(deleted)

[Mithrandir]

.

[DannyHamilton]

So, if I understand you correctly, you are trying to say:

• You have a MultiBit wallet with the address 1DPYi3JbPwwE6inR3kBBQMx2u4k5kHxSwv
• You also have a blockchain.info wallet with the address 1DPYi3JbPwwE6inR3kBBQMx2u4k5kHxSwv
• On 2014-05-06 at 23:08:06 UTC you received 0.0348 BTC at 1DPYi3JbPwwE6inR3kBBQMx2u4k5kHxSwv
• You confirmed that the bitcoins were received in the MultiBit wallet
• You then shut down the MultiBit wallet
• On 2014-05-07 at 19:30:49 UTC while your MultiBit wallet was shut down, the 0.0348 BTC were sent to 17hghQzNMXkCZw8Dj6HPEYAXnYZgAP99RL
• You did not create the transaction sending the bitcoins to 17hghQzNMXkCZw8Dj6HPEYAXnYZgAP99RL and you are not the owner of the address

It sounds to me like someone else has your private key from the 1DPYi3JbPwwE6inR3kBBQMx2u4k5kHxSwv address.

Since you have the same address in at least two different wallets, I guess the first question would be:

Where did the 1DPYi3JbPwwE6inR3kBBQMx2u4k5kHxSwv address come from?  Was it created in MultiBit and imported into blockchain.info?  Was it created in blockchain.info and imported into MultiBit?  Was it created somewhere else entirely, and then imported into both MultiBit and blockchain.info?

If you obtained the private key from an insecure source, then that was your most likely leak.

If you exported the private key and then imported it into another wallet, then there is a good chance that you weren't careful with the private key after exporting it.

If you imported the private key into any other "Wallets" it is also possible that one of them were compromised.

[activebiz]

Its also possible ur email used to create blockchain account was hacked and ur wallet backup stolen

[cp1]

There's absolutely no point in using linux and running an encrypted file system if you're going to leave your private keys on a website.  Instead of importing the private key you should just transfer the funds to an address in your multibit wallet or sweep the private key.

[DannyHamilton]

There's absolutely no point in using linux and running an encrypted file system if you're going to leave your private keys on a website.  Instead of importing the private key you should just transfer the funds to an address in your multibit wallet or sweep the private key.

I hadn't previously used the addresses for much (i.e. nothing was on them) and I'd completely forgotten I'd imported the keys over from blockchain.info. The addresses were just sitting there until two days ago. But yes, I definitely should have been more careful.

What's odd is that the private keys (in either place) were never cold-stored unencrypted, and the password was generated and stored in a KeePassX db. I've been racking my brain trying to think where I could have left something open, but haven't thought of anything yet.

Are you running any altcoins on your computer?  Some of those have turned out to be bitcoin stealers.

Aside from that, its hard to say where you leaked the private key.  Perhaps in the process of extracting the private key from blockchain.info so you could import it into MultiBit?

[spin]

There's absolutely no point in using linux and running an encrypted file system if you're going to leave your private keys on a website.  Instead of importing the private key you should just transfer the funds to an address in your multibit wallet or sweep the private key.

I hadn't previously used the addresses for much (i.e. nothing was on them) and I'd completely forgotten I'd imported the keys over from blockchain.info. The addresses were just sitting there until two days ago. But yes, I definitely should have been more careful.

What's odd is that the private keys (in either place) were never cold-stored unencrypted, and the password was generated and stored in a KeePassX db. I've been racking my brain trying to think where I could have left something open, but haven't thought of anything yet.

If you have other bitcoin in your multibit wallet and only this was stolen from the imported address I'd say your problem lies before multibit.  So anytime from when you first used blockchain.info to the time when you imported that private key into multibit.  Has the password always been secure KeePass based?  Was the backup always unencrypted?  Did you safely transfer the keys into multibit?

[DannyHamilton]

Are you absolutely certain that the address was generated with blockchain.info and not imported there?  Is there any chance that this is a "brainwallet" that you generated elsewhere and then later imported into blockchain.info before finally importing into MultiBit?

Also, was this address ever used on an android mobile wallet?  There was previously an issue with how those wallets generated signatures.  I think there was also recently an issue announced with the "Counterparty" altcoin.  I don't know much about that coin, but somehow it allowed you to use your bitcoin address with that coin?  Those that chose to do so accidentally left their bitcoin address vulnerable.

[DeathAndTaxes]

If you accidentally followed a phishing link to blockchain.info an attacker could have gained a copy of your wallet and passphrase.   With no funds to steal the system would just wait and scan.  You might have blindly lucked out except by importing the now compromised keys into a new wallet (why?) it was a landmine.  Eventually you would fund it and the hacker scanning the blockchain would jump on it and move funds. 

If you don't mind losing more funds one way to check would be to transfer a small amount (say couple mBTC) to another address in the blockchain.info wallet and see what happens. My guess is pretty quickly it will move as well.

[escrow.ms]

Which multibit version you were using? did you downloaded it recently? or any other file ? If yes from where. (or you probably clicked on some java applet) and you might got infected with some multios rat, You are not safe on even linux. (Java Sucks)
edit:

1KKKK6N21XKo48zWKuQKXdvSsCf95ibHFa (0.00091234 BTC - Output)
17hghQzNMXkCZw8Dj6HPEYAXnYZgAP99RL (0.00170949 BTC - Output)   -->   17hghQzNMXkCZw8Dj6HPEYAXnYZgAP99RL - (Spent) 0.00262183 BTC

https://blockchain.info/tx/c92ad3cb375aca80e8b2b740f24130a52d6fdfb24b3effa5b3f97abb99a84393

Total Input    0.00262183 BTC
Total Output    0.00262183 BTC
Fees    0 BTC
Estimated BTC Transacted    0 BTC
Included In Blocks    283622 (2014-02-01 18:35:08 +1 minutes)

 

1KKKK probably belongs to
http://networkedblogs.com/ToeNX (He wrote article same day when tx was transferred to 17hgh)
https://github.com/gseshadri/bitcoin-raw-transaction/blob/master/keyUtil.py