Board Electrum
Re: New Electrum vulnerability? Unknown transaction (Fraud, Theft) 4.3.4 AppImage
by
btcfreak123
on 15/07/2025, 19:13:05 UTC


[quote]
Since you scanned for malware/viruses, I am guessing that your device is clean so it's probably nothing to do with that.

But it does sound suspiciously like a private key leak or a malicious server (man-in-the-middle attack).

Check Electrum's log file, if you had logging enabled: ~/.electrum/logs/ or \AppData\Roaming\Electrum\logs (hidden folder)
Was auto-connect to server on?
Check the tx data on blockchain explorer - were they broadcast from the same IP / node?
[/quote]


Unfortunately I did not have logging enabled, but yes, it was auto-connected to (several) servers.

Blockchain explorers also show no IP addresses, so how would I check where both TXs came from, or whether they were initiated on my PC/wallet or not? This would already help me. If the second TX was initiated outside my wallet (e.g. with a stolen seed or private key), this would rule out malware on my current system, since I used the same wallet years ago on a Windows system - where I also had only signature-verified Electrum programs installed, but I am not as sure (as on my Linux system now) that I was 99% free of malware. But then again, why would someone with my wallet seed not have drained all the addresses but only one, and coincidentally at the exact same time when I broadcast a TX, and never before or after?

By the way, I discovered that at the time of the attack - shortly (seconds/minutes) before - 3 files were created in the /.electrum directory:
/.electrum/certs/guichet.centure.cc
/.electrum/certs/blackie.c3-soft.com
/.electrum/certs/btc.aftrek.org

I don't know if this is normal (e.g. new servers connected) or whether those could have been the malicious servers?
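As an added example (not code from this thread or from the Electrum project): a stdlib-only Python helper that lists the files in Electrum's certs directory, where Electrum pins one PEM certificate per server it has trusted on first use, with their modification times and SHA-256 fingerprints, and flags those written close to a given incident time so that files like the three above can be correlated with the transaction timestamp. The certs path and the incident time in the `__main__` block are assumptions to replace with your own.

```python
"""Triage helper: list Electrum's pinned server certificates with their
file timestamps and SHA-256 fingerprints, flagging those written within
a window around a suspicious transaction.  Electrum stores one PEM file
per server under ~/.electrum/certs/<hostname> (Linux) or
%APPDATA%\\Electrum\\certs\\<hostname> (Windows)."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM file;
    compare it with the fingerprint the server presents today."""
    inside = pem_text.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
    der = base64.b64decode("".join(inside.split()))
    return hashlib.sha256(der).hexdigest()


def triage_certs(certs_dir, incident_utc, window=timedelta(minutes=30)):
    """Return one record per file in certs_dir; 'in_window' marks files
    whose modification time falls within +/-window of incident_utc."""
    records = []
    for path in sorted(Path(certs_dir).iterdir()):
        if not path.is_file():
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        try:
            fp = pem_fingerprint(path.read_text(errors="replace"))
        except (IndexError, ValueError):
            fp = "not a PEM certificate"
        records.append({
            "server": path.name,
            "mtime_utc": mtime.isoformat(timespec="seconds"),
            "sha256": fp,
            "in_window": abs(mtime - incident_utc) <= window,
        })
    return records


if __name__ == "__main__":
    # Assumed incident time: replace with the broadcast time of your own tx.
    incident = datetime(2025, 7, 10, 12, 0, tzinfo=timezone.utc)
    for r in triage_certs(Path.home() / ".electrum" / "certs", incident):
        flag = "<-- written around incident" if r["in_window"] else ""
        print(f'{r["mtime_utc"]}  {r["server"]:32}  {r["sha256"][:16]}  {flag}')
```

A file written minutes before the transaction only tells you a new server was pinned at that time; whether that server was malicious needs the fingerprint compared against what the same host serves now and against the log of the transaction broadcast.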