Theft from Electrum 1.9.8 wallet

[xephyr]

I recently had a problem with theft of a small amount of bitcoin from an Electrum 1.9.8 portable wallet protected with a strong password. Once I noticed the theft I changed the password immediately and be damned if the thief hit me again a day later. My Electrum 1.9.8 watching only wallet was not affected. I spent a good amount of time scanning my computer for malware with no results, nada. Have bitcoin thieves become so sophisticated that local wallets protected with strong passwords are no longer secure enough and cold storage is now essential?

[RUEHL]

I recently had a problem with theft of a small amount of bitcoin from an Electrum 1.9.8 portable wallet protected with a strong password. Once I noticed the theft I changed the password immediately and be damned if the thief hit me again a day later. My Electrum 1.9.8 watching only wallet was not affected. I spent a good amount of time scanning my computer for malware with no results, nada. Have bitcoin thieves become so sophisticated that local wallets protected with strong passwords are no longer secure enough and cold storage is now essential?

Sounds like a root kit, something that won't be found by conventional scanners.  I'd suggest re-imaging the system.  

Also, they may have your private key so a password wouldn't matter.

[Light]

Also, they may have your private key so a password wouldn't matter.

This was probably the reason why you managed to get hit twice by the thief. If your coins get stolen you have to assume the your private key has also been compromised and hence you should immediately generate a new wallet with a new password. No point in storing coins in an address where the thief has control over it.

[dabura667]

Also, they may have your private key so a password wouldn't matter.

This. If I hack your wallet once. I now own your wallet, changing the password doesn't matter.

To put it in simple terms. That 12 word seed you received when you created the wallet, THEY KNOW THAT NOW.

Any bitcoins put into your wallet now will be stolen by them within minutes.

CREATE A NEW WALLET AND STOP USING YOUR OLD WALLET.

[Bitcoin++]

The thief hit me again a day later

How can this be? If the thief had the seed he'd take everything at once. Isn't it likely he only had one private key at first and later discovered another key? If so, the long time it took indicates some brute-forcing? In theory that should be impossible, right? Unless he found a way to make qualified guesses.... I am no expert at all on this, so good if a developer makes a clarifying comment.

[Light]

How can this be? If the thief had the seed he'd take everything at once. Isn't it likely he only had one private key at first and later discovered another key? If so, the long time it took indicates some brute-forcing? In theory that should be impossible, right? Unless he found a way to make qualified guesses.... I am no expert at all on this, so good if a developer makes a clarifying comment.

Highly unlikely that the private key was brute-forced. The private keys in a wallet have no mathematical relationship to one another - they are completely random (most are except for deterministic wallets, but even then you cannot determine the next private key without the seed anyway). If you want to be convinced it is unlikely to happen go search for that Dyson Sphere Sun photo that tells you you "Bitcoin is protected by the laws of the universe".

Far more probable is that his private keys were stolen and that when OP used the same address again the hacker simply stole the coins.

[jonald_fyookball]

The thief hit me again a day later

How can this be? If the thief had the seed he'd take everything at once. Isn't it likely he only had one private key at first and later discovered another key? If so, the long time it took indicates some brute-forcing? In theory that should be impossible, right? Unless he found a way to make qualified guesses.... I am no expert at all on this, so good if a developer makes a clarifying comment.

1. OP probably put funds back into his wallet and the thief took it again...

2.  maybe the thief took the seed and generated the first 5 addresses, then later generated a longer list.

3. Seem it is true that with one private key you can discover others in the same wallet.  There is a warning message in the
electrum wallet about this.  This is not the same thing is simply knowing multiple addresses from
the same wallet, but if you have the private key, I think you can figure out some of the other private keys.

[darlidada]

what is the difference between the seeds and the private key?

[Abdussamad]

3. Seem it is true that with one private key you can discover others in the same wallet.  There is a warning message in the
electrum wallet about this.  This is not the same thing is simply knowing multiple addresses from
the same wallet, but if you have the private key, I think you can figure out some of the other private keys.

You need any one private key + master public key to calculate the master private key (which is the stretched seed as we've covered in other threads) .  Just the private key is not sufficient. But note, however, that the master public key is not encrypted in the wallet file. Only the seed is. So exposure of a private key carries significant risk. That is why you have the warning.

[Abdussamad]

what is the difference between the seeds and the private key?

An electrum wallet has one seed. All bitcoin private keys in a wallet are derived from the seed. It makes backups easier since you have to do the one backup of the seed and it's good for life. The downside is that if the seed is revealed to a thief all your bitcoins can be stolen.

[xephyr]

Thanks for the input. I made the OP to make sure folks understand that just protecting your Electrum wallet with a strong password is not enough nowadays. If you use Electrum you really should set up cold storage as outlined at https://electrum.org/tutorials.html#offline-mpk

[Bitcoin++]

Just for information.

Personally I've never experience theft, but to be safe I use multiple Electrum wallets.
My daily wallet has a limited amount of BTC. This has an added benefit that I cannot by accident spend 10x or 100x too much in case of a typo on the decimal point.
My long-term savings are on wallets generated offline. I have multiple copies of the seed saved on paper notes. I use watch-only wallets on my online computer.