I’ve checked the channel details in Electrum and confirmed the closure txid. I’m hesitant to connect my offline phone to avoid further risks. Any advice on how to investigate this, -snip-
Your cold-storage phone is safe (given that it's totally air-gapped).
It's just that your lightning-enabled watch-only wallet actually contains an extended private key.
Your Electrum wallet is using that to manage your lightning transactions (notice that it can send lightning without using your offline wallet).
But don't worry, since the extended (master) private key of your on-chain cold-storage wallet can't be compromised by it.
For the closing transaction's signature, by oversimplifying things:
Your latest lightning transaction actually has a "pre-image" of what the final state of the transaction could be when broadcasted to the blockchain.
The remote node (other party of the channel) simply used it to get access to his part of the funds without your consent.
For more accurate details, read this document:
lightning.network/lightning-network-paper.pdf