Since you scanned for malware/viruses, I am guessing that your device is clean so it's probably nothing to do with that.
But it does sound suspiciously like a private key leak or a malicious server (man-in-the-middle attack).
Check Electrum's log file, if you had logging enabled: ~/.electrum/logs/ or \AppData\Roaming\Electrum\logs (hidden folder)
Was auto-connect to server on?
Check the tx data on blockchain explorer - were they broadcast from the same IP / node?
Unfortunately I did not have logging enabled, but yes, it was auto-connected to (several) servers.
Blockchain explorers also show no IP addresses, so how would I check where both TXs came from, or whether they were both initiated on my PC/wallet or not? This would already help me. If the second TX was initiated outside my wallet (e.g. with a stolen seed or private key), this would rule out malware on my current system, since I used the same wallet years ago on a Windows system - where I also had only signature-verified Electrum programs installed, but I am not so sure (as I am on my Linux system now) that I was 99% free of malware. But then again, why would someone with my wallet seed not have drained all the addresses instead of only one, and coincidentally at the exact same time I broadcast a TX, and never before or after?
B.t.w. I discovered that at the time of the attack - shortly (seconds/minutes) before - 3 files were created in the /.electrum directory:
/.electrum/certs/guichet.centure.cc
/.electrum/certs/blackie.c3-soft.com
/.electrum/certs/btc.aftrek.org
Idk if this is normal (e.g. new servers connected) or whether those could have been the malicious servers?
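A worked way to do the timeline check discussed above, added here as an example and not code from this thread or from the Electrum project: Electrum pins self-signed server certificates by saving a copy under the wallet data directory's certs/<hostname> on first connection, so a new file there records the first contact with that server, nothing more. The script below lists every pinned certificate with its modification time and SHA-256 fingerprint and flags those written within a window before the transaction time, so the three hostnames from the post can be put on the same timeline as the TX. The demo directory, the 30-minute window, the transaction time and the extra hostname electrum.example.org are all constructed assumptions for the example; the certificate bodies are dummy base64, since only the fingerprint and file time matter for the check.

```python
"""List Electrum's pinned server certificates and flag those created shortly
before a transaction time. Example code, not part of Electrum itself."""
import base64
import hashlib
import os
import ssl
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed transaction time used by the demo (assumption, not from the thread).
DEMO_TX_TIME = datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc)


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)  # raises ValueError if not PEM
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def scan_certs(certs_dir, tx_time, window=timedelta(minutes=30)):
    """Return (hostname, mtime_utc, fingerprint, flagged) for each file in certs_dir.

    flagged is True when the file was last written inside [tx_time - window, tx_time],
    i.e. the client pinned that server shortly before the transaction.
    """
    results = []
    for path in sorted(Path(certs_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            fp = cert_fingerprint(path.read_text())
        except (ValueError, UnicodeDecodeError):
            fp = "unparseable"  # not a PEM certificate; still worth listing
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        flagged = tx_time - window <= mtime <= tx_time
        results.append((path.name, mtime, fp, flagged))
    return results


def fake_pem(seed: bytes) -> str:
    """Constructed PEM-shaped blob for the demo; the body is not a real certificate."""
    body = base64.encodebytes(seed * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def build_demo_dir(root, tx_time):
    """Write a constructed certs/ directory whose file times mimic the post."""
    certs = Path(root) / "certs"
    certs.mkdir(parents=True, exist_ok=True)
    minutes_before_tx = {          # constructed timings (assumption)
        "guichet.centure.cc": 3,
        "blackie.c3-soft.com": 2,
        "btc.aftrek.org": 1,
        "electrum.example.org": 60 * 24 * 200,   # hypothetical old pin
    }
    for host, minutes in minutes_before_tx.items():
        p = certs / host
        p.write_text(fake_pem(host.encode()))
        stamp = (tx_time - timedelta(minutes=minutes)).timestamp()
        os.utime(p, (stamp, stamp))
    (certs / "broken.example").write_text("not a certificate\n")  # parse-failure case
    return certs


def demo_scan():
    """Run scan_certs over the constructed directory and return its rows."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_certs(build_demo_dir(tmp, DEMO_TX_TIME), DEMO_TX_TIME)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: script.py ~/.electrum/certs 2023-05-01T12:00:00+00:00
        rows = scan_certs(sys.argv[1], datetime.fromisoformat(sys.argv[2]))
    else:
        rows = demo_scan()
    for host, mtime, fp, flagged in rows:
        print(f"{'!' if flagged else ' '} {mtime.isoformat()}  {host:28s}  {fp}")
```

Run it against the real directory with the TX broadcast time (from the explorer, in UTC) as the second argument; lines marked "!" are servers first pinned in the window before the TX. A flagged file only shows when the client first trusted that server; comparing its fingerprint against the certificate the server presents today (openssl s_client -showcerts) tells you whether the pinned cert has since changed.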
I don't think Electrum servers are able to do that, since Electrum only requests data like address history and balances, block headers, UTXOs, etc.
There's no way that they can do that or control your wallet.
How exactly did you create your wallet? Did you create your wallet somewhere else? I mean outside the Electrum wallet from that PC/Laptop?
If not, and you created your wallet on the same device, there's a possibility that something on your PC that you don't know about is leaking your wallet private keys.
I'd like to know how you installed this Linux and where you downloaded it. Are you sure that you downloaded the Linux OS from a legit source?
Because if you downloaded it from somewhere other than the trusted source, there's a possibility it's already infected with malware. Scanning it with any antivirus won't work; that's why I don't download an OS randomly.
There are lots of free OS mods out there, but all of them are already infected with malware that can't be easily scanned by any antivirus.
If I want to use a wallet on a Linux-based OS, I am more comfortable using Tails, which has built-in Electrum. Electrum already provided a guide for this. If you are interested in the future, check their guide below.
https://github.com/spesmilo/electrum-docs/blob/master/tails.rst
I have created the wallet on a Windows system years ago - see my post above.
I downloaded the Debian OS (ISO install file) of course from the original Debian developer site, debian.org, and verified the signature.
I now use offline signing with Electrum (cold wallet) and only one wallet per address - so fuck the seed :-) Tails is also a good option, I agree, but only when using it as read-only / non-persistent storage and if you do offline signing; otherwise you still have a hot wallet.
But what really is driving me nuts is that I don't know how the hack worked, and why only once, at this time, and coincidentally with a TX of my own? My old wallet seed, BTC addresses and even the Electrum password never changed in 5 years, and any attacker could have stolen much more if he had known the seed/keys/password. I really think it is a combination of a glitch / vulnerability in Electrum together with a malicious server... Any server can send wrong confirmations or trick you into downloading an update, but I am pretty sure I didn't fall for that. Maybe anything else? There was this JSON-RPC hack, you remember, not so long ago...
B.t.w. I have contacted Binance - where my stolen BTC ended up on one of their addresses - and after proving (with screenshots, videos of the wallet opening and wallet/TX history) that I am the owner of the address from which the BTC got stolen, they offered to refund me - but only if I open a Binance account (they will send it to my Binance address)! They said the owner of this Binance BTC address (obviously their customer = the hacker!) agreed to send it back!!! WTF
Has anyone had this experience? They don't want to give me his identity nor the type of attack by which the BTC got removed! This looks very dodgy and supports my theory of a malicious server attack / vulnerability in Electrum which they maybe want to hide... Also I think a criminal/police investigation over several jurisdictions (me, Binance HQ, Binance server locations, TX server locations / mining pool, location of the Binance customer) would lead to nothing.