My electrum wallet was compromised

[mcdouglasx]

It's not enough to simply download from the official website; you have to verify the signatures, and the signatures must be correct.
Malware could simply redirect the link from the official site to a compromised download and make you believe everything is fine.

If a website or app like Electrum were compromised, we would already know, as such incidents would be so frequent that we would suspect something was amiss.

Therefore, thinking of that option as the most likely is not the right approach. You could have compromised your seed phrase somehow, or someone could have accessed your PC in some way, ranging from physical to digital, remotely or through scripts. I

deally, you should use methods that don't require an internet connection to sign your transactions.

[LoyceV]

So if I'm reading this correctly ~
And after stealing your funds, the user has used Fixedfloat (ff.io) to swap the funds (to something else).

That's not accurate, you may want to edit your post. See mempool.space or just nc50lc's post:

It looks more like another victim's funds going to the hacker's address through FF (prob an exchanged Altcoin) instead of OP's funds because its UTXO (6a4048b6:0) is currently still unspent.

It just moved while I was checking the address:

Code:

19XBDNDseQmEaXFwKjv9oPZkwQimvcVWTw		‎0,02250021 BTC 	
bc1q8pjaumzy65mvra7nqsn35dmswl8ayk3st9nwyc	‎0,22061681 BTC

The largest amount went back to the address it came from. A smart attacker wouldn't reuse the same address.

my wallet was emptied. Can anyone explain how they did it?

Is it possible someone gained physical access to your computer? That would explain the not-so-smart linking of addresses.

This isn't helping you now, but it may help in the future, and I don't think it can be said often enough: DO NOT keep high value in a hot wallet! This isn't the first and unfortunately won't be the last time something like this happens.

[khbinversion]

Thanks...yes...I saw that movement.
I'm keeping an eye on it and watching to see if they move it to any exchange.
Nobody has access to my PC, and my seed phrases and keys aren't on the PC either.
It makes me think it's someone who knows Electrum very well. How can they access the wallet without the keys?

[LoyceV]

Nobody has access to my PC, and my seed phrases and keys aren't on the PC either.

You're wrong here: your Electrum wallet has your seed and keys.

[khbinversion]

So there's the mistake. I didn't know my PC saved my seed phrase and password. Everyone says you have to keep them off the PC. That's why I thought they weren't saved.

[hosemary]

So there's the mistake. I didn't know my PC saved my seed phrase and password. Everyone says you have to keep them off the PC. That's why I thought they weren't saved.

If the keys doesn't exist on your computer, there is no way for electrum to sign transactions and that's why they are saved in the wallet file.

Note that your electrum wallet file contains your seed phrase and also your master private key, but in encrypted form if you set a password when creating the wallet. Therefore, if the wallet is encrypted, anyone who has access to your computer would also need your password to steal your funds.

[noorman0]

Thanks...yes...I saw that movement.
I'm keeping an eye on it and watching to see if they move it to any exchange.

Keep monitoring the hacker's wallet output addresses through chain analysis tools, some centralized services set a rather long sweep schedule to their hot wallet so they may currently only be marked as personal addresses.

[mcdouglasx]

So there's the mistake. I didn't know my PC saved my seed phrase and password. Everyone says you have to keep them off the PC. That's why I thought they weren't saved.

The only way to increase security against hacking is to either use a hardware device to protect your seed phrase, where you only use the device to sign transactions, or use Electrum Air Gapped. In the latter case, use your internet-connected version of Electrum only as a watch-only wallet, export the unsigned transaction to the offline Electrum wallet, sign it, and then send it back signed for transmission.

Here are some threads that will give you more information:

How to Safely Download and Verify Electrum

offline air-gapped electrum

Electrum air gapped device

[RoxxR]

Sorry for your loss. It very much looks like your PC was compromised.
 1. Check for ANY recently installed software. Do you see anything suspicious?
 2. What is your system OS and version?   All security updates installed?
 3. In any case, I would highly recommend to do a factory restore of the entire system.

[Cricktor]

So there's the mistake. I didn't know my PC saved my seed phrase and password. Everyone says you have to keep them off the PC. That's why I thought they weren't saved.

I think you misunderstand something here. Your Electrum wallet file has the seed mnemonic words in plaintext when you didn't use a wallet encryption password or passphrase (not to confuse with a mnemonic passphrase which extends the mnemonic recovery words).

Even when the Electrum wallet is encrypted, it contains the details to recreate the seed recovery words, of course. And in both cases a non-watch-only wallet contains the master extended private key which can derive all private keys of your wallet.


As an example, I just created a new standard wallet with Electrum and got the mnemonic recovery words

Code:

icon axis arrow cotton auto also issue kingdom despair silent seek bamboo

I left the wallet encryption password/phrase empty which leaves the Electrum wallet file completely in plaintext (don't do this, terrible non-existant security). The JSON "keystore" object in the wallet file has the recovery words in "seed", see here as copied out of the Electrum wallet file:

Code:

...
    "keystore": {
        "derivation": "m/0h",
        "pw_hash_version": 1,
        "root_fingerprint": "0125db3c",
        "seed": "icon axis arrow cotton auto also issue kingdom despair silent seek bamboo",
        "seed_type": "segwit",
        "type": "bip32",
        "xprv": "zprvAYaAR9g4qDVi8pnLKzX7too4Ph6LxSwnJN47HqdRKxpyPPVhH63WQVigiVLp9M28zw5wq7GtRfXiWfDe5vGjxvTBRwyct12QTVJghx4soeP",
        "xpub": "zpub6mZWpfCxfb41MJroS248FwjnwivqMufdfayi6E32tJMxGBpqpdMkxJ3AZobfXY3uFVXBfeimutfhQzBzP1JYgPCwuYCsGMkB2YnTHrUJXK2"
    },
...

IIRC, you didn't answer if your Electrum wallet was encrypted. Was it?

Your computer could've been compromised when you had setup your Electrum wallet initially.

You're right, that it's highly recommended to only make an analog backup of your wallet's recovery words. But some people do also the mistake to take digital pictures with their smartphones of the written analog backup. Digital pictures which often are then synced to some picture clouds and computer clouds are just other people's computers where you loose control and possession of your digital files. Imagine fancy AI picture classification tools of some picture clouds, imagine OCR tools that picture clouds offer...

This isn't helping you now, but it may help in the future, and I don't think it can be said often enough: DO NOT keep high value in a hot wallet! This isn't the first and unfortunately won't be the last time something like this happens.

I would've already used a hardware wallet for a tenth of the lost coins of OP. Really, I don't know what some are thinking...
A luxury hardware wallet is not more than a 1/100^th or less than the roughly lost quarter Bitcoin.

Sure, you can also loose coins with a hardware wallet if you don't check transaction output addresses thoroughly for every transaction that you're going to sign and broadcast. But that would be gross negligence and ignoring best practices.

[Synchronice]

So there's the mistake. I didn't know my PC saved my seed phrase and password. Everyone says you have to keep them off the PC. That's why I thought they weren't saved.

How did you create a wallet? When you create a wallet, it generates seed phrases that you write down on paper or save somewhere. What did you exactly did on this step? Also, electrum creates a wallet file, on which you set a password and when you want to quickly access your wallet, you open Electrum and then type your password.
If you didn't have password stored on your computer or stored it on drive or somewhere else, then I don't know how the hacker was able to access your wallet. In the worst case, you had a malware which let the hacker to remotely access your computer but I wonder how did you catch such a malware. Were you visiting torrent websites that are full of viruses or other suspicious websites? I'm sure that you won't get a virus if you visit simple and popular websites like YouTube, Twitter and so on.

Would love to hear more about this because I'm really interested.

[Lucius]

Retrieving the funds is one thing, but if you want to prevent it from happening again you need to figure out how this happened in the first place.

True, imagine if the OP manages to get back what was stolen from him, and then the same thing happens to him. It is assumed that the OP managed to pick up something malicious somewhere, perhaps a RAT that has access to everything on his computer. Unless he plans to submit the computer for forensic analysis, the only correct procedure is to format the disk and buy some hardware wallet.

[DireWolfM14]

Retrieving the funds is one thing, but if you want to prevent it from happening again you need to figure out how this happened in the first place.

True, imagine if the OP manages to get back what was stolen from him, and then the same thing happens to him. It is assumed that the OP managed to pick up something malicious somewhere, perhaps a RAT that has access to everything on his computer. Unless he plans to submit the computer for forensic analysis, the only correct procedure is to format the disk and buy some hardware wallet.

There's a good chance the same thing will happen again if he's not investigating the cause.  This line is telling:

Can anyone explain how they did it?

How they did it.  No accountability in that statement.  I'm sorry that the OP got scammed, but scammers are opportunists, and in this space more than any other we need to be diligent to deny them the opportunity.

Thankfully I learned my lesson cheaply, and have been uber diligent ever since.  But, even the most diligent among us is capable of making a mistake.  So we need to take extra steps to prevent our mistakes from becoming costly.  A hardware wallet is a great first step to building redundant safety measures.  And many can be purchased for a signature campaign's weekly wages.

The last thing I want to see is something like this guy who lost 1.68BTC to learn his lesson.

[Z-tight]

The last thing I want to see is something like this guy who lost 1.68BTC to learn his lesson.

Yeah, that was a very hard and expensive way to learn a lesson. And what's worse about this kind of loss is that the victim may never use BTC again and would move forward with the idea that BTC is a scam. It is hard for someone to be accountable for their choices when they do not even completely understand what they are doing, so they hardly even know what they have done wrong.

If you didn't have password stored on your computer or stored it on drive or somewhere else, then I don't know how the hacker was able to access your wallet.

It could've been a local attack. Someone maybe got access to op's device and moved the funds. Op has shown to have limited BTC knowledge, so this is a strong possibility. I also guess the wallet wasn't encrypted.

[NeuroticFish]

So there's the mistake. I didn't know my PC saved my seed phrase and password. Everyone says you have to keep them off the PC. That's why I thought they weren't saved.

Sadly you don't understand how the wallets work and didn't have a hardware wallet to guard those 11k worth of coins.
An under 100$ HW with the seed saved by hand on paper (or steel) for backup would have been ensuring the seed phrase stays away of the online world.

PS. You may have missed the point that the coins are not in the wallet, they are "on the blockchain" and anybody who had once access to the seed can take them without starting your PC. This also means that your wallet is no longer safe. Probably neither your PC (unless your backup was in email, cloud, ...).

[Synchronice]

Unless he plans to submit the computer for forensic analysis, the only correct procedure is to format the disk and buy some hardware wallet.

Will formatting the disk be enough? What if his BIOS is also infected? Maybe it's better to reflash bios and wipe the system entirely, then reinstall the OS.

There's a good chance the same thing will happen again if he's not investigating the cause.

For me, the most interesting part is how he got that virus. I'm very confident that you won't get such kind of virus by browsing simple websites. He was either visiting malicious torrents, download movies or cracked games. I hope he will share with us what could be the reason of his computer getting infected. There is no way he didn't visit anything and got such a terrible computer virus, probably a RAT.

It could've been a local attack. Someone maybe got access to op's device and moved the funds. Op has shown to have limited BTC knowledge, so this is a strong possibility. I also guess the wallet wasn't encrypted.

OP said that no one had physical access to his computer.

[LoyceV]

Will formatting the disk be enough? What if his BIOS is also infected? Maybe it's better to reflash bios and wipe the system entirely, then reinstall the OS.

I've never worried about a potential BIOS-virus when I wipe a laptop and install Linux. Assuming OP used Windows, installing the same Windows without knowing what compromised it will likely lead to a compromised computer again.

[Lucius]

~snip~
How they did it.  No accountability in that statement.  I'm sorry that the OP got scammed, but scammers are opportunists, and in this space more than any other we need to be diligent to deny them the opportunity.

I learned a long time ago that you always have to be at least one or even better two steps ahead of a scammer if you want to be sure they won't outsmart you. Making a setup and saying that you are now 100% safe is the wrong approach, because when you let your guard down, that's when you are most vulnerable.

Unless he plans to submit the computer for forensic analysis, the only correct procedure is to format the disk and buy some hardware wallet.

Will formatting the disk be enough? What if his BIOS is also infected? Maybe it's better to reflash bios and wipe the system entirely, then reinstall the OS.

We can go further, what if the OP has a computer with malware parts that are malicious? The Chinese were doing it on a global scale before they were discovered, and who can say today that his computer does not secretly communicate with remote servers without the owner's knowledge. If we take into account the possibilities of hacking Windows OS computers 7-8 years ago that some agencies had, it is not difficult to imagine what they can do today.

I'm not saying that the OP is a victim of the same, but we all know that such tools can find their way to the black market and then ordinary hackers start using them.

[DireWolfM14]

What if his BIOS is also infected?

That's extremely unlikely in these types of situations.

For me, the most interesting part is how he got that virus. I'm very confident that you won't get such kind of virus by browsing simple websites. He was either visiting malicious torrents, download movies or cracked games. I hope he will share with us what could be the reason of his computer getting infected. There is no way he didn't visit anything and got such a terrible computer virus, probably a RAT.

I can't say what it was for certain, but odds are the simplest answer is the correct one.  I suspect he got phished by downloaded a malicious version of Electrum, or someone he knows stole his funds.  I hope the OP figures it out.