You sure you didn’t install any video recording / screenshot software accidentally on Whonix-Gateway?
Or installed anything else on Whonix-Gateway that might have pulled such a tool as a dependency and then you accidentally pressed a key combination to start recording?
I doubt we install such a tool by default?
A compromise of that sort seems unlikely. Someone with the skills to pull off such an attack would probably
- does not troll in that way?
- why record the gateway if anything not the workstation?
- has better ways to monitor all keystrokes, mice movements and desktop images that are not so obviously detectable?