Some background:

I used electrum seeds written down on paper with tails/electrum on a usb stick for my big coin stash. I don't use dark net markets: I don't use tails for anything except electrum.

What happened:

I transferred a modest chunk of change (less than a bitcoin) from my warm to cool storage in a single transaction. Within a day, that exact output was swept from my electrum wallet into an address, which with some google-fu I discovered was a common parking space for stolen btc. The important thing here is that the rest of my funds, kept in the same electrum wallet, were untouched.

Of course I don't expect to retrieve the stolen coins, but what I want to know is how it was done, and I think an important clue is that not all the coins were taken. I'm also confident that my wallet was offline at the time the coins were taken, as I load up tails sparingly.

I'm curious as to how my wallet got compromised. Does anyone have any ideas as to how this was pulled off, or suggestions for me to improve my practices in the future?