicator since even real Electrum, specially the older versions usually have false-positive detection from some Antivitus software.

[Shaddyr]

You can check the validity of each executable yourself by verifying their signatures.
Follow this guide to know how to verify your Electrum download: https://bitcoinelectrum.com/how-to-verify-your-electrum-download/
Signature files (.asc) for the older versions can be downloaded here: https://download.electrum.org/

thank you.
I checked the signatures for both downloaded executables - they have an identical result. No errors found

By the way, Antivirus can't be a good indicator since even real Electrum, specially the older versions usually have false-positive detection from some Antivitus software.

I know. Just one more additional check

[DireWolfM14]

Base on that transaction that you posted, and the other guy on Github who's funds were swept in the same transaction, I can only assume that your seed was compromised.  Did you sign up for any give-away or stake in some air-drop, or something of the sort?  Did you divulge your seed to any entity that promised you a reward of some type?

[Shaddyr]

Base on that transaction that you posted, and the other guy on Github who's funds were swept in the same transaction, I can only assume that your seed was compromised.  Did you sign up for any give-away or stake in some air-drop, or something of the sort?  Did you divulge your seed to any entity that promised you a reward of some type?

I never did anything with my seed at all

[DireWolfM14]

Base on that transaction that you posted, and the other guy on Github who's funds were swept in the same transaction, I can only assume that your seed was compromised.  Did you sign up for any give-away or stake in some air-drop, or something of the sort?  Did you divulge your seed to any entity that promised you a reward of some type?

I never did anything with my seed at all

What about some other wallet software?  The fellow on Github who's funds were also stolen mentioned he had installed a wallet on different machine, I'm assuming he means some software other than Electrum.  Have you used some other software to access your Electrum wallet, possibly?

It's rather odd, because the other guy was using the Android software, and you indicated you're using Windows Desktop software.  The issue gives me the impression that a hacker gained access to your private keys or seed phrase, but to have done so on two separate platforms (operating systems) is rather unlikely.

I encourage you to think back to any risky behavior you may have engaged in that could have led to your being phished.

[Pezroly]

But how then your wallet has been hacked ? Which antivirus you use in your computer. I think you downloaded serious virus/malware somewhere.

[Pmalek]

Tell us a bit more about the computer where you used Electrum and which holds your achieved seed phrase.

What do you use it for? It makes no sense not telling the truth because it's an unfortunate learning experience. You are not going to get your BTC back, but you can learn what you did wrong and not repeat it again.

Do you use a genuine and licensed OS or a pirated one?
Do you use other pirated and cracked software on it?
Do you have other wallets installed on the same computer for any cryptocurrencies?
Is the .rar password easy to guess or bruteforce? Did you use the same password somewhere else?
Do you play cracked PC games, download torrents, watch porn, browse any other forums, software or hacking related?
Who else uses or has access to your computer?
Have you received any emails recently that you have clicked on or opened?
Are you active on Telegram or other social media and in what capacity?
What did you do in the days prior to your coins getting hacked? Did you visit any new sites, installed new software, talked with new people, anything out of the ordinary?

[Shaddyr]

What about some other wallet software?  The fellow on Github who's funds were also stolen mentioned he had installed a wallet on different machine, I'm assuming he means some software other than Electrum.  Have you used some other software to access your Electrum wallet, possibly?

No, I even don't know if it's

It's rather odd, because the other guy was using the Android software, and you indicated you're using Windows Desktop software.  The issue gives me the impression that a hacker gained access to your private keys or seed phrase, but to have done so on two separate platforms (operating systems) is rather unlikely.

I encourage you to think back to any risky behavior you may have engaged in that could have led to your being phished.

I couldn't remember anything like this in the last 3 years

But how then your wallet has been hacked ?

I have no idea. I did everything to prevent this from happening

Which antivirus you use in your computer. I think you downloaded serious virus/malware somewhere.

Everybody says that. But the reality is - my PC is clean.  Online scanners confirm that as well. My static AV is Kaspersky right now.

Tell us a bit more about the computer where you used Electrum and which holds your achieved seed phrase.

What do you use it for? It makes no sense not telling the truth because it's an unfortunate learning experience. You are not going to get your BTC back, but you can learn what you did wrong and not repeat it again.

Do you use a genuine and licensed OS or a pirated one?
Do you use other pirated and cracked software on it?
Do you have other wallets installed on the same computer for any cryptocurrencies?
Is the .rar password easy to guess or bruteforce? Did you use the same password somewhere else?
Do you play cracked PC games, download torrents, watch porn, browse any other forums, software or hacking related?
Who else uses or has access to your computer?
Have you received any emails recently that you have clicked on or opened?
Are you active on Telegram or other social media and in what capacity?
What did you do in the days prior to your coins getting hacked? Did you visit any new sites, installed new software, talked with new people, anything out of the ordinary?

I'm not a gamer at all, my only game is HMM 3.5 which was downloaded 15 years ago. About a year ago I had to leave my hometown because of the war UA - RU. I'm the only user of my laptop and no one else can access it in the apartment - there's no one but the cat who doesn't like BTC at all. During this time, nothing strange or dangerous happened to the software. The license is irrelevant to the situation as it doesn't require cracks or anything like that. So I really don't have any options how it could be other than if the seed was stolen much earlier, more than a year or three years. But judging by what happened, one gets the impression not of long-term storage and use years after the theft, but that the penetration took place in a recent period, which is impossible in my case.

[DireWolfM14]

I'm not a gamer at all, my only game is HMM 3.5 which was downloaded 15 years ago. About a year ago I had to leave my hometown because of the war UA - RU. I'm the only user of my laptop and no one else can access it in the apartment - there's no one but the cat who doesn't like BTC at all. During this time, nothing strange or dangerous happened to the software. The license is irrelevant to the situation as it doesn't require cracks or anything like that. So I really don't have any options how it could be other than if the seed was stolen much earlier, more than a year or three years. But judging by what happened, one gets the impression not of long-term storage and use years after the theft, but that the penetration took place in a recent period, which is impossible in my case.

A few years ago there were some malicious Electrum servers broadcasting a message to Electrum users directing them to download and install a malware version of Electrum.  The malware wallet would send all the bitcoin in the wallet to the hacker's address whenever the user made an attempt to send ay transaction.  I don't know if seed phrases were compromised by the same hack, but that certainly could have happened.  

I would suggest you start from scratch; fresh OS install, fresh Electrum install and make sure to verify the download before installing it, and then create a new seed.  Write the seed down on paper, and store it in a safe place.  Don't store the seed digitally, and don't store on any cloud servers.

Here's a guide for verifying Electrum with GPG: https://bitcointalk.org/index.php?topic=5240594.msg54223763#msg54223763

[Pmalek]

<Snip>

In most cases concerning the theft of bitcoins, it's the user who made one or multiple mistakes. The problem is, people don't want to admit making mistakes, not to themselves and not to others. It's always something else that caused it.

Everything you do on that computer can potentially be a landmine because that's what happens if the device that holds your keys is constantly online and used for various other activities. You need to separate that. Getting a hardware wallet is the easiest way. Getting a second laptop with a genuine OS that you aren't going to use for other things online is another way. Using a completely airgapped solution is the least user-friendly but safest option.

[Shaddyr]

A few years ago there were some malicious Electrum servers broadcasting a message to Electrum users directing them to download and install a malware version of Electrum.  The malware wallet would send all the bitcoin in the wallet to the hacker's address whenever the user made an attempt to send ay transaction.  I don't know if seed phrases were compromised by the same hack, but that certainly could have happened.  

That's right. But I didn't have any problem with transactions to\from the wallet - everithing was Ok

I would suggest you start from scratch; fresh OS install, fresh Electrum install and make sure to verify the download before installing it, and then create a new seed.  Write the seed down on paper, and store it in a safe place.  Don't store the seed digitally, and don't store on any cloud servers.

It's clear. I gonna create a new wallet. But I won't can change settings of some stations which send BTC to this wallet's adress because no access to them right now. I'm unable to make sure if someone else has access to my wallet, am I right?

Here's a guide for verifying Electrum with GPG: https://bitcointalk.org/index.php?topic=5240594.msg54223763#msg54223763

As I already noted I've checked my exe's with GPG

In most cases concerning the theft of bitcoins, it's the user who made one or multiple mistakes. The problem is, people don't want to admit making mistakes, not to themselves and not to others. It's always something else that caused it.

Everything you do on that computer can potentially be a landmine because that's what happens if the device that holds your keys is constantly online and used for various other activities. You need to separate that. Getting a hardware wallet is the easiest way. Getting a second laptop with a genuine OS that you aren't going to use for other things online is another way. Using a completely airgapped solution is the least user-friendly but safest option.

You are right. But your advice is a bit late - I just lost all the coins. And given the fact that they have been mined for many years, it doesn’t matter anymore, I’m unlikely to be able to get into the same situation in the near future.
The money was saved for the education of my kids or for the purchase of housing. Now it doesn't matter anymore. I am sure that even if it is confirmed that the attack was successful not due to user error, but using some kind of wallet vulnerability, Electrum does not compensate for the losses to its users, as Nicehash did in a similar situation. Because it is always easier to write off such things as viruses, errors, licenses and other rubbish than to admit there is a problem and take responsibility for the result.