My multi sig wallet got hacked

[Ray_dog75]

I created a multi sig wallet using Electrum in 2023
It was a 2 of 3 wallet. Meaning it would need signed transactions from 2 wallets to move the Bitcoin

But in February 12, my computer got hacked. And Bitcoin of some of my wallets got moved somewhere

Don't understand how it was possible

The 3 wallets that were signatories to that multi sig was not hacked. As in no crypto were lost on those wallets

Here is the my Bitcoin address
bc1qcuevd4xqrqdhxwde83m6tp4hn25lsedq27vk43l7ycklnk2lhytq56mr3t

This is the txid


717707e28521e352e02b91c86701442dabdea53920b2cabc5e2127fa3b441254

Could the multi sig wallet be hacked without hacking the 3 wallets used to sign ?

BTW, one of the wallets was a Ledger

[nc50lc]

Could the multi sig wallet be hacked without hacking the 3 wallets used to sign ?

No if the script is correctly generated and each cosigner Electrum wallet only contains one master extended private key and two master extended public keys.
But your MultiSig only requires two signatures based from that address' witness script so the hacker only needed two wallets (either already contains the extended public key of the third):

Code:

OP_PUSHNUM_2
OP_PUSHBYTES_33 0228c5b5d4c9048666a8ea5b61485d7c50427b72f06fe2c5e22df60eae9aa8fa9f
OP_PUSHBYTES_33 02a971a0e958145dd98af62844144c7a306863d00ff85a9c99b0e4c355a522d551
OP_PUSHBYTES_33 0332a0c7ed49f5ead4a21d7736ce9b05f6f80b6f87e902281655dc38521d2233a2
OP_PUSHNUM_3
OP_CHECKMULTISIG

(there seem to be nothing wrong with the script so it's hacked through the private keys or seed phrases)

But in February 12, my computer got hacked. And Bitcoin of some of my wallets got moved somewhere
-snip-
The 3 wallets that were signatories to that multi sig was not hacked. As in no crypto were lost on those wallets

Is one of the MultiSig wallet cosigner in that hacked computer?
How many master private keys/seed that the MultiSig wallet contains (remember when you created it), excluding the Ledger wallet cosigner?
If you can't remember, you can see by removing the wallet's password and by opening the wallet file 'as text', check if it has two master private keys or seeds under "x1", "x2" and "x3".

Also, where do you store the cosigners' seed phrases?

[Ray_dog75]

I used Electrum desktop with my Ledger

Other 2 wallets are Exodus and Trust wallet which never in my desktop

I never used Ledger that day

[nc50lc]

I used Electrum desktop with my Ledger

But how about the cosigner keys/seed phrase when you setup the MultiSig wallet?

How did you set the cosigner 2 and 3 during wallet creation, there are options there to either put a master (private/public) key or seed:


If "Cosigner seed", and you pasted your Exodus and Trust Wallet's seed, then the hacker can just use that MultiSig wallet to spend without needing your Ledger device to cosign.

If "Cosigner key": Did you pasted your Exodus and Trust Wallet's (master) extended public key or (master) extended private key?
If the latter, then it's the same as putting the cosigner seed, the MultiSig wallet isn't properly setup, it's a MultiSig wallet already capable of providing two of the required signatures.
If the former, then it's something else, probably compromised backup seed phrases.

[LoyceV]

The 3 wallets that were signatories to that multi sig was not hacked. As in no crypto were lost on those wallets

Let me get this straight: did you use existing funded wallets to create a multisig, and those wallets still have funds while the multisig got emptied? In that case you'd better move your funds to a new secure wallet before the attacker realizes he left something behind!

I'm quoting your post from another topic here:

I got hacked on Feb 12
But the ones from https://segwitadress.org/ were
But my ETH paper wallets were also hacked as well as a multi sig wallet I created with Electrum

It sounds like you even had paper wallets on an online system, instead of using cold storage for them.

I used Electrum desktop with my Ledger
Other 2 wallets are Exodus and Trust wallet which never in my desktop

So those wallets were on different devices? Any chance you stored the seed words on your computer? If multiple wallets on different devices "get hacked", you must have had more than one device compromised. Could someone have gained physical access to your devices?

[SquirrelJulietGarden]

I used Electrum desktop with my Ledger

Other 2 wallets are Exodus and Trust wallet which never in my desktop

I never used Ledger that day

I can not help you to figure out why you lost your bitcoin and can not help you recovering it. Remember Bitcoin transactions ar3 irreversible.

I only can warn you about Exodus wallet and Trust wallet, they are close source wallets and you know, with Bitcoin users close source wallets are not recommended.

Exodus wallet was compromised months ago but let me check.
https://www.publish0x.com/crypto-champion/metamask-and-exodus-hack-shock-the-crypto-world-xyqvopr

[Ray_dog75]

I used Electrum desktop with my Ledger

But how about the cosigner keys/seed phrase when you setup the MultiSig wallet?

How did you set the cosigner 2 and 3 during wallet creation, there are options there to either put a master (private/public) key or seed:
https://www.talkimg.com/images/2025/02/18/qmO7D.png

If "Cosigner seed", and you pasted your Exodus and Trust Wallet's seed, then the hacker can just use that MultiSig wallet to spend without needing your Ledger device to cosign.

If "Cosigner key": Did you pasted your Exodus and Trust Wallet's (master) extended public key or (master) extended private key?
If the latter, then it's the same as putting the cosigner seed, the MultiSig wallet isn't properly setup, it's a MultiSig wallet already capable of providing two of the required signatures.
If the former, then it's something else, probably compromised backup seed phrases.

I'm guessing this is the answer, thanks

The 3 wallets that were signatories to that multi sig was not hacked. As in no crypto were lost on those wallets

Let me get this straight: did you use existing funded wallets to create a multisig, and those wallets still have funds while the multisig got emptied? In that case you'd better move your funds to a new secure wallet before the attacker realizes he left something behind!

I'm quoting your post from another topic here:

I got hacked on Feb 12
But the ones from https://segwitadress.org/ were
But my ETH paper wallets were also hacked as well as a multi sig wallet I created with Electrum

It sounds like you even had paper wallets on an online system, instead of using cold storage for them.

I used Electrum desktop with my Ledger
Other 2 wallets are Exodus and Trust wallet which never in my desktop

So those wallets were on different devices? Any chance you stored the seed words on your computer? If multiple wallets on different devices "get hacked", you must have had more than one device compromised. Could someone have gained physical access to your devices?

Yes, i thought paper wallets were cold wallets. As long as you protect the private keys, then they were bullet proof. The Bitaddress.org wallets were as they were not hacked. That the segwit ones were not bullet proof. The ETH paper wallets were from Metamask i think and as old as the 7 year old bitaddress wallets.

So moving everything with value to Ledger and Tangem

Mod note: Consecutive posts merged

[nc50lc]

-snip-

I'm guessing this is the answer, thanks

That was an unsatisfying response IMO.
Please at least indicate which is the case so this thread's issue can be sorted-out for reference and warning to others who may have created the same unsecure setup.

But based from "guessing" word,
I'll just assume that you can't remember how you created the wallet and you either used the "seed" or "extended private keys" to setup the cosigners.
BTW, that assumption can be confirmed by manually checking the wallet file's keystore (instructions in my first reply).