Bitcoin Forum
September 28, 2024, 11:21:21 PM *
Poll
Question: Need help!!!!
Stolen bitcoin from wallet - 1 (50%)
help!!!! - 1 (50%)
Total Voters: 2

Author Topic: Stolen bitcoin from wallet. Need help!!!!  (Read 198 times)
23user23 (OP)
Newbie
Activity: 3
Merit: 0
September 17, 2024, 10:45:38 AM
 #1

Hello everyone, I’m an inexperienced user, but help me. I had a cue ball stored on my bitcoin core; it was on a computer that I couldn’t use, and it was disconnected from the network, turned on and connected only once every six months to update the wallet. The last time it was at the end of February this year and everything was fine, everything was updated with coins in place, I turned everything off and forgot for this month. Recently I connected everything again and an update began which lasted 1.5 weeks, at the end of the update I discovered that the balance was 0, you can see the transaction that took place in March of this year (when the computer was turned off and not connected to the network) there is a wallet number, there is a transaction. When I checked where the money went, it is clear that there was a transfer to two different wallets and then each was divided into two (that is, coins in a total of 4 wallets) and they are still there. HOW TO RETURN? REALLY NECESSARY!!!!! Maybe I wrote something wrong, sorry I don’t know all the terminology.
hugeblack
Legendary
Activity: 2646
Merit: 3909
September 17, 2024, 10:55:10 AM
Merited by ABCbits (1), Charles-Tim (1), Catenaccio (1)
 #2

If these addresses are not part of your wallet or you did not make that transaction, then there is no way to recover them except by accessing the private key of those addresses.

If this does not affect your privacy, post the addresses here, maybe we can track them down and find something that may be useful to you.

Quote
I turned everything off and forgot for this month. Recently I connected everything again and an update began which lasted 1.5 weeks,a

What you did does not enhance the security of your coins, so to ensure that you set up cold storage correctly, please follow this guide ---->  https://electrum.readthedocs.io/en/latest/coldstorage.html or https://bitcointalk.org/index.php?topic=5228801.0

LoyceV
Legendary
Activity: 3444
Merit: 17442
September 17, 2024, 10:55:50 AM
Merited by ABCbits (1), Charles-Tim (1), Catenaccio (1)
 #3

Quote
I had a cue ball stored on my bitcoin core
Google tells me it's a "pool ball"?

Quote
it was disconnected from the network, turned on and connected only once every six months to update the wallet.
Online "once in a while" makes it a hot wallet, not cold storage.

Quote
When I checked where the money went, it is clear that there was a transfer to two different wallets and then each was divided into two (that is, coins in a total of 4 wallets) and they are still there. HOW TO RETURN?
Bitcoin wouldn't exist if you could return transactions. Whoever controls the private keys is the only one who can do this, and if your coins got stolen, the thief isn't going to return them.

23user23 (OP)
Newbie
Activity: 3
Merit: 0
September 17, 2024, 11:09:30 AM
Last edit: September 17, 2024, 08:41:34 PM by Mr. Big
 #4

Quote
I had a cue ball stored on my bitcoin core
Google tells me it's a "pool ball"?

Bitcoin Core - wallet

Quote
If these addresses are not part of your wallet or you did not make that transaction, then there is no way to recover them except by accessing the private key of those addresses.

If this does not affect your privacy, post the addresses here, maybe we can track them down and find something that may be useful to you.

bc1qkn6gnfn6pgnmu9jam8ms4xt4zhdwd9rx7a4tr9 - wallet number for which the transaction was made

0031f3e0e57fcd27fec28f714e244a6d0e1dafc584f4eb7f163328295e92912e - transaction

Catenaccio
Full Member
Activity: 532
Merit: 150
September 17, 2024, 12:04:19 PM
 #5

Quote
What you did does not enhance the security of your coins, so to ensure that you set up cold storage correctly, please follow this guide ---->  https://electrum.readthedocs.io/en/latest/coldstorage.html or https://bitcointalk.org/index.php?topic=5228801.0
Verify Electrum wallet if possible too, it reduces risk of losing bitcoin to a fake Electrum wallet.
[Guide] Verify and download Electrum wallet
The paranoid user's security guide for using Electrum safely.

A guide to create a cold storage wallet with Electrum.

Quote
Online "once in a while" makes it a hot wallet, not cold storage.
A cold wallet must be set up offline and used offline the whole time.

Z-tight
Hero Member
Activity: 994
Merit: 1089
September 17, 2024, 12:05:17 PM
 #6

Quote
bc1qkn6gnfn6pgnmu9jam8ms4xt4zhdwd9rx7a4tr9 - wallet number for which the transaction was made

0031f3e0e57fcd27fec28f714e244a6d0e1dafc584f4eb7f163328295e92912e - transaction
The transaction was made a long time ago, on March 24, 2024. I must say you lost a lot of money there, ~1.3 BTC. The current balance in that address is $0.00 and they have only used that address to receive your funds, which they moved on to two separate addresses. I didn't follow on from there, because I don't think there's any use, as you cannot recover stolen funds.

Is there a way you think this could have happened? If your wallet is connected to the internet, even once, it no longer is an airgapped wallet. Did you expose your seed phrase?

23user23 (OP)
Newbie
Activity: 3
Merit: 0
September 17, 2024, 12:59:50 PM
 #7

Quote
bc1qkn6gnfn6pgnmu9jam8ms4xt4zhdwd9rx7a4tr9 - wallet number for which the transaction was made

0031f3e0e57fcd27fec28f714e244a6d0e1dafc584f4eb7f163328295e92912e - transaction

Is there a way you think this could have happened? If your wallet is connected to the internet, even once, it no longer is an airgapped wallet. Did you expose your seed phrase?

Unfortunately, I don’t know how they did it, nothing was revealed.
dkbit98
Legendary
Activity: 2366
Merit: 7456
September 17, 2024, 10:10:18 PM
 #8

Quote
Recently I connected everything again and an update began which lasted 1.5 weeks, at the end of the update I discovered that the balance was 0, you can see the transaction that took place in March of this year (when the computer was turned off and not connected to the network) there is a wallet number, there is a transaction.
It doesn't really matter if the computer is turned off if private keys or seed words get leaked/hacked/stolen and imported into a different device and wallet.
I am not saying this happened in your case, but there is always a possibility.

Quote
HOW TO RETURN? REALLY NECESSARY!!!!!
You can't return anything if you didn't send the transaction to your other wallet.
The transaction is confirmed and the balance on that receiving address is now zero.

Forsyth Jones
Hero Member
Activity: 1302
Merit: 875
September 17, 2024, 10:24:20 PM
 #9

You said you used Bitcoin Core, right? The Bitcoin Core wallet backup is done by making a copy of the wallet file (wallet.dat). It doesn't provide a BIP39 mnemonic phrase, since Bitcoin Core calculates the private keys from a BIP32 root key. So there is no way for malware to have copied any mnemonic phrase, since it doesn't exist in a native Bitcoin Core wallet.

What may have happened is that you created this wallet on a computer already compromised by malware, downloaded a "baptized" version of the software, etc.

Unfortunately, we will never know why. The most rational thing to do is NEVER use this computer to perform any Bitcoin operations again.

Get a new computer (or buy a hardware wallet and follow all the instructions on the manufacturer's website and other reliable sources), use it only for operations dedicated to BTC and nothing else.

As you can see, the wallet was compromised before or during some point when your "cold storage wallet" was turned on to perform updates. Certainly the thief was monitoring your wallet for quite some time waiting for the right moment to make the withdrawal, waiting for you to make more deposits to get the most out of your BTC.

Another important factor I forgot to mention: was this wallet protected by a passphrase of bitcoin core?

Cricktor
Legendary
Activity: 896
Merit: 1347
September 17, 2024, 11:49:02 PM
 #10

~~~
What kind of an update lasted for 1.5 weeks? Bitcoin Core updating your wallet and syncing the blockchain or something else?

You did not do any transaction in the past months with your wallet? If you didn't then we can assume someone else emptied your wallet.

Who has access to your computer? Only you? Or did you e.g. invite some friends or had visitors in the period where the theft happened?

The security of a Bitcoin Core wallet file is its wallet encryption passphrase. Did you set up a strong wallet encryption password/passphrase?

What operating system runs on your computer?

BitMaxz
Legendary
Activity: 3388
Merit: 3113
September 17, 2024, 11:57:05 PM
 #11

Quote
Unfortunately, I don’t know how they did it, nothing was revealed

If your wallet is always connected to the internet online, there are lots of possibilities that you don't know. There's nothing that we can do since a Bitcoin transaction is reversible.

I suggest you stop using your wallet and learn to create an Electrum offline/cold storage wallet on Tails, where you can save all of your BTC for long-term storage. It is way safer than using Electrum on a Windows PC or mobile phone that is always connected online.
You can also use it as an airgap where you can create offline transactions from your phone with your watch-only wallet and your offline wallet is your signer.

Charles-Tim
Legendary
Activity: 1680
Merit: 5132
September 18, 2024, 05:58:40 AM
 #12

Quote
I didn't follow on from there, because I don't think there's any use, as you cannot recover stolen funds.
Some people will still continue the tracing to know if the hacker sent the coins to exchanges or a custodial wallet. If the money is huge, it is possible that the victim can report the person through legal means. But if the coins were not sent to anything custodial, likely the money is gone.

Quote
I suggest you stop using your wallet and learn to create an Electrum offline/cold storage wallet on Tails, where you can save all of your BTC for long-term storage. It is way safer than using Electrum on a Windows PC or mobile phone that is always connected online.
You can also use it as an airgap where you can create offline transactions from your phone with your watch-only wallet and your offline wallet is your signer.
Yes. But an offline attack is also possible. He should be careful with his device and how he backs up his seed phrase. I do not think I have a wallet that does not have a passphrase, which I use to extend the seed phrase. This gives me the feeling that my backup is more secure and better than not using a passphrase.

NotATether
Legendary
Activity: 1736
Merit: 7288
September 19, 2024, 11:04:35 AM
 #13

Quote
Unfortunately, I don’t know how they did it, nothing was revealed

I think - and this is just a theory - that your computer was infected with malware that stole the wallet.dat from your computer and uploaded it to the hacker's server. Then when you shut down your computer, some time during that time-frame, the hacker guessed the password (?) or maybe already knew it and swept all the funds from it. It doesn't require your computer being turned on to do.

LoyceV
Legendary
Activity: 3444
Merit: 17442
September 19, 2024, 11:41:09 AM
 #14

Quote
I think - and this is just a theory - that your computer was infected with malware that stole the wallet.dat from your computer and uploaded it to the hacker's server.
Or, someone may have accessed the computer physically, so someone OP knows in real life. That's probably the only scenario in which OP can find back his coins.

apogio
Hero Member
Activity: 560
Merit: 1061
Today at 07:22:24 PM
 #15

Sorry for the loss.

It seems to me that Loyce's idea is the most possible. Someone must have gained physical access to your computer and stole the coins.

The malware that NotATether suggests is a possibility but, most of the time, when people get hacked because of malware, they end up seeing irrational transactions with their coins. That's because most of the time the malware is pre-programmed to send the coins to specific addresses, to split them in parts and to perform wallet-hopping to hide the traces.

In OP's scenario, the coins were transferred on 2024-03-24 13:26:44. Then they were moved again on 2024-03-24 20:49:18. So, approximately 7hrs elapsed between the 2 transfers. I highly believe someone gained access to OP's computer and sent the coins to another address. Then, they moved to the computer where the other address' keys are hosted and performed another transaction.

OP, if I were you, the only thing I would try to do (since you can't do much) would be to try and remember if someone visited me, or accessed my computer on March 24, 2024. The 7hrs in-between could mean:
1. someone visited you for lunch, some drinks etc and at some point they accessed your PC. Then they returned to their home and executed another transaction.
2. do you have your computer at the office? Do you share your working environment with anyone? If so, is there any chance that someone accessed your computer while you were working?
