So, about a month back, I was digging into BIP39 with Copilot and came across a BIP39 seed example. I threw it into Electrum and noticed there were 2 transactions in the change address: 172LHmTcW1VESuNtVtPKUdpQNPh2XURjar for 99 BTC. Didn't really think much of it at the time. But today, I opened Electrum again, got curious, and googled that address 172LHmTcW1VESuNtVtPKUdpQNPh2XURjar. Turns out I found this thread where someone claims they lost those 99 BTC.
What do you think happened?
I’m suspecting the user might have been unlucky with some sketchy software download, which honestly happens all the time. What’s really puzzling is why this specific change address was used just that once while all the others are sitting with zero transactions. It's wild to consider that someone with access to such a huge sum of money could fall victim to something so strange and obscure.
What do you all think went down?
Another odd situation with lost Bitcoin
6 replies 416 views
SwiftMinerSenior Member
Posts: 259 · Reputation: 1036
#2May 3, 2019, 02:46 AM
After going through the whole writeup, two things popped up in my mind. Although it's possible he may have downloaded a compromised or fake software that has been tweaked by a hacker, it's also possible he is using an original software but his device is either infected by a key logger or he has a malware like clipboard virus. If it was a key logger, they probably used it to get hold of his seed s and only signed transactions after he attempted to make one.
If they have his seed it's possible for them to use CPFP to resend the funds to their own wallet just before it gets confirmed and if it's a clipboard virus then every time he copied and pasted a receiving address the hackers address was pasted instead. When hackers do things like this they make use of huge fees so before you notice it has already been long confirmed.
Don't forget to keep your keys safe!!
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#3May 4, 2019, 10:48 PM
You're overthinking it.
The owner is free to select which address that he will use as a paper wallet from his wallet's keys and address.
He might have selected a change address maybe because he's thinking that it's safer.
If it's not a paper wallet (unlike the author mentioned), it could be an RBF transaction that sent the BTC back to self.
e.g.: Electrum uses its change address as a recipient when using that feature, given the relatively high fee, he may have attempted to do it in Electrum but on a compromised client/machine.
Anyways, you'll only be receiving "educated guesses" without solid information about the case.
Is the seed phrase somehow peculiar?
Upon reading the through, I can see that the sender isn't sure of what he did. He claimed to have sent the coins to an address he copied but upon confirmation, the coins were been transferred immediately to another address unknown to him. It's more like the coin has already been received to his destination and someone had access to his key. So there's only one thing that might have been wrong and that's his wallet had been compromised and a hacker has he's seed phrase. Like I said, the story isn't clear as the author wasn't sure of what he did. All we know was that his coins kept been transferred out of his wallet.
Surely this is what happened to him: he downloaded compromised software and the hacker used CPFP through a bot. Because according to him, his sending wallet's funds remained intact, so the compromised one was the receiving wallet. I say it's compromised software because I don't think the user would use a seed suggested by an AI.
The seed itself isn't strange; what's strange is that Copilot used it as an example, citing https://everybithelps.io/bip39-wordlist/, but there's no indication of the seed on that page.
What's the actual seed phrase? Could be an example used in some github code.
The thread opener ("TO") in coinforum.de topic refused to answer some questions that arose while the topic was "hot".
Some details were a bit vague, but to me it seems his Electrum wallet software was genuine, so no fake Electrum wallet used. "TO" stated that the compromised receiving address was part of an Electrum wallet he owned. No details were provided how this receiving Electrum wallet was created.
There was no RBF involved, the stealing transactions spent the unconfirmed output(s) of the destination Electrum wallet's address as a CPFP in the same block. It's obvious that the private key(s) of the destination address(es) is/are compromised and known to the thief.
How and why the destination wallet's private key(s) were compromised could not be determined. I can think of many stupid ways of how to compromise a wallet. Most of them gravitate around making digital backups or pictures of your mnemonic seed words, compromised devices and/or using extremely weak or bad entropy or even publicly known mnemonic seed words, how stupid is that!
?Reply
Sign in to reply to this topic
Related topics
- bitcoin-qt sync issues and slow speeds 6
- Recovering a Bitcoin wallet and address 8
- Affordable quiet mini PC for running a Bitcoin node and blockchain explorer 19
- Using two different Bitcoin versions without messing up blockchain data 3
- Issue with Bitcoin Core Wallet after power outage 8
- Is it possible to check my bitcoin balance offline 12