spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

btc transaction automatically forwarded to another wallet #6420

Closed bole1301111 closed 4 years ago

bole1301111 commented 4 years ago

Hi guys,

I generated a wallet on bitaddress.org and imported the private keys into Electrum (version 3.3.8).

I was receiving and sending some BTC today and all was OK until later tonight.

Tonight when I received BTC, at the same minute it got sent away to another wallet that is not mine.

I did not send this (I also have a password that I need to enter to send).

When I was looking around the app I also noticed that my receiving wallet is now marked red.

Is it possible that I am out of addresses and that Electrum forwarded it somewhere until I get a new address? Like parked it?

It ended up at this address:

1Da2XrJyYtEh8yqys7Xfu7y2FqhkWC3Gu9 - I then imported this address into Electrum and it says it's watch-only (then I tried to sweep my private keys but it didn't unlock it - it's watch-only)...

wtf...

Was I hacked?

This is the mentioned transaction where I received and it got forwarded immediately without me sending it (and approving with the password) - https://www.blockchain.com/btc/address/1JKmJ8AJcpuDWmtvWyt8orE1oEo3ryU4oY

github12101 commented 4 years ago

I might be wrong, but my opinion is: you have a Trojan on your computer. Not an Electrum bug. Electrum does not send money away to hackers.

Consider all your computers and telephones as infested with a Trojan which is stealing the contents of your clipboard and sharing your screen with third parties. Format them all (wipe the hard drives), unless you are IT-skilled and can pick, save and salvage the contents of your infected drives. This problem is complex and it may not go away unless you deal with it.

github12101 commented 4 years ago

Solution for the future: always use a hardware wallet. It's next to impossible to steal from a hardware wallet like Trezor, even if you have Trojans and viruses watching your every step (on the PC).

bole1301111 commented 4 years ago

I don't think so, but the only thing I did today that was not ordinary is that I exported my keys, since I wanted to back them up. I noticed that when doing this I got this path:

C:/Users/bojan/Downloads\electrum-private-keys.csv

Note that the automatically generated path to save the file has a \ between Downloads and electrum-private-keys.csv instead of the normal /.

And when I click export it doesn't appear anywhere until I change it to a /.

github12101 commented 4 years ago

The Trojan snatched the electrum-private-keys.csv file and sent it to the hackers? The filename couldn't have been more obvious anyway. You are using Windows, right?... Maybe you should consider using Linux when it comes to money and security.

bole1301111 commented 4 years ago

Just now a guy claiming he is from Electrum support sent me an e-mail asking me to enter my 12-word code (seed) to confirm the wallet, and it will be re-authenticated and the BTC will be synced back... jesus... scammers everywhere... and he used the support@electrum.org mail.

``Go to the re authentication page choose the re authentication option enter your device type ‘Windows or MacBook’ *enter the 12 phrase mnemonics words given to you when you created your wallet so the bot can run drive your account on our database

After you pass the re authentication, all the functionality will be restored and you will be able to perform normal activities on your account.

Regards, Zac (Tech Support)``

github12101 commented 4 years ago

You have a full infestation. Consider the machine completely taken over, turn it off, and next boot it with the Internet disconnected and from a Linux CD. Wipe everything.

SomberNight commented 4 years ago

just now a guy claiming he is from Electrum support sent me e-mail to enter my 12 word code (seed) to confirm the wallet and it will be re-authenticated and btc will by synced back... jesus... scammers everywhere... and he used support@electrum.org mail

Could you please forward that email to me? See my GitHub profile for address.

bole1301111 commented 4 years ago

just now a guy claiming he is from Electrum support sent me e-mail to enter my 12 word code (seed) to confirm the wallet and it will be re-authenticated and btc will by synced back... jesus... scammers everywhere... and he used support@electrum.org mail

Could you please forward that email to me? See my GitHub profile for address.

sent from my protonmail

SomberNight commented 4 years ago

Thanks. These are the headers for the spoofed support@electrum.org email:

Return-Path: <ghostmai@standard2.doveserver.com>
X-Original-To: [OP's_email_address_redacted]@protonmail.com
Delivered-To: [OP's_email_address_redacted]@protonmail.com
Received: from standard2.doveserver.com (standard2.doveserver.com [209.205.201.162])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
certificate requested) by mailin011.protonmail.ch (Postfix) with ESMTPS id E575D4010073
for <[OP's_email_address_redacted]@protonmail.com>; Sun, 19 Jul 2020 23:44:42 +0000 (UTC)
Received: from ghostmai by standard2.doveserver.com with local (Exim 4.93) (envelope-from
<ghostmai@standard2.doveserver.com>) id 1jxIyx-00DH9w-VQ for
[OP's_email_address_redacted]@protonmail.com; Mon, 20 Jul 2020 00:44:36 +0100
Authentication-Results: mailin011.protonmail.ch; dmarc=none (p=none dis=none)
header.from=electrum.org
Authentication-Results: mailin011.protonmail.ch; spf=none
smtp.mailfrom=ghostmai@standard2.doveserver.com
Authentication-Results: mailin011.protonmail.ch; dkim=pass (2048-bit key)
header.d=ghostmailer.com.ng header.i=@ghostmailer.com.ng header.b="Xk4errZi"
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ghostmailer.com.ng;
s=default; h=Date:Message-Id:Content-type:MIME-Version:
From:Subject:To:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=djGRPVFHVr8QiOhHJ4wQNGE6vPhdMclK6I4RNvJ9Xro=; b=Xk4errZiwTwOQcuiNW2whqz1Co
ME9rV9qKNBuJXDeSGvPYn65LIHu+jwURC1RimPuUXqdgYZqxis9FXEfZuGX6xoO9cBast/jjizQow
TbATj4SXwwksB5KxYraVsSQTyDA8SYG0zmIRFHdA65Vxt1W9M+bkynLUPM1tnMlLqLjqJmLr3NvkF
tN2CxP2b4eOFphXNRz8xEPgZQlB10/pY0AGvwxIzsMFDbKyXKd6DJdpTrQgv6ppO7E8/CVGdnF2CY
p1D2+cgJNKo6xuTygQitYsXb24mgjR+nHeX8IqwjYLPKFzqHWIBDl4cuUiQ9uvlZ5RRGpGMcL+V6r VXaW5joQ==;
To: [OP's_email_address_redacted]@protonmail.com
Subject: Re-authentication
X-Php-Script: www.ghostmailer.com.ng/index.php for 41.90.40.149
X-Php-Originating-Script: 3336:index.php
From: (Zac) Electrum <support@electrum.org>
Mime-Version: 1.0
Content-Type: text/html
Message-Id: <E1jxIyx-00DH9w-VQ@standard2.doveserver.com>
Date: Mon, 20 Jul 2020 00:44:35 +0100
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - standard2.doveserver.com
X-Antiabuse: Original Domain - protonmail.com
X-Antiabuse: Originator/Caller UID/GID - [3336 994] / [47 12]
X-Antiabuse: Sender Address Domain - standard2.doveserver.com
X-Get-Message-Sender-Via: standard2.doveserver.com: authenticated_id: ghostmai/only user
confirmed/virtual account not confirmed
X-Authenticated-Sender: standard2.doveserver.com: ghostmai
X-Source-Dir: ghostmailer.com.ng:/public_html
X-Pm-Spam: 0yeiAIic37iBOIJChpR3Y2bi4AiOiuHVZb8miiACL3cpJI6ZC1CIIZEj0lFGZjYxM[...]
X-Pm-Origin: external
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
X-Pm-Content-Encryption: on-delivery
X-Pm-Spamscore: 7
X-Pm-Spam-Action: dunno

@EagleTM ^ in case you think we might be able to do anything about that

email body was:

Here is the re authentication link, the required information is secured and encrypted, your information will be received by the bot and the bot will automatically re authenticate your account, the process is only going to take 0-5mins

hxxps ://bit.ly/authenticationsychronizationdata

Go to the re authentication page
*choose the re authentication option
*enter your device type ‘Windows or MacBook’
*enter the 12 phrase mnemonics words given to you when you created your wallet so the bot can run drive your account on our database

After you pass the re authentication, all the functionality will be restored and you will be able to perform normal activities on your account.

Regards,
Zac (Tech Support)
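The headers above carry the whole story of the spoof: the receiver recorded dkim=pass, but the signing domain (header.d=ghostmailer.com.ng) and the envelope sender (smtp.mailfrom=ghostmai@standard2.doveserver.com) have nothing to do with the visible From: domain electrum.org, and dmarc=none means no DMARC policy record was found for that domain, so there was nothing for ProtonMail to enforce (RFC 7489 defines this result exactly that way). The script below is an added example for this thread, not Electrum code; it re-parses a trimmed copy of the posted headers and applies a DMARC-style alignment check, so a reader can see why "DKIM passed" is meaningless unless the passing domain aligns with From:. The second header set (ALIGNED_HEADERS) is a constructed, hypothetical counter-example of what an aligned pass looks like; it is not a real electrum.org message, and the subdomain-based alignment rule is a simplification of DMARC's relaxed mode, which compares organizational domains via the Public Suffix List.

```python
"""DMARC-style alignment check over Authentication-Results headers.

Added example for this thread (not Electrum code). Shows why dkim=pass on the
spoofed mail says nothing about the From: domain: neither the DKIM signing
domain nor the SPF envelope domain is aligned with electrum.org.
"""
import email
import re

# Trimmed copy of the headers posted above; folded continuation lines re-indented
# so the parser joins them. Only the authentication-relevant lines are kept.
SPOOFED_HEADERS = """\
Return-Path: <ghostmai@standard2.doveserver.com>
Authentication-Results: mailin011.protonmail.ch; dmarc=none (p=none dis=none)
 header.from=electrum.org
Authentication-Results: mailin011.protonmail.ch; spf=none
 smtp.mailfrom=ghostmai@standard2.doveserver.com
Authentication-Results: mailin011.protonmail.ch; dkim=pass (2048-bit key)
 header.d=ghostmailer.com.ng header.i=@ghostmailer.com.ng header.b="Xk4errZi"
From: (Zac) Electrum <support@electrum.org>
Subject: Re-authentication
"""

# Constructed, hypothetical counter-example of an aligned pass. Not a real
# electrum.org message; electrum.org's actual mail setup is not known here.
ALIGNED_HEADERS = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.electrum.org
Authentication-Results: mx.example.net; dkim=pass header.d=electrum.org
From: Electrum <support@electrum.org>
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROPERTY_RE = re.compile(r"(header\.from|smtp\.mailfrom|header\.d)=([^\s;]+)")


def from_domain(raw_headers: str) -> str:
    """Domain of the RFC5322.From header, i.e. the one the recipient actually sees."""
    msg = email.message_from_string(raw_headers)
    hdr = msg.get("From", "")
    m = re.search(r"<([^>]+)>", hdr)
    addr = m.group(1) if m else hdr.strip()
    return addr.rsplit("@", 1)[-1].lower()


def parse_auth_results(raw_headers: str) -> dict:
    """Collect spf/dkim/dmarc results and the domain each one was evaluated for."""
    msg = email.message_from_string(raw_headers)
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\s+", " ", value)  # unfold the header
        props = dict(PROPERTY_RE.findall(value))
        for method, result in AUTH_RESULT_RE.findall(value):
            if method == "spf":
                domain = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
            elif method == "dkim":
                domain = props.get("header.d", "")
            else:
                domain = props.get("header.from", "")
            out[method] = {"result": result.lower(), "domain": domain.lower()}
    return out


def aligned(domain: str, from_dom: str) -> bool:
    """Relaxed-style alignment: same domain, or one is a subdomain of the other.

    Simplification (assumption): real DMARC relaxed alignment compares
    organizational domains derived from the Public Suffix List.
    """
    if not domain or not from_dom:
        return False
    d, f = domain.rstrip("."), from_dom.rstrip(".")
    return d == f or d.endswith("." + f) or f.endswith("." + d)


def analyze(raw_headers: str) -> dict:
    """Decide whether any passing check actually authenticated the visible From: domain."""
    fdom = from_domain(raw_headers)
    results = parse_auth_results(raw_headers)
    report = {"from_domain": fdom,
              "dmarc": results.get("dmarc", {}).get("result", "absent")}
    authenticated = False
    for method in ("spf", "dkim"):
        r = results.get(method, {"result": "absent", "domain": ""})
        ok = aligned(r["domain"], fdom)
        report[method] = {**r, "aligned": ok}
        if r["result"] == "pass" and ok:
            authenticated = True
    report["header_from_authenticated"] = authenticated
    return report


if __name__ == "__main__":
    for label, hdrs in (("spoofed", SPOOFED_HEADERS), ("aligned", ALIGNED_HEADERS)):
        r = analyze(hdrs)
        print(f"{label}: From domain {r['from_domain']}, dmarc={r['dmarc']}, "
              f"authenticated={r['header_from_authenticated']}")
        for m in ("spf", "dkim"):
            print(f"  {m}={r[m]['result']} domain={r[m]['domain'] or '-'} aligned={r[m]['aligned']}")
```

Run it on the spoofed headers and both checks come back unaligned, so the From: line is unauthenticated regardless of the DKIM pass; on the constructed aligned set both checks pass and align. The practical lesson for a user is the one SomberNight's headers make: trust the Authentication-Results and the signing domain, never the display name or the address in From:.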

aradour commented 4 years ago

just now a guy claiming he is from Electrum support sent me e-mail to enter my 12 word code (seed) to confirm the wallet and it will be re-authenticated and btc will by synced back... jesus... scammers everywhere... and he used support@electrum.org mail

``Go to the re authentication page choose the re authentication option enter your device type ‘Windows or MacBook’ *enter the 12 phrase mnemonics words given to you when you created your wallet so the bot can run drive your account on our database

After you pass the re authentication, all the functionality will be restored and you will be able to perform normal activities on your account.

Regards, Zac (Tech Support)``

Hey! I have kind of the same problem, but all my funds were sent away. So I guess it's the same malware I got a month ago changing my Electrum addresses. Is this the e-mail from the guy who told you this? Could he kind of check up on my case if I contact him? Idk if I can contact him. But let me know!

SomberNight commented 4 years ago

@aradour This thread is about a fraudster claiming to be "Electrum support", trying to scam people. There is no way of retrieving lost coins. Bitcoin transactions are irreversible.